During the last decade, we have faced the grim reality that is cyber-attacks in their most sophisticated forms. Incidents orchestrated by malicious actors that tested many companies’ cybersecurity practices, and even brought other companies to bankruptcy.
The goals for such attacks often vary, depending on the actor, malicious actors do it for financial gain, activists operate for a multitude of reasons, fun, profit, and to advocate change, and state-aligned actors attack each other as a new form of warfare.
These attacks have been getting more and more sophisticated as time goes by; there are many examples, such as the most prolific ransomware group, Conti, which managed to gain $180 million from its victims last year through various cyber-attacks, or the Netwalker ransomware attack executed on Equinix, one of the largest data center provider companies in the world, demanding $4.5 million.
As these attacks evolve, the defending side also adapts and develops in order to be able to protect and secure public and private infrastructure from these devastating attacks, often using new, innovative, and clever ways, since the ancient ways of simple cybersecurity and compliance audits are no longer sufficient all by themselves.
This is the difference or gap created by modern, sophisticated cyber-attacks. Two decades ago, a crude but thorough cybersecurity and compliance audit was necessary since most corporates infrastructure was relatively small compared to the modern, federated, decentralized, cloud, and microservice-based infrastructure.
Securing, auditing, and maintaining massive modern networks requires considerable time and effort with a specific competence not easily found among most network engineers and other IT professionals.
Many new approaches and strategies have been invented to deal with this issue, so far, the most commonly utilized strategy is the employment of a wide set of practices under the term “ethical hacking.”
What is ethical hacking exactly, and what does it constitute?
In simple terms, ethical hacking is an authorized, simulated attack against a computer, network, or organization to identify existing cybersecurity vulnerabilities and system misconfigurations, gauge the risks, and protect them from real threat actors (malicious hackers).
It is possibly one of the most effective, time and cost-efficient ways to enhance an organization’s cybersecurity posture due to its flexible nature and realistic practices.
Are such practices legal?
The target organization explicitly authorizes these operations in order to assess their security posture and fix any weaknesses that exist within.
In fact, these operations are often ordered by the higher-ups of the organization, sometimes without the knowledge of the subordinates in order to simulate an actual attack, but this is not always the case, as the scope and goals always vary from one operation to another.
Who executes ethical hacking operations?
Authorized attacks are often carried out by professional cybersecurity experts known as “white hats or white hat hackers.” Regarding technical proficiency, white hats must present a thorough, top-to-bottom expertise in networks, operating systems, databases, web servers, web applications, mobile applications, and other concepts, such as Cloud Computing and IoT.
As for trade proficiency, white hats must have a grasp of the legalities surrounding the operation and the industry as a whole, the principles of information security, and the compliance involved.
What does ethical hacking consist of?
Ethical hacking is a very broad term that helps companies to evaluate the risks of cyber-attacks and can encapsulate many operational concepts depending on the customer goals and his desired scope of simulation, but the four most relevant ones are; vulnerability assessments, penetration testing, red teaming, and bug bounties programs. These different operations vary in size, scope, rules of engagement, and goals.
A. Vulnerability Assessment
Usually considered an audit against a target or a list of targets that vary in nature (networks, computers, or applications) and attempts to find all known vulnerabilities.
Vulnerability assessments attempt to discover a very wide area of vulnerabilities, misconfigurations, and non-compliances that developers and system administrators usually cannot catch, a vulnerability assessment must be thorough, enforcing, and methodical.
Vulnerability assessment follows a very specific four step lifecycle:
- Asset discovery
- Asset prioritization and target configuration
- Vulnerability scanning
- Result analysis and actions
First, the operator needs to make sense of the target infrastructure and understand the big picture; this usually is a tricky phase since the operator has no guarantees that the target will be fully visible, and even if it is, it is even tougher organizing their digital footprints.
2. Asset prioritization and target configuration
This part of the assessment is completed by organizing the assets into clearly ordered priorities and organized attack metrics, this is not necessary if the customer can afford a full scan on each and every single one of its assets, but most cannot afford it, so they resort to scanning their most critical assets, which are usually public internet facing web applications, servers, or internal critical infrastructure, such as a domain controller, some targets require finer tuning than others depending on their nature, criticality, and robustness.
