Taking Back the Internet

Cybercriminals are launching fresh attacks on 30,000 websites a day — just under 11 million a year. Amid this chaos, women from a variety of backgrounds are proving to be part of a solution that encompasses mainstream and less conventional methods.

By Jon Reisfeld, SWE Contributor

Cybercriminals have been busy. They’re innovating, specializing, and reinventing themselves, their tactics, and their strategies in profound ways. Ransomware gangs have started renting out their malware to others for a piece of the action in a new business model called “ransomware as a service.” Others are specializing in “initial access,” compiling, and then selling, lists of leaked passwords, logins, remote desktop connections, compromised routers, IP addresses with default passwords — and more.

Keren Elazari explains ethical hackers and their value to society during her famous 2014 TED Talk. Elazari is the founder of Israel’s largest security research community, BSidesTLV, and the founder of Leading Cyber Ladies, a global professional network for Women in Cyber Security.
Photo Credit: Nadav Hekselman

“These are not opportunistic hackers — one guy sitting in a basement, hoping for a big payday,” said Keren Elazari, an Israeli security analyst and cybersecurity consultant to a list of blue-chip clients. “These are organizations. They’re clever. They’re innovative. They’re agile. And they’re very incentivized.

“The past year,” Elazari said, “has really created a cybercrime renaissance for them.” It’s an opportunity, she added, that everyone seems eager to cash in on.

Elazari’s clients are leading security firms, Fortune 500 companies, and government agencies. They depend on her to accurately predict cybercriminals’ next moves so they can plan ahead and respond accordingly. She has been closely monitoring criminal activity on the dark web, finding that the lockdown had cut the criminals’ access to lucrative, traditional organized crime activities such as human trafficking, the drug trade, prostitution, and more — all activities that depend on the free movement and interaction of people. The one constant that remained accessible to them through it all, she said, was the internet. So, they focused their time, energy, and resources on cybercrime enterprises.

From the attackers’ standpoint, the global lockdown produced unprecedented opportunities to achieve a quick payday. “They can gain access through many more devices,” Elazari said. “They don’t need to go past a big, scary firewall. All they need to do is attack a single router in an employee’s home.”

Keren Elazari gives a live keynote address prior to the COVID-19 outbreak. Elazari, who refers to herself as “the friendly hacker,” is the founder of Israel’s largest security research community, BSidesTLV, and the founder of Leading Cyber Ladies, a global professional network for Women in Cyber Security.
Photo Credit: OurCrowd

Adopting a useful metaphor

Elazari is one of a number of women deeply engaged in efforts to fight cybercrime. Taking a decidedly nonconventional approach, back in 2014, she gave a TED Talk that changed how the world views hackers and how hackers view themselves. In her now famous talk, which has been seen more than 2.7 million times and translated into 30 languages, Elazari drew a clear distinction between “malicious” hackers — cybercriminals, who run online scams and steal millions — and “ethical hackers” like herself, people who are compelled to explore active, online code to satisfy their intense curiosity about how things work.

She stressed that while “ethical” hackers don’t always follow the rules and sometimes “wind up on the other side of the fence,” they clearly are not criminals. Instead, she proposed that they might be uniquely qualified by natural ability, temperament, and inclination to collectively serve as the “immune system for the Information Age.”

Elazari provided an honest, unapologetic assessment of hacker conduct. She described their decidedly egalitarian impulses, their fierce online “hactivism,” their intense curiosity, their technical genius, their collective sense of humor, and, most importantly, their two overriding compulsions: their desire to take complex things apart to see how they work and their intense need to fix — or exploit — whatever they find that is broken. She presented them, more or less, as a misunderstood force for good.

Throughout her talk, Elazari inserted stories about well-intentioned hackers who had tried, and failed, to alert tech companies and government organizations about the presence of serious vulnerabilities in their code — errors that they had discovered while hacking into their websites and computer networks without permission, something that was technically illegal. (In other words, they had put themselves at risk, trying to do the right thing.)

Generally speaking, there are two reasons hackers fail to deliver their messages. Either the organizations involved lack formal vulnerability disclosure programs (VDPs) — procedures for hackers to use to voluntarily report vulnerabilities, without any thought of compensation — or they deeply distrust hackers who freely invade their digital space.

Elazari’s “immune system” metaphor quickly caught on, both inside and outside the hacker community, and it helped guide the conversation about the evolving role ethical hackers should play in cybersecurity. It is frequently invoked by cybersecurity industry leaders, bloggers, and others as an effective shorthand to describe how ethical hackers contribute to the internet’s well-being.

