Good Hacker, Bad Hacker

There were no public reports about exactly how the malware managed to infect the system of a mechanical engineering firm in Munich. The malicious ransomware could have landed in an employee’s inbox as an email attachment disguised as a supposed invoice or advertisement. Once it was opened, no doubt chaos broke out all over the company. What is certain, however, is that the company was hit with a cyber attack in November 2018. With grave consequen­ces: the control systems in production and assembly couldn’t be restarted because the ransomware had encrypted the necessary computer data, rendering it unusable. The company’s production capacity was severely limited for weeks on end. To be on the safe side, email connections to customers and suppliers had to be cut off, and a number of IT servers shut down so that the attack wouldn’t spread even further. The perpetrators allegedly demanded a ransom. No information about the financial losses was made public. At any rate, a massive amount of work was required to get the company back up and running again.

Volker Baier deals with cases like these every day when he reads about the newest cybercrime weapons in the internet forums of the hacker scene. “I’m a hacker myself,” he says. Baier is the chief information security officer at sec-IT, a TÜV SÜD subsidiary. In contrast to the criminal hackers, known as black hats, Baier doesn’t use his knowledge to harm people or organizations. Instead he actually fights cybercriminals by finding and closing security gaps in companies’ IT and computer systems. Baier is what as known as a white-hat hacker, one who hasn’t gone over to the dark side.

Pirates and Ninjas and Spies: Oh My!

“To realistically test a company’s security, I have to think and approach it just like a criminal hacker would,” Moradi explains. He coordinates sample cyber attacks by the good guys as team leader for Penetration Testing. The white hats use a variety of methods for their attacks: “During Penetration Testing, we hijack many security gaps and capture as much data as possible—kind of like pirates,” he notes. During “Red Team Exercises,” in contrast, he and his colleagues sneak in very quietly, like ninjas, and attack a very specific location, for instance a customer database or production controls.

Sometimes the white hats even work like traditional spies. Disguised as alleged visitors or suppliers, they sneak into a company and set out data storage devices, like USB sticks, containing malware. If an unsuspecting employee inserts one of those USB sticks into their computer, it triggers the cyber attack—naturally all completely legal and only with the customer’s consent. “Hackers may be using technology, but “ultimately what is always comes down to is people attacking other people,” says Moradi.

Mind the (Security) Gap

Even if “white” hacking uses the same methods criminals do, the white hats have completely opposite goals—for a company’s benefit. “Our approach is planned in advance with the clients,” Baier explains. In workshops after the “attack,” the white hats provide recommendations about how the security gaps they found can be sealed, for instance by making changes to software systems or by training employees about cyber security. The planned countermeasures in the event of a cyber attack can often also be better orchestrated. As a result, a white-hat attack can help bring a company’s IT security up to an optimal level.

Statistics show how necessary this is: in Germany, nearly half of all medium-sized enterprises have been victims of stolen data, exposed secrets or espionage. Despite this, companies still underestimate the dangers. “Our tests discovered that thousands of industrial facilities are linked to the internet using simple DSL connections,” Moradi says. “These are an open gateway for criminals.” So there’s plenty for him and his colleagues to do from their offices in Germany, China, India, Singapore and the United States. Even when a company has made improvements, it doesn’t mean that the white hats can’t find new weaknesses. As Moradi explains, “We find security gaps that nobody thought of.”