Inside the hacker’s mind

By Katharine Carlon

Zach Zaffis may be a hacker, but he’s one who rides in wearing a white hat.

Mr. Zaffis spends his days attempting to break into banks and businesses – a role the Certified Ethical Hacker calls “super fun.” It also given him keen insight into the minds of bad actors and malicious “black hatters” who seek to exploit security vulnerabilities in the name of profit.

“A hacker is somebody who has a strong grasp on technology as well as security … and they have a huge amount of confidence,” Mr. Zaffis, ProCircular’s security engineer and offensive security specialist, told attendees of the CBJ’s fifth-annual Cybersecurity Breakfast on Sept. 24. “Back in my day, hackers were people who had a thirst for knowledge, they were curious and wanted to know how things worked … but [today], people think of a person who’s an unruly, turbulent, contentious individual.”

In his presentation, “Understanding the Mind of a Hacker,” Mr. Zaffis broke down who the hackers are, their motivations and methods, and how “white hatters” like himself can ultimately take the bad guys down.

White-hat hackers include “red team” penetration testers like Mr. Zaffis, who attempt to break into networks to demonstrate weaknesses, as well as “blue team” defenders, who harden networks and help reverse engineer malware and ransomware.

On the side of chaos are threat actors.

“These are the bad guys and the intent here is disruption,” Mr. Zaffis explained. “They are there to steal, infect or gain. Their primary targets are things like – everything. Literally anything.”

Why do they hack? The answer is simple: “Money, money, money, money. It’s just that.”

According to statistics, he said, about one in five small businesses will suffer a cybersecurity breach this year; 81 percent of all breaches happen to small and medium businesses (SMBs) and as many as 97 percent could have been prevented.

“We can start to build a habit or mindset and figure out what they’re after,” Mr. Zaffis said. “If we look at the fact 81 percent of breaches happen to small and medium businesses (SMBs) and 97 percent could have been prevented, we can kind of extrapolate some things.”

One is that cyber attacks are often crimes of opportunity, with the bulk of all SMB breaches made up of automated attacks. Mr. Zaffis described these as “wide net” and “smash-and-grab” techniques that encompass everything from ransomware and drive-by downloads to bot networks, which are “constantly scanning the internet, looking for open vulnerabilities.”

“These are quick wins, that’s all they’re going for,” he added. “They’re just trying to put as much out there as they can to get quick wins.”

These next-generation hacks use artificial intelligence and machine learning to trigger automated cyberattacks that easily compromise secure systems without any human intervention.

Targeted attacks, on the other hand, involve human hackers scrutinizing businesses and their networks. Mr. Zaffis said these sorts of more personal incursions involve making profiles of businesses and finding weak points.

“They’re looking at social media sites, building a list of clients as well as employees, and trying to figure out the minutiae of how a business works,” he explained. “It kind of goes back to that [hacker’s] unquenchable thirst for knowledge.”

Mr. Zaffis said targeted attacks are relatively rare against SMBs. But defending against automated attacks is essential, as are understanding the hacker mindset and specific threat vectors that give businesses the ability to proactively defend against attacks.

“Hackers are lazy, so start building the layered approach to defending your network,” he recommended, adding that layering should involve firewalls, network separation and compartmentalization, antivirus, basic IT hygiene and “backups, backups, backups.”

Mr. Zaffis also recommended regular audits, including penetration tests and risk assessments.

“These methods seem really simple. And they are,” he said. “Realistically, that’s what you have to do.”

Defensive framework

In his job as a white-hat hacker, Mr. Zaffis makes use of the MITRE ATT&CK framework, a complex matrix of tactics and techniques used by threat hunters, red teamers and defenders to classify attacks and assess organizational risk.

The goal of the framework is to improve detection of those behind an attack after a system is compromised by illustrating the actions a threat actor may have taken, determining how they got in and how they are they moving around. CSO Online, a trade publication serving the risk and security sector, describes it as a mechanism that “organizes the steps attackers take to infiltrate your network, compromise hosts, escalate privileges, move laterally without detection and exfiltrate data.”

“What this kind of does is help us figure out how they operate and how they move,” Mr. Zaffis said, joking that explaining exactly how it works is the boring side of what can be an otherwise exciting job.

“We can blow that whole MITRE ATT&CK board up into a single kind of problem – a threat actor and a threat vector, and knowing those two things, we know they’re going to create an attack. We can use that as the basic leverage to break things down and build ourselves a defensible spot from a business perspective.”

The CBJ Cybersecurity Breakfast was presented by ProCircular, with support from Involta, MidAmerican Energy, PC Matic, RSM US LLP and TruthNorth.  CBJ