Computer code on a screen with a skull representing a computer virus / malware attack
© Getty Images/iStockphoto

In late 2019, Dawn Isabel was on the hunt for glitches and vulnerabilities in a particular mobile application. She was taking part in the app maker’s “bug bounty” programme — the development stage when a business hires hackers to find weaknesses in its systems.

“On TV, it looks exciting, with lots of bright green text, and six screens,” Isabel says, of the way this work is sometimes portrayed. “In reality, it’s me hunched at my laptop for hours straight, scrolling.”

But, eventually, Isabel — who also works full time as the director of research at mobile security company NowSecure — “hit the jackpot”. She discovered a devastating vulnerability in the app and soon collected a tidy five-figure sum as a reward.

Dawn Isabel, director of research at mobile security company NowSecure
Dawn Isabel, director of research at mobile security company NowSecure

It is this work by so-called ethical hackers that helps to protect the companies — from Big Tech giants such as Google, Microsoft and Facebook through to bootstrapped start-ups — against nefarious digital actors. And it has proven increasingly lucrative for those taking on the task.

“Companies have been opening up more and more,” says Tanner Emek, a 32-year-old ethical hacker. Over the past four years, he estimates to have made $1mn in bug bounties.

These typically range from the thousands to the hundreds of thousands of dollars. “Not only are more companies running bug bounty programmes, the scope seems to be getting wider as well,” he adds.

According to Bill Conner, chief executive of cyber security group SonicWall, ethical hacking, which has existed since the 1970s, is evolving.

It used to focus on a “single purpose”. This might be, for example, a penetration test — a simulated cyber attack on a computer system to expose flaws — or vulnerability hunting in products. “But now it’s also gone to [testing] your business network, your internal network for vulnerabilities,” Conner adds. “It’s gone to phishing and email testing. It’s gone to cloud testing. It’s become a fully fledged business.”

This development comes as cyber crime has continued to grow rapidly during the shift to remote working. In particular, ransomware attacks — whereby hackers lock up data or computer systems until they are given a pay off — have become one of the biggest cyber security headaches for the private and public sectors in the past two years.

IT and supply chain industries have been targeted, as well as critical infrastructure — such as the Colonial Pipeline, which was hacked last year, disrupting US fuel supplies for several days. Applications connected to the “Internet of Things” have proved vulnerable, too.

Nation state cyber attacks also continue apace, with attacks rising particularly amid the conflict between Russia and Ukraine.

An out of service bag covers a pump handle at a gas station in Fayetteville, North Carolina
© Sean Rayford/Getty Images

Marten Mickos, chief executive of HackerOne — which matches companies with potential ethical hackers — says his business has 1.5mn hackers signed up to its platform.

“There are a lot of young people who are growing up pretty disillusioned with this world,” explains Mickos, “and they’ve been gamers all their youth.” It turns out that “they are the best experts”, he says.

He considers HackerOne, one of the biggest bug bounty platforms alongside cyber security group Bugcrowd, to be a “conveyor of trust”, which vets and then vouches for the skills and reputations of the hackers who sign up.

Mickos believes the sector is becoming “more professional”. Ethical hacking education and certifications are emerging as features of it, with governments also encouraging programmes.

On top of individual ethical hackers that sign up with platforms, there are also teams within cyber security organisations that do similar work on behalf of clients.

Charles Henderson, global head of IBM’s hacking unit X-Force Red
Charles Henderson, global head of IBM’s hacking unit X-Force Red

Charles Henderson, global head of IBM’s hacking unit X-Force Red, says his team recorded a 33 per cent rise in the number of network compromises caused by vulnerability exploitation in 2021, compared with the previous year.

He argues, however, that the focus should not “just be about keeping attackers out, but testing that you can detect hackers once they’re in”. 

This is a different art. Hackers may quickly fire out attacks but, once they are inside a network, they will move slowly and deliberately to avoid being noticed. “When they are in, are you going to know they’re there?” Henderson says.

Making it harder for adversaries to move within systems requires strong authentication tools to ensure that employees are who they say they are, and are not given unfettered access to systems and data they do not need. This is particularly important as some companies will allow third parties in their sprawling supply chains to access their systems.

“Threat actors in ransomware exploits look at the attack surface, and how well things are hidden behind Chinese Walls,” says Ondrej Krehel, head of digital forensics and incident response at cyber security monitoring platform SecurityScorecard. “And they will also look at how authentication and authorisation will work.”

But offensive cyber security has limits and grey areas, warns Maya Horowitz, research director of Check Point, a cyber security provider. Some advocate “hacking the hackers” — also known as hacking back — but this is against the law in most countries, she notes.

It is also possible that ethical hackers could leak information on vulnerabilities to the press, or other hackers, before a company has time to fix it. The risk of hackers being drawn in by lucrative criminal activity remains real. “Hacking tools are sold on the dark web,” Horowitz notes, which, for hackers, can enable activities that are “more profitable than bug bounty programmes”.

Copyright The Financial Times Limited 2022. All rights reserved.
Reuse this content (opens in new window) CommentsJump to comments section

Follow the topics in this article