Can You Hack My Network? Why Ethical Hacking is Essential for Improving Your Security
You’ve convinced the necessary parties to invest in improving your information security, examined your options, and selected and deployed a new cybersecurity solution. Even once you’re up and running, however, you might not feel completely secure. Is there anything you missed during deployment, which you may not have done correctly? Do you need to test your incident response process as much as testing the detection software? Does the new solution have vulnerabilities you – or its creators – don’t know about? Are there emerging types of attacks that it will miss?
If you want to know that a cybersecurity solution will do what you need it to do – that is to say, to protect your network – and that you’re ready to respond to whatever it detects, you need to test it first. Penetration testing (“pentesting”) is a common part of deploying any new tool for cybersecurity, and it may help you identify and fix weaknesses in your defense. This is doubly true for AI-based cybersecurity solutions, as they benefit tremendously by learning from supplemental data.
However, being an able security administrator does not mean you are necessarily skilled at probing for holes in the solutions you control. Penetration testing can be automated through software, but that can lack the ingenuity of a live human trying to breach your system. The surefire way to simulate a real human attack is to enlist the service of a real human attacker – subjecting your network and its cybersecurity defenses to “ethical hacking.”
What Is Ethical Hacking?
Ethical hackers also called “white hat” hackers as a nod to the fashion sense of good-guy cowboys in old Western films, go beyond a typical pentest; they’re trying to exploit your system like a real attacker would, including trying to leverage human error. For all intents and purposes, a white hat hacker will approach your network as a truly malicious hacker (aka “black hat”) would, using all the ingenuity and tricks at their disposal.
While many ethical hackers operate in a contract-based framework, others are hired more as freelancers in a bug bounty-based environment – a firm offers a set amount of money (often in the five-figure range if not higher) for anyone who can find bugs or gaps in a system’s defenses or successfully breach it, and some of the Internet’s finest white hats are off to the races.
The value in skilled ethical hacking is tremendous and critical for identifying vulnerability in cybersecurity solutions before a real bad actor comes along. The United States Air Force has used ethical hacking to simulate a user with insider access gone rogue, for example, and DARPA has hosted ethical hacking tournaments to develop AI cybersecurity tools like Mayhem, which can identify and fix vulnerabilities with minimal human involvement.
How Ethical Hacking Benefits AI Cybersecurity Solutions
Like humans, AI-based solutions like Mayhem only know what they’ve been taught. The information that goes into an AI cybersecurity tool is arguably just as critical as the tool itself. For instance, AI-powered network traffic analysis (NTA) tools function by learning what is normal in a network and then flagging what is anomalous, or abnormal.
The AI can learn by itself over time (unsupervised machine learning), learn by being fed a set of pre-determined parameters, like a list of known viruses and what they look like and how they behave (supervised machine learning), or both. The more data, and the wider the variety of data, you give an AI-powered cybersecurity solution, the better.
Of course, not everything abnormal is an attack, and AI-driven tools that are operating under limited data – for instance, only considering an analysis of network traffic without knowing typical threat behaviors – may trigger false positives from benign actions. Training AI on what an actual attack might look like helps it distinguish between harmless abnormal behavior and malicious anomalies. With this, you can reduce false positives, and consequently reduce the time human workers need to spend checking to make sure a system hasn’t been breached.
AI-powered cybersecurity tools are very good at recognizing the work of software because malware will usually behave in predetermined or recognizable patterns. An actual human who has penetrated a system, though, may not be so predictable. What steps is this malicious actor taking? Where do they look first, once they have breached the perimeter defenses and gained access?
By simulating real attacks, ethical hackers can help AI-based systems learn to recognize the behavior of humans attacking the system it’s protecting. However, the benefits of ethical hacking aren’t just for training AI – ethical hackers can also help the security software’s human cybersecurity partners understand the types of attacks that are able to evade detection.
Ethical hackers can also try to leverage human error in the way a real black-hat hacker might. They can use business email compromise (BEC) scam or compromised websites, or see how your employees might respond to a phishing attack. Skilled white-hat hackers can help identify vulnerability in cybersecurity protocol in two ways: They can show security professionals where their human-error-driven weak points are, so they can modify or increase training, and they can teach an AI-based system what it looks like when the first lines of defense have failed.
In other words, before machine learning can help smart lighting defeat a hacker, it helps to first have an ethical hacker hack the lightbulb to learn where it’s vulnerable.
How to Hire an Ethical Hacker
As ethical hacking becomes an increasingly accepted profession within the field of cybersecurity, it’s increasingly easy to hire one for your own purposes. However, there are several things you should look for, or decide upon, before hiring a white hat hacker.
- Pick a proven pro. It’s easy for a young hotshot to claim to be an ethical hacker, and perhaps they truly are a savant, but you shouldn’t chance that. Look for hackers and firms with proven records of success for clients willing to discuss their work. And check references.
- Align skills to your goals. Starting with what you want tested, evaluate the skills and experience of your hacker against these goals. For example, is this a web app test, general security test, are you testing endpoint protection, employees’ ability to resist phishing emails, your ability to detect evasive and zero-day attacks, etc.
- Plan what type of test you want to run. Certain ethical hackers may specialize in one format over another, such as black-box testing vs. white-box testing, where would-be attackers know less or more about the system in question.
- If all else fails, offer a bug bounty. This perhaps may not be the most professional option, but offering a prize to someone who can successfully infiltrate your network might wind up pleasantly surprising you.
Finally, be sure to confer with your legal team about the terms of the contract you have with your white hat hacker and don’t think that you’re done just because your hacker doesn’t find anything. New attack techniques are developed constantly, and the attack surface is constantly changing. Be sure to engage white hat hackers on a regular basis to continually recheck your security.
The field of cybersecurity will always be a duel between aggressors, whether malicious or ethical, and the defensive solutions they’re seeking to defeat. Lastline knows what’s at stake and our AI-powered cybersecurity puts serious barriers in the way of any attackers; contact us today to schedule a demo and see for yourself. And then be sure to let us know how we do with your next white hat attack.