Stuart Kennedy, Senior Security Analyst at Orange Cyberdefense tells SJUK why 2024 should be the year of the ethical hacker.

We are in the midst of the 2024 planning season when departmental leaders will be knocking on the door of their budget holders to plead the case for why their part of the organisation deserves increased financial support.

Security teams will, once again, be warning business leaders about the risks their organisation faces from cybercriminals. Their message will be clear – even at a time when many companies are stripping back budgets across their internal service divisions, they must continue to protect their valuable assets from aggressive third parties. he evidence for enhanced financial support will include the threat from company insiders. Firstly, the employee who is intent on damaging the company from within, and secondly the unwitting individual who may not know what good security behaviour looks like. However, there is a third kind of ‘insider’ – not an employee, but rather an individual who is invited into the organisation to test their security defences. Someone like me – an ethical hacker who poses as a threat actor to infiltrate a company’s digital estate In other words, my job is to carry out authorised cyberattacks.

Ethical hacking and the threat of cyber extortion

The importance of ethical hackers is clear. According to our Cy-Xplorer 2023 report, cyber extortion (Cy-X) activity – the criminal act of extorting a ransom from a victim – reached the highest volume ever recorded in Q1 2023 after a decline of 8% in 2022. And in Q2 2023 we saw even more, registering 1,000 organiastions which had fallen victim to Cy-X. One explanation for this is that Q2 saw the most active amount of threat actor groups/leak sites. In Q2 2022, we saw 23 different leak sites actively naming and shaming victims on their dark web blogs. In Q2 2023, we saw a 52% increase in leak sites posting victim organisations. It makes sense that when we see an increase in actors, we also register an increase in victim count.

You don’t have to rely on mere statistics to appreciate the scale of the problem, with global media reporting on the activities of well-organised cybercriminal groups on an almost daily basis. One of the most significant incidents of 2023 was the MOVEit hack which is thought to have led to hundreds of organisations which use the file transfer tool having their data stolen. When the issue came to light in June 2023, the US cybersecurity agency CISA ordered federal agencies to patch their systems within a matter of weeks. The adversary group – the Russian cybercriminal gang Cl0p – responded by telling victims to email them to enter into negotiations or face having their private data made public. This was a highly usual move, illustrating the ever-changing tactics of threat actors and the importance of organisations turning to security experts to monitor how criminal activity is evolving.

As Cy-X attacks increase in volume and severity, organisations have a serious challenge on their hands. With their business operations, financial stability, and reputation at risk, the pressure is on the C-suite to take a bigger and more proactive role in protecting their organisation. By integrating a framework of ‘Anticipate, Identify, Protect, Detect and Respond’ into their cyber risk strategy, business leaders can more effectively prepare for and respond to Cy-X attacks. Ethical hacking can be a valuable part of this framework, moving beyond the standard digital defences and adding a human touch to proactive risk prevention. In the present climate, with many firms cutting budgets, ethical hacking enables an organisation to pinpoint uncovered vulnerabilities and demonstrate where their money needs to go to foster tight security.

Some firms may think they are already devoting sufficient resources to the ‘identify’ stage through the use of a penetration testing – or pentesting – service. However, there is a key difference between the two. While all ethical hackers are penetration testers, not all penetration testers are ethical hackers. Yes, they both help businesses understand and address their vulnerabilities. However, a pentest will simply focus on specific systems or methods to ensure security and compliance, whereas a well-planned, proactive, comprehensive security assessment carried out by an experienced ethical hacking team will deliver superior results when it comes to enhancing your security posture.

Tools of the hacking trade

When I go into a business, I am typically asked one of two things – to find as many vulnerabilities as possible in a set amount of time or to investigate a specific piece of infrastructure. We then get to work, acting in the same way as any cyber adversary, trying to break through the existing human layer of protection to gain access to computer systems. The vast range of assessment capabilities a typical ethical hacker will offer includes:

• Mobile assessment: mobile applications have become an integral part of the digital strategy of most organisations, leading to an increased attack surface. Attackers exploit vulnerabilities within mobile applications to gain access to backend infrastructure, databases and other related systems. A comprehensive review by an ethical hacker will increase the chance of finding security issues before a malicious actor does;
• Cloud security assessment: digital transformation has led many businesses to adopt and include cloud infrastructure into their core business. As a result, the attack surface has changed as well, leaving different attack vectors available for exploitation by attackers. While the manifestation of risks may be different, threats such as credential disclosure facilitating lateral movement and privilege escalation are as realistic on cloud infrastructure as it is on self-hosted infrastructure.
• Red team assessment: simulating real-world, covert, multi-phase attacks as they would be performed by real and persistent criminals. These assessments are based on “goals” agreed up front which have a significant impact on the focus of the assessment. Careful thought and planning need to go into the goals, considering possible security failures in your most important business functions.

Security teams have been placed under insurmountable pressure over the past couple of years, with cyberattacks on the rise and an entirely new remote environment to protect. As they battle to detect and respond to threats that originate within their organisation’s perimeter, rather than just those that are trying to penetrate its defences, IT and security teams have been placed under a heavy burden. This burden needs to be alleviated to minimise the risk of overwork causing further human error that could have devastating consequences. So, when it comes to allocating budgets for 2024, business leaders would be wise to consider the benefits of employing an ethical hacker – finding vulnerabilities in the short term will undoubtedly lead to peace of mind for the long-term.

More UK Security News