Earlier this year when international cyber-gang Lapsus$ attacked major tech brands including Samsung, Microsoft, Nvidia and password manager Okta, an ethical line seemed to have been crossed for many cybercriminals.
Even by their murky standards, the extent of the breach, the disruption caused, and the profile of the businesses involved was just too much. So, the cybercrime community came together to punish Lapsus$ by leaking information on the group, a move that ultimately led to their arrest and breakup.
So maybe there's honor amongst thieves after all? Now, don't get me wrong; this isn't a pat on the back for cybercriminals, but it does indicate that at least some professional code is being followed.
Which raises a question for the wider law-abiding hacking community: Should we have our own ethical code of conduct? And if so, what might that look like?
What Is Ethical Hacking?
First let's define ethical hacking. It is the process of assessing a computer system, network, infrastructure, or application with good intentions, to find vulnerabilities and security flaws that developers might have overlooked. Essentially, it's finding the weak spots before the bad guys do and alerting the organization, so it can avoid any big reputational or financial loss.
Ethical hacking requires, at a bare minimum, the knowledge and permission of the business or organization which is the subject of your attempted infiltration.
Here are five other guiding principles for activity to be considered ethical hacking.
Hack To Secure
An ethical and white-hat hacker coming to assess the security of any company will look for vulnerabilities, not only in the system but also in the reporting and information handling processes. The goal these hackers is to discover vulnerabilities, provide detailed insights, and make recommendations for building a secure environment. Ultimately, they're looking to make the organization more secure.
Hackers must ensure they have permission, outlining clearly the extent of access the company is giving, as well as the scope of the work they are doing. This is very important. Target knowledge, and a clear scope, help prevent any accidental compromises and establish solid lines of communication if the hacker uncovers anything alarming. Responsibility, timely communication, and openness are vital ethical principles to abide by, and clearly distinguish a hacker from a cybercriminal and from the rest of the security team.
All good hackers keep detailed notes of everything they do during an assessment and log all command and tool output. First and foremost, this is to protect themselves. For example, if an issue occurs during a penetration test, the employer will look to the hacker first. Having a timestamped log of the activities performed, be it exploiting a system or scanning for malware, gives piece of mind to organizations by reminding them that hackers work with them, not against them.
Good notes uphold the ethical and legal side of things; they are also the basis of the report hackers will produce, even when there are no major findings. The notes will allow them to highlight the issues they have identified, the steps needed to reproduce the issues, and detailed suggestions on how to fix them.
Keep Communications Active
Open and timely communications should be clearly defined in the contract. Staying in communication throughout an assessment is key. Good practice is to always notify when assessments are running; a daily email with the assessment run times is vital.
While the hacker might not need to report all the vulnerabilities they find immediately to their client contact, they still should flag any critical, show-stopping flaw during an external penetration test. This could be an exploitable unauthenticated RCE or SQLi, a malicious code execution, or sensitive data disclosure vulnerability. When encountering these, hackers stop testing, issue a written vulnerability notification via email, and follow up with a phone call. This gives teams on the business side the chance to pause and fix the issue immediately if they choose. It's irresponsible to let a flaw of this magnitude go unflagged until the report is issued weeks later.
Hackers should keep their main points of contact aware of their progress and any major issues they discover as they proceed. This ensures everyone is aware of any issues ahead of the final report.
Have a Hacker Mindset
The term hacking was used even before information security grew in importance. It just means to use things in unintended ways. For this, hackers first seek to understand all the intended use cases of a system and take into consideration all its components.
Hackers must keep developing this mindset and never stop learning. This allows them to think both from a defensive and an offensive perspective and is useful when looking at something you have never experienced before. By creating best practices, understanding the target, and creating attack paths, a hacker can deliver amazing results.