Tuesday, May 29, 2018

Hackers: Who are they?

[Image: Hollywood Hacking (image credit: inkmedia.eu)]
In a recent conversation with my mom, she was concerned that I had recently gone to a hacker meetup. She thought all hackers were criminals, and I don't blame her for thinking that after reading about them in the news and seeing them in movies. It's usually a guy in a hoodie, typing fast, with complicated text scrolling by (check out hackertyper!). He has an aura of mystery and probably some malicious intent. I went on to explain the white hat / black hat concept. For those of you who aren't aware, in old cowboy movies the bad guy often wore a black hat and the good guy wore a white hat. These are terms we've adopted to distinguish between the good and bad hackers of today's world.

The tools and techniques used by white hats and black hats are the same; the big difference is in the intent. I wanted to review a couple of different types of hackers and the things that motivate them:

Penetration Tester - A white hat hacker with good intentions who works to identify flaws and get them fixed. Sometimes they are part of an in-house security team, or a third party hired to test software or networks. Pen tests are essential to any modern security program, because I guarantee that black hats are looking for vulnerabilities to exploit, so you should hope a white hat finds them first. Their actions are limited by the scope of a test and the time window the testing is scheduled for.

Bug Bounty Researcher - A white hat hacker, usually with good intentions, who also works to identify flaws and report them to companies in exchange for money, swag, or "kudos" (street cred). These are often individuals with a pen testing background who do it on the side for extra income, or, if they are really good, full time. Some consider it fun and like to practice their hacking skills on real systems where permission is given via a bug bounty program's scope and rules (example: Google's bug bounty rules). Some of them are not seen in the best light; see "Grey Hat" below.

Red Team - A term used to describe a team of white hat hackers, usually well intentioned, with the goal of simulating a real attack. They use Tactics, Techniques, and Procedures (TTPs) similar to those used by real-world attackers. Some of these techniques could include making phone calls to social engineer someone into giving up useful information, wearing a janitor's clothes to sneak into a building and insert an infected USB drive, or launching an attack on a holiday when the defenders aren't around.

Blue Team - A term used to describe the defensive white hat hackers working as Incident Responders in a Security Operations Center (SOC). These are the white knights of the security world, doing everything they can to secure the environment they protect, although they are at a significant disadvantage: they have to secure potentially thousands of computers at all times, while an attacker only has to find one entry point. They will often use a Security Information and Event Management (SIEM) system to help them monitor the health of their network, computers, and overall infrastructure. This could mean monitoring for failed login attempts that indicate a brute force attempt, looking for port scans that might indicate the first stages of an attack, or just reviewing recent malware alerts for uncontained threats. Additionally, they will work with the people in the company to educate them on threats like phishing emails and unfamiliar USB drives, notify them of current events, and recommend defensive actions they can take to protect themselves.
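The brute force monitoring mentioned above, shown as an added example that is not part of the original post: a small detector that reads OpenSSH-style syslog lines, flags any source address with a burst of failed logins inside a short window, and notes whether a successful login from the same address followed (the case a SOC analyst would escalate first). The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in OpenSSH's syslog format; the host name
# and the addresses are made up for this example.
SAMPLE_LOG = """\
May 29 10:00:01 host sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 4001 ssh2
May 29 10:00:02 host sshd[102]: Failed password for root from 198.51.100.7 port 4002 ssh2
May 29 10:00:03 host sshd[103]: Failed password for root from 198.51.100.7 port 4003 ssh2
May 29 10:00:04 host sshd[104]: Failed password for invalid user test from 198.51.100.7 port 4004 ssh2
May 29 10:00:05 host sshd[105]: Failed password for root from 198.51.100.7 port 4005 ssh2
May 29 10:00:09 host sshd[106]: Accepted password for root from 198.51.100.7 port 4006 ssh2
May 29 10:03:00 host sshd[107]: Failed password for alice from 203.0.113.9 port 5001 ssh2
May 29 10:03:30 host sshd[108]: Accepted publickey for alice from 203.0.113.9 port 5002 ssh2
"""

FAILED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")

def _ts(stamp, year=2018):
    # syslog timestamps carry no year, so one is supplied for parsing
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: info} for sources with >= threshold failures inside `window`;
    info['followed_by_success'] is True if that IP later logged in successfully."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            failures[m.group(3)].append(_ts(m.group(1)))
            continue
        m = ACCEPTED.match(line)
        if m:
            successes[m.group(3)].append(_ts(m.group(1)))
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        # sliding window: any run of `threshold` failures spanning <= `window`
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                last_fail = times[i + threshold - 1]
                alerts[ip] = {"failures": len(times),
                              "followed_by_success": any(t > last_fail for t in successes.get(ip, []))}
                break
    return alerts
```

Single failures from a known user (203.0.113.9 above) stay below the threshold and produce no alert, which is the kind of tuning that keeps a SIEM rule useful rather than noisy.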

Advanced Persistent Threat (APT) - APTs are teams of black hat hackers, often state sponsored, with goals like espionage for political or business gain. Historically they have been behind attacks such as the Stuxnet worm built to damage Iran's nuclear program, the 2014 hack on Sony Pictures, and the 2013 Target breach where malware was installed on point of sale devices to steal credit card information. I recently found a Google Doc with a nice summary of known APTs and their TTPs. They have names like "Fancy Bear", "Unit 121", and "Hurricane Panda". I would classify them as having malicious intent, but with a laser-focused goal in mind.

North Korea's Hacker Farm - Bloomberg recently wrote a great article on North Korea's hacker farm, where hackers are worked up to 15 hours a day and are required to make money for the government by any means necessary. This can mean hacking online gambling sites so they can cheat, compromising ad servers to deliver malware that distributes cryptocurrency miners, or distributing ransomware at hospitals and demanding a payout to return their data. These guys are black hats, but I can't help feeling sorry for their situation.

Grey Hat Hackers - Grey hat hackers live in the moral grey area. Some of the previously mentioned hackers can be considered grey hats. I've met bug bounty hunters who used aggressive tactics that border on blackmail to negotiate a bigger payday for a bug they reported. While the intent was to fix an issue and secure the company, the tactics were a little dirty. One time Mark Zuckerberg's Facebook page was hacked to prove a security flaw; this goes against the concept of responsible disclosure and was considered a "grey hat action".

As you can see, the world of hackers is a diverse group of individuals with various motives and techniques, and I find it endlessly fascinating! :)
