While more companies are investing in beefing up their IT security, most cybersecurity practices are still reactive in their nature, relying on software tools to identify when a breach has happened – or been attempted – and then responding accordingly.
But as cyberattacks continue to increase in frequency and sophistication, it is clear that businesses need to take a more proactive approach to countering cybersecurity threats. Ethical hackers are being sought out to help businesses identify potential threats and weaknesses in their networks before an attack can occur, effectively working against cyber criminals to beat them at their own game.
“No matter how much budget you devote to cybersecurity tooling alone, you need a human element,” says Haris Pylarinos, CEO of ethical hacker training platform, Hack the Box.
Pylarinos, a former ethical hacker and pen-tester with over 15 years of experience in IT and cybersecurity, argues that typical approaches to cybersecurity are limited in that they aren’t reflective of the methods and techniques hackers use for cyberattacks.
He firmly believes that the best defence is a strong offence. “You have to think and act like the attacker in order to find all the ways, no matter how creative they are, of gaining unauthorized access to your systems,” he tells ZDNet.
While cybersecurity training programmes can improve organizational awareness of and resilience to cyberattacks, they do not typically provide the sort of hands-on experience that allows security teams to get into the mind of adversaries, says Pylarinos, or dedicate time to stress-testing corporate networks for flaws that could be exploited by hackers.
That’s where ethical hackers come into the picture. “They are mimicking this behaviour, they are finding those holes that no tool is able to find,” he says.
Public sector bodies are also beginning to recognize the value of ethical hacking. In May 2022, the UK Government Cabinet office put out a job ad for a senior ethical hacker to help deliver penetration testing and red-teaming capabilities for the government, and take responsibility for “simulating offensive cyber tools and techniques.”
“I presume, like most organisations, they recognise the critical need to adopt a hacking mindset in today’s high-threat environment,” Pylarinos offers. “That’s the only way to stay ahead of the criminals and it’s to be welcomed.”
Despite this, the profession remains something of a niche. The closest thing most organizations have to ethical hackers are penetration testers (pen testers), whose job is to probe specific parts of a company’s IT environment to uncover and disclose any vulnerabilities.
In reality, ethical hacking comprises a much broader role. They will use all the tools and techniques at their disposal to stage attacks and test weaknesses across multiple parts of the IT environment, much as a criminal hacker would.
“Generally speaking, for me, a pen tester describes what someone does – a cybersecurity professional who focuses on ways to break into networks,” explains Pylarinos.
Ethical hackers needn’t be cybersecurity professionals, either: “If one developer in a team thinks like an ethical hacker, they can often spot the security vulnerabilities before they happen.”
Of course, hiring and training people to be ethical hackers remains a significant obstacle, not least because there is a massive shortage of available talent.
Again, Pylarinos points out that ethical hackers needn’t be cybersecurity people – although they do need to be highly tech-savvy and share some of the traits that make hackers good at what they do, he says.
“Evaluation of technical skills should take priority in the recruitment process, but the good news is they’re often easiest to evaluate,” says Pylarinos.
“This allows hiring managers to gauge hackers’ knowledge of the latest exploits and attack vectors across new tech solutions and platforms being used by organizations and businesses today, such as cloud expertise.”
An innate curiosity for how things work – which “signals the candidate will be able to spot vulnerabilities easily, and at speed” – as well as soft skills like communication, influence and teamworking ability are also core traits, according to Pylarinos.
The best ethical hackers have an ability to clearly communicate and accurately express the severity of different situations, he says. “The counsel they provide, as well as their suggestions for actionable ways to mitigate issues, requires immediate trust and buy-in from the wider team to make the difference in a fast-moving, high-pressure work environment.”
Training people to be ethical hackers also carries unique considerations, in that it requires a safe technical environment where trainees can test out different techniques and scenarios. “You can’t just go and ‘hack around’,” Pylarinos notes. “It’s illegal and you can cause damage.”
Companies can create and build their own sandbox test machines and networks, with real-world, built-in vulnerabilities, where teams can develop their skills in a safe environment where code can be run securely – or use environments that are already available.