What does a black-hat hacker look like? The word probably conjures up a picture of a hoodie-wearing computer genius hacking away in a dark room. While dramatic, this image does not say much about hackers’ methods and motives. To change that and help you improve our security, we explain how black-hat hackers think and how understanding them can guide your security strategy.
When we attend security events, we always get plenty of questions about black-hat hackers. “How do hackers approach potential targets?” “Do they only attack large companies?” “Why would they want to hack me?” Although hackers are by no means a homogenous group, understanding how they approach targets is crucial. Knowing how black-hat hackers work can help you improve your security and make it harder for malicious attackers to breach your site.
No target is too small for a black-hat hacker
Political cyber attacks that make the headlines give the impression that hackers like to focus on governments and large corporations. Targeted attacks are, in fact, extremely rare, but the attention they receive can lull smaller organisations into a false sense of security.
Black-hat hackers use automation to increase their chances of success and seldom spend time looking for a specific organisation to target. Rather than industry or company size, the common denominator in attacks is usually a vulnerability that affects a large number of websites.
A popular black-hat hacker strategy is checking security patch notes for different technologies. Patch notes contain details about vulnerabilities that have been remediated in the latest update. Hackers know that many users update their platforms and services sporadically and could still be vulnerable. Once they have selected a suitable vulnerability in a popular technology, the attacker can write a script that scans the web for affected sites and exploits the vulnerability.
What you can do: Adopt a proactive approach to security. Keep all third party services up-to-date, remove the ones you are not using, and monitor your site’s security on a regular basis.
What is secure today could be vulnerable tomorrow
Security changes every day and nothing can ever be 100% secure. Vulnerabilities are often discovered in technologies that have been in use for many years and might seem stable and secure.
It is not unusual for security issues to go unnoticed for a long time, like a recently discovered vulnerability in the Linux kernel that was first patched after 11 years. Black-hat hackers know this and are always on the hunt for new vulnerabilities. Even if an ethical security researcher discovers an issue first, malicious hackers will eventually find out about it and try to exploit it in systems that haven’t been updated.
Don’t let this discourage you from working with security! There is a growing movement of white-hat hackers, ethical security researchers who work hard to discover and report vulnerabilities responsibly. These talented ethical hackers help companies stay one step ahead of black hats. You can always ask the white hat community for help by implementing a responsible disclosure policy and utilising crowdsourced security.
What you can do: Consider implementing a responsible disclosure policy to stay on top of the latest threats.
Skill is not a requirement
The image of the black-hat hacker genius is one of the most common misconceptions about black hats. While complex exploit chains can’t be designed by just anyone, many types of attacks require neither a high level of skill nor an advanced knowledge of coding. Combining a simple attack with automation is something a bored high schooler could easily do in an afternoon.
The recent increase in the number of cryptominers installed on governmental and media websites is partly due to the fact that anyone can do it. All an attacker needs is an understanding of S3 bucket misconfigurations, something they can easily learn by reading articles online. Similarly, anyone with a taste for chaos and enough money to buy a botnet can carry out a DDoS attack. Linus Särud, Detectify security researcher, explains how easy it is to DDoS a website: “All you need for a DDoS attack is Google and a few dollars.”
What you can do: Learn about different types of vulnerabilities to gain a better understanding of what it takes to exploit them.
Simple vulnerabilities are a way in
Black-hat hackers like to target simple, seemingly harmless vulnerabilities. Developers often dismiss low severity vulnerabilities that have the potential to open the doors for chain.
Using automation to find minor vulnerabilities on a large number of sites gives attackers a starting point for manual work. Seemingly innocent flaws like exposed admin panels, login/logout CSRF, or a Server-side request forgery all help hackers find a way in to your system.
This does not mean that black hats never look for rare and critical vulnerabilities. However, it is important to be aware of the fact that the average black-hat hacker targets minor vulnerabilities that can be part of a chain attack.
What you can do: Make sure low severity vulnerabilities (low and notice severity in Detectify reports) don’t end up at the bottom of your backlog. Critical issues should always be prioritised, but it is important to tackle minor flaws as well.
Social engineering and hacking go hand in hand
While it’s easy to imagine a black-hat hacker as a hoodie-clad loner coding away in a dark room, this is seldom the case. Black hats are often skilled in the art of social engineering – in other words, fraud. Social engineering includes everything from persuading victims to visit a website with a malicious payload (common practice in XSS and CSRF exploits) to gaining access to a company’s office and hacking on-site.
In 2010, the Apache foundation infrastructure was attacked by hackers who used social engineering to gain access to employees’ passwords. The attackers logged password change requests and sent out password reset emails. As a result, Apache employees changed their passwords, unknowingly handing them over to the attackers. Although it was just one part of a complex attack, social engineering offered the hackers a shortcut and made it much easier for them to gain full root access to the machine they were targeting.
What you can do: Read up on phishing, educate your team, and be vigilant. Don’t forget about service desk staff – they have access to many different systems, and make an attractive target.
Money is not always the motivation
Although financial gains and even organised crime are often the reason behind malicious hackers’ activities, this is not always the case. Some black hats see hacking as a challenge while others simply do it for the thrill of exploiting security flaws.
Detectify security researcher Linus Särud explains: “Some people just want to see the world burn. Black-hat hackers don’t always need a reason to hack a website. Sometimes they just want to play around and see what they can get away with.” This is why it is important to secure your site even if you are confident that you have nothing worth stealing.
What you can do: Implement security measures on your entire website, not just pages that process payment information and sensitive personal data.
What does it all mean?
The only prerequisite for becoming a target is simply having a website, which puts all businesses with an online presence at risk. Luckily, threat awareness and a proactive approach to security can go a long way in keeping your site secure. The community of white-hat hackers is growing and companies are no longer alone in their fight against black hats.
While black-hat hackers are not going to stop trying to hack, it is definitely possible to make their attempts less successful. The future of web security looks bright and if you’ve read this article, you’re taking security seriously and are on the right track!