
In Today's Threat Environment, Ignoring the Support of Ethical Hackers is Negligent

Image credit: rmdisk/BigStockPhoto.com

Google ‘ransomware attack’ or ‘breach’ and sift through the recent results. Note how often these attacks are described as “unprecedented” - in scope and size, and even in target. From schools, financial firms, and hospitals to Hollywood studios - no one is safe from the predation of cybercriminals and ransomware groups.

This is because the average organization’s attack surface is larger than it's ever been - broadened by the rise of multi-cloud computing, the proliferation of third-party SaaS platforms, and the continued expansion of the Internet of Things. Increasingly, though, it also has to do with the rise of GenAI, which has the potential to expand attack surfaces quickly and scale the ways in which attackers infiltrate organizations.

There is a viable solution to this metastasizing problem, one that more and more organizations are turning to daily. It's called ethical hacking, and it represents the best chance organizations have to get ahead of the bad actors - and get back to the work that matters.

What is ethical hacking?

Put simply, an ethical hacker is someone who finds flaws in systems and reports those gaps to help secure the internet. They know all the tricks and they know how criminals think; they are creative and bring a natural curiosity that makes them uniquely equipped to find the most impactful vulnerabilities. Increasingly, it seems they are the best shot we have at clawing back some measure of safety and sanity in this overwhelming threat environment.

Hackers are masters of drilling into the “unknown unknowns,” also known as zero-day vulnerabilities - this is a crucial part of their skill set. These zero-day vulnerabilities represent the greatest threat to organizations, and they can be almost impossible to find by conventional means. Automated tools struggle to find them because automated tools are programmed to find patterns - and zero-day vulnerabilities don’t necessarily conform to known patterns. Today’s internal cybersecurity personnel are overstretched and benefit greatly from a global community that not only scales the capabilities of internal teams but offers a set of diverse perspectives - essential to finding hard-to-spot weaknesses.

The hacker, in this context, is an unbiased outsider - a pair of fresh eyes. These experts proactively identify security vulnerabilities, enhancing your organization's overall security posture while drastically reducing the risk of cyberattacks. In fact, most hackers are confident they can find vulnerabilities that automated solutions fail to identify.

Some who have not yet embraced the global hacker community fear they will access unauthorized parts of their systems. After all, if you don’t know who they are, how can you trust them? But this is misplaced; the reality is cybercriminals are already trying to attack you. You can only invite in the good actors - the bad actors don’t ask for permission.

In today's cybersecurity environment, the importance of this function cannot be overstated. According to Google's most recent Threat Analysis Group (TAG) report, 41 zero-day vulnerabilities were exploited and disclosed in 2022. Though a decline from the previous year's number, this still represented the second-worst year for zero-day vulnerabilities since TAG began tracking them ten years ago. And with AI expanding the threat landscape, we can only expect this problem to get worse.

In recent years, the ethical hacker has entered the mainstream of cybersecurity defense: critical institutions like the Department of Defense now routinely run bug bounty programs. Meanwhile, key methods powered by hacker expertise, like penetration testing, have become de rigueur at organizations of every size, both to prevent security breaches and to help organizations stay in compliance with rapidly expanding government regulations around cybersecurity.

It's no surprise, then, that many organizations feel better positioned to resist cyberattacks thanks to hackers - the simple fact is that ethical hackers work. In the wake of Log4Shell, hackers quickly helped organizations find instances of the vulnerability so internal teams could make preemptive fixes before bad actors exploited the widespread zero day. Hackers also regularly identify pervasive vulnerabilities, like cross-site scripting, that continue to elude automated scanners and internal security teams.

Why ethical hackers matter

As GenAI technology continues to rapidly advance, the attacks we’ve been discussing here will only increase. We can see prime evidence of this by looking at how the good actors use it. According to research conducted by HackerOne, the majority of hackers - 61% - are already developing hacking tools that employ GenAI to find more vulnerabilities, and 53% are already using it in some way. If hackers are using it, you can be more than confident that cybercriminals are using it too.

It’s important to keep the stakes in mind here. Even a relatively contained attack can lead to weeks of downtime and millions in lost revenue, not to mention stolen customer data and the subsequent loss of trust. Overlaying all of these factors is the matter of compliance: especially for organizations in highly regulated industries, laws surrounding data have proliferated in recent years, and compliance failures on this front can lead to punishing fines and even criminal prosecution. Regulatory momentum in favor of vulnerability disclosure also continues to grow: the National Institute of Standards and Technology’s (NIST) latest framework requires SaaS vendors to establish a public policy for receiving vulnerability reports, such as a vulnerability disclosure program, so that the public and ethical hackers can disclose vulnerabilities.

In addition to ongoing testing, hackers can help organizations through more formal assessments. By performing security assessments - such as penetration tests - for in-depth security testing, they can ensure that businesses remain compliant and adhere to established industry cybersecurity standards. Hackers provide stronger results than most traditional consultancies because hackers are invited to participate only based on evidence of strength. You know who you are getting, and it’s someone with proven hacking expertise.

Given all this, it’s no surprise we’ve seen a surge of interest among business leaders in engaging hackers in recent years. For one thing, hackers have definitively proven their effectiveness in both the public and private sectors. And they have done this at a time when their services are needed more than ever, especially in the government sector. For instance: last November, Michael Duffy, associate director for capacity building in the cybersecurity division of the Cybersecurity and Infrastructure Security Agency (CISA), said that the agency had seen "a really high increase in zero-day activity" across the globe, which had impacted networks "throughout the federal government."

The defensive advantages that hackers provide can be ignored only at an organization's peril. This is quickly becoming consensus wisdom, with businesses as diverse as Coinbase, General Motors, Goldman Sachs, Hyatt, Visa, and more all deploying ethical hackers. In a perilous threat landscape, these hackers serve as an indispensable force multiplier, flagging vulnerabilities that software could never hope to find, and doing so cost-effectively and at scale. Failing to embrace this global pool of cybersecurity expertise is ignorant at best and negligent at worst.

Author

Chris is a seasoned leader best known for his work on Google Project Zero, Chrome Security, vsftpd and vulnerability research. He is currently the chief hacking officer at HackerOne. He has a history of building and looking after highly successful teams and also a history of initiatives that seem progressive at first but tend to become best industry practice over time.
