We have white hats, we have black hats and we even have grey hats. However, what is the true meaning of a grey hat hacker? These individuals are typically not malicious by nature and do not necessarily intentionally cause harm, yet at the same time they may not act ethically.
A prime example of a grey hat in action is when a lone researcher discloses vulnerabilities before the vendor has the opportunity to patch it. The goal is to stake a flag and show they knew about the vulnerability first, thus proving they possess the best security research knowledge. Unfortunately, in most cases, this is an attempt to gain notoriety in the industry. For example, a lone researcher in the UK, who was upset that the development site was vulnerable, was behind the recent Apple developer site hack. He claims his intention was not hacking but bug finding and testing if he could extract data from the site. Another example of grey hat activity is the recent hack of Zuckerberg's Facebook page.
This prompts the argument of when to disclose. If the vendor fails to respond to the disclosure and the vulnerability is actively in the wild, does the individual or group who identified the vulnerability disclose this publically? Doing the right thing then becomes a difficult decision. I think we need to decide how much we can share and in what timeframe.
So where do we sit...are grey hat hackers good for the infosec industry? I believe grey hats come in many shades and a code of conduct is necessary. Below are set of proposed parameters for anyone wanting to partake in these activities. Any deviation from this indicates you are performing malicious activity.
- Engagement - before performing any task including a basic vulnerability scan, you must agree first and obtain the asset owner's buy-in.
- Disclosure - any vulnerability found must be disclosed to the vendor/owner. If attacks are in the wild, government agencies must be informed. Ethical disclosure is paramount.
- Remediation - never attempt to remediate or attempt to test your findings (such as attempting to exfiltrate data). Ethical hacking requires control and basic principles of notification only.
To summarise, we can consider ourselves at a pivot point with grey hats. They have access to resources and we share content in the community that can aid them. They use shared intelligence and available resources--while also using their own skills to identify bugs and flaws in our networks and websites. Make no mistake; I believe ethical disclosures are great.
As a quick side note, one of my favourite security books is still "Gray Hat Hacking: The Ethical Hacker's Handbook" which references ethical disclosure, pen testing and tools, exploiting vulnerabilities and malware analysis. It focuses on the same common tactics used in relation to attacks on organisations. Chapter 16 focuses on content security and information protection. The attack scenarios still resonate today, even though several years have passed.
Web and email remain the primary two channels used to launch an enterprise attack. Yet they remain the weakest ingress and egress points on the network. Alarmingly, most organisations still run basic spam and web filter products running AV engines. The book explains how easy it is to bypass these legacy controls. It's important to have a comprehensive security solution that protects both the web and email channels from data loss and data theft.
Do you have an opinion on grey hat hackers? Feel free to leave a comment and let's discuss.