As criminal hackers become more sophisticated and ruthless, security-conscious companies are increasingly recruiting people to help fight a covert war.
On the front lines of the fight stand many “grey hat” hackers — security experts who have online street smarts but aren’t mixed up in the racket themselves. A small number may have dabbled in “black hat,” or underground hacking, in the past, but most just know how to communicate with the other side.
Dave Millier, CEO of Sentry Metrics, a Toronto-based security consulting firm and managed services provider, says that in the past two years his company has fielded an increased number of requests from organizations that want to find out what sensitive information of theirs may have fallen into the wrong hands. And it’s grey hats who are most likely to get the job.
“We’re being asked to not just do the traditional ‘do a penetration’ test or ‘do a vulnerability assessment and tell us about our network’ — we’re also being asked to find out information. So again, it’s the intelligence category, if you will: ‘find out what information there is about us out in the wild.’
“What information is circulating around in the underground network, if you will, that could potentially be reputational damage, that could be being shared by the hackers, shared by the underground community to provide backdoor access to our systems? What do they know about our systems?
“In order to get access to that information, at a minimum you need to turn to a grey hat hacker, who may have access to that side of the fence.”
But as in war, there are times when you need to reach out to the enemy side directly.
“In some cases, we certainly engaged with some black hats, specifically to help out with that information gathering.”
But James Quin, an analyst at Info-Tech Research Group in London, Ont., isn’t convinced that there is much of a difference among people who wear the various “hats.”
“Were I in a position to be hiring a black or grey hat, I would always be questioning whether there was an ulterior motive for them wanting to come work for me.”
“I have worked with guys who claimed that they were white hat hackers [security experts who legally test and evaluate system security], and in their free time they’re hacking into NASA and the FBI – just for fun and kicks. They’re not exploiting any of the information but they’re clearly doing things that are illegal.”
Quin says any company employing people who enjoy exploiting systems, for whatever reason, should be extra vigilant. Millier, however, says that he doesn’t hold his greys under particular suspicion.
“I don’t consider them to be any more of a risk exposure than anyone else, from that perspective.”
The fact remains that many firms are hiring hackers — even black hats — whether they realize it or not, Millier says. His company conducts extensive checks, including on social media and underground forums, with resident grey hats helping out with the latter. But he can’t find out everything. “There’s only so many background checks that you can do.”
“Think of Anonymous as a perfect example, you’ve got potentially hundreds of people that are involved throughout the world in the Anonymous organization — it’s ‘Anonymous’ for a reason. So who knows who those people are?”
For the most part, however, dyed-in-the-wool underground hackers are simply uninterested in coming over to his side. So it’s unlikely to become a problem.
“If someone’s actively working in a black-hat capacity then that’s really their focus — they’re not likely going to be out looking for work in our industry … unless they’re looking to use it as a leverage stick to … as an example, be able to do some social engineering or to gain access to a system.”
While hackers of all hats tend to end up doing consulting work, Tim Collins, president of Stafflink.ca, a Toronto IT staffing firm, says he rarely gets requests from major employers for actual hackers. He recalls one case, though, in which the position title was carefully dressed up in a euphemism.
“They were calling it ‘security specialists.’ You know, the term hacker … it was a bit of a negative connotation.”
But companies are starting to have a better understanding of what kind of value hackers provide, he adds. They’re just more comfortable training people themselves, something that is possible now that hacking is no longer such an esoteric practice.
“I’ve been doing this for 20 years, so there was a time when people were hiring the 17-year-old hackers from their basement to come in and be the new ethical hacker for their company and try to bust systems. Now, we’re seeing more people developing those people in-house.”