The cybersecurity threat landscape has never been more complex. Employers are in the midst of a difficult talent shortage. Oh, and it seems we’re headed into an economic downturn. With all this volatility and uncertainty, CISOs and other security team leaders are challenged more than ever to invest in the right people and technology to remain as proactive and agile as possible.
When it comes to personnel, a critical hiring decision for the modern security team is whether to employ in-house hackers. These ethical hackers (aka, “white hat” hackers) can include a range of individuals who possess the skills to conduct some type of penetration testing, be it on your applications, devices, and/or services, without the ill intentions of their malicious “black hat” counterparts. Ethical hackers may also commonly work as red or purple teamers—I know, it’s a lot of colors.
Ethical hackers also come from a range of backgrounds. There’s no one set place to go looking for them. While there are some institutions that provide certifications or offer courses, these are typically general in nature and may not apply to your needs. Also, a certification does not necessarily indicate the innate skills of each individual ethical hacker.
Know What You Need
First and foremost, you should seek an individual with a firm understanding of the specific software or services they’ll be hacking, and they’ll also need to demonstrate familiarity with the right tools to execute said attacks. The more experience the better, generally speaking, but be prepared to pay a lot more for a veteran ethical hacker’s services—and be prepared to deal with someone more set in their ways and less inclined to try novel approaches.
Ethical hacking is about breadth and depth. Some hackers are limited to surface-level attacks but can deliver a broad range of capabilities. Other hackers are hyper-specialized in certain types of advanced attack methods. If you specifically want to test your applications, find an ethical hacker well-versed in that realm. If you’re looking to pen-test a variety of systems and devices across your environment, then you’ll want to seek more of a generalist.
Before you even begin interviewing candidates, do your diligence. Seek out information about the candidate in online forums and explore their experience in your domain so you can determine ahead of time if they’ll be a good fit for the tasks at hand. Don’t ever take them at their word, and if possible, put their skills to the test before you extend a job offer. And when you do interview prospective ethical hackers, favor those candidates who have come prepared themselves with a decent understanding of your company and your software and/or services. This will show they have the background and interest best suited to your needs.
Occasionally, talented ethical hackers might emerge in the legit job market without the most scrupulous of backgrounds. A former black-hat hacker may possess the exact firsthand knowledge and specific capabilities you’re looking for, but can they be trusted? I advise caution in considering former black hats. Each situation is unique, but be sure to carefully weigh the pros and cons before hiring anyone with a potentially criminal cyber past. You may also want to consult your business partners in legal and HR to avoid issues after the candidate accepts your offer.
Set Clear Objectives
To prepare for day one, start by identifying your high-priority targets—those areas you know may be most vulnerable or those items you most want to ensure are as secure as possible. Next, set up a process of challenge and reward for your new ethical hacker. I suggest finding ways to gamify the environment to keep them highly motivated and engaged as they go after your top targets.
Keep things open and transparent, and don’t overstructure or constrict their activities with too many rules. Remember, the malicious actors you’re racing against will have no such limitations. If there’s one rule you should insist upon, it’s “do no harm.” Give your ethical hacker(s) the freedom to carry out their own attacks as long as those actions don’t negatively impact your business, your digital infrastructure, or the services you provide.
Allow your new ethical hacker to use the tools they’re most comfortable with. A breach and attack simulation (BAS) solution should be at the top of your hacker’s arsenal wish list. The SafeBreach BAS platform is especially well-suited for a wide range ethical hacker and red-team activities, enabling greater efficiency and safety through automated, real-time, continuous security validation. And now included in all SafeBreach subscriptions is SafeBreach Studio, the industry’s first no-code platform allowing red teamers and ethical hackers of all skill levels to create, customize, and run sophisticated attacks in a simple drag-and-drop interface.
Finally, be prepared to act swiftly upon the outcomes of your ethical hacker’s exploits. Part of this will involve ensuring your wider organization and key stakeholders are pre-aligned around the goals of your new ethical hacking exploits, with a firm process and plan in place to take action on the results.
Another part of this will be to make sure that your ethical hacker keeps a clear record of their every tactic. Like a grade-school math teacher, ask them to show their work so you can quickly address all gaps discovered in their attack path. Then after remediation steps have been taken, have them run the attack again to be certain the fixes implemented removed all vulnerabilities and that the ethical hacker can no longer successfully breach the target.
Stay tuned for more CISO-to-CISO Insights on navigating the uncertainty. Want to learn more about how the SafeBreach BAS platform helps enhance ethical hacking efficiencies? Connect with a SafeBreach cybersecurity expert today or schedule a personalized demo.