3. Vulnerability scanning
The most important step of the process, using a massive database of publicly known vulnerabilities and the ability to scan, probe, and attempt to check the target’s service vulnerabilities. It is only a matter of time until the vulnerabilities are identified and the report is generated based on a predefined baseline. At this stage, the pentester team must well configure the vulnerability scanners to reduce the number of false positives.
4. Result analysis and actions
Vulnerability scanners, no matter how advanced, are still tools; they may generate false positive, and they may identify a vulnerability that does not really exist or bump up the severity rating on a relatively harmless bug, therefore, human bug triaging and analysis is instrumental to a successful assessment, the operators will check and recheck for the existence and severity of identified bugs, as well as vulnerabilities in an attempt to patch them in a suitable manner.
B. Penetration Testing
Often like a red teaming exercise, penetration testers use their experience in order to attempt to attack all possible angles of the organizational structure. Penetration tests also consist, usually, of a five step comprehensive lifecycle:
- Planning and Reconnaissance
- Gaining System Access
- Persistent Access and Housekeeping
- Analysis and Reporting
1. Planning and Reconnaissance
This phase covers describing and defining the scope as well as limits of the test and a preliminary, (often automated) information gathering mission in order to understand the infrastructure and topology of the target entity. By the end of this step, the pentester team will have as much information as possible to map the attack surface.
This phase, based on the information acquired from phase one, attempts and gets not only a complete top-tobottom granular technical overview of the target entity’s technology stacks (services, defensive measures, etc.), but also a list of vulnerabilities that can be exploited.
3. Gaining System Access
The penetration testers parse all the information they have acquired throughout phase one and phase two and look for misconfigurations and exploitable vulnerabilities that will allow them to gain network or system access belonging to the target then run the payload to exploit the target.
4. Persistent Access and Housekeeping
Once one or more systems have been successfully attacked, the penetration testers try to understand how far they can go inside the target system by trying to infect more machines, intruding on more networks, escalating their privileges, packaging, and exfiltrating as much valuable data as possible. The testers must not forget that housekeeping is essential; any modifications to the target systems must be reverted and rolled back; in other words, the target system must be exactly what it was like before starting the penetration test.
5. Analysis and Reporting
The penetration testers compile the results and findings of their operation into a report, findings such as the vulnerabilities exploited, a list of machines successfully infected, and weaknesses found in security systems.
This report will be sent to the target organization for analysis. In the meantime, the penetration testers will work with the corresponding team to fix any weaknesses they find. It is pivotal that organizations running critical infrastructure conduct, regularly and often, penetration tests to get the most accurate and complete overview of their security posture.
C. Red Teaming
Attempts to simulate a real threat, actor’s attack against the target organization, trying to gain access and reach the goals by any means necessary.
Most members in the organization should have no idea that a red teaming operation is taking place. Otherwise, it defeats the purpose.
Operators will use tactics that emulate known adversaries (criminals, state actors), as well as develop their own tactics.
Red teaming follows an attack lifecycle very similar to penetration tests, but unlike penetration tests, where the target is to map out and exploit every attack vector possible, the red team’s target is to reach a well-defined objective, such as access to a server, access to a network, creating a successful data breach, or acquire domain controller admin account. Usually, red teaming operations follows the MITRE ATT&CK framework and mostly deliver the attack using social engineering.
D. Bug Bounties
A method of loose cooperation between corporations and paid volunteers in the form of a bounty program, bug bounties are essentially companies giving ethical hackers the permission to attempt and exploit their applications and infrastructure, as long as the ethical hacker responsibly cooperates in vulnerability disclosure and the payoffs are often massive.
Many large corporations such as FAANG (Facebook, Amazon, Apple, Netflix, and Google) or even government organizations, such as the US Department of Defense (DoD) implement their own bug bounty programs.
This kind of program will help companies to fix new vulnerabilities, assign them a unique ID called CVE (Common Vulnerabilities and Exposures) and then add them to the database of publicly known vulnerabilities which is used by vulnerability scanners.
Each of these methodologies and operations employs ethical hacking and is essential to maintaining a sufficiently advanced cybersecurity posture to protect organizations and their subsidiaries and assets from harm caused by all sorts of malicious actors in cyberspace.
Neither of these methodologies is enough on its own, and they all must be combined and carried out regularly or risk asset loss through cyber-attacks.