Cyber threats are increasing in both variety and number, placing ever greater demands on information security professionals who are trying to stay one step ahead of attackers. To anticipate where and how an attacker might strike next, security professionals are recognizing the importance of understanding the mind of the attacker and what they value in a target.
To gain insight on an attacker’s perspective, some argue it is useful for aspiring security professionals to engage in black hat hacking. The reasoning goes that hacking would provide professionals firsthand experience in thinking and acting like an attacker, enabling them to develop an extensive foundation in offensive maneuvering that they could then use to defend and protect. Under this model, the contributions these professionals could make to security would, therefore, outweigh the downsides of their black hat exploits.
However, whatever benefits one might derive from hacking a company, some security experts agree that any malicious computer activity that goes unreported, especially when it stems from security professionals, is counterproductive to security.
Beyond that, hacking does not in any way help security professionals become better at protecting users, a viewpoint shared by Tim Erlin, Director of Product Management, Security and IT Risk Strategist at Tripwire:
“The logic of this premise is fundamentally flawed. We don’t believe that law enforcement officers need to try out being criminals to understand how a criminal might think. Understanding the tools and techniques of your adversary is important to establishing an effective defense, but it doesn’t require an immersion into some shady underworld.”
Lane Thames, a software development engineer and security researcher with Tripwire’s Vulnerability and Exposure Research Team (VERT), is even firmer in rejecting undocumented hacking as a potential security tool.
“You want to learn how to hack, and you think it is ok to go hacking on someone’s (or some organization’s) website? Absolutely not,” Thames concludes. “This type of activity is purely malicious and should never be done without the organization’s (or person’s) permission.”
That is not to diminish the value of being able to understand the mind of an attacker. On the contrary, these viewpoints merely shift the conversation to various tools and solutions of which aspiring security professionals can take advantage without having to worry about causing harm to another company.
If a security professional is interested in learning about offensive computer measures at their own pace, they can turn to virtualization technology as a means to hack a computer system in an isolated environment.
“In a world where virtualization is freely available, there’s little to stop the average security analyst from setting up a few target systems and attacking them,” Erlin observes.
Thames is of the same mindset: “Learning the art of hacking is a good thing. Just remember that it is ‘How’ you hack that determines whether or not you are categorized as a black hat. Don’t be a black hat.”
There are also a variety of safe hacking resources open to individuals who learn better in team or group settings.
Dwayne Melancon, CISA and Tripwire’s Chief Technology Officer, explains more:
“When it comes to learning about information and system security, I love using simulations, ‘capture the flag’ events, and red team / blue team exercises as a way to understand the mindset of an attacker. They also help you practice your defenses in a more realistic environment.”
These kinds of simulations are now readily accessible at conferences and in training classes, including those offered by SANS, Black Hat conference trainings, and SensePost.
“In these scenarios, you learn a lot quickly, then take that learning back to your day job where you can apply the principles without having to engage in any questionable activities,” said Melancon.
Additionally, security professionals who are interested in learning more about hacking can seek to join a pentesting team at their workplace, an opportunity of which Irfahn Khimji, CISSP and Senior Information Security Engineer at Tripwire, is a firm advocate.
“Many companies offer penetration testing type roles where the sole goal of the team is to find new exploits. Google’s Project Zero is a great example,” Khimji observes. “Their goal is to discover and responsibly disclose vulnerabilities they find in various products. An aspiring security professional can join a role like this to get a better understanding.”
Whether one pursues virtualization technologies, simulations, or a junior pentesting position, all of these resources convey the same message: security is not a zero-sum game. A security professional might derive some benefit from hacking a company. However, the losses borne by the victim would not only outweigh those benefits; they would also undermine the role of the security professional as one who can be trusted to protect users online.