Why Crowd-sourced Pentesting Isn’t All it’s Cracked Up to Be

pentesting, Risk Requests, risk management framework

Crowds have always been a powerful thing, but before the Internet came along, it was difficult to harness them. Now things have changed: almost anything can be powered by crowds these days, from funding initiatives to news coverage, research and more. But is crowd-sourcing the right approach to penetration tests? Some people think so.

According to a report by Bugcrowd, there are thousands of crowd-sourced security programs today, attracting clients that range in size from small businesses to publicly traded enterprises like Motorola Mobility. And while these programs offer a number of services, the most popular one is “penetration testing” – or at least, something that goes by that name.

The fact is, crowd-sourced penetration testing isn’t like the non-crowd-sourced version at all. And while there are advantages to each approach, there are also good reasons to choose the latter over the former. To understand why, we have to start by explaining the differences between them.

Crowd-sourced vs. Traditional Pentesting

The goal of a penetration test (or pentest) is to find, document and score vulnerabilities in an information system before they are used by hackers or other malicious agents to gain unauthorized access. To do this, a pentester approaches a system just like a hacker would, from conducting reconnaissance to attempting simulated “attacks” that confirm whether a detected vulnerability is really exploitable.

Traditionally, an organization defines the goal of a pentest and hires a team of security professionals to conduct it over a limited period of time. During a crowd-sourced pentest, an organization offers a bounty to anyone who can discover a vulnerability on their systems, often through an agency with access to thousands of white-hat hackers who may or may not be professionals.

There are some advantages to the crowd-sourced model:

  • Timeframe – crowd-sourced pentests take place over an undefined timeframe and may carry on indefinitely. This allows new vulnerabilities to be discovered as an organization continues to develop and change its systems.
  • Cost – a crowd-sourced pentest is typically cheaper than the traditional kind, since organizations pay for each discovered vulnerability rather than for the test itself.

In many ways, crowd-sourced pentesting is similar to the bug bounty programs that companies have used for years to find flaws in their online platforms – and, in fact, many startups in the security industry started out as bug bounty agencies. But what works well in one context may not work well in another, and that brings us to the problems in the crowd-sourced model.

The Dangers of Crowd-sourced Pentesting

Crowd-sourced pentesting – no matter how it’s advertised – is the organized practice of inviting real hackers to hack your company and helping them to get started. A bug bounty on a public-facing website exposes it to nothing it was not already exposed to, because anyone on the Internet could probe it anyway. Crowd-sourced pentesting, by contrast, requires an organization to connect internal systems to public channels, potentially exposing sensitive data and intellectual property to a group of individuals who suffer from:

  • A lack of ethical obligations – traditional pentesters are held to a high ethical standard because their careers depend on it. They cannot hide from suspicion or blame when something goes wrong. Meanwhile, crowd-sourced hackers are often anonymous to their clients, and – while they may be required to sign a contract – in practice nothing can stop them from hiding their discoveries, or using what they find in a malicious way.
  • A lack of professionalism – since crowd-sourced pentesting agencies require a large volume of talent, the quality and experience of the “hackers” they contract is wildly inconsistent. Moreover, today’s hackers often work in groups, and that’s why traditional pentesters do likewise; crowd-sourced pentesters may be lone-wolves that compete with one another for profit, generating conflict when two individuals find one vulnerability at the same time.
  • A lack of focus – when an organization defines a pentest engagement, it typically has a clear view of what it wants the test to address and has defined rules of engagement. The crowd-sourced approach tends to lack that focus, and the results may be very inconsistent with the organization’s objectives.

In short, crowd-sourced pentesting removes the vital element of control that organizations normally exercise over their security operations. For this reason, companies who do invest in crowd-sourced programs – including Google, Mozilla and Facebook – also retain traditional pentesters to protect their most vital internal systems, and only use crowds where the danger does not outweigh the cost savings.

Why Crowd-sourcing is Really Popular

Aside from the low cost and flexibility that it provides, crowd-sourced pentesting is gaining in popularity due to a perception that professional pentesters aren’t “real hackers”. It is an understandable assumption: as time goes by, pentesting as a field has become dominated by automation, which simply cannot rise to the human capacity for creativity and disruption.

We’re not here to deconstruct the term “real hacker” or call it a meaningless construct, because it’s not.

Hackers are not predictable. Unlike security professionals in many other fields, they do not take a linear or hierarchical view of information systems. They do not work from a CVE list, manual or rule book. Therefore, hiring a company that claims to provide “real hackers” might seem like a good solution. But real hackers are also as likely to be found working as traditional pentesters as they are anywhere else.

A Better Solution

The best hackers in the world know how to use their talents to make a sustained and comfortable living. They neither spend their days running from the law, nor do they troll the web looking for quick profit or glory. The best hackers are genuinely invisible, hiding in the very places where many assume they can’t be found.

At Securicon, we take pride in our exclusive team of bright-minded hackers from commercial, DoD and federal security backgrounds. We turn down 90% of applicants, because our pentesting program is reserved for the best and brightest in the business. We only accept talents with the right mindset for this unique occupation: they can find windows of opportunity where scanners and lesser minds see a blank wall.

The Bottom Line

At best, crowd-sourced pentesting works in a limited range of scenarios. It can help to secure public-facing systems and other addresses that are not directly linked with your internal network. However, it’s far from the best way to find vulnerabilities in your vital assets: trained penetration testers are hackers who have the intelligence, experience and creativity that it takes to find problems by working together, and the ethics to report them responsibly.

Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cybersecurity, we are here to help you manage the risks for Industrial Control Systems. Contact us for more information.

Always Expect the Worst: Anticipating Threats with Cyber Hunt

Once upon a time, security was about mitigating risks to an organization by following best practices and responding effectively to incidents when they arose.

This compliance and risk-based mindset is no longer enough: the past several years have seen escalating breaches and organized cyber-crime, showing that safety is now the exception and not the rule. A threat-based mindset is the only solution.

First, organizations asked themselves, “will we be attacked?” Later, “when will we be attacked?” Now the most logical question is: “when will we realize we’ve already been attacked?”

This is the philosophy behind cyber hunt: “the bad-guys are already here, and now we must find them.”

What is(n’t) Cyber Hunt?

Despite the fancy name, cyber hunt is a methodology that many organizations follow – in whole or in part – without actually calling it that. Simply put, hunting entails proactively searching for, anticipating, and eliminating threats to an organization’s security using tools, techniques and procedures designed to find and eradicate suspicious activity. Many of these tools are the same as those used by the adversaries themselves.

Unfortunately, a lot of misconceptions surround cyber hunt, and sometimes – like the Tao – it’s easier to explain by explaining what it’s not. For instance, cyber hunt is not…

1. Incident Response

With the number of breaches that have already occurred in 2019 alone, it’s easy to understand why organizations go searching for a band-aid. But the point of cyber hunt is to eliminate threats before they have consequences.

Fixing a security breach is reactive; cyber hunt is proactive.

2. Spy vs. Spy

The term “hunt” means “track and kill,” which lends itself to the impression that cyber hunt entails “hacking the hackers”. But while this notion may occasionally apply in government contexts, it does not apply in the commercial space.


First of all, the laws against unauthorized access apply to ethical hackers just as they do to anyone else, so in the vast majority of cases a private organization cannot legally retaliate. Secondly, cyber hunt is about tracking and eradicating threats, which means pushing malicious actors out of a system; it doesn’t mean going after them or “hacking back”.

3. Pen Testing

It’s easy to understand why pen testing gets mixed up with cyber hunt. The two practices overlap in many ways, and – as we will see – pen testing is part of the cyber hunt toolkit. Pen testing is useful for diagnostics and discovery of known weaknesses, but novel threats and attack vectors generally lie outside its scope. They do not lie outside the scope of cyber hunt, which looks for evidence of an adversary already at work rather than for the weaknesses one might use to get in.

How The Game is Played

At Securicon, we have refined our cyber hunt methodology for over a decade in conjunction with branches of the U.S. military and public corporations. Not every step of a full hunt is always necessary – the point is to fit an organization’s unique security needs.

1. Mission Analysis

Unlike generalized areas of risk management, cyber hunt focuses on identifying and protecting the critical systems or assets that are essential to an organization’s success, such as financial systems, manufacturing systems and applications, or Industrial Control Systems. With this understanding, our cyber hunt teams conduct thorough interviews to assess:

  • Mission Objective – establishes the core functions and objectives of an organization. In the private sector, this is likely the successful delivery of a product or service.
  • Key Terrain – applies to all systems critical for accomplishing the mission objective, including systems, applications, servers, firewalls, etc. Systems related to non-core functions such as company email are generally not considered key terrain.
  • Threat Profile – every industry, business and government branch has a history of threats that can be analyzed to identify the most vulnerable areas of an organization and the style of attacks it is likely to face. We also work to determine who the likely threat actors are, based on known adversarial intent and the ability to exploit vulnerabilities specific to the organization we are supporting.

2. Vulnerability Analysis

Searching for threats begins by checking for known vulnerabilities. This is the area where pen testing and cyber hunt intersect, but a hunt goes on to consider many other sources of evidence that a pen test would not, including:

  • Scans for anomalous network activity and other indicators of compromise
  • “Dropped” files (files written to a host by an intruder or by malware, a sign that a system has already been entered)
  • Keyloggers, trojans, backdoors and other forms of malware

Some organizations will go so far as deploying a Red Team to simulate an actual attack on their systems, which takes the guesswork out of determining what can really be compromised.

The discovery of a vulnerability is only the first step in a longer process of aggressively seeking out threats. Items found during an initial sweep are often superficial in terms of risk factor but discovering them can lead down deeper rabbit holes, leading to the fun stage.
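As an added illustration of the first kind of evidence listed above, searching for anomalous network activity, the following Python script is example code written for this page; it is not Securicon’s tooling. It tests one common hunt hypothesis: an implant that checks in to its controller on a timer produces near-constant gaps between connections from one host to one destination, whereas user-driven traffic is bursty. It also matches destinations against an indicator list. The log format, the addresses (drawn from the reserved TEST-NET ranges) and the indicator list are all constructed for the example.

```python
"""Hunt for C2 beaconing and IOC hits in outbound connection logs.

Each (src, dst) pair is scored on the regularity of the intervals between its
connections (coefficient of variation = stddev / mean); a low value with
enough connections suggests a timer-driven beacon. Every destination is also
checked against a list of known-bad indicators.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines for the example (not real traffic). Assumed
# format: "<ISO8601 UTC timestamp> src=<ip> dst=<ip> port=<n> bytes=<n>".
SAMPLE_LOG = """\
2019-05-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 port=443 bytes=512
2019-05-01T10:00:00Z src=10.0.0.9 dst=198.51.100.20 port=443 bytes=14020
2019-05-01T10:00:05Z src=10.0.0.9 dst=198.51.100.20 port=443 bytes=8831
2019-05-01T10:01:00Z src=10.0.0.5 dst=203.0.113.7 port=443 bytes=498
2019-05-01T10:02:01Z src=10.0.0.5 dst=203.0.113.7 port=443 bytes=505
2019-05-01T10:03:00Z src=10.0.0.5 dst=203.0.113.7 port=443 bytes=511
2019-05-01T10:04:00Z src=10.0.0.5 dst=203.0.113.7 port=443 bytes=502
2019-05-01T10:05:00Z src=10.0.0.5 dst=203.0.113.7 port=443 bytes=509
2019-05-01T10:07:30Z src=10.0.0.9 dst=198.51.100.20 port=443 bytes=2200
2019-05-01T10:07:31Z src=10.0.0.9 dst=198.51.100.20 port=443 bytes=91000
2019-05-01T10:12:14Z src=10.0.0.12 dst=192.0.2.44 port=8080 bytes=1300
2019-05-01T10:25:00Z src=10.0.0.9 dst=198.51.100.20 port=443 bytes=410
2019-05-01T10:26:10Z src=10.0.0.9 dst=198.51.100.20 port=443 bytes=3020
"""

# Constructed indicator list (hypothetical address, not a real IOC).
KNOWN_BAD_DSTS = {"192.0.2.44"}


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
                "port": int(fields["port"]), "bytes": int(fields["bytes"])}
    except (ValueError, KeyError):
        return None


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation), or None if too few events."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m == 0:
        return None
    return m, pstdev(gaps) / m


def hunt(log_text, ioc_dsts, min_count=5, max_cv=0.1):
    """Return findings as dicts with src, dst, reason ('beaconing' or 'ioc_match') and detail."""
    by_pair = defaultdict(list)
    findings = []
    ioc_seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the hunt
        pair = (rec["src"], rec["dst"])
        by_pair[pair].append(rec["ts"])
        if rec["dst"] in ioc_dsts and pair not in ioc_seen:
            ioc_seen.add(pair)
            findings.append({"src": rec["src"], "dst": rec["dst"], "reason": "ioc_match",
                             "detail": f"connection to listed indicator at {rec['ts']:%H:%M:%S}"})
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stats = interval_stats(stamps)
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:  # near-constant interval: timer-driven check-in
            findings.append({"src": src, "dst": dst, "reason": "beaconing",
                             "detail": f"{len(stamps)} connections every ~{mean_gap:.0f}s (cv={cv:.3f})"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, KNOWN_BAD_DSTS):
        print(f"{f['reason']:10} {f['src']} -> {f['dst']}: {f['detail']}")
```

On the constructed data this flags 10.0.0.5 beaconing to 203.0.113.7 roughly once a minute and the single connection from 10.0.0.12 to the listed address, while the irregular browsing-style traffic from 10.0.0.9 is left alone. In a real hunt the same logic would be run over proxy, NetFlow or Zeek connection logs; implants that add jitter to their sleep timer raise the coefficient of variation, so the `max_cv` and `min_count` thresholds are starting points to sweep, not fixed rules.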

3. Monitor and Remediate

After threats are discovered, they are – of course – remediated. But the work of a cyber hunt team isn’t finished: if there was a motive to strike once, there will be a motive to strike once more, and systems will continue to be monitored.

Forensic analysis may be conducted on malware, network activity and other traces of an attack to find more information about the perpetrators. This information can be used to uncover more threats and identify them more quickly in the future.

A Level Playing Field

A rise in threat-oriented mentality is a result of the rise in cyber threats, which in turn has much to do with several trends, including:

  • Political motives for cyber-terrorism
  • Thriving black markets for personally identifiable information (PII)
  • Increased availability and low cost of hacking tools and hardware
  • Rise in organized, advanced persistent threats (APTs)

Yesterday’s landscape of threats mainly consisted of small-time black-hats, script kiddies and the occasional nation-state actor. Today, formidable threats can arise anywhere at any time.

We hear all about the attackers: it’s time to arm the victims. By using the tools and methods that create threats to eliminate them, cyber hunt finally levels the playing field for everyone.

Dave Carpenter leads a team of skilled security and risk management professionals. He has managed several major cybersecurity initiatives enhancing the overall security posture of our clients.

Prior to Securicon, Dave supported the Information Assurance team at Spirit Aerosystems, where he developed, implemented, and coordinated a Global Risk Management Program based on RMF, and was on the Business Management team for New Programs. Additionally, he was a Security Consultant at ICF International, creating and enforcing security and privacy policies, and TSA’s Registered Traveler Program.

David served in the U.S. Air Force, both Active Duty and Reserve. He serves in the Maryland ANG, managing, training, and equipping a Cyber Operations Force and recently led a Cyber Vulnerability and Analysis Hunt team.

Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments, which are trusted by critical infrastructure companies across the U.S. and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!