Podcast transcript: Exploring new-age cybersecurity: Ethical hacking and bug bounties
26 min | 23 October 2023
In conversation with:
Rajesh Kumar D
EY India Cybersecurity Consulting Partner
Tarannum: Hello and welcome back to the EY India Insights podcast. Today, we are launching a new series called ‘Navigating cyber threats’ as part of the Cybersecurity Awareness Month special. In this series, you'll learn about navigating present cyber threats and how, as a leader, you can effectively tackle today's and tomorrow's challenges. In this premiere episode, we will explore two anticipated trends in cybersecurity that are ethical hacking and bug bounty programs.
I am your host Tarannum Khan and joining us today is Rajesh Kumar D, Cybersecurity Consulting Partner at EY India. Rajesh currently focuses on cybersecurity in the EMEIA region and brings over 25 years of cybersecurity experience across various industries.
Welcome to our show, Rajesh. How are you today?
Rajesh: Thanks, Tarannum. I am doing well.
Tarannum: Within the cybersecurity industry, there is a large and growing community of hackers who use their skills for good, making it a promising and emerging field. How can someone pursue a lucrative career in this field?
Rajesh: It depends on what stage of the career you are in. If you are someone who is trying to get into an educational institution right after school, like a UG or a PG program, then there are several colleges that offer courses on cybersecurity, and we are already seeing a surge in the (number of) institutions that are offering such courses. And especially those that include ethical hacking, forensics, and a lot more.
But if you are someone who has already made it to college or the IT field and is looking at taking cybersecurity as a specialization, there are a lot of options. There are certification bodies that offer courses on cybersecurity, including labs where you can practice on EC-Council, SANS, etc. These are paid ones obviously; some of them are a bit expensive, but there are also a lot of free options that are available for users, such as Security Academy or WSP, which is a well-known industry forum for application security. Some of them also offer these courses for free and they also offer courses with labs.
We also have cloud providers, including Microsoft and AWS, which offer some of their security programs free of cost. But the fact is that today you will find a lot of material on social media. While most of the programs offer theoretical content, the challenge is where the knowledge can be practiced. I think that is one area that is of big importance because it not only allows you to learn about the cybersecurity field, but you also get to practice your skills on some of the real-time applications including giants like Facebook, Google, and Microsoft. And the best part is you also get paid while you find some vulnerabilities on their platforms.
Bug bounty has led to a significant career change for most security researchers. For example, you get an option to work remotely; that is one of the main areas where we see that most security analysts prefer bug bounty. So, you can be in any part of the world, and you can participate in bug bounty programs. The other interesting fact is that you don't have to even be in the cybersecurity field. You can be a system administrator, you can be an application developer, but you can take cybersecurity as your hobby, and in your available time, you can find vulnerabilities in some of the programs, and you can get paid. In cybersecurity, we are currently seeing lots of attacks (cyber) going on, and there is a big demand for skills. I think the industry is going in the right direction in that area.
Tarannum: How can aspiring ethical hackers expand beyond traditional software and increase the integration of AI and automation?
Rajesh: We need to understand what is happening in the industry. Today, for every software, every component that gets added to an application, there is an enormous amount of vulnerability that comes with the software components. Relying on just humans and without any automation, finding out vulnerabilities is going to be a big challenge. To some extent, we have already leveraged scanners which do automation to find out some vulnerabilities and help with the workload of the human element, but with the introduction of artificial intelligence (AI) and machine learning, I think that is going to be a big game changer here.
For example, we can use automation of the vulnerability prioritization platform. So, when we have a big landscape of vulnerabilities, we can use AI to see which are the actionable threats that you need to work upon.
If you also look at the security landscape, automated scanners have already started using AI, but the human element is still recruited to identify vulnerabilities. It is not one versus the other; both are currently being employed in the industry. But if you look at the human element, there are a good number of bespoke vulnerabilities that an automated scanner cannot find, and that is where the human element is being used. If we can leverage AI and help reduce the human element, ethical hackers will have more time to focus on complex and novel security issues. Reverse engineering, for example, takes a good amount of time for a security analyst. What if we can use AI techniques to do reverse engineering? That will be a big game-changer.
