At first glance, the term “ethical hacking” may seem like an oxymoron. That’s because criminal “hacker” has become a pejorative that’s closely tied to the bad guys — black hat threat actors looking to steal or corrupt data or other assets within digital reach.

The truth is, there are plenty of good guys in the hacking business: professional penetration testers whose job it is to poke holes in a client’s system for insights on how to make systems more secure.  Let’s take a closer look at how ethical hacking is indeed a valuable activity — assuming it’s done right.

The Ethical Hacker’s Playbook

The truth is, ethical hacking is not only a known concept, but one that’s enshrined in cyber security training and practice. There are even Certified Ethical Hacker programs and curricula across the industry — all designed to leverage the improvisation and resourcefulness of a hacker with the conscience and mission of a CISO or a SOC analyst.

Part of this is understanding that good intentions are not enough. Penetration tests by well-meaning whistleblowers may contribute to our understanding of vulnerabilities, but that doesn’t mean the incursions were ethical. Getting permission is a core requirement, and it’s not the only one. Remaining ethical in your work is also about matching the right skills to the nature of the job, and knowing how to find vulnerabilities without inadvertently damaging systems.

Following the Right Methodology

Simulated hacking reaps more insight than simply running a vulnerability scan on your systems. So what’s the process? Some of it involves basic rules of engagement with a client for ethical hacking — including documentation, reporting and selecting areas that are within, or off limits, for penetration testing. But you’ll also typically see specific methodological steps.

These steps include footprinting and reconnaissance, involving the gathering of information about a target using open-source intelligence — scouring search engines and related sources using tools like Nikto, the Harvester and Maltego. The target normally has no clue you are looking in this phase. Next comes scanning and enumeration: Here you are touching the target in some capacity.  This might be the common practice of running an NMAP scan and performing things like banner grabbing — all looking for vulnerabilities to exploit in this phase.

Once we gain access through the vulnerabilities we’ve found — or even social engineering, like leaving USBs in a parking lot in hopes that an employee will pick it up and plug it in at work —  we need to maintain that access, so we can accomplish our goals. Many ethical and criminal hackers maintain access by setting up hidden entry paths through backdoors in the system. Finally, the ethical hacker’s job is to exfiltrate the target data and escape without anyone knowing the ersatz bad deed was done.  This phase might include things like corrupting log files or deleting them.

Feeding the Workforce Pipeline

True threat actors obviously have expertise in these methodological areas. But despite the popular stereotype about the black hat actor who gets caught and ultimately become a white hat penetration tester, personal integrity is a core requirement for the job, and very few former criminals end up as ethical hackers.  Especially with valuable enterprise data and systems in the balance, it’s much safer to train an ethical person to be a hacker than to train a criminal hacker to be ethical.

Teaching the right methodologies and skills is crucial, but just as important is setting expectations. Folks drawn to the field for the James Bond-style excitement need to remember that — for every critical moment in a high-stakes penetration test, there may be hours of mundane paperwork, meetings and drawing up contracts.  As for finding the right people, some come from development backgrounds, others from networking backgrounds.  Regardless of their particular origins, the shared mindset is typically one of problem solving, critical thinking and perseverance.

Ultimately, ethical hacking is an essential tool in keeping up with cyber threats. And there’s a  growing appreciation for the professionals who harness the creativity of a black hat actor in order for us all to come up with defenses that are as creative as their digital adversaries.