UnitedHealth Says BlackCat Behind Change Healthcare Cyber Attack
Tom van de Wiele, Principal Technology and Threat Researcher, WithSecure
Ask the average person to describe a hacker, and they’ll probably default to teenagers wearing hoodies, surrounded by flashy screens with thousands of numbers, huddled in a dark room. And they’re always hacking into high-grade systems like CIA, FBI, or MI5 databases in a matter of minutes.
These stereotypical images have been perpetuated by movies and TV shows for decades, and a lot of stereotypes are still informed by movies like 1995’s cyberpunk-styled Hackers, or Alan ’s Russian criminal in Goldeneye proclaiming, “I am invincible!”
More recently we’ve had popular shows like Mr. Robot with a slightly more grounded approach to the act of hacking, but nevertheless full of pervasive stereotypes. Mr. Robot, for example, depicts a brilliant vigilante hacker, with a troubled and isolated personal life, and an ever-present black hoodie. Things have been a bit more grounded with Channel 4’s new trending show ‘The Undeclared War’, portraying a team of GCHQ analysts striving to fend off nation state cyber attackers in the run up to a 2024 UK election. But we still have a way to go to override those enduring caricatures.
It’s no surprise that, because of these stereotypes, the word ‘hacker’ has become a negative term in today’s world. What’s more concerning is that businesses have bought into this stereotype. Today, business leaders often don’t want to associate with a hacker, perceiving them as an illicit group that will only harm their organisation.
In reality, hacking is a skill - and just like any other skill, it can be used equally by malicious black hats or benign white hats. In the right hands, these skills offer massive benefits to an organisation, enabling them to better identify and stop cyber threats. That’s why we tend to use the term “attacker” when referring to threat actors or hackers with negative intentions.
After 20 years of being an ethical hacker, such stereotypes don’t amuse, but worry me. Popular culture often sets a very different perception of being a hacker, something that’s completely opposite to reality. These stereotypes can be misleading for both would-be security professionals, and the businesses that could benefit from their expertise.
So, let’s dispel some of the most common clichés about hacking and explore what it truly means to be an ethical hacker, and how such skills can be of great value to a security-conscious organisation.
Busting the myths: What vs Who?
Hacking requires substantial knowledge, experience, and preparation - whether it's ethical or criminal. It’s not necessarily someone in the basement breaching critical systems with an expensive setup. While ‘script kiddies’ can breach unprepared businesses fairly easily, it takes a lot of education and experience to pull off more sophisticated attacks.
It’s about more than being able to code, buying a technical gimmick or “hacking tool” or being a technical expert. One has to have an inquisitive, passionate, and borderline obsessive interest in how things work. We call this a ‘hacker mindset’. In essence, that’s what we do - hackers are meant to know the ins and outs of a system. They know where things are bolted together within a system’s architecture, because that’s usually where the obvious cracks are. Some individuals will use this knowledge to protect the system, and some to attack and profit from it.
The bad actors are often mis-portrayed as basement-dwelling lone wolves. What we often don’t realise is that many attackers, like any employee, have budgets and managers. They run campaigns, conduct research on identifying their targets, test various attack methods and often work as a part of illicit organisations or criminal gangs.
In the industry, we see attack methods becoming cheaper and more efficient. This is because conventional attackers don’t just practice specific skills and work in isolation. They often operate as a community, share or steal resources from one another, continuously optimise their skills, and research different ways to exploit vulnerabilities.
Life of an ethical hacker
Attackers are constantly in the limelight because of the countless security incidents industries face every day. But we don’t talk enough about the good guys. Yes, hacking as a skill can be used for the greater good. In fact, hackers were always meant to understand and identify the vulnerabilities of a system, rather than using their skills for criminal activities.
Hacking can be used to protect or attack the system, but ethical hackers tend to walk the line between both worlds. They don’t just know the law, but also understand what is acceptable and unacceptable from an ethical perspective. Ethical hackers understand how the threat actors think – an invaluable skill for any business to have in their corner.
How ethical hackers can add value to your security infrastructure
One of the core tasks when starting an ethical hacking project is to conduct threat modelling. This means analysing the systems a business runs on, where it can be disrupted and, if so, how, as well as mapping out the potential attack surface. It’s our job to identify how well an enterprise’s digital infrastructure is prepared to handle inevitable attacks, without causing disruption to real-life IT environments.
So, when you have a skilled ethical hacker in your security team, you’ll be better equipped to predict potential threats and align your defenses accordingly. Their prime responsibility is to always keep your organisation on the front foot before an incident occurs.
There are a lot of analytical aspects to an ethical hacker’s role. It’s our responsibility to know how controlled and efficient the organisation’s defenses are, compared to their competitors. This is because in the world of cyber security, your fence needs to be as high as your neighbours or, preferably, higher.
That’s why ethical hackers must engage in the interplay between threat modelling, anticipating what an attacker might do and preparing organisational defenses accordingly. If for example an organized crime gang-based attacker looks at your infrastructure and thinks it will take a lot of resources and customisation to breach - they are most likely to skip you. This is what we try to achieve. To raise the cost of attack and to make sure attacks can at the very least be detected.
Ethical hackers don’t try to make a system impenetrable, because that’s impossible. Rather we identify where the cracks lie and shut down potential attack paths to reduce the likelihood of a breach.
Overall, ethical hackers have an intense and somewhat fun job. As I have mentioned, you don’t get into this line without obsessive passion. That’s the first prerequisite. We help organisations ensure their IT roadmap is a sound one and that they are aware of the risks and help them make decisions that don’t leave a hole in their cyber security budget.
I don’t know if ethical hackers are the ‘heroes’ of the IT world, but we are definitely not some shady and lonely individuals working from our basements breaking the law. Ethical hackers can make a powerful difference, using their skills and mindset to protect our businesses, and even society at large, from bad actors. It’s time to step out of the stereotypes.