Also, what about analyzing source code? Now, when you look at any application, you have millions and millions of lines of code. This is another area where we can use AI to identify the vulnerabilities. By using predictive analytics, AI can simulate attack scenarios and identify weaknesses in network infrastructure. For example, you want to create a payload right after you find a vulnerability. You can use AI to create a payload and check whether the vulnerability is really effective; it is a true positive, and it is something that needs to be acted upon.
Another area can be phishing, which is also very common. If you look at it, today, a human element has to do a lot of work, especially in phishing in different geographies. They need to know the languages, and more importantly, the right sense of grammar, etc. So, that's another area where AI can play a big role.
With more and more adoption of IoT and Connected Cars, I would say that the role of ethical hacking needs to be focused on these areas too. But the challenge is that this requires a different skill set. It is not about testing traditional application security. Where do we get to practice this? So, that becomes another challenge. That is why, I think, organizations today do a lot of tie-ups with automobile manufacturers, medical device manufacturers, etc., where they get to test some of their software at an early software development lifecycle.
Tarannum: Those are really interesting points and great to see the scope of it expanding at such speed. If we were to talk about ethical hacking, penetration testing, and red teaming is the most conventional forms of it. Could you explain the differences in their effectiveness and what would be the best approach for small organizations with limited budgets?
Rajesh: We need to first understand the purpose of performing penetration testing and red teaming. It is not one versus the other. Both have different objectives and offer different end results.
You do penetration testing as an organization when you want to identify the list of vulnerabilities across an infrastructure application. On the other hand, you do red teaming when you want to assess the monitoring and defensive controls of an organization. Red teaming assessments are done when an organization has invested in Security Incident and Event Management (SIEM) or a Security Operations Center (SOC). If your organization has not invested in SIEM or SOC, then red teaming brings little value to the organization.
That is one major difference in terms of the objectives, but it does not stop there. When you look at the focus as a pen tester, you have a different set of focus. Your job is to identify the complexity of vulnerabilities across the entire infrastructure. As a red teamer, you do not have any restrictions, you can go and identify vulnerabilities in the physical security, and you can go and identify vulnerabilities in wireless security. So, the focus is more on how I can get from the outside to the inside all the way to data exploration, typical of a real ransomware attack or another attack that happens these days.
The other difference comes in the effort and time taken, because of the complexity of doing red teaming and because red teaming is way larger than a penetration test. In a red teaming test, one is expected to simulate the behavior of an adversary group, which we call the TTPs - the tactics, techniques, and procedures. You are not only going to identify and exploit the vulnerability, but you need to persist the vulnerability, meaning if the machine restarts, the access should be there, you should be able to take control of one machine, compromise the other machines on the network and all the way to the active directory. So, the focus of the red teaming is something different.
The other big difference between penetration testing and red teaming is the noise that we create. Penetration testing is a well-announced test where most of the stakeholders in the organization know about when the test is just going on. They are well-informed. On the other hand, red teaming is one such exercise where it is kept a secret from all the stakeholders. Most of the time only the physical team is informed, and it is kept secret from the SOC team because the outcome of the team is also to evaluate the alertness of the SOC team.
I think you would have understood where red teaming is being used and where penetration testing is being used. Just to make it simpler, you do penetration testing when you want to evaluate the preventive controls in the organization. You do red teaming when you want to evaluate the monitoring and detective controls in an organization.
Now, if you are a small organization, there is no exception; penetration testing is a must. Red teaming comes at a later part when you want to evaluate if an attack is supposed to happen in your organization. Will you be prepared? Are your defenses acting properly? Are your monitoring teams getting the right alerts and are they taking the right action?
Tarannum: For our listeners, could you explain what bug bounty programs are, and how do they emphasize identifying vulnerabilities in the supply chain?
Rajesh: A bug bounty program today is being conducted by organized parties. For example, HackerOne is one of the well-known platforms. We have Bug Tracker – that is another platform. We have a couple of platforms where ethical hackers can register and participate in the bug bounty programs. Even well-known social media giants today can also participate. They can go and approach any of the bug bounty programs and say they want to get their software tested.
