The Rise of Ethical Hacking: Debates and Future Trends

The growing importance of ethical hacking has led to debate around how this model can be made most effective

The word ‘hacker’ often has negative connotations, associated with nefarious activities such as stealing sensitive data. Movies like Hackers (1995) and WarGames (1983) have helped cement the image of hackers as outsiders who use their computer skills to inflict harm and commit crime.

Yet it is being increasingly recognised within the cybersecurity industry that there is a large and growing community of hackers using their skills for good – uncovering serious unknown vulnerabilities in organisations, enabling them to be fixed before they are exploited by cyber-criminals. These individuals are commonly referred to as ‘white hat’ and ‘ethical’ hackers.

As such, ethical hacking has become a thriving industry and one it is possible to pursue a lucrative career in. A survey by crowdsourced cybersecurity platform Bugcrowd in July 2023 found that 29% of ethical hackers undertake this type of work full-time, and 33% aim to do so in the future.

This article will examine the current state of the field of ethical hacking and its different facets.

The most conventional form of ethical hacking is penetration testing, a method of uncovering as many exploitable vulnerabilities as possible in an organisation’s network. This process can be undertaken either in-house or by an external pen testing provider.

A form of pen testing is ‘red teaming.’ Here, a team of IT experts launch a simulated attack to achieve a specific objective, such as gaining access to a specific folder or set of data.

Red teaming exercises also offer an opportunity for defenders, known as ‘blue teamers,’ to hone their response processes and investigation skills by trying to stop the attackers.

In an article for Infosecurity Magazine, Kenny On, cyber security specialist, at CYE noted that red teaming can be a more accessible alternative to pen testing for small organisations with limited budgets.

An area of ethical hacking that has grown in prominence in recent years is crowdsourced security, often known as bug bounty programmes. This is the concept of using a wide range of independent hackers to discover security vulnerabilities in an organisation’s system. When the ‘bounty hunters’ report valid bugs, they are paid a fee by the company in question.

This approach has become widely used in recent years, including by government departments and high-profile private sector companies. These include the US Department of Homeland Security (DHS), the US Army and PlayStation.

Many organisations are willing to pay substantial rewards for being informed of severe vulnerabilities before they can be exploited. In December 2022, social media giant Meta revealed it had awarded $2m in its bug bounty programme throughout 2022.

In December 2020, it was reported that an ethical hacker from Romania became the first person to earn $2m in bug bounties through the bug bounty platform HackerOne.

The success of bug bounty programmes has led some in the cybersecurity community to question the relevancy of pen testing. In 2018, Adrian Sanabria, director of research at Savage Security, argued that it is time to “kill” the pen test in its current form. While he acknowledged that the concept of pen testing does and will continue to have value, the design and execution of many current network pen test methods make them ineffective for the modern threat landscape.

In an article for Infosecurity Magazine in 2018, Alex Haynes, CISO at IBS Software, explained the benefits of a crowdsourced approach compared to traditional pen testing. “While a single pen tester will have one skillset, one methodology and one way of looking at things, a crowd simply scales on those strengths to cover the weaknesses that have crept into pen testing over the years,” he noted.

Ben Sadeghipour, head of hacker education at HackerOne, similarly outlined benefits around the use of bug bounty programmes. He said ethical hackers tend to see things differently to IT security experts, making them suited to vulnerability discovery. “Their ability to think like attackers makes them a most powerful defence,” he explained.

However, in a piece penned five years later in 2023, Haynes acknowledged that the “displacement” of pentesting companies hasn’t happened, mainly because crowdsourced security cannot compete at the same price point. He also identified issues around how hackers are paid and treated in bug bounty programmes, stating that this approach “propagates a highly unethical Orwellian gig economy where the majority of people are effectively working for free, and are not paid at all for their effort.”

Additionally, MIT research published in 2019 found that many organisations are better off hiring pen testers and in-house security researchers directly than running bug bounty programmes.

The report claimed that, contrary to industry hype, organisations running these programmes don’t benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. 

ADVERTISEMENT

As with all aspects of cybersecurity, the rise of generative AI technologies, such as ChatGPT, is set to have a significant impact on white hat hacking. In the Bugcrowd research from July 2023, 55% of respondents believe that these technologies have increased the value of ethical hacking and security research or will increase its value in the future.

In addition, over three-quarters (78%) believe that AI will disrupt the way hackers work on penetration testing or bug bounty programmes in the next five years.

In an article published in July 2023, Phil Robinson, principal security consultant and founder at Prism Infosec, wrote that AI will have a positive impact on red teaming, helping to evolve attack scenarios and enabling clients to realise more value from the exercise. For example, testers use ChatGPT during reconnaissance to determine potential CVEs to exploit or avenues to explore to attack particular systems. This has been shown to dramatically reduce lead time on bespoke payload creation and reduce development time in general, Robinson explained.

The field of ethical hacking has cemented itself as a crucial component of cybersecurity. However, it continues to evolve, and this has led to much discussion around the most effective model that should be used. Additionally, the growth of emerging technologies, such as AI, makes this area one to keep a close eye on in the coming months and years.

Enjoyed this article? Make sure to share it!

Looking for something else?