Inside the mind of a hacker

Why do hackers hack? Understanding their motivations is vital for securing networks

A conversation with Holly Grace Williams, ethical hacker

What kind of person becomes a hacker, and what drives them to attack a network? If we believe the Hollywood stereotype, the average hacker is a bored teenager in a basement, looking for ingenious ways to remotely bypass system security – either for the thrill of it, or to show off.

But while bored teen hackers certainly exist, they’re far from the biggest risk to CSPs and their customers, says Holly Grace Williams, managing director of cybersecurity consultancy Secarma.

“One of the biggest problems with security is that organizations think that all hackers are motivated in the same way. That they all have the same backgrounds and reasons for doing what they’re doing,” she says. “And of course, that’s not true at all.”

Shadowing nation-state attackers in the British Army

Williams knows better than most the diverse forms that hacking – and hackers – can take. As a former security officer with the British Army’s Royal Signals Corps, she was responsible for implementing physical and cyber defenses against some of the world’s most well-resourced hackers: nation state attackers looking to steal government secrets, academic research or the workings of critical national infrastructure. “Basically, anything that can give them leverage against the UK,” she says.

Since leaving the army, Williams has brought her security expertise and knowledge of hacking techniques to private sector organizations. She and her team work as ‘ethical hackers’, using the same techniques as malicious actors to find chinks in companies’ defenses – whether physical, virtual, or psychological. The vulnerabilities she uncovers allow companies to tighten their security. “The easiest way to describe it is that I break into buildings and computers for a living,” she says.

From foreign agents to lone opportunists - why hackers hack

It’s a wide remit because the techniques used by hackers are as broad as their motivations. Williams explains that as well as bored teenagers and foreign intelligence agents, there are politically-motivated hackers “who want to disrupt systems if they disagree with the owners of those systems or their recent actions. Those tend to be sabotage attacks, like taking down a website, or destroying data.”

Then there’s an array of financially-motivated attackers, whose aims could be anything from getting rich quick to funding organized crime or terrorism. They’ll use techniques ranging from deploying ransomware, to co-opting IoT-connected devices into crypto-coin mining botnets, to bribing company employees to carry out certain actions. Many hacks involve social engineering, and this is a risk that’s often overlooked. “Paying members of staff [to carry out an action] is a threat that a lot of organizations don’t consider,” Williams says.

Five things you might not know about hackers

  1. The actual definition of a hacker is “One who enjoys the intellectual challenge of creatively overcoming limitations”
  2. A hacker attack takes place every 39 seconds
  3. 68% of hackers hack for the challenge and 49% hack to have fun
  4. Hackers create 300,000 new pieces of malware daily
  5. 63% of ethical hackers who have found a vulnerability have not reported it for fear of retaliation

Source: The 2020 Hacker Report and The 4th Hacker-Powered Security Report, HackerOne, McAfee, Security magazine

“Social engineering attacks can often be surprisingly simple”

"Don't presume the system is secure by default"

5G creates new risks - but new solutions, too

In many ways, she says, 5G will help with that, as it offers security enhancements over previous generations. One such feature is network slicing, a technique that allows operators to give portions of their networks over to specific customer uses, such as IoT, smart homes or automated cars.

Slicing is a way of optimizing systems for speed and latency, but in some cases, the network can also be partitioned to allow devices to be isolated from one another. That brings security benefits, as Williams explains: “If we can prevent attackers from moving from one area of the network to another, then that can increase security by making the propagation across the system more difficult. A software-defined network can allow us to be more granular about how the system operates."

Segmenting the network should also help with traceability, she adds, saying that as more connected devices are assigned individual IP addresses, it can be harder for operators to trace the origin of hacks like DDoS attacks.

“That can make it hard to do things like incident response, because working out specifically what path the attacker took to connect to the device can become more complex.”

As with any new technology, it helps to read the manual. Williams says CSPs will need to research the security capabilities of 5G equipment and decide how to make the most of them. “There are a lot of security protections available, but they’re not always automatically enabled,” she says. “It’s often a case of turning the right options on, rather than presuming the system is secure by default.”

Advice to CSPs - Put yourself in a hacker’s shoes, then design layers of defense

Williams advises CSPs to take an outside-in approach when designing network defenses. “Don’t just consider hackers as a single entity, because they’re not,” she says. “Look at the threat modeling side of things. Ask yourself why a hacker might target your organization, and what they have in terms of capability. Then, what’s the best way to prevent those attacks from taking place?”

Having understood the risks, CSPs should think not only about how to keep attackers out, but also how to slow them down if they do manage to breach an initial defense. This is a concept known as defense in depth, as Williams explains: “It’s the idea that we don’t rely on a single perimeter, but we apply security protections at different layers, such that if one technology has a vulnerability or is compromised in some way, there’s still additional layers for the threat actor to get through.”

The net effect gives security teams more time and more data to detect and eradicate the attack. “If an attacker can move through all your systems very quickly, it can be difficult to respond to,” she says. “So when it comes to security, we shouldn’t just be thinking along the lines of protection, but also detection and response.”

Williams has one final piece of advice for CSPs, which may sound counter-intuitive - and that’s to be open with customers about their efforts to tackle security issues. “When organizations are putting a lot of effort into security, they should talk about it,” she says.

“There’s a historical view that you shouldn’t mention vulnerabilities or security because you ‘don’t want to give ideas to the hackers’. But if we’re developing new technologies, then we should be publishing those things. After all, security isn’t always about things being broken – it’s about things being fixed, as well.”

Three reasons to work with an ethical hacker

  1. Hackers have reported more than 180,000 valid vulnerabilities, with one-third of those reported in the last year
  2. The average cost of a data breach is $3.86 million. The average cost of a hacker finding a valid vulnerability is $979
  3. Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity jobs globally by 2021

Source: The 4th Hacker-Powered Security Report, HackerOne (data collected May 2019 – April 2020) and cybersecurityventures.com

About Holly Grace Williams

As managing director of cybersecurity consultancy Secarma, Holly Grace Williams has 13 years’ experience in leading information security teams. Her early career was spent in the military working in roles such as Site Security Officer, although she now works with a wide range of organizations. She holds a Master’s degree (MSc) in Information Security from Cardiff University.