Obviously, you can put your rules of the engagement - what can be tested, what cannot be tested, and you can also list down the awards. For example, if somebody can do a particular exploit or gain access to an administrator access, this is the amount that somebody will be paid. You have different levels of bounties that are paid across different types of vulnerabilities that people identify.
Now, coming back to the supply chain. Before I talk about cybersecurity in the supply chain, we need to understand some of the challenges that we have. For example, as an organization today, we employ a lot of software within our products, and there is a lack of visibility on where the vulnerability lies because the organization typically tries to make all the effort to secure its own code base but hidden in the code base are also libraries and other software components, which are coming from the supply chain. Some of them include FOSS, which stands for free and open-source software. Even those components need to be analyzed for software and other data software. Now, even if you manage to identify a vulnerability in a third-party component and if it happens to be an open-source component, you go back to the open-source component vendor and say I have done a testing of the product and I have identified a few vulnerabilities. But the challenge here is we do not have an agreement with the open-source vendor, so they will obviously accept the vulnerability, but when they are going to fix the vulnerability, it becomes a challenge because you do not have an agreed SLA (service-level agreement) with the vendor.
That is where some of the bug bounty programs have taken a step upward. For example, HackerOne, one of the vendor programs, has already expanded the bug bounty program and they call it the Internet Bug Bounty program. This is another form of a bug bounty program that is focused on open-source software. So, security researchers now get a chance to test open-source software. They could have tested before as well, but what were the rewards offered? You don't get paid. But now you also get a chance to test and at the same time also get paid for the vulnerabilities that you are identifying on the open-source software.
A search engine pioneer also has an open-source bug bounty program. So, this includes well-known components like Angular and Golang. The other interesting aspect of the search engine giant is the way they do the rewards on the supply chain. If as an ethical hacker, you identify a vulnerability, but you do not want to take the merit or reward, but you want to pass it to any charity or donate, the company will double this for you. As an alternative, if you are an organization where you are using a lot of open-source components, but now you want to ensure that whatever open-source components you use within the organization are being secured, you can now use one of these bug bounty programs and say - can this software also be listed there? That is also possible today because HackerOne is one such program that is already doing this.
Talking about the vulnerabilities in the supply chain specifically, I think that is one area where organizations have taken a big step. We have all used the term security code review. So, this was there for a long period of time. Now, with all the recent attacks on the supply chain, what we are seeing is a different approach or probably the expansion of the scope. There is another scope called a source code composition analysis. So, before I even identify a vulnerability, as an organization I want to know what components I am using in my software. That’s another area that is predominately being employed by organizations and the objective is again not only to identify the components which we call the software builder materials, but also to identify the vulnerabilities along with the licensing right. For example, you might use a third-party component, which you may not do in your production applications, or you may not be free to share the source code with other developers or other third parties. So, there are a lot of licensing rights as well.
This is where the source code composition analysis makes a big change in terms of supply chain security.
Tarannum: I am certain it helps set things in context for a lot of our listeners as well. Lastly, we would like to understand from you as technology advances and new attack vectors emerge, what opportunities and challenges does the future of ethical hacking hold?
Rajesh: It is very interesting because we are seeing technology innovations, such as cloud computing - I will not call it an innovation because every company today we speak with is already on cloud - and the other area is the Internet of Things (IoT). Today, we are seeing a lot of production of IoT and connected devices. You would have heard about connected cars. Today, every automobile has a connected component.
There is a good number of technological advances that are happening. The question is whether we see a shift in ethical hacking or whether are we getting the right set of skill sets for people. That's one area where we are seeing a big shift in terms of organization. But when it comes to bug bounty programs, it is going to be a challenge. If you recollect, when we talked about how you learn cybersecurity, we talked about a lot of programs that you get to learn, you get to practice and everything, but when it comes to this type of cloud computing, IoT, connected devices, one of the biggest challenges is that you can learn, but where do you get to practice? Because you need a connected device with this component. Not only the car component itself, but even the utility to add these devices comes in from hardware, and some of them are very expensive and some of them you do not get in certain geographics. So that is definitely a challenge there. So, you will see organizations today tying up with automobile manufacturers for cybersecurity programs. So, there is a shift there.
