What is ethical hacking? White hat hackers explained


Hackers - often called black hats - have frequently been portrayed in the media as shadowy hooded figures motivated by greed or a desire to damage or bring down the establishment. This may be true for many hackers, but there is another side to hacking. White hat hackers are not motivated by greed or disillusionment but by a desire to defend systems from cyber attacks.

Indeed, many leading businesses actively employ ethical hackers to test their networks and other systems for vulnerabilities, defending them from potentially damaging attacks. With cyber crime continuing to expand, ethical hackers are in great demand. With the rise of AI, securing these systems from attack has become a top priority for all businesses.

Ethical hackers use various tools and techniques to carry out their work. These methods often mirror those of malicious hackers but are employed within a legal and authorized context. Some standard methods include penetration testing, identifying system flaws and programming errors, testing an organisation's resilience to phishing attacks, and analysing networks for exposure to traffic sniffing.

Ethical hacking: What color is your hat?

In the cyber security community, hackers are typically categorized into three groups: black hat, grey hat, and white hat. Black hats hack targets for personal gain, such as financial profit, revenge, or to cause chaos.

In contrast, white hat hackers aim to enhance security by identifying flaws and notifying the affected parties, allowing them to address the issues before malicious hackers can exploit them. This is often coordinated through bug bounty programmes.

Grey hat hackers fall somewhere in between, often engaging in morally ambiguous activities, such as hacking groups they oppose ideologically or conducting hacktivist protests. Both white and grey hat hackers can be considered ethical hackers, as their actions generally aim to improve security, albeit sometimes through unconventional methods.


Understanding the role of an ethical hacker

To gain insight into how white hat hackers are transforming how businesses defend themselves against cyber attacks, ITPro spoke with Laurie Mercer, security architect at HackerOne. ITPro began by asking, with rising cyber crime, have ethical hackers ever been more in demand?

(Image: a profile picture of security architect Laurie Mercer. Image credit: Laurie Mercer)

"Cyber crime continues to rise simultaneously as CISOs are being challenged to do more with less," Laurie responded. "In 2023, one-third of companies had made security budget cuts, with 67% saying they believed reducing budget and headcount in security would negatively affect their ability to handle cyber security incidents.

"In this climate, organisations are more at risk if they ignore the benefits a huge community of talented, ethical hackers can bring to their security. Thousands of the world's most influential brands and government bodies, such as the UK's MoD and the USA's DoD, trust hackers to deliver impactful findings and vulnerabilities. Our latest report shows that 70% of organisations state hacker efforts have helped them avoid significant cyber incidents."

How are businesses using the skills of ethical hackers?

"One-third of organizations say they monitor less than 75% of their attack surface, and 20% believe over half is unknown or not observable. By engaging the ethical hacker community, organizations gain a deeper skillset and broader range of perspectives that extend their team and help avoid burnout. Hackers continuously probe for weaknesses, uncovering vulnerabilities that automated scans and internal teams miss. 92% of hackers are confident they can find vulnerabilities that scanners and automation can't.

"Organisations typically engage hackers through continuous programs like bug bounty programs, where hackers surface vulnerabilities for monetary bounty rewards. However, we've found that more and more CISOs are recognising the value of hacker ingenuity across their cybersecurity strategy, including for pentesting since hackers often surface more in-depth insights faster than more traditional pentesting methods. There has been a 54% increase in pentests between 2022 and 2023 and a 16% increase in the number of vulnerabilities being surfaced by pentests, with 15% of vulnerabilities found being rated as high or critical severity, showing the need for organisations to continue engaging with the ethical hacking community for an all-around cybersecurity strategy."

As the chronic skills shortages continue across the tech sector, are you seeing an increase in ethical hacking training?

"It's definitely a growing trend - as organisations start to recognize the value of ethical hacking and create robust VDPs (Vulnerability Disclosure Programs), this attracts high-calibre researchers. Moreover, we are seeing a surge in young hackers, too - nearly 55% of the hacking community is under 25 years old. The majority of the community defines themselves as part-time hackers, with only one-quarter of hackers hacking full-time. However, hacking opens up other career opportunities - 33% have leveraged their skills to secure a job and 23% plan to continue their career in information security within an internal security team."