The term’s growing influence was why Elazari was the only woman hacker included in a February 2020 article in Cybersecurity Magazine about the 20 most influential hackers of all time.

Yet, back in 2014, a hacker-driven global “immune system” seemed far-fetched. A handful of online startups — then in their infancy — were trying to build sustainable business models around the notion. But compared with the relentless daily assault on the internet by criminal actors, the scale of these startup operations was puny.

Two of the most popular hacker communities were San Francisco-based Bugcrowd and HackerOne. These online “hacker platforms” ran bug bounty programs (BBPs) that paid ethical hackers cash for each vulnerability or “bug” that they found in code running on their sponsoring organizations’ websites and computer networks. By finding and fixing the bugs before cybercriminals could exploit them, the hackers were helping harden those individual pieces of the internet — and their connected computer networks — against cyberattack.

In its early years, HackerOne’s global online community numbered a few thousand hackers. While its members could immunize hundreds of individual websites at a time, they lacked the collective strength, or scale, needed to counter the actions of cybercriminals overall. Yet during the next seven years, HackerOne’s ranks would swell to include 1.3 million registered hackers, a 28,700% increase. According to company spokespeople, the community has become far more diverse, far more global in nature, and astonishingly productive. Collectively, its hacker community has now identified more than 200,000 bugs and earned more than $160 million in bug bounty fees.

In April 2020, the first complete month of lockdowns for much of the world, HackerOne onboarded 75,000 new members, at a growth rate of 900,000 people a year. Luke Tucker, the company’s vice president of community, credited much of this new interest to “unintended consequences” of the lockdowns.

Luke Tucker, HackerOne’s vice president of community, addresses attendees at a 2019 live hacker event in San Francisco.
Photo Credit: HackerOne

“A lot of social calendars screeched to a halt,” Tucker explained, leaving people who were newly unemployed or suddenly working from home with extra time on their hands to sign up for, and start learning about, hacking. “In the early part of COVID, we saw record signups, and we had record engagement as well,” Tucker said. During the July 1, 2020, fiscal year, HackerOne gained 405,000 new members, almost as many people as the platform had signed up through its first six years of operations. The company added an additional 150,000 members during the first six weeks of the 2021 fiscal year.

Yet, even before COVID, HackerOne co-founder Michiel Prins pointed out that security strategies must be continuously tested and updated.

“Organizations in both the public and private sectors must continue to evolve their security strategy beyond point-in-time solutions and increase their standards for how they test their security. Ethical hackers offer a layer of continuous testing from experts that are just as savvy as the cybercriminals that businesses are defending themselves against.”

– Michiel Prins, HackerOne co-founder

An interesting and perhaps unexpected outcome for some practitioners is the role ethical hacking plays as a steppingstone to something else. Tucker said member surveys show that just under two-thirds of the site’s members (62%) say they hack to advance their careers. “That usually means one of two things,” Tucker explained. “Either they want to go hack on a beach in Thailand doing bug bounties — and whatever they want [in their spare time] or they want to get a job as an app sec [application security] engineer or as a Red Teamer [penetration tester] within a company.”

Today, according to HackerOne’s annual 2021 Hacker Report, “there are more hackers, with more skills, from more countries than ever before.” Through them, the HackerOne platform boasts that it now offers its customers “continuous coverage [24/7] for continuous development.”

Conventional, sanctioned approaches also key

Valentine Mairet and five other intelligence analysts on McAfee’s Advanced Threat Research (ATR) team have front-row seats on cybercrime. Every day, from their base in the Netherlands, they connect remotely to McAfee servers to check news feeds about the latest active threats as the details of thousands of individual cyberattacks pour into their knowledgebase for processing and eventual storage in a massive database.

That database, Mairet said, contains “everything you need to know” about cybercrime campaigns, including individual attacks — both past and present — even warnings about potential future threats. It’s all there, she said, along with an endless sea of granular detail about the attackers’ identities, locations, preferred tools, days and times of attack, types and choice of targets, favored techniques — you name it.

