Ethical Hacking in Mature Cybersecurity Programs

How Ethical Hacking Can Help Your Security Teams Stay One Step Ahead of Threat Actors

When most people hear the word “hacking” the word nefarious often comes to mind — cloaked bad guys looking to take advantage of your security weaknesses to infiltrate your systems and steal, alter or take hostage your data and assets. But, not all hackers are necessarily bad guys. In fact, ethical hackers, also known as white hat hackers, can actually work with you to help strengthen your security defenses so those bad guys can’t take advantage of you.

Unlike the bad actors looking to exploit weaknesses in your attack surface, often without your knowledge, ethical hackers can work with your security teams to identify cybersecurity gaps so you have the information you need for effective exposure management.

By working with an ethical hacker, your teams will have the opportunity to remediate your security flaws, misconfigurations and other vulnerabilities (otherwise known as exposures) to decrease the chance of a successful breach or other security incident.

In this knowledgebase, we take a closer look at ethical hacking, what it is, who does it, and how ethical hackers can help you seek out security issues you might otherwise overlook with a goal to improve your overall security posture.

Ethical hacking is a practice your organization can proactively use to seek out cyber risk across your attack surface. Ethical hackers, or white hat hackers, use tools and resources just like cyberattackers to discover where you have gaps within your existing cybersecurity program so your teams can address exposures before bad actors can take advantage of them.

An ethical hacker can be someone who is part of your existing security team or can be a third-party consultant who has permission to access your network and assets. The ethical hacker will generally replicate the same type of actions threat actors use to get unauthorized access to your network.

Once an ethical hacker successfully breaches your network, the goal is to uncover all of your security weaknesses. After the white hat hacker uncovers these security issues, the hacker will share that information with your teams, along with any additional information about how you can effectively address those issues.

One of the key points of ethical hacking is it’s something that should be conducted with an organization’s permission and all activities should be approved. There are also certifications, for example, the Certified Ethical Hacker designation, these individuals can attain to demonstrate they understand and are compliant with a range of corporate and government standards for ethical hacking.

According to the EC-Council Cybersecurity Exchange, which offers a certification in ethical hacking, ethical hackers should have a core understanding of these basic principles:

• How to code in relevant programming languages
• An understanding of wired and wireless computer networks
• Database proficiency
• Understanding of information security principles
• Both creative and analytical thinking abilities
• Firsthand hacking and workplace experience

Yes. There are several types of hackers and they’re usually defined by their intent. Here are a few examples:

• White hat hackers
  • White hat hackers are those who practice ethical hacking. They’re often hired by organizations to uncover security issues across an attack surface and while they may use the same tools and practices as other hackers, they do so with permission and legally. White hat hackers also operate without causing intentional damage.
• Black hat hackers
  • Black hat hackers are those who attempt to exploit vulnerabilities and other security issues with malicious intent and/or for profit. These cybercriminals often overstep basic ethical standards and will violate laws if necessary.
• Gray hat hackers
  • A gray hat hacker (or grey hat hacker) is a threat actor who operates somewhere in the middle of white hat and black hat hackers. Gray hat hackers might not necessarily have malicious intent, but they could violate basic ethical principles or go beyond. They may breach systems for personal gain, but sometimes will also share this information with the organizations or individuals they successfully exploit. A gray hat hacker might uncover a security issue and then offer to fix that issue for the affected party for a fee.
• Red hat hackers
  • Red hat hackers are often referred to as vigilante-types. They are generally those who work to defend networks, but also aggressively hunt for cyberattackers with a goal of stopping them on their own instead of, for example, leaving that to authorities. Red hat hackers aren’t generally malicious or bad actors, but they may operate outside of basic ethical (and legal) principles and don’t usually request permission from system owners to initiate their moves. Once they discover bad actors, red hat hackers usually don’t stop until they effectively destroy their systems. They usually do this for the mere satisfaction of stopping cybercriminals, not for financial gain.

Ethical hackers might take different approaches in an attempt to breach your network or assets, but generally they employ the same tools, resources and practices threat actors use, but they do so with an organization’s permission and adhere to relevant laws.

