Inside the mind of a hacker
Why do hackers hack? Understanding their motivations is vital for securing networks
A conversation with Holly Grace Williams, ethical hacker
What kind of person becomes a hacker, and what drives them to attack a network? If we believe the Hollywood stereotype, the average hacker is a bored teenager in a basement, looking for ingenious ways to remotely bypass system security – either for the thrill of it, or to show off.
But while bored teen hackers certainly exist, they’re far from the biggest risk to CSPs and their customers, says Holly Grace Williams, managing director of cybersecurity consultancy Secarma.
“One of the biggest problems with security is that organizations think that all hackers are motivated in the same way. That they all have the same backgrounds and reasons for doing what they’re doing,” she says. “And of course, that’s not true at all.”
Shadowing nation-state attackers in the British Army
Williams knows better than most the diverse forms that hacking – and hackers – can take. As a former security officer with the British Army’s Royal Signals Corps, she was responsible for implementing physical and cyber defenses against some of the world’s most well-resourced hackers: nation-state attackers looking to steal government secrets, academic research or the workings of critical national infrastructure. “Basically, anything that can give them leverage against the UK,” she says.
Since leaving the army, Williams has brought her security expertise and knowledge of hacking techniques to private sector organizations. She and her team work as ‘ethical hackers’, using the same techniques as malicious actors to find chinks in companies’ defenses – whether physical, virtual, or psychological. The vulnerabilities she uncovers allow companies to tighten their security. “The easiest way to describe it is that I break into buildings and computers for a living,” she says.
From foreign agents to lone opportunists - why hackers hack
It’s a wide remit because the techniques used by hackers are as broad as their motivations. Williams explains that as well as bored teenagers and foreign intelligence agents, there are politically-motivated hackers “who want to disrupt systems if they disagree with the owners of those systems or their recent actions. Those tend to be sabotage attacks, like taking down a website, or destroying data.”
Then there’s an array of financially-motivated attackers, whose aims could be anything from getting rich quick to funding organized crime or terrorism. They’ll use techniques ranging from deploying ransomware, to co-opting IoT-connected devices into crypto-coin mining botnets, to bribing company employees to carry out certain actions. Many hacks involve social engineering, and this is a risk that’s often overlooked. “Paying members of staff [to carry out an action] is a threat that a lot of organizations don’t consider,” Williams says.
Five things you might not know about hackers
- The actual definition of a hacker is “One who enjoys the intellectual challenge of creatively overcoming limitations”
- A hacker attack takes place every 39 seconds
- 68% of hackers hack for the challenge and 49% hack to have fun
- Hackers create 300,000 new pieces of malware daily
- 63% of ethical hackers who have found a vulnerability have not reported it for fear of retaliation
Source: The 2020 Hacker Report and The 4th Hacker-Powered Security Report, HackerOne, McAfee, Security magazine
Decoding hacker logic - difficult bad, easy good
While many hacks evolved from people to systems, that’s not always the pattern. The key thing to realize about hackers, Williams says, is that they won’t try something difficult if an easy way exists. “In a lot of cases they’re not looking to do something interesting, or show off. For attackers that are financially-motivated especially, they might just do the most simple attack they can.”
And for all the modern focus on cybersecurity defenses, the simplest way for a hacker is to co-opt an employee - either by exploiting their goodwill or sense of duty or by offering them money. “Social engineering attacks can often be surprisingly simple,” Williams says. “Send an email to the right person worded in the right way, and they might just perform an action for you.”
Popular culture believes that hackers are always coming up with ingenious new ways to game systems and bypass security measures. But Williams says one of the most surprising things about hackers is not that they’re endlessly inventive, but that they still use decades-old techniques.
The reason for that is that those techniques still work, and hacker logic dictates that there’s no need to try something new if a solution already exists. “Ransomware attacks are incredibly common at the moment, but the first ransomware attack was in 1989,” she says. “It’s over 30 years old, but it’s still effective.” As evidence, she points to the foreign-exchange company Travelex, which handed over $2.3m to hackers who executed a ransomware attack against the firm on New Year’s Eve 2019.
New technologies present new attack opportunities
At the same time, she says, advances in technology do create new opportunities for hackers. The Internet of Things is a prime example, simply because it vastly increases the number of access points to a network. “As we connect more and more devices to the internet, the threat [from hackers] could increase just because the attack surface has increased - even though the motivations remain the same.”
