
Incident Response Lessons from White Hat Hackers

Wed, 12 Jun 2019

71 percent of cybercriminals claim they can breach the perimeter of a target within ten hours.[i] The best hackers can get into your network even faster. Matthew Beddoes, who went by the alias “Black Dragon,” was arrested and jailed in 2013 for hacking into the United Nations’ network and stealing £6.5 million worth of carbon credits. Once released from prison, Beddoes went from wearing a black hat to wearing a white hat and started his own security company.[ii] Drawing on his experience of hacking into companies, he now assesses systems, conducts penetration testing, and helps with incident response preparation, to keep the companies he once hacked safe. It’s called ethical, or white hat, hacking.

There's a vast ethical community hacking for fun, for the challenge, to make the world safer, and for money. White hat hacker Daniel Weis says, “The good thing about being an ethical hacker is we still get to do the fun stuff, but with a ‘get out of jail free card’ by having legal documents and agreements between the team and the organisation and partners that we have been engaged to assess.”[iii] White hats also have an interesting perspective on cybersecurity and incident response planning, and some great advice to offer.

Ignorance is Your Greatest Cyber-Weakness

You can have ample cybersecurity measures in place, and it is all meaningless if your employees open the door for a hacker to enter. Weis says, “I can come up against the toughest organisations with all sorts of security controls, but it can often be easily bypassed just through a well-rounded phishing email or an obvious password, which usually provides me an entry point.”[iv] Weis specializes in social engineering, as that is the basis for so many cyber attacks. Social engineering resembles spy work, relying on deception. Weis phishes via email or calls network users asking for sensitive data or information. More often than not the users provide the information, making it possible to bypass every technical cybersecurity defence. Weis has also physically accessed organizations by dressing as a repairman and approaching reception, and even by impersonating a real employee.

Awareness is Greater Than Knowledge

Knowledge can make us hurt ourselves. When we say, ‘I should have known better,’ no, you shouldn’t have. How could you have, if this was a completely foreign concept to you? As Chris Nickerson, hacker and cybersecurity awareness speaker, advises, “Instead, just be aware.”[v] Teach your employees to be aware: the importance of good cyber hygiene, what phishing scams look like, and what makes a secure password. Teach them to be aware of their cyber environment and to look for details.

Nickerson says to “Look at all the things.”[vi] Look for oddities and for what is normal; be aware of what is happening around you and around your system. Security is easy if you walk through cyber life with your eyes open. Know what’s easy to attack. Look around your office for wireless devices – they are all susceptible. Lithium batteries, wireless tech, cell phones, security tags – none of this stuff is hard to hack. So, you need to be aware. Don’t be lulled into a false sense of security. Build that awareness first, and then make your incident response plans accordingly.

Endpoints are Just the Beginning

Beddoes describes his approach as big picture offence. When evaluating the security of a business and creating incident response strategy, he looks at it like an attacker would but doesn’t worry about getting into the system because endpoints are just the beginning. Instead, he thinks, “What can I do with my target once I’ve gained access?”[vii] Using this methodology, he is better able to understand how different areas of an organization may be valuable to a threat actor, knowledge which can then be used to build a targeted incident response plan for that individual company.

Incident Response Begins Before the Incident Occurs

Weis advises that you look at your network and ask the following: “Are there legacy systems? Are there lots of ways into the network? Are staff trained on cybersecurity? Are their passwords inadequate? Has a security assessment been performed? Is there a plan to cope with a cybersecurity breach?”

The “plan to cope” is actually an incident response plan, and it begins long before a breach occurs. A cybersecurity incident response plan is a set of guidelines that empower IT staff to recognize, react to, and recover from network security incidents and breaches. Incident response plans address issues like cybercrime, information loss, and service outages that can take your system offline or cause disruption or financial damages to your company.

Any cyber incident that isn't properly contained and dealt with can - and often will - escalate into a more serious issue, potentially leading to a serious information breach or system collapse. An incident response plan allows an organization to react to an incident quickly and in a controlled manner. Swift incident response will enable an organization to limit financial losses, fix the vulnerabilities that were exploited, re-establish services and processes, and reduce the likelihood of future incidents and the damage they may cause.

There are necessary steps that need to be taken in creating an incident response strategy. All seven steps below are centred on knowing your institution and your employees, and they reflect Weis’ questions above.

  1. Clearly outline roles and responsibilities so that there is no time wasted in confusion or duplication of work.
  2. Have a full picture of everything in your cyber environment, all endpoints, all systems, and network assets.
  3. Know where your critical assets are located.
  4. Increase logging and monitoring. Log everything from firewall acceptances and denials to internal web proxy logs.
  5. Use tools to search your entire environment for indicators of compromise. If you don’t have that capability (few companies do), then regularly check your environment for abnormal activity.
  6. Conduct vulnerability assessment or penetration testing on your network. These tests can be very telling. Knowing where your network’s weaknesses are can help you defend it.
  7. Ensure all software is updated. Patch everything promptly. Patches are created when software vulnerabilities, bugs and errors are discovered. They are released to strengthen the software and are a vital part of cybersecurity.
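As an added illustration of steps 4 and 5 (my example, not code from the article or from the people quoted in it), the script below reviews constructed firewall accept/deny lines and web-proxy lines for two kinds of abnormal activity: one internal source whose denied attempts span many ports, and proxy requests made in the quiet hours. The log formats, thresholds and quiet window are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original article); the formats are
# hypothetical simplifications of a firewall accept/deny log and a web-proxy log.
FIREWALL_LOG = """\
2019-06-12T02:14:01 DENY src=10.0.5.23 dst=10.0.1.10 dport=22
2019-06-12T02:14:02 DENY src=10.0.5.23 dst=10.0.1.10 dport=23
2019-06-12T02:14:03 DENY src=10.0.5.23 dst=10.0.1.10 dport=445
2019-06-12T02:14:04 DENY src=10.0.5.23 dst=10.0.1.10 dport=3389
2019-06-12T02:14:05 DENY src=10.0.5.23 dst=10.0.1.11 dport=8080
2019-06-12T09:00:00 ACCEPT src=10.0.5.40 dst=10.0.1.10 dport=443
2019-06-12T09:00:05 DENY src=10.0.5.40 dst=10.0.1.10 dport=22
"""
PROXY_LOG = """\
2019-06-12T09:01:00 10.0.5.40 GET https://intranet.example.internal/ 200
2019-06-12T03:10:00 10.0.5.23 POST https://unknown-host.example.net/up 200
"""
FW_RE = re.compile(r"^(\S+) (ACCEPT|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
FW_FIELDS = ("ts", "action", "src", "dst", "dport")
PX_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
PX_FIELDS = ("ts", "src", "method", "url", "status")

def parse(text, pattern, fields):
    """One dict per well-formed line; malformed lines are dropped, not guessed at."""
    rows = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            rows.append(dict(zip(fields, m.groups())))
    return rows

def denied_port_sweeps(fw_rows, min_ports=4):
    """Sources whose DENIED attempts touched at least min_ports distinct ports:
    a scan-like pattern worth a look even though the firewall blocked every attempt."""
    ports = defaultdict(set)
    for r in fw_rows:
        if r["action"] == "DENY":
            ports[r["src"]].add(int(r["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def off_hours_requests(px_rows, start_hour=0, end_hour=6):
    """Proxy requests inside the quiet window (timestamps assumed to be local time)."""
    return [(r["src"], r["url"]) for r in px_rows
            if start_hour <= int(r["ts"][11:13]) < end_hour]

def review(fw_text=FIREWALL_LOG, px_text=PROXY_LOG):
    """Run both checks; empty results are the 'nothing abnormal' baseline."""
    return {"port_sweeps": denied_port_sweeps(parse(fw_text, FW_RE, FW_FIELDS)),
            "off_hours": off_hours_requests(parse(px_text, PX_RE, PX_FIELDS))}
```

On the sample data, 10.0.5.23 is flagged by both checks, which is the kind of correlation across log sources that makes step 4's "log everything" pay off in step 5.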

Experience is a Patch to Human Nature

Cybersecurity and incident response planning may be on your “to do” list, but they aren’t a priority. You keep meaning to change your passwords, but you use the same one across all devices and accounts. You don’t patch very often – it takes too much time. You didn’t want to spend the money on cybersecurity, because it isn’t visible. You keep meaning to hire a security specialist, but haven’t got around to it yet.

Then the day comes when your company network is breached. You have no incident response plan in place. Your files become encrypted due to malware, or your company is knocked offline, or all your data is stolen. With that terrible experience comes the realization of how critical cybersecurity is, and how costly a lack of cybersecurity and incident response planning can be. Take a lesson from the white hat hackers and play offence in the cybersecurity game.