Generally, ethical hackers will first survey your attack surface to get a better understanding of it. From there, many will use a range of scanning techniques to try to uncover vulnerabilities or other weaknesses such as misconfigurations, flaws or unpatched systems in an attempt to gain access into your environment.

Once inside, just like a bad actor, the ethical hacker will attempt to maintain access for as long as possible without your knowledge. The hacker will often make lateral movements across your attack surface, discovering interdependencies and looking for ways to access more systems and data.

Eventually, the ethical hacker will take steps to eliminate evidence of intrusion and exit your network. From there, the ethical hacker shares all findings with your organization and helps your teams come up with plans to address all the discovered issues as well as make recommendations to improve your security practices and policies to decrease the likelihood of future successful breaches.

No. Ethical hacking and penetration testing are not the same. The terms ethical hacking and penetration testing are sometimes interchanged, but they are different. They are both white-hat hacking techniques and both can help your organization uncover vulnerabilities so your teams can address them, but there is a significant difference between the two.

In pen testing, for example, the tester tries as many ways as possible to break through your cyber defenses with a goal of discovering vulnerabilities and determining the type of impact an exploit might have. Many organizations conduct routine penetration testing, at least annually, but sometimes as often as quarterly or more frequently. A third party can also conduct penetration testing for you. Penetration testing is a tool an ethical hacker may use.

An ethical hacker, who is often an outside consultant or other certified professional, goes beyond standard penetration testing. After discovering your cyber risks, the ethical hacker should then help you establish stronger cybersecurity practices to address those issues and better protect your attack surface now and in the future.

Ethical hackers are different from malicious hackers. While both might utilize the same tools and practices to attempt to gain unauthorized access to a network or other assets, ethical hackers do so with permission. They also act within a set of standards and legal expectations while carrying out their work and don't intend to harm the organization, as malicious hackers do.

There are generally five main types of ethical hacking — or five key elements an ethical hacker may employ:

Black-box testing

• Think of black-box testing as going into a scenario with no insight into a system or application’s functionality. NIST defines black-box testing as “a methodology that assumes no knowledge or internal structure and implementation detail of the assessment object.”

White-box testing

• White-box testing is different from black-box testing because in this practice, the tester has knowledge about the system or application’s internal structure. NIST defines white-box testing as “a methodology that assumes explicit and substantial knowledge of the internal structure and implementation detail of the assessment object.”

Gray-box testing

• In gray-box testing the tester has some basic knowledge of the internal structure and implementation details of the system or application.

Penetration testing

• In penetration testing, the tester attempts to defeat security measures intended to protect a system or application. There are two common types of penetration testing: internal and external.
  • Internal penetration testing
    • A tester generally conducts an internal pen test from within a network with the goal of discovering vulnerabilities from inside of an organization.
  • External penetration testing
    • In external penetration testing, the tester is generally working remotely, for example as an ethical hacker, with a goal of discovering security issues for internet-facing assets.

Web app hacking

• In web app hacking, an ethical hacker will attempt to exploit vulnerabilities or other security issues within a web application. By exploiting these security weaknesses, bad actors would hope to gain access to systems and data for potential financial gain or other malicious reasons.

Ethical hackers have an ultimate goal of discovering security issues and helping individuals or organizations address those issues to decrease the likelihood of a successful breach by a bad actor. Here are some examples of things an ethical hacker might do during an engagement:

1. Surveillance: Also known as reconnaissance, the initial phase of ethical hacking enables the hacker to collect as much information as possible about an organization’s network, systems, and assets. This is also the time when they gather information about existing security measures. Generally, ethical hackers will employ two types of reconnaissance: active and passive. Active reconnaissance is inherently more risky than passive because it increases the likelihood of discovery.
2. Scanning: The next step is generally a scanning phase. During this phase, an ethical hacker will use information gathered from initial surveillance to scan for vulnerabilities. There are a variety of scanning techniques an ethical hacker may use. For example:
   1. Vulnerability scanning
   2. Open port scanning
   3. Network scanning
   4. Penetration testing
   5. User permission scanning
   6. Ping scanning
   7. Intrusion detection systems (IDS) scanning
   8. Proxy scanning
3. Successful Access: Once scanning is complete, the ethical hacker’s next step is generally an attempt to gain access. This is where the actual “hacking” begins. During this phase, the ethical hacker will launch an attack with a goal of exploiting any of the vulnerabilities, misconfigurations, flaws or other security issues discovered in the surveillance phases.
4. Continued Access: After successfully gaining access, the ethical hacker will operate like a bad actor and attempt to maintain access undiscovered until meeting specific goals. While an ethical hacker won’t intentionally cause damage, a bad actor might use this time to employ malware or take other steps to keep a foothold within a system.
5. Removing Attack Evidence: The next step an ethical hacker may take is to successfully leave the network or system without leaving any trace of evidence of an attack. This is the time when the hacker may attempt to remove, modify or corrupt logging systems, and delete any applications or other tools used during the attack.
6. Reporting: As part of the last phase of engagement, an ethical hacker should present all security findings to your organization and also offer solutions to help your teams remediate these issues and mature your security posture to prevent future similar breaches.