Valentine Mairet, intelligence analyst for McAfee’s Advanced Threat Research team in the Netherlands and founder of Women in Cybersecurity Community Association (WICCA), a Netherlands-based nonprofit membership and education group, leads members in a workshop on offensive security practices.
Photo Credit: WICCA

“So, we get all this data,” she explained, “and we have to somehow make sense of it, and apply it, in our own infrastructure and our customers’, to see if they’ve been affected by these kinds of attacks.” (The customers she’s referring to subscribe to McAfee’s endpoint protection solution, a program that deploys threat-monitoring equipment directly on the customers’ digital networks and then enhances those capabilities with the ATR’s latest intelligence.)

Mairet uses graphs to present the data she analyzes in a way that, she said, “makes sense to everyone.” She uses software with advanced analytic and graphic capabilities, including a palette of versatile algorithmic filters that she applies to get the data to reveal its secrets. She is guided in her work by instincts developed working as a red team (attack) hacker and then as a blue team (defense) responder at a Dutch telecom company.

Together, she and the other analysts gradually piece together an accurate picture of ongoing developments on the ground, but the work can be tedious at times. Mairet’s graphs display color-coded datapoints separated by interconnecting lines denoting relationships. Owing to the sheer volume of attack data, analyzing more than a few variables at a time can quickly produce images with data so densely packed together that the graphs become impenetrable, and indecipherable, information explosions.

ATR intel has helped law enforcement solve cybercrime cases, and, on occasion, the team has helped Europol with the tracking of major cybercrime gangs, Mairet said. “They have their own intelligence, and we add to it,” she explained. “Anything they don’t have, they’ll get from us.”

Mairet notes that despite dire cybercrime statistics, a false sense of security still persists along with a general reluctance on the part of many companies and organizations to spend proactively on security.

“It’s often a money issue to be honest,” Mairet said. “People or companies … are willing to invest a lot of money [in security], if and only if, something goes wrong. They fire a bunch of people … they invest in the security thing, and then they forget about it, and it happens all over again. The same cycle happens again.” And, through it all, she said, they never adopt a persistent security program.

Ransomware ups the ante

Perhaps that reluctance will change with the increase in ransomware attacks. Ransomware is said to be the fastest-growing type of cybercrime, and the ransom demands have grown astonishingly bold. Two years ago, the average ransom demand was $5,000. Today, it’s often $1 million or more — an increase of roughly 19,900%.

Things came to a head in the U.S. this spring, when, for the first time, ransomware gangs targeted firms that control important infrastructure and/or serve as vital links in the nation’s supply chain. Colonial, the first of the hackers’ victims, runs the nation’s largest fuel pipeline network and supplies 45% of the transportation fuels consumed on the East Coast. The ransomware attack stopped the flow of gasoline for nearly a week, causing prices to spike at the pump and consumers to recklessly hoard fuel. Some gas station owners were accused of price gouging and threatened with fines. The company ultimately paid a $4.4 million ransom to protect internal financial documents and customer information taken in the attack from being released to the public.

After the dust settled, the National Transportation Security Administration, which oversees pipeline operations, acknowledged that Colonial’s cybersecurity measures did not meet the agency’s voluntary standards. Illustrating Mairet’s point regarding false notions of security, had they been fully compliant, the NTSA said, the entire incident might have been avoided.

Three weeks after the Colonial attack, another group of hackers targeted JBS USA Holdings Inc., the nation’s largest meat processor, halting work at several of its meat packing plants. JBS ultimately paid an $11 million ransom to settle the matter and avoid further disruption to its customers’ businesses. Then, over the July 4th weekend, attackers went after the software supply chain with an attack on Kaseya Ltd., an upstream managed service provider to multiple resellers.

The ransomware spread through the supply chain and ultimately affected more than 1,500 subscriber companies.

According to Frank Dickson, program vice president for International Data Corporation (IDC), a global market intelligence firm serving clients in the IT, telecom, and consumer technology markets, vulnerabilities are inevitable. In the 20 years between 1999 and 2019, he noted in a paper about vulnerability disclosures that IDC released last fall, more than 161,000 coding vulnerabilities had been identified. More than half of those discoveries occurred in the final five years of the period he studied. In other words, the vulnerability discovery rate tripled in the period after 2015. Dickson predicted that trend “will only continue to increase in the future.”

One key driver, he explained, was the ever-increasing power and complexity of technology and the demands it puts on the firmware required to run it.

Dawn Isabel takes a break during a Nov. 8, 2019, HackerOne live hacking event, H1213, where she won the Exterminator Award for discovering the best bug.
Photo Credit: HackerOne

Offering another, longer-term perspective, Dawn Isabel has spent the past 20 years in cybersecurity. She focused, first, on computer systems and the internet and, then later, on mobile technology. Isabel currently works for NowSecure, a company that develops software to automate the search for vulnerabilities in mobile apps.

