It’s not a crazy idea. Many organizations – including the U.S. Department of Defense, Google, Apple, General Motors and others – work directly with so-called white hat hackers. These outfits pay hackers money to find their vulnerabilities.
White hat hackers have become such an appreciated and respected resource that organizations that don’t come around to recognizing their worth will fall behind in the never-ending battle against black hat hackers.
This is the first in a four-part series of posts about threat intelligence and how hackers work non-stop to penetrate cybersecurity measures. Here, we’d like to share the thoughts of a white hat hacker we recently interviewed. Hopefully his insights prompt your company to invest even greater time and money into cybersecurity, going so far as to employ the services of white hat hackers. It’s money worth spending.
CyberInt: What’s it like on the other side of cybersecurity?
Hacker: Any criminal act that can be done in the real world can be done in the cyber world: cyber blackmail, bullying, spying, you name it. Getting access to and publishing intimate details about people’s lives, activating cameras from afar, is much easier (still) than people believe. What differs between my world and the physical world is that in the cyber world, it’s much harder to identify the criminal. Most victims will stay anonymous because they know that the chances of finding the criminal are limited and the cost of reporting a breach is very high – you can embarrass yourself and your business by acknowledging you’ve been successfully targeted by a cybercriminal.
CyberInt: What drives cybercriminals?
Hacker: For many, it’s because they are criminals. For most, they need the money. I do it for money. I move as quickly as I can without getting caught. The most common hack is for financial gain. You can hack into business offices and plant malware in the servers and sit back waiting for a blackmail payment. You can slow down a company’s website and then extort that business because their competitors’ faster websites are taking the lead. A DDoS attack is the easiest and best money a hacker can make. Ransomware – locking an individual’s computer until they pay money – is also easy. Do many of these and it’s lucrative.
There’s also prestige to be gained, the opportunity to be recognized in the hacking community for pulling off something daring and unimaginable. Aside from money, a big reputation is quite a lure.
It’s also easy work. You need only a bunch of servers and hosts and everything is under my control. I can generate traffic to anywhere I want. Sure, ethical hackers can earn money through bug bounty programs with companies, but it is small money compared with what you can gain from black hat operations. Selling user databases is the best money. You steal user details and sell them to some interested companies and individuals. They’ll use that information for great gain on online currency trading markets, like Forex.
CyberInt: How do you choose your targets?
Hacker: Attacks are usually focused and planned. The typical lead time to an attack is anywhere from two to four weeks; the money is worth the wait. Hackers can make as much as $200 per company that they hack. Money and the level of difficulty usually determine who’s going to be hacked. Some targets are chosen randomly, basically an impulsive decision by the hacker based on his behavior and past activities. But money can dictate who the target is, especially if a hacker is taking orders from online gangs and the mafia.
CyberInt: Does anything deter you from attacking, either before a hack or even midway through?
Hacker: Nothing. If it is part of my job, I will stop when I am told to stop. But you also need to think about whether you want to ruin a company or just steal enough to get money. Or you can take the long view and ask if you should keep going so you can plant something for future use. Keep in mind that hackers are always striving for knowledge and trying to bypass any mechanism that people think keeps them safe. So a hacker will sometimes keep hacking just to see how something works. We’re all looking to evolve and understand new technology. If you stand still, you go back.
CyberInt: How often do you succeed? How often do you fail?
Hacker: About 20% of companies are under constant surveillance or attack. If a hack is easy, I will go all the way. We can be a bunch of lazy buggers. We don’t want to waste a lot of time and will often only go after the easy targets. Unless, of course, I am paid to go after the heavy guns. If I was a black hat hacker, I would first do some research to understand the value of my prospect, including how much I could sell their data for.
Breaching anything is a matter of time and money. You can never really fail. It always depends on the resources that you have for the hack. Giving up is not failing. It means I don’t have the time to do it. It doesn’t mean that I failed. There is no such thing as a 100% cyber-proof company.
Part 2 of the series will cover the resources and tools available to hackers for committing their crime of choice.