How Old-School Hackers Are Enabling the Next Generation of Offensive Security Professionals

November 21, 2019
| |
6 min read

As an industry, cybersecurity has come a long way since it first started in the late 1990s. Back then we didn’t have degrees in cybersecurity from prestigious colleges, because they didn’t exist. Most of us were just “hackers.” Fast-forward to today, and many of the industry’s founders, those same hackers, are leading security programs for some of the largest companies in the world.

However, despite hackers’ successes, we’re still being mistaken for criminals in hoodies, hanging out in basements, aggressively typing code and stealing passwords in the dark. This misconception has helped keep the security skills gap as wide as ever and has left veterans, like me, to fight against this stereotypical delusion.

Hackers Aren’t the Bad Guys You See on TV

As my colleague Charles Henderson noted in his recent piece for The New York Times, most hackers aren’t criminals. “Professional hackers work to keep people safe by finding security vulnerabilities before criminals do,” he explained.

There are a ton of misconceptions about hackers. In popular culture, news and media, we’re seen as the bad guys prowling the dark web and taking part in any and all malicious behavior. But as Charles explained, just because we have the ability to engage in crime doesn’t mean we partake. Locksmiths have skills that could be used for bad, and yet people don’t think all locksmiths are bad guys. Not everyone understands that most of us, who have been hacking for decades, have been doing so for good — to not only help organizations but to help everyday citizens as well.

In 1992, a group of hackers launched L0pht Heavy Industries in a warehouse in Boston. L0pht was a hacker think tank that gave us the opportunity to work on the projects we wanted to take on with like-minded people.

In 1998, as members of the L0pht, we found ourselves testifying in front of Congress and urging the U.S. government to better protect the internet. We exposed some of the flaws we had seen in the hopes that something would be done and that things would start to get fixed. Now, would a criminal do that? Our group hacked with passion, but with the greater good in mind, so it’s disheartening to see what the word “hacker” still means to so many people today. Even more upsetting is that these misconceptions are now keeping the next generation from entering the offensive security workforce.

Where’s the Offense?

While the wider security industry is expected to see a shortage of nearly 2 million professionals by 2022, according to a report from The Center for Cyber Safety and Education, (ISC)² and others, offensive security is bound to see the largest deficit.

When you look at the industry as two major categories of offensive and defensive security, the gloom and doom that surrounds the term “hacker” on the offensive side can lead most up-and-coming talent to pursue careers in defensive security. We see a lot of colleges and universities actively building cybersecurity programs to train the next generation of cyber experts, but many of those programs only teach the defensive side of security and forget about the offensive side, lest they be accused of teaching evil hackers.

While defensive security and incident response are incredibly important and fantastic fields to break into, my hope is that the next generation also learns to understand the importance of offensive security. Moreover, even defensive security professionals need to build an offensive understanding and skillset to excel in the field. Those who understand offensive techniques are better equipped to defend against them.

Defending against cyberattacks is a team effort, and while it may sound backwards, offensive teams are actually the first line of defense, getting ahead of attackers by pointing out flaws and weaknesses that could be openings for criminals before they even have the chance to attack. Of course, responding to attacks is necessary, but preventing those attacks in the first place is even better.

X-Force Red, IBM Security’s team of hackers, operates under the motto, “Hacking Anything to Secure Everything,” based on the knowledge that red teams are hackers themselves and know how criminal hackers operate. Red teams are better positioned to adopt the same mindset as an attacker’s and can intercept potential threats by discovering what’s hackable before criminals do. They use their specific knowledge to keep the public safe from criminals who most closely mimic those manic cybercriminals you might see in pop culture.

The Need for Pen-Testers

Among personnel shortages within the offensive security domain, we’re specifically seeing a lack of penetration testers — aka pen-testers. According to ESG, 23 percent of organizations reported having a shortage of pen-testers, and the practice is listed fourth among cybersecurity skills that are seeing the largest shortage.

This is a surprising finding considering the importance placed on pen-testers, as they provide an invaluable set of offensive skills that can allow them to break into systems and seek out potential threats to ensure security methods are working as they should be. This can all be done before criminals even launch their attacks.

Now, the idea of paying someone to break into your systems might sound suspicious, but this step is essential to ensuring you know your security flaws and what needs to be fixed before it is taken advantage of. However, outdated and frightening perceptions of hackers make the idea of onboarding one to perform these tasks a scary one, which could be one of the factors leading to an underrepresentation of pen-testers in the industry.

Collegiate Pen-Testing Competitions

To answer this call for pen-testers and professionals in the wider offensive security field, the Rochester Institute of Technology (RIT) launched the Collegiate Penetration Testing Competition (CPTC) in 2015. The CPTC shines a light on the importance of offensive security by providing young professionals with a platform to showcase their pen-testing skills, an opportunity they would normally need to procure on the job.

RIT recognized that students need the chance to gain hands-on experience and learn about security beyond what can be learned in the classroom. More than half of today’s hiring managers cite one or more hands-on and credible penetration-testing certifications as the top item they look for when recruiting for jobs in the field, as reported by EC-Council.

The competition, now in its fifth year, simulates a real-life scenario in which each participating team responds to a Request for Proposal and delivers a penetration test. They are then tasked with providing a report accompanied by an in-person presentation of their findings to an expert panel who then determines the winner.

While the technical portion of the competition serves as an incredible resource for students, the report writing and presentation portions are just as important. Being able to adopt soft skills and perform tasks such as drafting proposals, initiating communications and giving presentations is essential for cybersecurity professionals looking to break into the field. Being able to properly communicate risks found during a test to corporate management is one of the essential steps to ensure a client properly understands and handles potential threats.

Hackers Giving Back

IBM has served as a premier sponsor for the CPTC since its start, and while the competition benefits from our infrastructure support, servers, cloud, volunteer resources, funding and IBM Security experts, our team of hackers at X-Force Red also benefits from this collaboration.

I’ve been helping with the competition for the past three years — judging, offering insights to participants and even acting as part of the scenario for this year’s regional competition. Through working with the event, my colleagues and I are able to interact with up-and-coming offensive security stars in real time. We can coach them, offer them real-life anecdotes from our experience, stress the importance of the work they’re doing and help jumpstart their careers.

It’s this work that I believe spreads the proper narrative, the story of what most of us hackers really do — help the public. Assisting in young people’s careers is especially important to me because I also head X-Force Red’s internship program and, through the CPTC, we’ve been extremely successful in securing top talent with hands-on experience that would be much harder to find on our own. Being able to witness these students demonstrate their skills, giving them the chance to gain experience among other professionals, and seeing their passion for the industry firsthand is an incredible advantage for us as we look to garner talent for everything from internships to full-time positions.

Launching full-scale internship programs, participating in competitions like the CPTC, and taking the time to spread knowledge and the true story of hackers are small steps toward a larger mobilization that needs to happen among my fellow longtime hackers.

I believe that we need to not only be denouncing negative connotations around our practice, but also taking positive action in introducing the importance of it and welcoming the next generation of hackers. The industry has changed since that congressional testimony from L0pht almost 30 years ago, and it’s important for us to pass the torch to individuals with that same passion for keeping the public safe as we move into the future.

Learn more about X-Force Red and our penetration testing services
Space Rogue
Global Strategy Lead, IBM X-Force Red

With more than two decades of experience, Cris Thomas (aka Space Rogue) commands an uncanny ability to link disparate events, read between the lines and dist...
read more