The Value of Ethical Hacking
If you have read my LinkedIn profile, you will have noted that I am a strong proponent of the idea that, in information security, offense informs defense. For far too long, the industry has relied on a haphazard collection of vendor tools and on system engineers patching and attempting hardening in the dark. I say "in the dark" because when an enterprise does not truly understand its attack surface and has not done threat modeling, how does it really prepare for attacks? If its defenders have never seen the attacker's playbook of tools, techniques and methods, how can they prepare to defend against it?
Don't get me wrong: patching and hardening your devices and networks are the basic blocking and tackling that many enterprises still struggle with. We still see enterprises that do not patch thoroughly or in a timely manner, or that do not understand hardening. We see weekly breaches across the globe caused by a lack of basic security hygiene. If an enterprise cannot get the basic blocking and tackling right, its executive leaders need to address that first.
How do you get leadership involved, you ask? Employ an ethical hacker. Offensive security experts go by names like pen-tester, white hat hacker and sometimes even threat hunter, and it is important to note that they are not all equal. I am going to build the case that you actually want someone trained to think and to employ attacks the way a malicious attacker would: an ethical hacker. Let this offensive-minded person review all the hardening and patching work you have done and report on how you are doing. The real value of an ethical hacker is that they can show, in real time and in context, what an attack against your enterprise looks like. They can talk you through a live threat model and show you your actual attack surface as it is presented to them. They can show how trivial it sometimes is to bypass existing "security". This is usually enough to get senior leadership involved. Ethical hackers open eyes. I have witnessed this first hand.
I can issue as many vulnerability reports as I want, but until your system administrators and developers actually see their work bypassed in real time, they usually think they are fine. Most sysadmins and developers are used to having vulnerability reports thrown at them, only to find that many of the so-called findings are false positives that cannot be reproduced. They come to see vulnerability reports as a waste of time. This is another value an ethical hacker brings: a good one verifies that every finding is actually exploitable and provides detailed reproduction steps and screenshots of the activity. That is gold to an enterprise. Your GRC (Governance, Risk and Compliance) function can now reason about actual risk rather than scanner output, which is another powerful plus you can leverage from ethical hackers.
The color purple. Here is where employing offensive security gets interesting and can become a valuable form of education across your enterprise. I have touched on sysadmins doing the patching and hardening, which are defensive measures: defense is the blue team. Ethical hackers are the red team. See where I am going? A knowledgeable security leader combines the red and blue teams in regular exercises. The red team attacks the enterprise, and the blue team's role is to find them and attempt to block them. This is harder than you would think; the red team has so many options that they usually find a way in. This is where the purple team comes into play: the red team sits down with the blue team and helps them see, understand and fix the vulnerable things that were identified. It is not an us-versus-them exercise, but rather a "let's see what we can learn together" one.
It is really useful to have at least several planned events each year where you sit in or beside the SOC, with both sysadmins and ethical hackers, and run through several playbooks of attack scenarios. The blue team watches its tools and logs while the red team attacks, and the SOC analysts work the alerts, trying to catch the red team and stop them before they succeed and reach the data. The obvious analogy is a sports team going up against an opponent it has never played, not having studied their offense, and simply hoping for the best. Sports coaches know the value of researching their opponents and testing their own team by running similar plays and styles with a scout team. Why is the enterprise blind to this need in 2018? Why would you patch and harden but never actually test it in real time? Essentially you want to pair the offensive-minded ethical hackers with sysadmins, domain admins, SOC analysts, developers, cloud architects and so on. Create a playbook for each kind of defense, then test it with all the people who own that defense engaged. What you learn WILL improve your security across the enterprise.
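To make the playbook idea concrete, here is an added example that is not part of the original article: a small harness that replays a constructed authentication log (the log lines, source addresses, user names and rule names are all made up for this example) through a simple detection rule and reports, per playbook step, whether the blue side would have caught the red team's action. The point it shows is the one the paragraph above makes: the value of the exercise is in the step that comes back MISSED, because that is what the purple team sits down to fix.

```python
"""Purple-team playbook check: replay a constructed auth log through a
detection rule and score each red-team step as detected, missed or clean."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real data). The red team password-sprays
# five accounts from 10.0.0.5, then logs in with the one password that worked;
# 10.0.0.9 is ordinary user activity that should not trip the rule.
SAMPLE_LOG = """\
2018-05-01T10:00:01 auth user=alice result=FAIL src=10.0.0.5
2018-05-01T10:00:03 auth user=bob result=FAIL src=10.0.0.5
2018-05-01T10:00:04 auth user=carol result=FAIL src=10.0.0.5
2018-05-01T10:00:06 auth user=dave result=FAIL src=10.0.0.5
2018-05-01T10:00:08 auth user=erin result=FAIL src=10.0.0.5
2018-05-01T10:00:09 auth user=frank result=SUCCESS src=10.0.0.5
2018-05-01T10:05:00 auth user=alice result=SUCCESS src=10.0.0.9
2018-05-01T10:30:00 auth user=grace result=FAIL src=10.0.0.9
"""

# The playbook: each red-team step names the source it came from and the
# rule the blue side expects to fire (None means "this is noise, stay quiet").
# Step and rule names are assumptions for this example.
PLAYBOOK = [
    {"step": "password spray", "src": "10.0.0.5", "rule": "password_spray"},
    {"step": "login with sprayed password", "src": "10.0.0.5",
     "rule": "spray_then_success"},
    {"step": "single failed login (noise)", "src": "10.0.0.9", "rule": None},
]


def parse_log(text):
    """Turn 'TIMESTAMP auth key=value ...' lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _source, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.fromisoformat(ts)
        events.append(event)
    return events


def password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return the set of sources that failed against at least min_users
    distinct accounts inside a sliding window of the given length."""
    fails_by_src = defaultdict(list)
    for event in events:
        if event["result"] == "FAIL":
            fails_by_src[event["src"]].append(event)
    hits = set()
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            users = {e["user"] for e in fails[i:]
                     if e["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits.add(src)
                break
    return hits


# Only one rule exists so far; the playbook deliberately expects a second one
# ("spray_then_success") that nobody has written yet.
RULES = {"password_spray": password_spray}


def run_playbook(log_text, playbook=PLAYBOOK, rules=RULES):
    """Score every playbook step: 'detected', 'MISSED', 'clean' or 'false positive'."""
    events = parse_log(log_text)
    fired = {name: rule(events) for name, rule in rules.items()}
    results = {}
    for step in playbook:
        caught = [name for name, srcs in fired.items() if step["src"] in srcs]
        if step["rule"] is None:
            results[step["step"]] = "false positive" if caught else "clean"
        else:
            results[step["step"]] = "detected" if step["rule"] in caught else "MISSED"
    return results


if __name__ == "__main__":
    for step, status in run_playbook(SAMPLE_LOG).items():
        print(f"{status:>14}  {step}")
```

Run as a script it prints one line per step; the spray itself comes back detected, the noise comes back clean, and the follow-on login with the sprayed password comes back MISSED, which is exactly the gap the red and blue teams would write the next rule for together.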
Why does this work? The answer is multifaceted, and everything I have talked about is part of the equation. You have a person or persons testing what you think is hardened. You then learn about the vulnerabilities and how to fix them. But perhaps the most important aspect, which I have not yet touched on, is why you want what I keep calling an ethical hacker. The secret sauce is that people who are truly trained as hackers learn to think and reason like a malicious attacker. They learn and use the same tools and the same scripts; they learn how to get a reverse shell, how to write malware, and so on. This is why they find things others cannot, and why they are set apart from pen-testers who are used to having their hands tied or who have only ever run automated tools.
As a security leader, you really need to understand how the various training and certification bodies differ in what they teach and how they test. You need to research collegiate security programs. Then you need to stay on top of all these training paths, because they change. You need to find the talent that is passionate about security, that loves puzzles, that does not like to give up and that loves competition. Then you need to find someone who has been trained to think like a hacker and can explain to you what that means. Then ask them how they feel about purple teaming. These are the people you need to hire and let loose testing your enterprise hardening.
One last thought. Since your ethical hacker is trained to think like a hacker, you could also set them loose inside your network to look for signs of a current compromise. With all the hype around threat hunting tools, you likely already have people who can do that for you. It is sometimes a needle in a haystack, but having the mindset of an ethical hacker on your team is crucial.
This is how we turn the tide.
Agree with your idea, Don. The best way to catch a thief is to be able to think and be like one.