The Hacker Rainbow
Hackers are commonly divided into three hats: white, gray and the infamous black. These colors serve as broad labels describing the extensive spectrum in hacker communities — from the good (white), to the bad (black) and those who fall somewhere in between (gray).
Generally, white-hat and black-hat hackers do similar tasks. Both target applications, networks, computer systems, infrastructure and occasionally even people; often, both camps use the same tools and resources. But their work is not completely homogeneous, differentiating on some major points — including motivation, permission, legality and time.
A white hat is commonly employed or contracted to carry out an attack under explicit permission and clear-cut boundaries. The goal of white hats’ work is to research, find and test vulnerabilities, exploits and viruses in their defined targets. The findings of these professional engagements is reported directly to the target to enable them to fix any holes and strengthen their overall security posture. White hats are also sometimes involved in developing security products and tools.
In the professional landscape, white hats work under the pretense of multiple job titles — security engineer, security analyst, ethical hacker, penetration tester, security researcher, etc. Some organizations and individuals may stray away from explicitly using the term hacker because of its perceived negative connotations. Conversely, others choose to embrace the hacker terminology. For example, the Certified Ethical Hacker (CEH) is a popular professional certification, while Black Hat is a renowned security industry conference. In a different context, hacker may also describe developers who rapidly create software or hardware at hackathons.
As part of their employment, white hats may specialize in a specific area of cybersecurity. For example, my team and I at the IBM Ireland Lab work solely in penetration testing Web and mobile applications. This enables us to focus our security expertise, threat intelligence and analysis quality at the application layer. In the course of testing, application security engineers may even be invited to review source code for insecure programming practices.
Other important areas of expertise for security professionals include networks, malware and even social engineering. Regularly, a white hat will function as a de facto consultant inside an organization, advising executives and developers on risk management, threat modeling, planned implementations and other security issues.
Gray hats, as the name suggests, are more ambiguous in their definition. Their work may be classified as leaning toward good or bad on the spectrum depending on your perspective.
The term gray hat is sometimes used to describe those who break the law but without criminal intent. This definition may include cyber vandals who deface websites and so-called rogue security researchers who publicly share discovered vulnerabilities without notifying or receiving prior permission from their targets.
In contrast, black hats cause great intentional damage and profit at the expense of their targets. These hackers are responsible for directing attack trends and inversely stimulating work demands in the white-hat market through harmful, illegal online activities.
This darker side of the hacker spectrum can be further subcategorized into different camps: cybercriminals, cyber spies, cyber terrorists and hacktivists. What motivates this diverse assortment of black hats? A huge array of incentives and goals strongly attract hackers — including money, bragging rights, revenge, media attention, advancement of their beliefs, the pursuit of valuable data and even pure amusement.
Malicious actors may not always be operating externally from their victim. Research suggested that the insider threat within an organization’s networks and premises, including from current or former employees and contractors, is responsible for a large portion of successful hacks.
To carry out attacks, black hats may develop their own malicious tools but will frequently employ or repurpose existing white-hat software. Often, the bigger the challenge the target presents, the greater the satisfaction or payoff. No individual, corporation or organization is 100 percent secure; complete immunity from highly determined hackers is nonexistent.
In the Shadow of the Web: How Black Hats Operate
Black hats capitalize on a diverse assortment of private and public means to communicate and collaborate. In search of recognition and self-satisfaction, some prolific hackers take to social media sites to publicly boast of their exploits, embarrass their targets and expose poor security practices. Others may choose to communicate in cryptic hacking communities and legally dubious forums — many of which can be found on the fringes of the surface Web, accessible with a simple Google search.
These social platforms often simultaneously serve as a public square, university and marketplace. Data, knowledge and software are the primary commodities; the exchange of exploits, malware, information, tutorials and tools are common among members. Many individuals also sell their skills as a hacker for hire, offering to attack any specified target in exchange for a fee. Reputation and notoriety play a meaningful role in defining the social currency and culture of these unique ecosystems, determining an individual’s trustworthiness and respect.
Outside of the visible surface Web, shady actors also conduct business in more covert channels, including the Dark Web, private encrypted chats or even offline meetups. These underground mediums provide some privacy for illegal activities, helping to hide the identity of active black hats from watchful law enforcement.
The bad guys can choose to go it alone, but many collaborate in tandem with others. Contemporary hacking teams have successfully secured the widespread attention of the international media and technology community for their sophisticated attacks against victims spanning multinational corporations, news organizations, governments and famous individuals.
There are clear benefits to black hats collaborating. Multiple minds are nearly always better than one, producing bigger, better and badder hacks. However, there is also real danger associated with this close collaboration, such as the risk of exposing the collaborators’ identities.
In 2011, U.S. hacker Hector Monsegur — once more commonly known under pseudonym Sabu — was arrested and charged for his activities. Sabu had been an influential leader of hacking group LulzSec, directly involving himself in an estimated 250 malicious attacks on private and public entities and causing over $50 million in damages. As part of his custodial cooperation with the FBI, Sabu revealed the identities of several other members from his black-hat alma mater, which resulted in multiple prosecutions across the globe.
Response Team: White-Hat Hackers Are Go
Organizations and businesses need to know their enemy. They must understand and adopt the mindset of malicious actors to proactively protect and defend their products, infrastructure and assets.
White hats are often required to mimic or replicate black hats’ attacks. To accomplish this, ethical hackers must keep their fingers firmly on the digital pulse of emerging technologies, vulnerabilities, threats and attack vectors. Even with the greatest effort, it is a constant challenge for security professionals to stay ahead of the curve and protect against innovations from complex black-hat networks.
