Vulnerability hunters are cut from a different cloth – they’re naturally inquisitive

When you’ve been around the information security business for as long as I have (more than 30 years now) it’s not surprising to get a lot of emails from desperate people looking for help. Sadly, I simply can’t respond to most of them, or I wouldn’t have time to do my job.

Some don’t deserve my guilt for not replying. I’m talking about those who seem to think I’ll either hand out step-by-step instructions for accessing someone else’s social media account or simply do a job because they’ve said “please”. The reasoning behind these requests is most often transparently bogus: “I’ve been locked out of my account and Twitter support won’t help me, my partner is critically ill and I need access to their email for [insert spurious reason here], my partner has been cheating on me and I need proof”.

Wannabe hackers are the bane of my working life, truth be told; unless, that is, they want to become a hacker, an ethical hacker or vulnerability hunter. Odd, then, that I tend to receive very few of these genuine requests for guidance. The ones I do will be pointed in the general direction of great resources that can help them to help themselves. Teaching yourself to hack may seem a bit of a stretch, but you’d be surprised how commonplace this is.

I’m self-taught, not least as there were no accessible educational routes into the game back when I started out. The latest annual report from Bugcrowd, a crowdsourced bug bounty and vulnerability disclosure platform, revealed a staggering 79% of the hackers using the platform were self-taught. I’ll let that sink in for a bit.

These days there are more traditional educational pathways to becoming an information security professional than you can shake a stick at. If you did shake that stick, I daresay a ream of certifications would fall out of the learning tree as well. Vulnerability hunters, the kind of hackers who love tracking down security problems in hardware, software and services, however, tend to be cut from a different cloth. They’re naturally inquisitive, always interested in learning more, and the successful ones have an innate ability to approach problems from a left-field perspective.

With this in mind, it’s no surprise the Bugcrowd report found one in five of their hackers identified as neurodivergent. Obviously, a coding background – be that as a “hobbyist” programmer or someone who has been through the system and come out the other end with some qualifications – is a bonus for anyone beginning on the hacker journey. On the assumption you’re at least code-literate to some degree, though, where do you actually start? This is something I gave a fair bit of thought to recently and, with the help of hacker friends, information security professionals and, indeed, I’ve come up with a learning-to-hack resource list.

Before I get onto the list itself, it bears mentioning that “hacking” is a very broad church with multifarious specialisms. It’s possible to decide in advance that you want to find vulnerabilities in applications, devices, web-based services, cars and so on. A grounding in the basics, however, knowing the essentials of hacking methodology, should be a given across all of these. Start to learn first, specialise later.

Bug bounty and vulnerability hunting platforms themselves will often be a good place to start. Bugcrowd University is one highly recommended resource. It’s free to use, open-source, and has multiple content modules with slides, videos and labs, covering everything from introductions to tooling through to recon and discovery. It goes further than this, though, in that it extends out to other online learning resources on bug hunting methodology, data-driven web hacking, social engineering and so on.

Doing is better than reading, at least for me. It’s how I started my hacking journey decades ago, although largely driven by a lack of reading material (with the exception of the excellent Hacker’s Handbook series). Anyway, with a practical learning experience in mind, it’s hard to ignore the likes of the gamified learning resource that is Try Hack Me or the browser-based and highly interactive Hack The Box Academy. Both cater for varying skill levels, and you can’t fail but learn if you embrace them.

Talking of practicalities, the right tooling is one of the most important parts of your hacking armoury and Burp Suite is right up there. The PortSwigger Web Security Academy is free and from the people who created Burp Suite. It features interactive labs, with the author of The Web Application Hacker’s Handbook leading the team of experts here.

A number of my hacking acquaintances, including some with successful careers in the bug bounty world, recommend scouring the web, conference presentations, info security Twitter, for walkthroughs and explanations of proof-of-concept (PoC) exploits. These can be a highly informative way of understanding how the theoretical stuff works in practice once you’ve got far enough along the learning curve.

Bug bounty platform HackerOne, for example, has a community feed called Hacktivity that showcases the latest hacking activity and enables users to search through the various reports for the ones they’re interested in. There’s even a Hacktivity Con, now in its second year, where hackers of all skill levels can learn from each other.

This is far from an exhaustive collection of hacking resources for the beginner, but it should be enough to provide food for thought as well as, somewhere among these options, a place to start that suits your personality.

There are some ‘don’ts’ to be aware of, and they are very important ones so take heed. Don’t go using any of the readily available search tools that will find open hosts and give you immediate root access and so on. You can practise using Kali (an advanced penetration testing Linux distribution) or whatever on your own stuff, but be absolutely sure that it’s only your own stuff and that you don’t stray into opaque territory when it comes to networks used. Hacking any ‘live’ target is a no-no, a big legal no-no, that could see you landing in very hot water indeed.

You’ll find there are plenty of targets to practise on and stay within the law if you use those practical, gamified, learning resources. My personal recommendation is to stick to those resources if you want to be 101% sure you’re on the right side of the law.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.