50 Shades of Grey Hat

We have white hats, we have black hats, we even have grey hats.  However, what is the true meaning of a grey hat hacker?   These individuals are typically not malicious by nature and do not intentionally cause harm, yet at the same time they may not act ethically.


One of my favourite security books is still “Gray Hat Hacking: The Ethical Hacker’s Handbook”, which covers ethical disclosure, pen testing and tools, exploiting vulnerabilities and malware analysis.  It focuses on the same common tactics used in attacks on organisations.  Chapter 16 of this book covers content security as an example, with its focus on protecting information, and the attacks we see today still resonate with what the book described when it was published many years ago.

Web and email are still the two primary channels used to launch an enterprise attack, yet they remain the weakest ingress and egress points on the network, with most organisations still running basic spam and web filter products backed by AV engines.  The book explained how easy it was to bypass these controls back in 2010, and this continues to be a discussion point raised by grey hats.  A common question asked is “Why do we struggle to protect our networks and websites when the majority of attacks can be stopped?”


Another example of grey hats is security vendors or lone researchers disclosing vulnerabilities before the vendor has patched, with the aim of staking a flag and demonstrating their security research efforts.  In most cases, this is the wrong approach. They were simply the first to lower their standards under pressure from marketing teams or financial rewards to come up with the latest story and raise their visibility in the industry.  You also have individuals whose intention is to gain notoriety in the industry.  A recent example is the Apple Developer site hack, which has been attributed to a lone researcher in the UK who was upset that the development site was vulnerable.  He claims his intention was not hacking but bug finding, and testing whether he could exploit the vulnerability by extracting data from the site.  He was quick to announce his involvement once the site was taken down.

This prompts the argument of when to disclose: if the vendor fails to respond to these disclosures and the vulnerability is being actively used in the wild, does the individual or group who identified the vulnerability disclose it publicly? Doing the right thing then becomes a difficult decision.  We need to decide how much we can share and in what timeframe.

So where do we stand…are grey hat hackers good for the InfoSec industry?  I believe a code of conduct should be followed and parameters set for anyone wanting to partake in these activities.  Any deviation from this indicates you are performing malicious activity.

Parameters

  1. Engagement – before performing any task, including a basic vulnerability scan, you must first agree the scope and obtain the asset owner’s buy-in.
  2. Disclosure – any vulnerability found must be disclosed to the vendor/owner; if attacks are being found in the wild, government agencies must be informed.  Ethical disclosure is paramount.
  3. Remediation – never attempt to remediate, and never attempt to test your findings by, for example, attempting to exfiltrate data…ethical hacking requires control and the basic principle of notification only.

To summarise, we can consider ourselves at a pivot point with grey hats.  They have access to resources and rewards; we share content in the community that can aid them; they use this shared information and their own intelligence to identify bugs and flaws in our networks and websites, which, when ethically disclosed, is great.  In rare cases, however, they are similar to Mr Grey: they can become very passionate individuals who sometimes get a bit too carried away.