Some security professionals, along with researchers and law enforcement, opt to monitor shady online hacking ecosystems to explore the cutting-edge attack trends, tools and threat landscape. However, despite the benefits of learning through direct connections to the dark side, it is imperative that white hats understand precisely where the fine ethical and legal lines exist in their work.
In my role as a security engineer, I always opt to demonstrate a vulnerability without going the (frequently unnecessary) whole nine yards, which could risk damaging a system or compromising sensitive customer data. A black hat does not normally bear that ethical responsibility. Malicious hackers are often predisposed to behaving destructively or dangerously in their attacks unless they have a reason to operate more covertly.
Bug Bounty Programs: Crowdsourced Collaboration
There has been a surge in organizations incorporating open bug bounty programs to outsource part of their security assessments. These popular initiatives are an excellent example of fruitful white-hat collaboration.
The objective of bug bounty programs is to invite the security community to hack an organization’s products and assets within defined boundaries, encouraging the participants to responsibly disclose any findings to the target owner. This offers security students, enthusiasts and professionals a chance to legally and ethically hack real-world targets using methods normally employed by black hats.
In return for reporting security issues, hackers are bestowed with formal acknowledgment, swag or money. Where applicable, monetary awards typically function on a sliding scale, awarding as little as $200 for small bugs to as much as $100,000 or more for a critical zero-day vulnerability. Alongside this income, bug bounties offer participants around the world an opportunity to hone their skills, boost their industry reputation or even find employment. Hackers may choose to work independently on bounties or collaborate with others to increase their coverage and effectiveness.
Advantages for Organizations
The chief difference between typical security consultancy and bug bounty programs is that participants in bug bounty programs are not directly employed by the target. For businesses, this economic advantage means they generally are only required to pay out per vulnerability disclosed or, depending on the bug and program terms, sometimes not pay at all. This crowdsourced approach is in stark contrast to the time-based status quo adopted in formal penetration testing engagements. In the security industry, there are benefits to both methods.
Crucially, bug bounty programs offer businesses and organizations a decisive opportunity to preemptively fix a disclosed vulnerability that may have otherwise persisted unknowingly, risking future malicious utilization by a black hat-hacker in an attack.
Facebook, Google, Yahoo, Mozilla and many other substantial players have successfully adopted bug bounty programs. This positively impacts their ability to keep their products, infrastructure, assets, employees and customers secure. In a recent example, a participant from Facebook’s bug bounty program discovered a malicious backdoor in the company’s systems that had been used by a black-hat hacker to log Facebook employees’ credentials.
Bug Bounty Considerations
For CISOs considering the establishment of a bug bounty program in their organizations, it is essential to ensure the program sets a specific test scope and provides clear vulnerability disclosure instructions. Organizations should also ensure their assets, systems and infrastructure are capable of accommodating a large scale of white-hat attacks.
As an additional security measure, companies may choose to prescreen and/or monitor bug bounty participants for eligibility and compliance. However, ethical and malicious hacking can be hard to differentiate from an intrusion detection perspective since both types essentially follow and exhibit similar, if not almost identical, attack footprints.
Likewise, those participating in bug bounty programs must understand and strictly follow any rules or stipulations set by the target owner. These boundaries protect both the business and the security researcher. Many guidelines will mandate that participants don’t exploit any vulnerabilities found and avoid sharing their findings publicly. A violation in the terms of the bug bounty program may result in the hacker not being recognized for the work or even legal prosecution.
Behind Enemy Lines
Black hats sometimes collaborate with governments and law enforcement, albeit generally as part of a plea to reduce jail time. Black and gray hats may also decide to collaborate or anonymously share information with whistleblowing organizations and journalists.
However, direct collaboration between white-hat and black-hat hackers is generally unheard of. As a rule, white hats working in tandem with black hats would risk their employment and reputation. Yet hackers of all colors and inclinations indirectly collaborate by wielding the same resources and tools in the course of their work.
For example, both white-hat and black-hat hackers benefit from publicly known security vulnerabilities in products and technologies, which are referred to as Common Vulnerabilities and Exposures (CVEs). These vulnerabilities are often the results of internal security assessments, bug bounty programs or responsible disclosures from a third party.
Normally, after a patch has been released, a CVE report is published describing the affected vulnerability — its severity, impact, mitigation techniques and more. These reports and other data on known vulnerabilities are available for all to see, including on sites such as Exploit Database, CVE Details and the National Vulnerability Database (NVD).
For IT professionals, CVEs can be used as a checklist in maintaining their assets and overall security posture. Meanwhile, shady hackers can harness this same information to attack the many unpatched systems in the wild. A plethora of tools exist to automate this hacking using the ever-expanding back catalog of known vulnerabilities, including cutting-edge exploits scraped from CVEs. While not always a graceful or clever way to hack, these automated tools can nevertheless be applied successfully for both good and bad purposes.
Occasionally a hacker will switch camps in the course of a career. There are copious cases of former black-hat hackers turning good and vice versa. Unfortunately for many recently reformed black hats, companies and organizations are often unwilling to employ their services because of their perceived tainted past in spite of their evidently valuable talent and experience.
A Look to the Future
White hats play a valuable role in any organization. They respond to malicious activity and raise the baseline defense of products, assets and infrastructure against attacks. Despite these small victories, it is a constant cat-and-mouse game between the white-hat and black-hat communities. This escalating digital arms race is pitched against the context of a growing enterprise demand for penetration testing, audits and data security compliance, as well as a global shortage in security graduates and IT personnel.
There are still lessons to learn from the complex, antagonistic relationship between the black-hat and white-hat camps. This evolving reality is dramatically shaping the cybersecurity space, presenting a pressing challenge that organizations, businesses, governments and educational institutions must all understand to solve.