We pretend that 'black hat' is a dirty term in the infosec space, but half of you would not earn half as much money as you do without them. Let's be honest, the relationship between defender and attacker is a symbiotic one and it has almost always been that way. We thrive on conflict, we are human and the very best thing about cybercrime is that nobody really gets stabbed or shot. In this article we will take a closer look at the relationship between black and white.
I think it is really important to begin this subject from the perspective of law enforcement, who (mostly) view any communication with black hat hackers as highly valuable threat intelligence. Would you rather know and understand the motivations of the black hat community to better defend against them, or not?
Knowing your enemy is a no brainer in the infosec space.
A Word From Law Enforcement
I have been lectured at length by members of the law enforcement community who know I am writing this article on black hats, and so I want to start off by addressing the emotional wounds that black hats inflict on their victims and the financial devastation they wreak on anyone greedy enough to actually send them money, gullible enough to fall for their tricks, or with weak enough security practices to make themselves easy pickings for any script kiddie with the right combination of freely downloadable tools.
Nobody is saying that black hats do not cause damage, they very clearly do and the damage they cause can affect its victims for a very long time.
The cost of recovering from an attack can be enough to cause a small business to go bankrupt, doubly so if it did not have any business continuity or data loss recovery plans in place. If personally identifiable information is exfiltrated, this means additional legal costs and fines on top of your cleanup costs. The cost of replacing files, software and hardware, overtime for IT and other staff, and damage to reputation in the media are all major concerns and can kill a company, not to mention lost business, payroll that still has to be paid to employees, and so on. Cyber bullying, stalking and harassment have very real victims, and the emotional trauma these victims go through is devastating.
Black hats are certainly criminals, even if they are not violent criminals and the truth is that they keep those law enforcement officers who lectured me in a job. Most of the LEOs I know talk to black hats all the time, at least the black hats who like flirting with danger enough to talk to them. LEOs love black hats, they will never admit it though.
White Hats Were Born In The Dark
It is far more profitable to have an open and frank dialogue with the black hat community than it is to ignore them. Many credible professionals working in the infosec space started out wearing a black hat, it is what makes them such effective defenders. At some point almost every hacker has put that black hat on their head and beneath that black hat they earned their bones. It's what makes them good white hats in fact.
The black hat and the white hat communities are symbiotically trapped in a dance which is hugely profitable to both of them and cyber crime is the best kind of crime in that it keeps me and mine in well paid work protecting others against it. We do not have to worry about our people actually getting killed or physically hurt either.
I am not talking about foreign actors sponsored by nation states on missions of cyber espionage against our industries, or information warfare adversaries trying to influence our societies using social media; they are the bad guys, and they inflict billions of dollars' worth of damage on our economies and negatively distort our civil discourse.
I am also not talking about terrorists who use cyberattacks to inflict damage on their victims for ideological purposes. I am talking about your everyday kind of black hats, the ones who just want your money and the ones who are curious about how your security works, practising their skills on it so they can become good white hats.
Those black hats are not real criminals. I am generalizing of course, but when I say they are not real criminals, I mean that they are not men of violence, they are not paedophiles, they are not rapists, they will not mug you in the street, they would never stick up your gas station and if you ever actually came across one down a dark alley, they would probably not even make eye contact with you.
For sure they steal money online, they defraud and con, spam, infiltrate, exfiltrate and sell your data. But did any of you sustain a physical wound from that cyberattack against your organization? Did you all make it home once you were done talking to screaming customers and employees who do not understand IT?
Let me answer those questions for you; no you didn't, and yes you did.
The very best thing that you can say about these digital pirates is that they represent a trillion dollar opportunity to the infosec industry without any violence taking place and that is a beautiful thing. Fraud and theft absolutely leaves emotional and financial scars on their victims, but they get over it eventually and nobody loses their life.
Don't @ me with your edge cases, they are the last refuge of the cynic and I am well aware of the industrial hacking deaths. They happen so infrequently, they are such a small blip on the mountain of global cyberattacks that they are still an unconfirmed edge case and besides, we call those people cyberterrorists.
Generally speaking, black hat hackers never physically hurt anyone.
Who Doesn't Love Criminals & Their Exploits?
We love seeing criminals do their crime on the big screen, we lap up any kind of entertainment involving crime, be it movies, video games, books or TV series. I am willing to bet that most of you can quote at least one line from Goodfellas, and those of you who cannot can probably name at least one or two infamous criminals.
Let's be honest, we have an ongoing love affair with criminals and no matter how much we love seeing the good guys catch the bad guys, in the end we are transfixed by seeing the bad guys do their thing and do it well. We can never shake off that guilty pleasure of watching gangsters be gangsters, and for some famous actors, playing notorious gangsters on the big screen has made their whole careers.
I think that the reason we love criminals and love hearing about their exploits is the same reason that we used to play pirates when we were little: there is something about those people who cock a snook at societal norms. In his book "The Art of Game Design", Jesse Schell talks about how he created "Pirates of the Caribbean".
The Pirates of the Caribbean is not about pirates, it is about being a pirate! The whole goal of the ride is to fulfill the fantasy of what it is like to throw aside the rules of society and just start being a pirate! It might sound obvious in retrospect, but this shift in our thinking crystallized everything. This was about fulfilling the pirate fantasy that everyone has bubbling just below the surface, the fantasy of being a pirate. Piracy is all about freedom.
Jesse is absolutely right too; almost every gangster movie you have seen reinforces the idea that gangsters are independent, powerful and free to create their own worlds, in a world where everyone else is too scared not to conform.
Everybody wants to feel that way just once, even if through a movie or video game.
In this context you can understand the fascination with black hats, those digital pirates who shape the internet in their own liking, who cock a snook at the laws which prohibit anyone with the skills from pirating their way around the internet.
Black hats are the digital versions of the old school pirates, except that they would never make you walk the plank or enslave you into service aboard their ship.
Master Of The Black Hat Stories
The undisputed master of black hat stories is Jack Rhysider, creator of Darknet Diaries, a podcast series that recounts true black hat stories. If you have never listened to them before, go and check them out immediately; Jack is an awesome guy and somebody who black hats trust to tell their stories without compromising them. Nobody else anywhere does this as well as Jack. When we come to make the next great hacker movie, Jack will be on the sidelines quietly advising the director through the lens of a man who has heard it all from the horse's mouth.
Black Hats Make Your World Go Round
Love them or pretend to loathe them, when it comes to making the infosec world go round, the black hats do most of the spinning. Every single infosec job ever created, every technological advance in cybersecurity and every great security problem that needs solving has black hats behind it somewhere. Like it or not, black hats are the root cause of most of our industry's efforts. For sure they are not behind every door, but they are almost certainly part of us, one of us, amongst us and in us.
Of course we must never admit this to anyone, it scares the civilians.