Not all hackers are bad guys. To properly defend a network you need to know the type of attack you're going to face. So does a hacker make the best type of defender too?

What Exactly Is a Hacker?

Hacker is a word that has been repurposed and its original meaning almost completely erased. It used to mean a gifted, driven programmer. The stereotypical hacker was practically obsessed with programming, often to the exclusion of any kind of regular social life. Instead, they'd pursue low-level knowledge of the inner workings of computers, networks, and, above all else, the software that controlled it all. Apart from the lack of social interaction, hacking wasn't considered a bad thing, per se.

With the spread of IT, cybercrime became a possibility and then a reality. The only people with the skills to have perpetrated the crimes were hackers, and so the term hacker became tainted. It became what it means to most people today. Ask someone to explain what a hacker is and they'll describe someone with extensive knowledge of computers, operating systems, and programming and the criminal intent to access computer systems they shouldn't have access to.

But even within this new definition of hackers, there are different types of hackers. Some people who try to compromise a network are the good guys. Using a trick from the black-and-white silent westerns, the good and the bad are told apart by the color hat they wear.

  • A black hat hacker is the real bad guy. They're the ones who compromise networks and perform cybercrime. They try to make money through their illegal activities.
  • A white hat hacker has permission to try to compromise a network. They're hired to test a company's security.

In life, though, things are rarely black and white.

  • A gray hat hacker behaves like a white hat hacker, but they don't seek permission in advance. They test a company's security and make a report to the business in the hope of subsequent payment. They break the law (hacking a network without permission is illegal, period) even if the company is grateful and makes a payment. Legally, gray hats operate on thin ice.
  • A blue hat hacker is someone who isn't skilled, but they have managed to download low-skill attack software such as a distributed denial-of-service program. They use it against a single business that, for whatever reason, they wish to inconvenience. A disgruntled ex-employee might resort to such tactics, for example.
  • A red hat hacker is the lone vigilante of the hacking world. They're hackers who target black hat hackers. Like the gray hat, the red hat is using legally questionable methods. Like Marvel's Punisher, they operate outside of the law and without official sanction, dispensing their own brand of justice.
  • A green hat hacker is someone aspiring to become a hacker. They are black hat wannabes.

Black hat and white hat are terms that are racially insensitive and we look forward to them being replaced in the same way black list and white list are being replaced. Threat actor and ethical hacker are perfectly good substitutes.

Criminal Hackers and Professional Hackers

Professional hackers may be self-employed ethical hackers, available to test the defenses of any company that wants their security tested and measured. They may be ethical hackers who work for larger security companies, performing the same role but with the security of regular employment.

Organizations may directly employ their own ethical hackers. They work alongside their counterparts in IT support to continually probe, test, and improve the organization's cybersecurity.

A red team is charged with trying to gain unauthorized access to their own organization, and a blue team is devoted to trying to keep them out. Sometimes the personnel in these teams is always one color. You're either a red teamer or a blue teamer. Other organizations like to shake things up with staff effectively moving between teams and taking the opposing stance for the next exercise.

Sometimes threat actors transition into the mainstream security profession. Colorful industry characters such as Kevin Mitnick, once the world's most wanted hacker, run their own security consulting companies.

Other famous hackers have been headhunted into mainstream jobs, such as Peiter Zatko, a one-time member of the hacking collective Cult of the Dead Cow. In November 2020 he joined Twitter as head of security following tenures at Stripe, Google, and the Pentagon's Defense Advanced Research Projects Agency.

Charlie Miller, known for exposing vulnerabilities in Apple products and hacking the steering and acceleration systems in a Jeep Cherokee, has worked in senior security positions at the NSA, Uber, and Cruise Automation.

Poacher-turned-gamekeeper stories are always fun, but they shouldn't lead anyone to conclude that illegal or questionable hacking is the fast path to a career in cybersecurity. There are many cases where people cannot get jobs in cybersecurity because of mistakes they made in their formative years.

Some professional hackers work for, and were trained by, government intelligence agencies or their military counterparts. This complicates matters further. Government-sanctioned teams of operatives tasked with performing intelligence gathering, defensive, and offensive cyber activities to ensure national security and fight terrorism are a necessity. It's the state of the modern world.

These highly-skilled individuals with a wealth of sensitive knowledge are eventually discharged. Where do they go when they leave? They have an employable skillset and they need to make a living. Who's hiring them, and should we care?

Shadow World Alumni

All technically capable countries have cyber-intelligence units. They gather, decrypt, and analyze strategic, operational, and tactical military and non-military intelligence. They provide the attack and surveillance software for those who conduct espionage missions on behalf of the state. They are the players in a shadowy game where the enemy is trying to do the exact same thing to you. They want to penetrate your systems just like you want to access theirs. Your counterparts are developing defensive and offensive software tools and trying to discover and leverage zero-day attacks, just like you are.

If you are going to hire a poacher to be your gamekeeper, why not hire one of the elite poachers? That's a sound idea. But what happens if one of your crème de la crème former hackers chooses to work overseas or makes some other controversial career move?

It turns out that's nothing new, and it's going on all the time. Shift5 is a cybersecurity startup founded by two former National Security Agency personnel. Not only did they work in the NSA, but they also worked in the Tailored Access Operations unit. This is one of the NSA's most clandestine divisions. Shift5 promises to deliver technology to help protect critical U.S. infrastructure. Think electricity supplies, communications, and oil pipelines. They announced a $20 million funding round in October 2021. That's U.S. home-grown talent protecting the U.S., which seems perfectly reasonable.

The Israeli Defense Force's equivalent to the NSA is Unit 8200. Unit 82, or "the Unit", is their famed military signal intelligence group. Alumni from the Unit, and its own secretive inner team called Unit 81, have founded or co-founded some of the most successful technology companies. Check Point Software, Palo Alto Networks, and CyberArk all have ex-Unit founding members. To be clear, there's nothing at all to suggest that they have a hidden agenda, questionable allegiances, or controversial practices. These are successful companies with spotless records led by brilliant technical brains. So that's fine too.

Complications arise when former U.S. intelligence agents are employed overseas. Their skillset and job function can constitute a defense service requiring a special license from the State Department's Directorate of Defense Trade Controls. Two U.S. nationals and a former U.S. national hit the headlines recently as it was revealed that they had been employed by the DarkMatter group, which was founded in the United Arab Emirates. DarkMatter ran the infamous Project Raven surveillance program for the Emirati government.

In September 2021, Marc Baier, Ryan Adams, and Daniel Gericke entered into a deferred prosecution agreement that limits their future employment activities and requires a joint payment of $1.68 million in penalties.

Attractive Skills in a Restricted Market

Companies hire skilled former hackers for their expertise and attractive skillsets. But if you're involved in cybersecurity activities for a state or military agency, you need to understand the limits and controls that are in place to make sure you provide your services to acceptable organizations and for acceptable purposes.


If you're concerned about being the target of hackers, there are several things you can do to keep your PC as secure as possible.