It was none other than Michael Corleone who in the second Godfather movie uttered this oft-repeated line: “Keep your friends close and your enemies closer.” This line offers a relevance that extends beyond the movie’s recounting of an organized crime family. When you have adversaries out to inflict harm, it pays to have them close, so you can see what they’re doing and potentially plotting.
But how do you apply this concept in the world of cyber security, where a cyber attacker may just as well be down the block as on another continent? For many security leaders, the answer has been to employ “white hat hackers.” What are white hat hackers and how do they differ from the actual hackers that we’ve come to know and loathe? In this post, we’ll offer a high level look at what white hat hackers do, the tactics they employ, and some of the limitations they present.
White Hat vs. Black Hat: What’s the Difference?
White hat hackers use their skills to help protect against attacks. They work to proactively find security weaknesses so they can be fixed before attackers exploit them. Malicious, or “black hat,” hackers are the ones looking to take down networks, steal data, or compromise systems.
What do White Hat Hackers Do?
Most commonly, white hat hackers are employed by specific businesses. These experts then set about identifying weaknesses and helping to improve security.
To safeguard services and assets against attack, white hat hackers are often behind the scenes, thwarting attacks in real time. In addition, they can be focused on cyber threat analysis, exposing weaknesses to try to help guide and prioritize vulnerability remediation.
White Hat Penetration Testing
In the enterprise security arena, white hat hackers have traditionally offered penetration testing (widely known as pentesting) services. In typical pentesting engagements, white hat hackers are hired by organizations that are looking to bolster their defenses. These white hat hackers then seek to hack into their client’s networks. In some cases, they may be given a narrow charter to try to attack specific assets, such as private networks, applications, and endpoints. Alternatively, they may be given a broad mandate to uncover security gaps, wherever they may be.
By using talented hackers to find gaps, security teams can better test their defenses. In this way, these teams are better positioned to eliminate gaps and strengthen their defenses—before a real attack happens. Based on the insights a white hat hacker uncovers, teams may need to establish new policies, update or change configurations, or update or replace tools.
Using real attack techniques to proactively find weaknesses is the best and only way to truly prove the effectiveness of security defenses. White hat hackers often use the same tools and techniques as their black hat counterparts. The techniques employed can range from simple public “rootkits” with documented approaches, to complex and sophisticated campaigns that may include social engineering, exploiting endpoint vulnerabilities, presenting attack decoys, spoofing protocols, and more.
The Limitations of White Hat Hacking
If you consider security as a battle between a white hat and a black hat hacker, the folks with the white hats have several disadvantages and limitations. Following are a couple of key limitations:
- Limited time. Ultimately, there’s one huge difference between white hat and black hat hackers: time. In short, malicious hackers have a lot of it; white hat hackers don’t. Once hired, a white hat hacker may have a day or up to a few weeks to do their work and deliver their findings. Fundamentally, these individuals are limited by cost, time, and staffing concerns. On the other hand, black hat attackers are relentless. These actors have been known to take years to successfully execute campaigns. This gives attackers a major advantage: they can try hundreds of different attack techniques—and keep trying—until they successfully breach their targeted networks.
- Limited testing scope. White hat hackers are often reliant upon pentesting, focused on infiltrating a corporate environment or asset. However, infiltration is only one phase of an actual cyber attack, the entire process of which is known as the “cyber kill chain.” Moving around within networks and systems, and then exfiltrating (stealing) data back out are also key parts of the kill chain. However, these efforts are not typically covered by a white hat hacker doing pentesting, often due to concerns around the impact these tactics may have on the organization.
These limitations are exacerbated by the highly dynamic nature of today’s organizations and technology environments. Quite simply, a white hat hacker’s complete investigation from last week won’t be of much assistance if a configuration error is introduced this week. Ultimately, the time and cost associated with white hat hacking are significant, which makes it difficult for organizations to employ these approaches with anywhere near the regularity that’s required. Companies that can afford penetration testing, or for whom it’s a mandatory requirement to meet compliance regulations, often only perform testing once a year. Rather than establishing continuous security, leaders are simply left to hope that their security controls will be effective against attack.
Breach and Attack Simulation: Automating the White Hat Hacker
Today, breach and attack simulation technologies are available that enable security teams to overcome the limitations of white hat hackers. These technologies build upon the talent and expertise of white hat hackers and automate their techniques. Rather than relying on a small team of humans to do cyber threat analysis in a short period of time, breach and attack simulation executes thousands of proven attack techniques at scale, continuously, and automatically. In this way, enterprises can now be as relentless as real attackers, to truly find the “unknown unknowns” in their security architecture.
Unlike traditional attack techniques, breach and attack simulation can also be 100% safe for production environments. The best solutions only run attack simulations on and between simulators, and never put sensitive data at risk. This way, even the most sensitive production networks can have security validated continuously to stay ahead of real attackers.
The SafeBreach platform safely executes real attacks in production environments to prove where security can withstand such attacks—and where it needs to be improved. The platform can do automated testing of an organization’s security architecture, using advanced, patented technology that can execute attacks safely and continuously.
SafeBreach also uses its own dedicated team of white hat hackers, called SafeBreach Labs, to build new attack techniques on a continuous basis, and maintain thousands of proven attacks. In this way, enterprises can constantly validate their security and immediately identify if gaps arise.
Learn more about the SafeBreach Labs team and their critical work here.