The cynic would say there are two types of motorcycle riders: those that have dropped their bike and those that will. In a similar vein, there are two types of networks: those that have been hacked and those that will be.
To defend against hacks, cyber professionals can benefit greatly from ethical hacking programs. Courses such as Certified Ethical Hacker v10 teach the learner how to think and act like an intruder in an attempt to understand the process of a cyberattack.
Don’t succumb to “data breach fatigue”
In medical practices—and especially Intensive Care Units—patients in distress may not get the treatment they need because caregivers are inundated with electronic notifications. There are just too many alarms that can distract staff. “Alarm fatigue” desensitizes caregivers who struggle to process the number of diagnostic tools designed to get the practitioner’s attention.
We, as a community, regularly hear about data breaches that affect hundreds of millions of victims—or more. Whether it’s Equifax, Marriott, Twitter, Yahoo, Uber, MyFitnessPal.com, T-Mobile, Cathay Pacific or British Airways, we have perhaps become desensitized to massive data breaches. But defenders and security professionals can’t afford to succumb to “data breach fatigue.” One “oh crap” moment wipes out all the “atta boys” that preceded it.
Whether we are defending against competitors, nation-states, rivals, cybercriminals, or just joy-riders, we need to know how adversaries think and operate. Attackers have a huge range of motives from fun-and-profit, to transnational espionage, to political and philosophical motivation, to just being “nasty.” Quoting Sun Tzu, the late sixth century BC general:
“Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Knowing the enemy has its benefits. Enter the world of ethical hacking.
From countermeasures to offensive security
The late comedian George Carlin regularly made fun of oxymorons. (“The term Jumbo Shrimp has always amazed me. What is a Jumbo Shrimp? I mean, it's like Military Intelligence—the words don't go together, man.”)
Some view ethical hacking as an oxymoron. As you please. Feel free to pick another euphemism: penetration testing, tiger (or red) teaming, etc. Whatever you call it, it’s important.
Cybersecurity author Bruce Schneier says good engineering is about making things work. Good cybersecurity is worrying about how they break. And that kind of thinking isn’t natural to most of us.
Hacking isn’t all bad. Writing an elegant and efficient piece of code is a good hack. Preventing a data breach by finding a vulnerability before attackers exploit it is great. Whether the hack is a taxi driver or a writer, having a good one at your disposal makes life much more pleasant. I’m a hacker and I’m proud.
Three phases of hacking
We can think of the process of hacking in three phases:
Reconnaissance uses internet resources and publicly available information. These include search engines, websites, domain and internet registration information, and a healthy dose of social engineering. Called footprinting or open-source intelligence (OSINT), the goal is to build a view of the target organization and its staff.
Next, we scan the networks for interesting systems, their applications, operating systems and platforms, and their vulnerabilities. This helps build a portfolio of the environment. We document and catalog the systems and their vulnerabilities. Lastly, we enumerate the systems to catalog user names, services and as much about the systems’ security as we can.
The more thorough the understanding of the victim environment, the easier the next step becomes.
System and network hacking allows us to penetrate the network. Often, the easiest way in is to exploit weak passwords chosen by naïve users, or to break in using similar techniques. Good cybersecurity practice says that people should work from a regular (non-administrative) account, so an intruder who gets in through such an account must then escalate their privilege on the systems and the network.
Privilege escalation is necessary because most hacker software will require installation—something only an administrator can do. This software may provide remote access, in which case it is often called a Trojan.
Finally, hackers deploy anti-forensic techniques such as log manipulation. The hacker may also deploy cloaking software called “rootkits” to hide their presence and the files they may be using. Using encrypted files and network communications also serves to obfuscate the attacker’s activity. Another frequent anti-forensic technique, “steganography,” involves using a visible or audible carrier in which the attacker embeds the payload so that it remains hidden in plain sight.
These anti-forensic tools and techniques serve two purposes: first, to evade detection during the crime, and second, to make it difficult to carry out post-incident analysis.
Security systems, such as intrusion detection systems (IDS) and network firewalls, are designed to limit the flow of information and block inbound and outbound access. Bypassing these systems allows easier infiltration and exfiltration.
Get trained to think like a hacker
After the fundamentals, Certified Ethical Hacker (CEH) adds other tools to the hacker toolbelt:
- Network eavesdropping (sniffing) and session hijack
- Web and database hacking
- Malware and denial of service—all safely done in the lab environment
- Evasion and bypassing defensive mechanisms
The Certified Ethical Hacker program has matured over nearly 20 years. Versions 1 to 3 were “Kinko’s Specials”—three-holed paper in a white binder. Version 4 introduced perfect-bound books and that continues today. Beginning with version 7 through today’s v10, the courseware simply contains the slides. There are also downloadable versions that include text should students choose to read the course authors’ words. Labs have also migrated from custom in-classroom environments to cloud-based. This allows 24-hour access and the students can use the lab platform for up to six months after the class.
The certification exam has also morphed from a single test to add the CEH Practical exam. Achieving both earns you the title of CEH Master.
But remember, the emphasis is on the “ethical” part of hacking. Only use this for good and not for evil. Beware the dark side of the hacker force, my Padawans!