And while people are used to installing anti-malware software on their laptops and smartphones, they don’t always think the same way about a home automation system, a security camera or an interconnected fridge. That’s a risk when connected devices store personal data or have access to payment gateways. Williams says that if a threat actor gained access to a smart fridge: “There's a range of attacks they could do. They could deny service, which would stop it from operating correctly. They could remotely break it. They could purchase something unexpected, or something not for you.”
Those risks are greatly magnified when the connected device isn’t a fridge but, say, an autonomous vehicle or a city-wide traffic light network. The past few years have seen a sharp rise in distributed denial of service (DDoS) attacks against single IP addresses, which can often be traced to gamers trying to ‘boot’ a rival player out of an online game for just long enough to win a round. Hackers who know the IP address of an internet-connected device, whatever it might be, could launch similarly targeted attacks, with potentially catastrophic consequences.
That, Williams says, is something that should give communications service providers (CSPs) pause. While the attack target may be an end-user or a connected device, the way into it will be through the network. And with 5G poised to enable an explosion in the number of connected devices, CSPs will want to be sure their customers - whether consumers, businesses, or public sector organizations - are well protected.
"Don't presume the system is secure by default"
5G creates new risks - but new solutions, too
In many ways, she says, 5G will help with that, as it offers security enhancements over previous generations. One such feature is network slicing, a technique that allows operators to give portions of their networks over to specific customer uses, such as IoT, smart homes or automated cars.
Slicing is a way of optimizing systems for speed and latency, but in some cases, the network can also be partitioned to allow devices to be isolated from one another. That brings security benefits, as Williams explains: “If we can prevent attackers from moving from one area of the network to another, then that can increase security by making the propagation across the system more difficult. A software-defined network can allow us to be more granular about how the system operates.”
Segmenting the network should also help with traceability, she adds, saying that as more connected devices are assigned individual IP addresses, it can be harder for operators to trace the origin of hacks like DDoS attacks.
“That can make it hard to do things like incident response, because working out specifically what path the attacker took to connect to the device can become more complex.”
As with any new technology, it helps to read the manual. Williams says CSPs will need to research the security capabilities of 5G equipment and decide how to make the most of them. “There are a lot of security protections available, but they’re not always automatically enabled,” she says. “It’s often a case of turning the right options on, rather than presuming the system is secure by default.”
Advice to CSPs - Put yourself in a hacker’s shoes, then design layers of defense
Williams advises CSPs to take an outside-in approach when designing network defenses. “Don’t just consider hackers as a single entity, because they’re not,” she says. “Look at the threat modeling side of things. Ask yourself why a hacker might target your organization, and what they have in terms of capability. Then, what’s the best way to prevent those attacks from taking place?”
Having understood the risks, CSPs should think not only about how to keep attackers out, but also how to slow them down if they do manage to breach an initial defense. This is a concept known as defense in depth, as Williams explains: “It’s the idea that we don’t rely on a single perimeter, but we apply security protections at different layers, such that if one technology has a vulnerability or is compromised in some way, there’s still additional layers for the threat actor to get through.”
The net effect gives security teams more time and more data to detect and eradicate the attack. “If an attacker can move through all your systems very quickly, it can be difficult to respond to,” she says. “So when it comes to security, we shouldn’t just be thinking along the lines of protection, but also detection and response.”
Three reasons to work with an ethical hacker
- Hackers have reported more than 180,000 valid vulnerabilities, with one-third of those reported in the last year
- The average cost of a data breach is $3.86 million. The average cost of a hacker finding a valid vulnerability is $979
- Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity jobs globally by 2021
Source: The 4th Hacker-Powered Security Report, HackerOne (data collected May 2019 – April 2020) and cybersecurityventures.com
Williams has one final piece of advice for CSPs, which may sound counter-intuitive - and that’s to be open with customers about their efforts to tackle security issues. “When organizations are putting a lot of effort into security, they should talk about it,” she says.
“There’s a historical view that you shouldn’t mention vulnerabilities or security because you ‘don’t want to give ideas to the hackers’. But if we’re developing new technologies, then we should be publishing those things. After all, security isn’t always about things being broken – it’s about things being fixed, as well.”
About Holly Grace Williams
As managing director of cybersecurity consultancy Secarma, Holly Grace Williams has 13 years’ experience in leading information security teams. Her early career was spent in the military working in roles such as Site Security Officer, although she now works with a wide range of organizations. She holds a Master’s degree (MSc) in Information Security from Cardiff University.