“If you picked a developer out at random,” Isabel said, “and asked her if she had ever heard of SQL injection or cross-site scripting, today’s likely response would be, ‘Duh! Of course, I have.’ Whereas 20 years ago, most developers didn’t have a clue. They didn’t know how to address it. They didn’t know how to prevent it, so I think that, in that respect, we’re doing far better. And I think that security, as a community, has a lot more respect.”

“Do I think we’re in a better place today than we were 10 or 20 years ago? In some respects, yes, I do. Because I think developer education around security is far more robust.”

– Dawn Isabel, Cybersecurity expert, NowSecure

Isabel said she’s noticed that even when the mobile technology she works with changes, the same types of challenges keep rearing their heads. “We see a lot of the same problems that we litigated 10 or 20 years ago. There’s a kind of cyclical nature to security.”

“I’ve always enjoyed it because the mobile space is changing all the time. As soon as you get comfortable with something, and you feel like you’ve closed off some avenues for attack, something new evolves and pops up.”

She takes a philosophical view on cyberattacks. “Any company of any size is going to get attacked a lot … that has just become the background noise that we live with on the internet now.”

Asked how secure she thinks our digital world currently is, Isabel paused to consider. “Um, well, I have job security for a long time,” she said at last. “Let’s just put it that way.”

Working for the greater good

Back to Keren Elazari, who through her TED Talk became the nonthreatening, nonstereotypical, unofficial representative and spokesperson for a misunderstood tech subculture of hacking that was, in fact, overwhelmingly male, extremely young, and far less eloquent than she.

That day she concluded her talk by pointing out: “It’s going to take time and adapting,” for the public and private sectors “to embrace hacker culture and the creative chaos that it brings with it. But I think it’s worth the effort, because the alternative — to blindly fight all hackers — is to go against a power you cannot control at the cost of stifling innovation and regulating knowledge.”

And the digital immune system metaphor she offered that day is needed now more than ever. But Elazari has realized that all of us now have an important contribution to make to ensure our collective security. We all need to act in a way that minimizes the creation of new vulnerabilities. “It’s about the choices you and I and every employee make every day.” Here, she said, we can borrow from the preventive steps we took to help limit the spread of COVID — social distancing, wearing masks, and getting vaccinated — and apply those lessons in the area of cyber hygiene, by frequently changing our passwords, not sharing access to applications and services, updating software as soon as we receive patches, recognizing, and avoiding, phishing schemes, and much more. “There’s opportunity here to take greater responsibility in the personal choices that we make,” she explained, “for our own benefit, but also for the greater good.”

Profile of a Hacker

Alyssa Herrera dropped out of high school, took a pass on college, and then, in 2017, with only a GED certificate to her credit, joined the workforce. Yet despite her lack of credentials, Herrera didn’t struggle; she soared.

Over the next four years, Herrera became a valued consultant to the U.S. military and major corporations. She traveled through Europe and Australia, did a few public-speaking gigs, gave technical presentations to people in six countries, and, in her spare time, trained and mentored colleagues.

Then, Herrera landed a great, full-time position with Zoom Video Communications in Seattle. She’s with them now, working as a senior application security engineer — a young woman with a bright future.

How can someone with so little formal education enjoy so much freedom and opportunity?

The answer is simple: Alyssa Herrera is a hacker. Like many hackers, she started early and began hacking professionally some six years ago, when she was still in high school in Santa Rosa, California. Largely self-taught, she specializes in web server and application security testing/GRC and has worked in high-security military environments, primarily through paid bug bounty programs and unpaid vulnerability disclosure programs.

Herrera’s advanced hacking skills have earned her “Ambassador Level” status on Bugcrowd and “featured member” status on HackerOne, where she is credited with personally discovering more than 130 bugs. To put that number in perspective, HackerOne currently pays an average bounty of $979 per bug. The range of bounties paid varies by the severity and intensity of the bug, and by platform. But individual payouts generally run from several hundred dollars to a million dollars or more.

Herrera’s employment story is fairly common. According to HackerOne’s annual 2021 Hacker Report, about one-third of the site’s youngest members — Gen Z hackers under age 25 — have successfully leveraged their hacking skills into cybersecurity jobs. “Hacking,” the report read, “is paving the way for their future.”