
How to put crowd-hacking to work for your organization

Evgenia Broshevan, Evangelist, HackenProof

Cybercrime is a large business, and global spending on cybersecurity is growing with it, increasing demand for cybersecurity specialists. At the same time, the number and scale of data breaches will keep growing as more people, devices, and services come online.

Technological advancement drives both markets, cybersecurity and cyber attacks. Attackers tend to adopt new technology faster than defenders do.

Global tech giants Microsoft, Amazon, and Google realize the need to adapt to attackers' ever-evolving tactics: they deploy artificial intelligence (AI) and machine learning (ML) to secure their cloud services and networks. ML models help flag anomalous logins and detect attacks in progress. Because an attacker is a moving target, models that are retrained as behavior changes can address the threat dynamically in a way that a static rule set cannot.

The pace at which attackers are adopting AI is the first sign of a new security problem. Neural networks can be deceived by specially crafted inputs, so detection and classification systems built on them can be made to misclassify objects. Researchers have gone further and shown that hidden voice commands can be embedded in audio that a human hears as noise or music but a smartphone's voice assistant executes.

Attackers can also use ML to tune malware so that it evades detection across many systems. A family of adversarial example algorithms, the Carlini & Wagner attack and the Fast Gradient Sign Method (FGSM) among them, crafts inputs that a neural network misclassifies even though a human would not. Which attack applies depends on what the attacker knows about the target model: FGSM and Carlini & Wagner use the model's gradients (a white-box setting), whereas a black-box attacker has to work from queries to the deployed model or from a substitute model trained to mimic it.
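The following is an added example, not code from the article or from HackenProof, showing the Fast Gradient Sign Method mentioned above on the smallest model that still has a gradient: a logistic regression classifier with hand-picked weights (constructed for the demonstration, not trained on any data). The sample input is constructed as well. The same one-step update applies to a neural network once you can compute the loss gradient with respect to the input; what the toy model makes visible is that the perturbation is tiny per feature (bounded by eps in L-infinity) yet flips the label once eps crosses a threshold.

```python
import math

# Toy binary classifier: logistic regression over four input features.
# Weights and bias are constants chosen for this demonstration (constructed,
# not trained). FGSM only needs the gradient of the loss w.r.t. the input,
# so a neural network is attacked the same way.
WEIGHTS = [2.0, -1.5, 1.0, 0.5]
BIAS = -0.25


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(x):
    """Probability that x belongs to class 1."""
    z = sum(w * xi for w, xi in zip(WEIGHTS, x)) + BIAS
    return sigmoid(z)


def predict(x):
    return 1 if predict_proba(x) >= 0.5 else 0


def loss_gradient_wrt_input(x, y):
    """Gradient of the binary cross-entropy loss with respect to the input.

    For L = -[y log p + (1 - y) log(1 - p)] with p = sigmoid(w.x + b),
    dL/dx = (p - y) * w.
    """
    p = predict_proba(x)
    return [(p - y) * w for w in WEIGHTS]


def sign(v):
    return 1.0 if v > 0 else (-1.0 if v < 0 else 0.0)


def fgsm(x, y, eps):
    """Fast Gradient Sign Method: move every feature by eps in the direction
    that increases the loss for the true label y. No feature changes by more
    than eps, so the perturbation is bounded in L-infinity norm."""
    grad = loss_gradient_wrt_input(x, y)
    return [xi + eps * sign(g) for xi, g in zip(x, grad)]


def linf_distance(a, b):
    return max(abs(ai - bi) for ai, bi in zip(a, b))


def smallest_flipping_eps(x, y, step=0.01, max_eps=1.0):
    """Smallest eps on a grid at which FGSM changes the predicted label,
    or None if nothing up to max_eps flips it."""
    steps = int(round(max_eps / step))
    for i in range(1, steps + 1):
        eps = i * step
        if predict(fgsm(x, y, eps)) != y:
            return eps
    return None


# Constructed sample: an input the model confidently assigns to class 1.
SAMPLE_X = [0.5, 0.2, 0.3, 0.1]
SAMPLE_Y = 1

if __name__ == "__main__":
    print("clean prediction:", predict(SAMPLE_X), round(predict_proba(SAMPLE_X), 3))
    for eps in (0.1, 0.2):
        adv = fgsm(SAMPLE_X, SAMPLE_Y, eps)
        print(f"eps={eps}: prediction {predict(adv)}, p={predict_proba(adv):.3f}, "
              f"L-inf distance {linf_distance(SAMPLE_X, adv):.3f}")
    print("smallest flipping eps:", smallest_flipping_eps(SAMPLE_X, SAMPLE_Y))
```

With these weights the clean logit is 0.8 and every unit of eps lowers it by 5 (the sum of the absolute weights), so the label flips at eps of about 0.16: eps 0.1 leaves the prediction at class 1, eps 0.2 pushes it to class 0. A defender evaluating a classifier should therefore measure the smallest eps that flips its typical inputs, not just its clean accuracy.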

What we should expect in the coming years is that attackers will continue to master and exploit AI for illicit activity. And as 5G comes online, the growing Internet of Things (IoT) will add to the attack surface.

Security departments will always advocate for increased investment in cybersecurity tools and systems. However, businesses pursuing cost-effectiveness and maximum productivity should also look beyond traditional approaches.

Here's why crowd-hacking is a good alternative, and how to get started.


Crowd-hacking: It's time to go freelance

Many businesses across industries benefit from crowdsourcing, including BlaBlaCar, Airbnb, and Lyft. The concept is also used in cybersecurity, where it is known as "crowd-hacking": engaging freelance security researchers, ethical hackers, to find vulnerabilities in software products.

There are a number of instruments a business can use to reduce cybersecurity costs.

Bug bounty programs can be a perfect fit. They are a form of collaboration in which testing is performed by ethical hackers under strictly defined rules of engagement, and a researcher is rewarded for each valid, previously unreported bug. Programs can be run independently or through a platform, and either kind can be public or private; a private program involves a selection process so that only vetted, top-performing researchers are admitted.

As an example of an independent program, in April 2018 Facebook paid $15,000 for a bug that could have led to a chain of attacks on users. In total, the company has paid out over $4.3 million to researchers since launching its bug bounty in 2011.

From time to time, bug bounty platforms, ethical hacker communities, and security vendors host live hacking events: onsite marathons in which hackers work on a target for a fixed period. A business benefits from such crowd-hacking in several ways: the product receives the undivided attention of trusted ethical hackers, critical bugs are found in a short time frame, and the company's commitment to security becomes visible to the global community.

During one of our events, 25 of the most talented hackers from all over the world got access to a partner's product. Their work resulted in 73 submitted vulnerabilities that could have led to a massive data breach.

Some businesses still deny the effectiveness of bug bounty programs simply because they are unwilling to pay ethical hackers for their work, even though the likelihood of a breach by criminals is high. There are many cases of companies with no bug bounty program in place where an ethical hacker found a bug (sometimes by chance) and then had to hunt for a way to contact the business, reaching out to management directly to report the vulnerability.

A bug bounty platform builds a bridge between ethical hackers and businesses and acts as a mediator between them. It is worth combining approaches: crowd-hacking is a good supplement to penetration testing and other traditional methods rather than a replacement for them.

The risk of becoming a victim of a cyber attack is high. It pays to be on good terms with ethical hackers and to put their talents and skills to work for the business, given that this approach is more cost-effective than other security measures.


How to get started with ethical crowd-hacking

Working with ethical crowd-hacking breaks down into a sequence of stages.

Assessment

In general, ethical crowd-hacking is a positive thing. However, every business must evaluate the risks, advantages, and disadvantages of a bug bounty program in its own context and decide whether this is the right step at this point in time. If a bug bounty program is warranted, the assessment continues with a survey of the crowd-hacking market; finding a credible and experienced partner is essential.

Create a brief

Once a partner is chosen, the business writes a brief describing the rules of engagement for the ethical hackers, a.k.a. researchers. The brief covers the pricing policy (how much each severity level pays), what is in scope and what is out of scope, and any specific guidelines, for example which testing techniques are off limits.

Program launch and start

The brief is published on the program's bounty page, and ethical hackers from all over the world are invited to take part. Then testing begins: researchers work on the product, find vulnerabilities, and report them. Each report explains how the bug could be exploited by a malicious actor and how to reproduce it.


Verification and fixing

An in-house security triage team verifies each reported vulnerability and assesses its severity and impact for the company. The company then fixes the bugs using the detailed report, and the researcher receives payment, as well as reputation points displayed on the bug bounty platform.

A company running a bug bounty program on its own, without proper preparation, may find that hackers report the "low-hanging fruit" a traditional scanner would have found, and the business has to pay for it anyway. When the rules of engagement are not clear, 20 hackers might find the same bug, multiplying the triage work the company has to do and pay for. The rules must be comprehensible to both parties.

The main concerns relate to public bug bounty programs: they require superb management and coordination. Public programs also have a low signal-to-noise ratio; the majority of reports are duplicates or otherwise not useful, and do not lead to a reward. Both weaknesses are addressed by bug bounty platforms: the signal-to-noise ratio is much better, and platforms provide a channel for ongoing communication and a chance to work on findings collaboratively.
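As an added illustration of the triage problems just described and of the brief's pricing and scope rules from the "Create a brief" stage (this is example code written for this edit, not HackenProof's or any platform's triage logic), the script below shows one way a triage team can decide what to pay for. It normalizes each report into a fingerprint (host, path, vulnerability class, parameter) so that differently worded reports of the same bug collapse into one, pays only the earliest submission, refuses out-of-scope hosts, and withholds payment for findings already in the company's own scanner baseline. The bounty table, in-scope hosts, sample reports, and baseline are all constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Pricing policy from a hypothetical brief: payout per severity level (constructed).
BOUNTY_TABLE = {"critical": 2000, "high": 750, "medium": 250, "low": 50}

# Hosts the hypothetical brief declares in scope (constructed).
IN_SCOPE_HOSTS = {"app.example.com", "api.example.com"}

# Canonical names for vulnerability classes so that differently worded reports
# of the same issue collapse to one fingerprint.
VULN_ALIASES = {
    "xss": "xss", "cross-site scripting": "xss", "reflected xss": "xss",
    "stored xss": "xss",
    "idor": "idor", "insecure direct object reference": "idor",
    "sqli": "sqli", "sql injection": "sqli",
}


@dataclass(frozen=True)
class Report:
    report_id: str
    researcher: str
    submitted_at: int   # Unix timestamp; the earliest submission wins on duplicates
    target: str         # URL as the researcher wrote it
    vuln_class: str
    parameter: str      # affected parameter or object, "" if none
    severity: str       # as assessed by the triage team, not the researcher


def fingerprint(report):
    """Normalise (host, path, vulnerability class, parameter) so cosmetic
    differences between two reports of the same bug do not hide a duplicate."""
    target = report.target if "://" in report.target else "https://" + report.target
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    raw_class = report.vuln_class.strip().lower()
    vuln = VULN_ALIASES.get(raw_class, raw_class)
    return (host, path, vuln, report.parameter.strip().lower())


def triage(reports, in_scope_hosts=IN_SCOPE_HOSTS, known_issues=frozenset()):
    """Return {report_id: (outcome, detail)}.

    outcome is "paid" (detail = amount), "duplicate" (detail = id of the first
    report of that bug), "out_of_scope" (detail = host) or "known_issue"
    (detail = fingerprint). known_issues holds fingerprints the company already
    has from its own scanner baseline, so it does not pay for low-hanging fruit
    it knew about before the program started.
    """
    first_seen = {}
    decisions = {}
    for r in sorted(reports, key=lambda rep: rep.submitted_at):
        fp = fingerprint(r)
        if fp[0] not in in_scope_hosts:
            decisions[r.report_id] = ("out_of_scope", fp[0])
        elif fp in known_issues:
            decisions[r.report_id] = ("known_issue", fp)
        elif fp in first_seen:
            decisions[r.report_id] = ("duplicate", first_seen[fp])
        else:
            first_seen[fp] = r.report_id
            decisions[r.report_id] = ("paid", BOUNTY_TABLE[r.severity])
    return decisions


def total_payout(decisions):
    return sum(detail for outcome, detail in decisions.values() if outcome == "paid")


# Constructed sample submissions: three researchers report the same reflected
# XSS with different spellings, one reports a staging host that is out of scope,
# one reports a distinct IDOR, and one reports an issue the scanner baseline
# already lists.
SAMPLE_REPORTS = [
    Report("r1", "alice", 1000, "https://App.Example.com/search/?q=1", "Reflected XSS", "q", "medium"),
    Report("r2", "bob", 1100, "app.example.com/search", "cross-site scripting", "Q", "medium"),
    Report("r3", "carol", 900, "https://staging.example.com/search", "XSS", "q", "medium"),
    Report("r4", "dave", 1200, "https://api.example.com/v1/orders/", "IDOR", "order_id", "high"),
    Report("r5", "erin", 1300, "https://app.example.com/search?q=2", "xss", "q", "medium"),
    Report("r6", "frank", 1400, "https://app.example.com/", "Missing security headers", "", "low"),
]

# Constructed scanner baseline: findings the company already had before launch.
SCANNER_BASELINE = frozenset({("app.example.com", "/", "missing security headers", "")})

if __name__ == "__main__":
    outcome = triage(SAMPLE_REPORTS, known_issues=SCANNER_BASELINE)
    for report_id, decision in outcome.items():
        print(report_id, decision)
    print("total payout:", total_payout(outcome))
```

Run as-is, only r1 (the first XSS report) and r4 (the IDOR) are paid, for 1,000 in total; r2 and r5 are marked as duplicates of r1, r3 is rejected as out of scope, and r6 is withheld as a known issue. Publishing the fingerprint rules and the scanner baseline in the brief is what makes these decisions defensible to researchers, which is the "comprehensible to both parties" requirement stated above.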

Ethical crowd-hacking has saved many businesses, large and small, from disaster. HackenProof has been working with Kuna, the first public crypto exchange, for over 12 months now. The company chose to protect its reputation and clients by launching a bug bounty program, and it has never regretted that choice.

The researchers found an array of business-logic bugs, bugs in third-party components, and XSS bugs. Without the bug bounty initiative and Kuna's decision to protect the business with crowd-hacking, malicious hackers could have used these vulnerabilities for data theft, account balance manipulation, and more.

Kuna was at real risk of losing tens of thousands of dollars, along with its credibility and its customers' trust. The cost of crowd-hacking is not even comparable to the possible harm of a data breach, the consequences of which tend to be irreversible.


Cybersecurity takes a village

The development of any industry relies on its community. The underestimation of data breach risk stems from a lack of awareness, and the community is the best source of skills, practices, and solutions to close that gap.

New code emerges at a breakneck pace. The ethical hacker community draws its strength from conferences and classes, mentorship programs, word of mouth, networking, and live hacking events.

The world is full of bright minds who are unsure where to direct their talent and energy. With a robust community, a welcoming and supportive environment with clear career opportunities and growth potential, it will be much easier to make the Internet a safe place.
