SINGAPORE: In the world of online multiplayer video game Defence of the Ancients (DOTA), Gondar is the infamous bounty hunter who infiltrates rebel terrain to bring criminals to justice – all while being invisible.
The tales of Gondar’s prowess stretch on with each feat more impressive than the last, and for the right price, even the most devious assassin may find fear in the shadows.
Drawing parallels to today’s world, could the most effective cybersecurity allies come in the form of hackers themselves?
FRIEND OR FOE?
Going back a chapter, the rapidly growing number of hackers falls into two main camps working on opposing ends of the law: white hats and black hats.
The former are more commonly known as ethical hackers while the latter serve to wreak havoc for personal gain, and in some cases to fuel a wider hacktivist agenda – using tech know-how to protest against perceived political, legal, or societal injustices.
Think of the vulnerability market as a worldwide ecosystem of buyers and sellers, motivated by the forces of supply and demand.
Security researchers and hackers now have a multitude of options, unlike in the early days, when hackers traded and sold exploits amongst themselves for fame, disruption of traditional IT and software development pipelines, and once in a while for unscrupulous profit.
In a nutshell: The abundance of bad actors with ill intent are not going anywhere. The more technology individuals and enterprises alike use and become connected with, the more avenues there are for intruders to exploit system vulnerabilities.
In fact, as long as you’re connected to the web, a perpetrator can use a phishing website to launch a ransomware attack and lock down your device via the WiFi access points around you.
But imagine if businesses could use this intel for good?
Case in point: in 2017, the Zero Day Initiative – the world’s largest bug bounty programme – published 1,009 vulnerabilities in total.
Threat intelligence gained through exhuming these vulnerabilities from different software programmes, IT systems, or connected devices enabled the protection of customers, on average, 72 days before an official patch was released from the vendor.
Vulnerability research is a modern-day arms race between the black hats – cybercriminals looking for a quick buck – and the white hats – researchers working with vendors to produce a patch that tightens the reins around vulnerable systems.
Globally, such bounty programmes uncovered a total of 1,522 vulnerabilities last year, of which 61 per cent were marked “critical-severity” or “high-severity”. Imagine the kind of damage that could have been inflicted had these vulnerabilities been uncovered by cybercriminals first.
HACKING OUTSIDE THE BOX
Perhaps more than anything, the critical missing link for organisations is not just in the form of building layered network defences, having round-the-clock threat visibility, or adopting newfangled solutions. Instead, organisations should focus on exploring how hackers themselves can become the solution for a safer Internet.
Through the lens of ethical hacking, it is riveting to witness how there exists a global community committed to identifying security flaws in IT systems or software programmes for the purpose of strengthening the cyber world instead of exploiting it.
So much so that the work of these individuals has earned a nod from government bodies such as the US Department of Defence, enlisting their help to put national cybersecurity defences to the test.
We’re seeing this play out around the world as well. Take Pwn2Own, an annual computer hacking contest, for instance. The winning white hat team in 2018 chained a series of exploits to gain control of a vendor’s web browser and revealed four new points of entry that could potentially facilitate the complete removal of a device’s operating system.
Not only do initiatives like this reveal the vulnerability of devices and software in widespread use, they also serve as a checkpoint on the progress made in security from the year before.
What businesses and government bodies alike need is a total change in paradigm: expose cybersecurity systems to the outside, enlist hackers to find and exploit vulnerabilities, and then reward them for disclosing those vulnerabilities responsibly.
Singapore is already making strides in this direction with the inception of the Government Bug Bounty Programme slated to roll out later this year in a bid to identify blind spots in our connected infrastructures, and build a more innovative and inclusive cyber ecosystem.
To that end, Deputy Prime Minister Teo Chee Hean added that through this process, the government could “bring together a community of cyber defenders, who share the common goal of making cyberspace safer and more resilient”.
Only then can a sense of shared ownership be fostered to protect our critical information infrastructure – a vital element that will underpin Singapore’s Smart Nation vision.
Some businesses may view this concept with eyebrows raised, fearing the worst repercussions for their digital assets and a beating to customer confidence levels. Would they be inadvertently handing over the keys to a group of masked intruders?
Not at all. Security experts have reached an inflection point: to protect data, they need support beyond what their existing in-house coders and security teams can offer.
An outside perspective – from the would-be perpetrators themselves – is required to help win the raging war against cybercrime being fought on the inside. A change in mindset to create an open cybersecurity ecosystem needs to be set in stone for this to come to fruition.
Just as DOTA heroes manoeuvre effortlessly between lawlessness and justice, white hat hackers and security researchers tasked with infiltrating systems for good – and rewarded in the form of new defence intelligence – can bring the promise of greater infrastructure security.
As the market evolves with the introduction of more programmes to incentivise research, a well-rounded defence agenda will need to work in tandem with global independent researchers to disclose security bugs and safeguard intellectual property.
Only then can Singapore truly benefit from a hacker’s books – or networks – to turn the tide against the real intruders.
Nilesh Jain is Trend Micro vice-president for Southeast Asia and India.