Due to a rise in bug bounties from companies large and small, many hackers are seeing the light and using their skills for good. We look at some of the ways you can work with this new breed of hacker.
Imagine you’ve been told someone in your organisation is a hacker. Whilst your gaze might fall on a teenage intern or a recently disgruntled colleague, you’d probably be wrong. Very often, the hacker in your business is a professional just like you, but using their potentially nefarious skills for good rather than evil. This is because, rather than damaging your business he, or she, could be performing an essential business process: testing your company’s defences for potential areas of infiltration.
To understand the 21st-century hacker’s mind, you need to first understand the market. Increasingly, the most reliable route to riches for them isn’t to blackmail weakly protected organisations, but to earn “bug bounties” – rewards offered by companies to have their applications and networks tested.
Time to look inside the mind of the hacker of today – and shatter some commonly held illusions about how they work.
Myth #1: They are all criminals
Whilst there are still plenty of hackers out there associated with criminal gangs or rogue regimes, there is the increasing emergence of the white hat community (leading proponent Bugcrowd is currently 383,000 strong). These are hackers that aren’t interested in becoming criminals, they’re interested in stopping them.
Today’s white hat hacker is often highly educated and among the best coders in the business. In fact, a survey by BugCrowd shows over 50% of white hat hackers have either a Bachelor’s or Master’s degree, and over eight in ten have spent at least some time in higher education.
Myth #2: The theory of the lone gunman
Hollywood movies would have you believe that most hacks originate from a lone evil genius working solo. However, even a solo perpetrator in a darkened bedroom generally doesn’t work alone. He or she is constantly picking up intelligence from web chats, news sources, rumours and gossip. The truth is that hackers are inherent talkers. When the buzz gets louder, people start strategizing about it, forming new teams, and swapping ideas.
In the same way, successful, regulated, penetration testing – or “pentesting” as it’s more commonly known – where you the systems behind your company’s IT defences, usually involves much more than a lone consultant at a desk. Don’t be surprised if the pentesting hacker in your office is that gregarious, funny administrator downstairs who asks to borrow your password “just for a moment”.
Myth #3: It’s all attacks from the East
Whilst the media is often quick to point the finger to those in the East, in all actuality over 112 nationalities are represented in BugCrowd including Australia, Germany, the UK, and the USA in substantial numbers.
This correlates with another change in the market for hacking services: the size of companies running bug bounty programs. It’s not just small developers outsourcing their bug discovery any more. Blue chip multinational western companies of 5,000 employees and up are now the fastest-growing segment to offer bounties to hackers.
Myth #4: It’s just about the code
The myth persists that a hacker’s skills are limited to simply scrolling through source code and unleashing attacks. This is a misnomer. Actually, today’s hacker is as much a social scientist as a computer scientist, using Facebook and LinkedIn profiles to discover potential passwords. Also, by simply looking at the online resumes of the company’s security team can tell a hacker what technologies their network is likely to be using, and therefore what vulnerabilities might be exploitable.
Hackers themselves are often into social climbing. It’s not the secret world many imagine it to be. Every bug bounty won increases their desirability within the marketplace. A good white hat hacker often doesn’t have to go out a seek work; rather, they will get invited to participate in private bug bounties by the companies themselves.
Myth #5: a successful hack is a failure of your company
Of course, no company – particularly a listed company with sensitive shareholders – likes to admit its systems have been compromised. But if your bug bounty programme exposes genuine vulnerabilities in your IT infrastructure, that’s no failure: it’s a huge success. This is because the cost of paying a bounty is usually vastly lower than being held to ransom by evil actors later. For example, Google’s bug bounties start at just a $4,000 bug bounty for information leakage, whereas Uber was forced to pay 25 times this as hush money to hackers that stole 57 million records back in 2016.
The successful white hat bug hunters have managed to turn their frequent bug bounties into their principal source of income. This is likely to grow too. The lesson for companies is clear: don’t try to stop the hackers. Instead, invite them in.
Many a hacker has moved away from the dark side in recent years. Encouraged by a rise in bug bounty programs - with Facebook paying security researchers $880,000 last year, and Google awarding $2.9 million - the term “hacker” is losing its negative status. For many years, managers and journalists conflated the terms “hacker” and “evil”. Today’s hacker isn’t necessarily a threat – he can be your information infrastructure’s greatest friend.
- Hackers aren’t all criminals - evildoers may even be the minority
- Stereotypes about their origin are outdated
- Methods of attack are as much sociological as technological
- Bug bounties are increasingly used by companies to pre-empt problems