Ethical hacking is done by organizations for their crown jewels. The frequency of this mostly once a year or at most twice. However, this approach has a couple of challenges.
Challenge No 1 – While the focus is mostly on the crown jewels, the real data is not just accessed through the, data could also be in the form of shadow IT assets.
Shadow IT assets are those which are not a part of the asset inventory that the security teams gatekeep. Some of the examples could be database servers created by the cloud or projects team, a pre-production system with production data or keys, etc. These assets can serve as a door for a hacker but are typically not tested as a part of the ethical hacking exercise.
Challenge No 2 – As mentioned before, ethical hacking is done once or twice a year, it’s periodic in nature. Whereas, threat actors are trying to attack continuously. They really need a small window or one lucky day to break in.
Red teaming is an ethical hacking exercise but done on a much broader scale than conventional security testing. It involves first discovering an organization’s attack surface and then launching simulated attacks to test blind spots – just like a real attacker would do. It differs from penetration testing on the basis that is not based on the scope of IPs/applications instead, it looks at objectives. It is a goal-based exercise which means you must attack everything to achieve the goal.
However traditional red teaming comes with its own share of challenges. It involves multiple tools, manual effort and ends up testing only a fraction of the organization’s assets and that too occasionally. It’s also hard to scale and unaffordable for most organizations.
The advantage that cyber attackers have is they just need to win once, whereas defenders need to win everyday. On top of that, Organizations are typically only able to test some of their assets, some of the time, whereas hackers are attacking all assets all of the time. It is like going to a gunfight with a knife.
New Age AI And The Changing Nature Of Ethical Hacking
AI is something that is being used by both sides, the good guys and the bad guys. Two decades back ethical hacking was a manual process but today it is mostly automated.
A new breed of companies is using AI to transform rule-based automation into learning-based automation.
It delivers scalability and extensibility, which is otherwise tricky with non – AI-based systems.
The State Of Talent In Ethical Hacking
There is a huge talent gap in the field of cybersecurity, including that of ethical hackers. However, the answer to that is not training more and more people. The fact that we did not come out stone age by carving more stone, but figured a way to use bronze. Similarly, in our context, we need more automation and AI to solve the problem at scale. We need a combination of both automation and human skills. We need to move to an “Iron man” age where man and machine work in perfect harmony.
Skillsets For An Ethical Hacker
What we need right now are the right mindset and traits. Skills can be acquired if you have the right traits. The main trait of an ethical hacker is to have curiosity. Followed by a love for learning new things, a love for breaking the norms, and traits to see the edge – cases.
It is more like having a microscope trained to see the edge cases which normal people will miss. If such traits are there, then you can learn the skills for ethical hacking quite easily. Future ethical hackers need to have strong fundamentals because easy things will be automated. There’s enough opportunity in the traditional web application security, IoT, Hardware, and Red team.
Changing Trends In Vulnerabilities And Threats Pertaining To the Ongoing Pandemic - Solving The Problem With Ethical Hacking
The pandemic made a few significant shifts in the landscape, for example, shifting organizations to go remote. This, in turn, increased the attack surface since organizations now need to open the doors to their employees across the world. So the attack surface has now increased hundreds of times, which also includes Shadow IT. Different teams are creating online assets for collaboration and executions, and many of those might be unknown to the security organization.
In order to handle the above shift in terms of expansion of attack surface and rise in Shadow IT, an organization needs the ability to discover and test its attack surface continuously. This pandemic shall serve as a drive for the rise of automated red teaming. Red teaming is an attempt to achieve certain defined objectives with absolute zero knowledge and zero access. It typically involves discovering the attack surface ( reconnaissance ) to vulnerability discovery, exploitation, lateral movement, data exfiltration, etc. As an industry, we need to do what our adversary does. We need to simulate or emulate such a kind of Red teaming exercise to know our “true attack surface, and its risks.” Last but not least: this cannot be a one time but a continuous exercise.
FireCompass Helping Enterprise To Combat The Problem
The challenge that one notices with traditional ethical hacking is that organizations test some of the assets some of the time, whereas attackers are attacking all of the assets all of the time. Red teaming is today mostly manual with the need for multiple tools and a lot of human intervention.
At FireCompass, the vision is to help organizations discover and test their entire attack surface continuously by automating Red Teaming and making it continuous.
FireCompass CART (Continuous Automated Red Teaming) is designed to automate red teaming so that one can achieve the breadth and depth of the process to make it scalable to conduct continuous proactive testing. There are multiple potential approaches, including hardware, software, or even Software-as-a-Service (SaaS).
During the CART process, an organization can search already indexed deep, dark, and surface web data using similar reconnaissance techniques as nation-state actors. It automatically discovers an organization’s dynamic digital attack surface, including unknown exposed databases, cloud buckets, code leaks, exposed credentials, risky cloud assets, and open ports, etc. Once an attack surface is recognized and the scope for the simulated attack is authorized, the attack engine launches multi-stage attacks on the discovered surface to identify security blind spots and attack paths before hackers do. The platform then prioritizes the risks and recommends the next steps for mitigation.
Author – Bikash Barai, Co-Founder FireCompass
*Note – You will find a similar version of this article in Dataquest Magazine