We are also seeing a shift in skillsets of the ethical hackers because now with the AI rapidly picking up and now, we are also seeing something called HackGPT. So today if you want to acknowledge any application, you want to acknowledge any software, you want to find out vulnerabilities in software, AI is going to do most of the job. Now we want ethical hackers to move on from the traditional work and move into these niche areas, work on AI and cloud computing.
When we talk about these areas, an interesting aspect of Microsoft has recently announced something called the AI bug bounty program. It is not a normal bug bounty program; it is an AI bug bounty program that focuses on the tools which are using artificial intelligence such as Bing, the browser. The challenge with this is that the traditional skill sets that we have learned, will not be sufficient for doing the job. Because when you want to come and test some AI tools, you need to understand a couple of things. For example, you need to know about language models. You need to know about references. So those are some of the areas that you need to learn. Similarly, when you want to do the security of connected cars, you need to first understand what the ecosystem is of a connected car, what happens in a connected car, and what are the various components that are used in a connected car.
Now we are seeing a shift where domain expertise is more important. You need somebody to understand the domain first before they talk about cybersecurity. So, if you are talking about looking at vulnerabilities in an AI tool, you need to first understand AI. Similarly, when you are talking about IoT, you need to first understand what an IoT component is. Similarly, for connected cars. IoT, connected cars require some special equipment which I have already mentioned, which is a game changer, because if you are not part of an organization, then it becomes a challenge because you need money to buy some of these tools and these are very expensive.
In terms of opportunities for bug bounty, I think we are already seeing the game changing. Today, we are looking at colleges where people or students are already seeing the demand for bug bounty, and we can see students from the third year, and fourth year as part of the curriculum who take bug bounty as a profession.
This has a lot of advantages. One, you are sitting for your job. It gives the added advantage that you already have learned something in cybersecurity, and if you manage to get a vulnerability, it becomes a much more added advantage. As companies come to hire you, they already know that you have invested a lot of time learning the field and have demonstrated your capabilities by way of finding vulnerabilities. The more important part is that in college, you participate in bug bounty, and you also get paid.
We have seen in the media that some of the Indian researchers who found vulnerabilities in one of the social media giants got five-digit bounties; that is a very good amount, and as I said initially, there is a remote working option as well. So, that is another area where more and more cybersecurity searchers are planning to take their careers as they are no longer constrained by the location. They can sit in any remote part of the world and can still contribute to cybersecurity. For that matter, they do not have to be even in cybersecurity. They can work as an administrator, they can work as a software developer, but can still participate in cybersecurity. So, cybersecurity today offers a vast number of opportunities to people who are engaged in security research.
Tarannum: Thank you for such great insights, Rajesh. And I think our listeners have a lot to take back from this episode on the intricacies of ethical hacking. Thank you so much for joining us once again.
Rajesh: Thank you, Tarannum. I think with the surge of cyberattacks that we are seeing and the new innovations that are happening in the market, especially with the invention of AI, cloud technologies, and machine learning, development is required from all ends. I think we are seeing the security vendors. Most of them are using AI in their tools, including vulnerability scanners. On the other hand, we are seeing organizations employing AI in their defensive and tech controls. We are seeing ethical hackers totally shifting from traditional software hacking to the new-age software programs of hacking. There is a growing demand that is happening, and I think it will continue. It is going to be AI vs AI; it is going to be a good battle going forward.
Tarannum: Thank you for your valuable time today, Rajesh. To all our listeners, if you have any feedback for today's episode or questions for us, please do feel free to share it on our website or email us at markets.eyindia@in.ey.com. Be sure to join us in our next episode on ‘Operation Technology Security.’ Until next time, I am Tarannum, and this is a Cybersecurity Month awareness special podcast series by EY. From all of us here at EY India, thank you so much for tuning in.