Should you employ a former black hat hacker?

In hacking, as in life, it is not just good and bad, black and white: there is a grey area

Should businesses be employing former hackers? Converted black hat hackers have amassed the experience needed to test cybersecurity systems properly and many organisations are providing them with a clean slate to bolster defences. However, recent evidence indicates that more white hat hackers are being tempted to commit cybercrime. So although ex-criminals looking to redeem their past sins are likely to have the nous and skill to protect a company, can they be trusted? Ultimately, is it worth the risk?

FOR: hiring black hat hackers

David Warburton, senior threat evangelist at application services organisation F5 Networks, believes the knowledge amassed by cybercriminals is invaluable for businesses trying to shore up their defences. “When we employ contractors to work on our homes, we tend to look for someone with strong hands-on experience,” he says. “So while it may sound counter-intuitive to make use of ex-criminals to help plan and test our cyberdefences, the one thing they have in abundance is hands-on experience.

“Security architects have a wealth of knowledge on industry best practice, but what is often lacking is first-hand experience of how attackers perform reconnaissance, chain together multiple attacks and gain access to corporate networks. Application defenders need to consider every single possible angle of attack. With technology and vulnerabilities constantly evolving, it is a never-ending mission with no tangible finish line. Cybercriminals, by contrast, only need to find one area of weakness to get in and claim victory.”

Ben Sadeghipour, hacker operations lead at HackerOne, a growing platform that is accessed by approximately 300,000 white hat hackers, looking to gain bug bounties, agrees. “It can be hard to work with ex-cybercriminals because of the ‘baggage’ they come with,” he says, adding that it is still worth it. “The best part about working with hackers with a cybercriminal background is that, in some cases, possibly most, they understand how to demonstrate a real-world scenario in which a malicious actor could abuse a certain vulnerability or functionality.”

Luke Vile, cybersecurity expert at PA Consulting, continues this theme. “Many large organisations understand there is sometimes a great deal of value in understanding how cybercriminals think and operate in the real world,” he says. “Plus, there is a huge difference between paying individuals known to be involved in criminal work and using the specialist skills of people who have actively chosen to use their talents for the good of security.”

What is being done to keep black hat hackers on the right side?

Steps to ward off would-be black hat hackers from the dark side are being taken. Mr Vile’s employers, in collaboration with the National Crime Agency and Cyber Security Challenge UK, recently ran an Intervention Day workshop that showed young IT enthusiasts the rewards of using their cyber-skills ethically and legally. He continues: “The programme introduces the Computer Misuse Act 1990, and combines technical exercises with industry insights and careers advice.”

Furthermore, redemption should be encouraged, says Sam Curry, chief security officer at Cybereason. “For years, I believed that those who had transgressed should not be rewarded or hired at all,” he says. “They couldn’t be trusted and, most importantly, their former dark work was too often being glorified or used for gain by hirers. However, I have changed my mind in my old age.

“I’m glad I did because some of my best colleagues now used to be my adversaries, and I apologise to those I didn’t try harder to help 20 years ago and blocked form hiring in my companies because of their black hat, for-profit endeavours. Over the last 30 years, many famous, infamous and not-so-well-known black hat hackers have shown genuine remorse and contributed to the public good.”

No one-size-fits-all procedure for hiring hackers

“Every hacker is a unique case and generalisation is dangerous. What matters most, though, is that people with skills to harm learn the moral and ethical lessons of their errant ways and work towards the public good. Given time, many reform and utilising their skills is a tremendous benefit to the industry.”

If ex-black hat hackers are employed, more-than-adequate checks have to be in place, at least to begin with, urges Naaman Hart, cloud services security architect at Digital Guardian. “Initially, I can understand the need for some controls, but there should be an obvious expectation on both sides that trust is being built up with regular opportunities to prove that trust,” he says. “Lasting stigma over being an ex-criminal is proven to be more likely to lead to reoffending as a form of spite. In our system of law, we must believe in rehabilitation and be open to it, otherwise it just doesn’t work.”

