The term ‘Devil’s Advocate’ is well-known in the corporate world. It is said to have evolved from the Catholic Church’s procedure of appointing a lawyer specialized in Canon Law from the Office of the Promotor Fidei (Promoter of the faith) to present counterarguments and evidence as to why a candidate being recommended for canonization should not be sainted. The practice was quickly adopted by the business and legal sectors to promote critical thinking, reveal weaknesses, stimulate discussion, and even provoke responses.
In many ways, the role of the white hat hacker in cybersecurity teams is like that of a ‘devil’s advocate’: adopting the mindset of the bad actor and using a professional set of skills and resources, he primarily questions the efficacy of the organization’s cybersecurity posture and systems, so that the organization is better prepared to weather cyber threats.
The white hat hacker
The term white hat hacker is said to have been coined from the Western movies of yesteryear where well-meaning, law-abiding cowboys typically donned white hats. By contrast, their ill-intentioned counterparts wore black hats. White hat hackers could therefore be called the ‘good guys’ who use their knowledge and skills to prevent cyberattacks orchestrated by the ‘bad guys’, the black hat hackers.
The origins of white hat hacking can be traced to the mid-sixties when the Multics operating system, a time-sharing operating platform widely regarded as the forerunner of modern operating systems, was repeatedly compromised. The United States Army is reported to have resorted to the first recorded cases of ethical hacking to test vulnerabilities in their Multics module.
The contemporaries
White hats boast the same skills as black hat hackers. However, they use these skills to avert the threats posed by black hat hackers, who invariably look to monetize their malicious intentions. White hat hackers conform to ethical standards and legal frameworks and work with the permission of the organizations that hire them. It is not uncommon to find academicians, researchers, and students of cybersecurity employed as white hat hackers.
Based on the nature of their skill levels, approaches to hacking, and intentions, hackers are further categorized as (1):
- Green hat hackers – the wannabes of hacking. They often are beginners learning the nuances of hacking, and aspiring to become black hat hackers. Like their role models, they are in it to monetize their efforts
- Blue hat hackers – the ‘revenge seeker’ and the ‘gun for hire’. The revenge seeker seeks only to defame or discredit a target. Unlike black hat and green hat hackers, they work externally without any attention to money or fame. The second type is the hacking professional who is hired by organizations as a consultant to detect vulnerabilities and perform penetration testing. Microsoft is known to organize forums for blue hat hackers to test their systems at ‘by-invite-only’ events
- Grey hat hackers – ‘the self-appointed custodians’. These are ‘do-gooders’ who work outside the organization without ever being appointed. They are known to often reach out to organizations to inform them of system vulnerabilities. However, they breach organizations’ defenses without prior consent or proper authorization, effectively making their initiatives illegal
- Red hat hackers – ‘the self-appointed vigilantes’. They are also external ‘do-gooders’. However, they differ from grey hat hackers in their approach and target. They target bad actors directly, waging aggressive and unsolicited war against them, often launching attacks that render the latter’s systems ineffective
The benefits of white hat hacking
The benefits of ethical hacking are numerous, making it a must-have for organizations looking to shore up their security posture. Here are some of the benefits that accrue:
- Improved levels of cybersecurity, and fewer chances of a data breach
- Less damage/chances of damage due to proactive threat hunting
- Increased trust levels with investors, supply chains, employees, and other stakeholders
- Cost savings in legal fees, and fines from violation of regulatory procedures due to limited damage arising from early detection and timely remediation
- Compliance with industry standards and requirements
- Cybersecurity training and awareness from in-house industry experts
- Knowledge sharing in the cybersecurity community, thanks to the exchange of information on case studies and best practices
What’s involved
An oft-heard call in recent times, especially with the surge in AI-generated hacks, is to fight fire with fire – to use Generative AI itself to combat the hack. The same logic could easily be applied to the inherent qualities required in a white hat. Cast in the role of a thief catcher, he must necessarily think like the thief he has set out to catch.
