Ethical hacking, as we all know, is a process that involves structured hacking performed with the permission of the organisation in question by a “white hat” or ethical computer hacker to expose vulnerabilities in a system. Ethical hacking plays an imperative role in the cyber security industry: white hats identify and exploit known security vulnerabilities and attempt to evade security controls to gain entry into protected areas, thus helping enterprises identify their weaknesses. In an interview with Dataquest, Bikash Barai, co-founder of FireCompass, talks about the limitations of ethical hacking, the skillsets required to become an ethical hacker and much more.
DQ: Where does conventional ethical hacking fail?
Bikash Barai: Conventional ethical hacking is typically conducted on a defined target system, typically the crown jewels, i.e., known essential systems. It is typically done once or a few times a year. However, there are two critical challenges to this approach. The first challenge is that data is no longer accessible only through crown jewel systems; it could also be in shadow IT assets. Shadow IT assets are those that are not part of the asset inventory known to security teams. A few examples could be database servers created by the cloud or projects team, a pre-production system with production data or keys, etc. These assets can serve as a door for a hacker but are typically not tested as part of the ethical hacking exercise. The second challenge is that ethical hacking is typically conducted periodically on known critical assets. Periodic testing is typically yearly or quarterly for most organizations.
However, attackers are trying to attack continuously. They just need a small window of a few minutes to break in. Red teaming is ethical hacking on a much broader and more extensive scale than conventional security testing. It’s a way for security teams to first discover an organization’s attack surface and then launch simulated attacks to test blind spots, just like a real attacker would. Unlike penetration testing, it is not based on a scope of IPs/applications but is instead objective- or goal-based, meaning you can attack whatever you want to achieve the goal.
The challenge with traditional red teaming is that it involves multiple tools and manual effort, and only tests a fraction of an organization’s assets, occasionally. It is mostly manual, hard to scale, and unaffordable for most organizations. Cyber attackers have an edge because they only have to succeed once, whereas defenders need to succeed every time. On top of that, organizations are typically only able to test some of their assets some of the time, whereas hackers are attacking all assets all of the time. It is like going to a gunfight with a knife.
DQ: How are new-age technologies such as AI transforming ethical hacking?
Bikash Barai: AI is being used on both sides: defense as well as offense. Ethical hacking, which was largely a manual process two decades back, has become mostly automated today. Most of that automation is non-AI-based automation. Today a new breed of companies is using AI to transform rule-based automation into more learning-based automation. AI can be used to learn new attack patterns on its own. AI can also deliver scalability and extensibility, which is otherwise tricky with non-AI-based systems.
DQ: Are there enough skilled individuals available when it comes to ethical hacking?
Bikash Barai: Definitely not. There is a huge talent gap in cybersecurity, including that of ethical hackers. However, the answer to the scarcity is not just training more people and producing more ethical hackers. We do need more of them. We did not come out of the Stone Age by producing more stones. We invented bronze. Similarly, in our context, we need more automation and AI to solve the problem at scale. We need a combination of both automation and human skills. We need to move to an “Iron Man” age where man and machine work in perfect harmony.
DQ: What are the skillsets required to become an ethical hacker?
Bikash Barai: I am a big believer in the right mindset or traits. Skills can be acquired a lot more easily if you have the right traits. The most important traits of an ethical hacker (or of most fields) are immense curiosity, a love for learning new things, a love for breaking the norms, and the trait of seeing the edge cases. It is more like having a microscope trained to see the edge cases that normal people will miss. If such traits are there, then you can learn the skills for ethical hacking quite easily. Future ethical hackers need to have strong fundamentals because easy things will be automated. There’s enough opportunity in traditional web application security, IoT, hardware, and red teaming.
DQ: With regard to the ongoing pandemic, what kinds of vulnerabilities and threats have been witnessed? How can ethical hacking solve this problem?
Bikash Barai: The pandemic made a few significant shifts in the landscape, for example, shifting organizations to go remote. This, in turn, increased the attack surface since organizations now need to open the doors to their employees across the world. So the attack surface has now increased hundreds of times, which also includes shadow IT. Different teams are creating online assets for collaboration and execution, and many of those might be unknown to the security organization. In order to handle the above shift in terms of expansion of the attack surface and the rise in shadow IT, an organization needs the ability to discover and test its attack surface continuously.
This pandemic shall serve as a driver for the rise of automated red teaming. Red teaming is an attempt to achieve certain defined objectives with absolutely zero knowledge and zero access. It typically involves everything from discovering the attack surface (reconnaissance) to vulnerability discovery, exploitation, lateral movement, data exfiltration, etc. As an industry, we need to do what our adversary does. We need to simulate or emulate such a kind of red teaming exercise to know our “true attack surface, and its risks”. Last but not least: this cannot be a one-time exercise but must be a continuous one.
DQ: How is FireCompass helping enterprises with products or solutions to help combat such situations?
Bikash Barai: My previous startup was into the field of automated ethical hacking, which eventually got acquired. The challenge that we noticed with traditional ethical hacking is that organizations test some of the assets some of the time, whereas attackers are attacking all of the assets all of the time. Red teaming is today mostly manual with the need for multiple tools and a lot of human intervention.
At FireCompass, our vision is to help organizations discover and test their entire attack surface continuously by automating red teaming and making it continuous. FireCompass CART (Continuous Automated Red Teaming) is designed to automate red teaming so that one can achieve the breadth and depth of the process, making it scalable enough to conduct continuous proactive testing.
There are multiple potential approaches, including hardware, software, or even Software-as-a-Service (SaaS). During the CART process, an organization can search already indexed deep, dark, and surface web data using reconnaissance techniques similar to those of nation-state actors. It automatically discovers an organization’s dynamic digital attack surface, including unknown exposed databases, cloud buckets, code leaks, exposed credentials, risky cloud assets, open ports, etc.
Once an attack surface is recognized and the scope for the simulated attack is authorized, the attack engine launches multi-stage attacks on the discovered surface to identify security blind spots and attack paths before hackers do. The platform then prioritizes the risks and recommends the next steps for mitigation.