There are a number of benefits of ethical hacking. At a high level, utilizing an ethical hacker can help your organization identify security weaknesses you may be unaware of so you have the opportunity to remediate those issues before a bad actor can exploit them.

Another benefit of working with an ethical hacker is by undergoing penetration and other types of testing, as well as some tricks and methods bad actors may use, you can get insight into if your security controls function as they’re intended or if you need to do more to strengthen your security posture. You can find out if your organization is employing cyber hygiene best practices and where you need to do additional training and education.

Ethical hackers can also help your organization measure how well you’re doing in terms of meeting compliance and other regulatory obligations. This can help you uncover issues before you undergo an audit, fall short on a certification or get hit with fines or other enforcement issues if you’re not.

Ethical hackers are a good addition to your existing cybersecurity program. They can help you identify cyber risk you might not be aware of, help you better understand what the potential impact of a breach or exploit may be, give you insight into what you should focus on fixing first and also offer suggestions to help you address discovered exposures.

And, finally, ethical hackers can provide you with valuable information to help your organization make better business decisions, including what types of additional investments may be needed to continue to decrease your cyber risk.

There are several ways you can become an ethical hacker. Here are a few things you should know:

• Core competencies (for example, competent in knowledge of computer systems, programming, database management and networking)
• Ability to code in a variety of programming languages
  • Java
  • C++
  • Python
  • SQL
  • PHP
  • Perl
  • Ruby
• Understanding of computer networks, on-prem and in the cloud
• Understanding of computer hardware
• Database skills
• Good understanding of core information security principles
• Understanding of and ability to conduct vulnerability assessment
• Knowledge of hacking methodology
• Established hacking or workplace experience
• Understanding of the ethical and legal standards related to hacking
• Ability to think like a hacker
• Familiarity with encryption and decryption
• Ability to conduct social engineering
• Ability to reverse engineer programs and devices to understand weaknesses
• Basic certifications
  • E-C Council Ethical Hacking Program
  • CompTIA Certified Ethical Hacker (CEH)
  • CompTIA PenTest+
  • Computer Hacking Forensic Investigator (CHFI)

A bug bounty program is a program organizations offer to encourage individuals to report bugs in software and applications. These programs offer financial incentives for those who discover and report security weaknesses and vulnerabilities before bad actors have a chance to exploit them.

No. Tenable does not have a bug bounty program. Tenable also does not provide financial incentives for this type of reporting. Tenable does, however, encourage individuals to report vulnerabilities so researchers can get a better understanding of the issue and work to address them. Tenable has several guidelines to follow, for example, vulnerabilities that don’t expose a service or application to an attack aren’t considered valid issues. Full details can be found here: https://www.tenable.com/security/report.

Tenable’s Capture the Flag (CTF) is an annual event focused on showcasing security professionals’ cybersecurity skills and talents. During the competition, participants take part in a variety of CTF challenges. Points are awarded and increase as the challenge difficulty increases. In 2022, the top three winners received Amazon gift cards and the top 100 teams had the option to opt-in for limited edition Tenable CTF T-shirts.

Yes. You can use Tenable One for penetration testing, vulnerability assessment and web app scanning. Tenable One is an exposure management platform that combines risk-based vulnerability management, web application security, cloud security and identity security in a single solution. With Tenable One, you can better understand your cyber risks and make actionable decisions to address them. Learn more at: https://www.tenable.com/products/tenable-one.