In addition to a Certified Ethical Hacker (CEH) accreditation and an appropriate Offensive Security Certified qualification which many consider the gold standard for Penetration Testing (or Pentesting for short), a white hat hacker would require:
- Professional qualifications and programming proficiency in languages like Java, C++, Python, etc., that will facilitate Pentesting
- A thorough knowledge of Operating Systems including Linux
- Network expertise covering network protocols (TCP/IP), architecture, firewalls, and intrusion detection systems (IDS), and
- A good knowledge of cryptography, compression, and algorithms.
The white hat hacker’s arsenal and strategies mirror those of the black hat hacker. Amongst the most important of his ongoing exercises is the evaluation of the success-detection rate of the antivirus software deployed. Many ‘cultivate’ malware as a proactive step, observing how it behaves and assessing how it could pose a threat to their systems.
Coursera (4) provides an indicative list of what a white hat hacker does.
- Reverse engineering malware and viruses
- Analyzing attacks and security incidents for their root causes
- Scanning a target network with vulnerability scanners
- Designing plans of attack to try and exploit (and then patch) vulnerabilities
- Providing technical support, and reviewing and updating documentation
The inherent challenges
Since the role of the white hat hacker considerably overlaps the role of a cybersecurity professional, many of the challenges faced by the latter also apply to the former. Some challenges however are unique due to the environment in which the white hat hacker operates. An article in Medium (9) summarizes the top five challenges associated with ethical hacking.
- A rapidly and constantly evolving threat landscape – requiring the ethical hacker to keep abreast of industry developments, new hacking techniques, tools, and trends
- Complex work structures and system architectures – some often including tenuous network connections and heritage systems
- Legal, ethical, and authorization issues – involved in the access, navigation, handling, and treatment of systems and data
- Resource crunch – compelling ethical hackers to sometimes opt for a hiatus, putting their crucial threat-hunting activities on hold
- Time constraints, breach (5), and alert fatigue (6) – arising from work overloads and sustained operations
Conclusion
A good indication of the importance given to white hat hacking is the global market size for ethical hacking and penetration testing (2). Both are expected to surge exponentially in the coming years, registering CAGRs in excess of 20%. The tech giants are already deeply invested. Facebook and Apple have their bug bounty programs, Microsoft and IBM their ethical hacking processes for products, and Amazon Services their white-hat-assisted cloud security testing. Many giants routinely hold conferences, events and competitions to promote and discover industry talent. A significant number of winners are notably from India (8), a country that is also witnessing a surge (7) in ethical hacking in recent years.
On the legislation front, the 2022 revision of the Computer Fraud and Abuse Act (CFAA) by the Department of Justice (3) came as a shot in the arm for the community. Its new policies guarantee that software testing, investigation, security flaw analyses, and other “ethical hacking” activity will not be prosecuted. This has put to rest many reservations about the ethical nature and security concerns associated with white hat hackers.
Almost four decades ago, the Catholic Church took the unprecedented step of considerably reducing the role and scrutiny of the Office of the Promotor Fidei. Though critics claim it has made beatification and canonization easier, its value, however, is not diminished. Rather, it has arguably helped propagate the faith.
So too with the white hats. With the benefits they confer, the industry support that they receive, and the legislation that continues to empower them, ethical hacking and the white hat hackers are here to stay.
References:
1. Different Types of Hackers: The 6 Hats Explained – InfoSec Insights (sectigostore.com)
2. $1.1 Billion Worldwide Penetration Testing Global Market to (globenewswire.com)
3. Demystifying Ethical Hackers And Why Modern Organizations Need Them (forbes.com)
4. What Is a White Hat? The Ethical Side of Hacking | Coursera
5. Breach Fatigue Tips for Protecting Your Organization in a Constant Cyber Threat Landscape – Aurora Systems Consulting Inc. (aurorait.com)
6. The Looming Threat of Fatigue, Stress and Burnout in Cybersecurity – Aurora Systems Consulting Inc. (aurorait.com)
7. India’s hackers make a fortune hunting bugs for tech giants (techinasia.com)
8. Indian Ethical Hackers Won Rs 29 Crore In 2019, Second Highest In The World Behind USA (indiatimes.com)
9. White Hat Hacking Challenges. White Hat Hackers, or Ethical Hackers… | by InfosecTrain | Medium