"But hacking doesn't just require cyber security professionals to be self-taught - there is a surge in specific skills that require higher certifications, and for many hacking beginners, competition is becoming tough. For example, to become a qualified pentester, you might need qualifications such as GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) or CompTIA PenTest+. Where graduating from school and having a university degree doesn't play a big role anymore, organisations are more likely to trust a researcher who completed certain certifications and proved to be most skilled in their field."

How do you see ethical hacking evolving in the future? Will AI have an impact?

"It's no secret that security leaders are trying to understand how to leverage generative AI (GenAI) technology while ensuring protection from inherent security issues and threats. This challenge includes avoiding adversaries who may discover and exploit malicious uses before organizations can address them. When ranking their concerns about the risks GenAI poses in our latest report, 28% of hackers were most concerned about criminal exploitation of the tool, 22% about disinformation, and 18% about an increase in insecure code. Moreover, while 38% of hackers say they think GenAI will reduce the number of vulnerabilities in code, 43% say it will increase vulnerabilities.

"Ethical hackers have been experimenting with GenAI since 2022 and are already becoming the experts businesses need on their side. In fact, GenAI has become a 'significant tool' for 14% of hackers, and 53% of hackers are using it to write code, while 61% said they plan to use and develop hacking tools that employ GenAI to find more vulnerabilities. With that in mind, many ethical hackers are already specialising in red teaming exercises for AI security to uncover vulnerabilities and stop malicious actors from manipulating AI to compromise the confidentiality, integrity, or availability of an application or system."


What motivates ethical hackers?

Most hackers are motivated by curiosity, and ethical hackers are no exception. They're often driven by a desire to see what makes things tick, poking around in security systems just for the challenge of finding a way around them. Responsibly reporting their findings is the best way to indulge this desire while staying on the right side of the law.

Many are also driven by a genuine desire to make the world more private and secure. Exposing flaws in widely used services and applications reduces their likelihood of being used to harm innocent people.

Another significant motivating factor for ethical hackers is, of course, cash. A career in pen-testing or red-teaming can be extremely lucrative and often allows hackers to make a great deal more money than they would as cyber criminals, without fear of reprisals.

Similarly, bug bounty programs can provide incredibly generous payouts for discovering major flaws. The current record bounty is $647,000, paid by Google in 2022 for detecting a bug that affected the Android operating system.


"It's no secret that bug bounty payouts are a great motivation," explains Mercer. "Ethical hackers can make substantial sums, with the average cost of a bug bounty being $3,700 (this can rise to an average of $12,000 for the 90th percentile for high and critical bounties). However, many hackers are driven by a solid ethical conviction to do the right thing. Protecting the security of systems used by friends, family, and the public provides a strong sense of purpose, and 47% of hackers say they hack to defend businesses and end-users."

"Interestingly, 78% of hackers also say they hack to learn, driven by a deep-seated curiosity about how systems work and a desire to solve complex problems," adds Mercer. "This often starts from a young age and motivates them to seek out and identify vulnerabilities. Hackers also enjoy a strong sense of community and camaraderie with peers in their field, which includes sharing tips, competing in challenges, and aiming for recognition on leaderboards."

How do I become an ethical hacker?

(Image: a graphic depiction of an ethical hacker certificate. Image credit: Shutterstock)

If you're a hacker who wants to become a white hat, the good news is that you're already halfway there.

A solid educational background in computer science, information technology, or a related field is crucial. Courses in programming, networking, and cyber security provide the necessary technical knowledge. Familiarity with multiple operating systems, especially Linux, is important, as many hacking tools are designed for Unix-based systems. Understanding Windows and macOS is also necessary for comprehensive penetration testing.

For more information, head to our separate guide on how to become an ethical hacker.

David Howell

David Howell is a freelance writer, journalist, broadcaster and content creator helping enterprises communicate.

Focussing on business and technology, he has a particular interest in how enterprises are using technology to connect with their customers using AI, VR and mobile innovation.

His work over the past 30 years has appeared in the national press and a diverse range of business and technology publications. You can follow David on LinkedIn.