In our system of law, we must believe in rehabilitation and be open to it, otherwise it just doesn’t work

AGAINST: hiring black hat hackers

Five years ago, everyone knew about the much-lamented paucity of skilled cybersecurity professionals. That lack of talent is no longer a problem, though, and there still is no need to employ former black hat hackers as penetration testers. So says Ian Glover, president of Crest, the international not-forprofit accreditation and certification body that represents and supports the technical information security market.

“The UK cybersecurity services market is one of the most mature in the world,” he says. “We have benefited from the development of a higher education system that generates significant numbers of cybersecurity professionals, a mature training market that allows people to cross-train into the industry and well-structured career pathways to promote professional practices, underpinned by codes of conduct and ethics that are both meaningful and enforceable.

“Therefore, the need to look at using cybercriminals to support the industry is not appropriate and is not necessary. This practice of using ex-offenders is not used in other professions, so if we want and need the industry to be viewed as a profession, this should not be encouraged.”

Many black hat hackers lack the skills to work in a team

Lisa Forte, founder of Red Goat Cyber Security, contends: “The reality is that very few organisations use ex-black hat hackers at all. There is a multitude of reasons for this. Firstly, a common concern is that if it all goes wrong and they decide to attack you, it would be a PR disaster for the company. “Secondly, the skillsets required don’t quite match up. A lot of the black hat hackers I’ve encountered seem to work almost entirely as lone wolves. Working for the cybersecurity team of a big company requires a high degree of teamwork and collaboration.”

Steven Furnell, senior member of the Institute of Electrical and Electronics Engineers and professor of security at the University of Plymouth, has a similar view. “Being an ex-criminal is not a direct indication of capability; it simply means that they were breaking the law and were caught doing so,” he says.

“While the idea of poacher turned gamekeeper has some credibility if you are looking for someone to think like an attacker, it doesn’t necessarily mean they have the knowledge or skills to introduce the necessary protection.”

Besides, in this digital age when attack vectors are multiplying, if you are encouraged not to trust anyone in your organisation, why take a risk on ex-criminals? “We are seeing more instances of the malicious insider causing damage to company productivity, revenue, intellectual property and reputation,” says Marcin Kleczynski, chief executive and founder of anti-malware software organisation Malwarebytes.

“We must up-level the need for proper security financing to the executive and board level. This also means updating endpoint security solutions, and hiring and rewarding the best and brightest security professionals who manage endpoint protection, detection and remediation solutions.”

Talent and skills are hard to find, but employing an ex-black hat requires a level of trust that cannot afford to be abused

Black hat hackers can often earn much more money than cybersecurity professionals

However, given that Malwarebytes’ recent research indicates cybersecurity professionals in the UK admit to participating in criminal activity almost twice as much as the global average, engaging canny ex-convicts might not be smart.

Indeed, the August 2018 research identified the emergence of the “grey hat” hacker, those overlapping the realms of the “good” white hat and “bad” black hat hackers. The key findings include one in thirteen security professionals in the UK owned up to grey hat activity, compared with one in twenty two globally, and 46 per cent of respondents said it is straightforward to commit cybercrime without being caught. Moreover, the main driver for black hat hacker transgression is the opportunity to earn more money than security professionals, according to 54 per cent of those surveyed.

Warren Mercer, technical lead at threat intelligence group Cisco Talos, says: “It’s a tricky situation. Ex-black hat hackers are likely to have unique insights and skills which can help identify and fix specific vulnerabilities, but these people are criminals.

“The industry has typically relied on individuals having a certain level of integrity, especially given that they could be granted access to a myriad of information, whether that’s bank details, healthcare details, important conversations with loved ones or private pictures. Talent and skills are hard to find, but employing former black hat hackers requires a level of trust that cannot afford to be abused.”