Black Hat Thinking for White Hat Wins
Does knowing how to commit crime make you better at detecting it? If you've heard stories of individuals like Frank Abagnale, who committed massive fraud and stole millions of dollars and was later contracted as a consultant for the U.S. government, you may be inclined to say: "Yes!" But not everyone would agree...
Why are some criminals good detectives?
I read a LinkedIn post recently in which the poster argued pretty vehemently that anyone who thinks hacking is an important skill for cybersecurity is seriously mistaken. He drew an analogy to accounting and said that no accountant needs to be good at committing fraud in order to detect it. At first, I was intrigued by his argument and wanted to understand how it could make sense. But the longer I thought about it, the more I felt like he was making the wrong argument. I don't think it's really about knowing how to commit crime; it's about knowing how criminals think.
I regularly attend penetration testing workshops taught by a Penetration Tester who works for AWS (Amazon Web Services). In these workshops, he explains pentesting concepts and walks through techniques for finding and remediating vulnerabilities in applications. Sometimes, he also shares stories of vulnerabilities he has found in real-life engagements and lessons they taught him.
In one recent workshop, he explained how he found a cross-site scripting vulnerability in an application and demonstrated how he could inject malicious code into the web page by using <script> HTML tags. When he reported this vulnerability to the application developers, their response was to write code that 'sanitized' user input by erasing any instances of the tag <script> from user input, like so:
    function sanitize($input) {
        // Deletes only the exact, lowercase string "<script>", in a single pass
        return str_replace(['<script>'], '', $input);
    }
The developers failed to consider the myriad of other methods a hacker might use to inject malicious code into their website, such as enclosing the malicious code in another type of HTML tag, or using any of the following variations on the <script> tag:
    <SCRIPT>
    <ScRiPt>
    <scr<script>ipt>
What this example demonstrates is not that the developers didn't know HOW to hack. I'm sure any one of them would have been capable of writing a malicious script and injecting it into the web page... But it's clear that none of them were thinking like hackers. They didn't consider the mindset of an attacker who, upon meeting an obstacle, immediately looks for creative ways to evade the obstacle.
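The filter above, run against the variations listed, beside output encoding as the alternative. This is an added example, not code from the workshop or the application; `encode_for_html` and `has_script_tag` are hypothetical names and the sample inputs are constructed from the list above.

```php
<?php
// The page's filter, reproduced unchanged: exact-match, case-sensitive, one pass.
function sanitize(string $input): string {
    return str_replace(['<script>'], '', $input);
}

// Hypothetical replacement: encode at output time instead of deleting "bad" strings.
// Every <, >, &, " and ' becomes an entity, so no spelling of a tag stays markup.
function encode_for_html(string $input): string {
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Case-insensitive check for an opening script tag, the way a browser would see it.
function has_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

// Constructed inputs: the exact tag the filter targets, then the three variations.
$samples = ['<script>', '<SCRIPT>', '<ScRiPt>', '<scr<script>ipt>'];

foreach ($samples as $s) {
    $filtered = sanitize($s);
    $encoded  = encode_for_html($s);
    printf(
        "%-18s filter -> %-10s tag survives: %-4s encoded -> %s (tag survives: %s)\n",
        $s,
        $filtered === '' ? '(empty)' : $filtered,
        has_script_tag($filtered) ? 'yes' : 'no',
        $encoded,
        has_script_tag($encoded) ? 'yes' : 'no'
    );
}

// Only the first input is neutralised by the filter. The two mixed-case forms
// pass through untouched, and the nested form is reassembled into "<script>"
// by the filter itself once the inner match is deleted. The encoded column
// contains no tag for any input.
```

`htmlspecialchars` is the right encoding for HTML body text and quoted attribute values; data placed inside a script block, an event handler, or a URL needs the encoding for that context.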
Detecting crime vs preventing it
To refer to the LinkedIn post I mentioned at the beginning, I'll give the author some credit... He may be onto something when he says 'you don't need to know how to commit crime to detect it.' But then again, cybersecurity isn't just about detecting cybercrime, is it?... It's also about preventing cybercrime!
After all, what good is it to 'detect' theft if you can't prevent it from occurring in the first place? If you can't do that, the theft will likely continue. You can't stop someone from breaking a rule until you know how they're breaking it. For example, maybe someone has been stealing snacks from your vending machine, and you want to stop it. You might assume that they're shaking or tilting the machine - and decide to anchor the machine to the ground. But if all they're doing is attaching a string to their money so they can pull it back out after purchasing a snack, your 'theft detection' hasn't done you any good.
An adversarial mindset informs & improves defensive tactics
Knowing how to hack may not make you significantly better at 'detecting' cybercrime... but knowing how to think like a hacker can certainly make you a better defender! Employing an adversarial mindset (thinking like an attacker) helps you consider tactics, techniques, and procedures an attacker might use against you. Jayson E. Street once shared the following:
"Every place that I tried to secure. I first assessed how I would steal from it."
When defenders can learn how to think like attackers, they'll be much more prepared to proactively prevent intrusions and reduce vulnerabilities. And I can't think of a better way to learn how a hacker thinks than learning how to hack.
So yes, hacking skills are important for cybersecurity. And not every security professional needs to be good at hacking, but we definitely need hackers to help us stay ahead in the perpetual game of cat and mouse that keeps us all on our toes every day.