In an era where government agencies, contractors and even municipalities have been hit in cyber attacks, it would seem odd that any of these entities would want to pay someone to try to hack their respective systems, let alone pay for it. However, offering hackers the chance to test the security of a network is exactly how potential exploits are being plugged before a real attack could occur.
Recently, the United States Air Force called in “bug bounty” firm Synack to bring in so-called “ethical” or “white hat” hackers to find weaknesses in the most important IT systems – including those used for maintaining weapons technology. The ethical hackers were charged with trying to access the USAF’s Reliability and Maintainability Information System (REMIS) – the central, common source of all unclassified maintenance information for Air Force weapon systems – so that potential vulnerabilities could be discovered and accordingly addressed.
Last fall the Department of Defense and the Digital Defense Services awarded a set of contracts under the “Hack the Pentagon” bug bounty program to three firms: HackerOne, Synack and Bugcrowd.
“Whether called ethical hacking or penetration testing – ‘pen testing’ – these are practices used by professionals who scrutinize a system’s attack surface in order to find security gaps before the bad guys might exploit them,” explained Jim Purtilo, associate professor in the Computer Science department at the University of Maryland.
“We obviously invest effort into erecting defenses in order to expose suspicious activity and prevent inappropriate usage, but this is only part of the story,” Purtilo told ClearanceJobs. “Just because we erect a high castle wall doesn’t mean a bad guy will accommodatingly attack there; usually he attacks the weakest point in our defenses, not where we’re strong. This is where ethical hacking comes in. It lets us study our perimeter from the outside, with the same mindset and tools as our would-be opponents.”
The electronic barriers are much like castle fortifications in other ways – namely that you can’t always see the weak spots from within the walls.
“If we only ever look at our perimeter from the inside then it is easy to get near sighted and miss important features that fresh eyes might have caught,” added Purtilo. “That’s why we pen test [penetration test]. Ethical hackers with our team will look at the system from the outside.”
Bug bounties come into play when it comes to finding those vulnerabilities.
“It is very common at the DoD, and the United States Air Force is leading the way to offer bug bounties as a way to root out exploits in a system,” said Mitch Jukanovich, vice president of federal sales at security automation firm Tripwire.
“A bug bounty is like pen-testing but on steroids,” Jukanovich told ClearanceJobs. “You are pen testing but in a physical demonstration performance. In theory the most successful companies can show not only the exploit but how to remediate what was hacked as well.”
Magicians Revealing Secrets
Ethical hackers are like the magician duo Penn & Teller, who are known not only to pull off an impossible trick but then to show the audience how it was done.
This is how ethical hackers now often operate.
“In the old days the white hat guys didn’t want the trade craft revealed,” explained Jukanovich.
Instead it was common for the hackers to break in and let the cybersecurity teams figure out how to plug the holes. Today the ethical hacker offers solutions to the problems that were found. At the same time, the ways that a system is breached is openly addressed.
“The tricks of the trade are open to everyone’s eyes,” said Jukanovich. “Now it is also common to have a hacker from one company sitting next to someone from another company and they’re actively showing how they did it! The tricks of the trade are open to everyone’s eyes. It has its own culture, but the paradigm has shifted to more collaborative work. The days of the tattooed hacker sitting alone in a basement are becoming a thing of the past.”
This isn’t because the code of hackers has changed, but because the companies paying for the ethical hacker require it.
“It isn’t just novel to show off how they pulled off the ‘illusion,'” added Jukanovich. “They have to show the cybersecurity teams what they are doing and how to replicate it. So if you’re going to be an ethical hacker today you have to be open. The millennial workers get it.”
As a result there is also greater trust with today’s ethical hackers.
“These people are seen as trusted advisors now,” said Jukanovich. “They’re expected to hang out and assist in solving the problem, not just finding the weakness.”
Mercenary Hackers
Just as militaries in medieval Europe hired skilled soldiers or companies of soldiers to breach city or castle walls, the military is now hiring the modern equivalent to protect the digital fortress. This is why the bug bounties have become a popular way to find the holes and other bugs in a system. Hackers – even if they are of the white hat variety – still want to be paid.
The other part of the ethical hacker that has changed is that it isn’t so much about the lone wolf anymore. While there are still lone actors, today the majority of ethical hackers are working for firms or being hired directly by companies.
Teamwork is becoming crucial in the world of ethical hacking.
“On the football field, a defensive linebacker should have a good understanding of how the offense’s running backs see the field,” explained Purtilo. “The same is true in cybersecurity. I want the young professionals training in my lab to learn how to see our systems from both directions. I want them to develop the broader perspective and I especially want them to have a deep appreciation of the ‘ethical’ part of their title, so we’re clear on what are the appropriate limits to activities at others’ sites.”