What Is It Like to Be an Ethical Hacker?
A glimpse into the world of white hat hackers.
There is a world war going on that people hardly talk about. While there aren't any physical explosions or military engagements, the threat is genuine and here to stay. This makes it important to take a page out of Sun Tzu's Art of War and think like the enemy or, in this case, black hat hackers.
In the current threat landscape, hacking grids, water plants, and leading businesses have become the norm. Furthermore, research suggests that cybercrime will cost the global economy a whopping $10.5 trillion annually by 2025.
This makes it critical to get creative and take a proactive approach to security. This is where ethical hacking or white hat hacking comes in. To better understand the life of an ethical hacker, we talked to a few in the business, namely, Martin Hanic, ethical hacker and board member at Citadelo; Laura Kankaala, security consultant at F-Secure; Yunus Yilmaz, security engineer at Insider; and an anonymous hacker who goes by the handle @uceka.
How Does One Embark on an Ethical Hacking Journey?
To think like a threat actor takes time. It doesn't happen overnight. It usually starts quite early, often when one is a teenager. For Hanic, it was the Hacker Manifesto (by The Mentor) that got him hooked. For Kankaala, it was a general curiosity with computers that piqued her interest in hacking. Others like Yilmaz enjoyed breaking things, while @uceka liked to bypass standard security protocols during the high school years.
Before embarking on an ethical hacking career, Hanic worked in the corporate world for 15 years. "I became an ethical hacker because I wanted to use my skills to help and have fun in the process. I was also unhappy about the state of security, especially when it came to the technology and products me and my friends used," he added.
Yilmaz fell into hacking mainly because of curiosity. "I went to grad school but didn't learn as much technical information as I would have liked, so I went into the consulting game after graduation. Most of my knowledge came from pursuing increasingly technical roles for my professional career coupled with self-guided learning."
Kankaala got a bachelor's degree in IT, but the entertainment industry triggered her interest in ethical hacking. "I used to watch a lot of YouTube videos, read articles and how-to guides, and play gamified hacking challenges (capture the flags). I wanted to know if hacking was really as cool as it is in Hollywood movies. [It] turns out it is, but not in the flashy, explosive kind of way."
What's a Typical Day Like for a White Hat Hacker?
For @uceka, hacking is part of the daily routine, which follows an "eat, hack, family time, hack, [and] sleep" pattern. There also seems to be a lot of caffeine involved in ethical hacking.
According to Hanic, "on a typical day, I'll read the news, have a cup of coffee, and stare at the screen and try to understand how the testing target works. Then I'll drink more coffee, read more documentation, and start poking the app with a stick. I'll make some notes, drink more coffee, make even more notes, and stare at the screen some more. Then you would have a eureka moment where you start shouting when you find and exploit a vulnerability. Then this whole process repeats."
Kankaala added, "[I drink] lots of coffee. [I am] also sitting at the computer most of the day, working on assessments, talking with clients, and writing reports. Assessments, in this case, mean either trying to break into a system or reviewing source code or architecture for security weaknesses."
Yilmaz has a busy schedule but still makes time for ethical hacking. "A typical day with bug hunting starts with me firing up my testing VMs and tools. I pick a target that looks interesting, especially those that don't have many findings that fit into my core strengths, and I just get to it. For my day job, I'm in engineering, so I spend my day doing code and architecture reviews, security tooling creation and evaluation, and mentoring."
What Surprised You the Most While Working as an Ethical Hacker?
Like most technology-focused careers, ethical hacking demands a lot of dedication and effort to protect both businesses and their customers, but the work of white hat hackers often goes unnoticed. However, that's not what's surprising about the job.
According to Hanic, "what surprised me the most in my career is that a lot of people don't care about security at all. Many people don't understand what security is, or they think it's something you can buy in a box and install later."
For Kankaala, what was surprising was the amount of writing involved. "A major aspect of our work is about presentation skills and how good we are at translating security issues into developer or project manager language. We, as security professionals, also need to listen and learn from the non-infosec people we work with. Without finding common ground and the same language, we end up solving nothing."
Yilmaz didn't expect all the confusion surrounding ethical hacking. "[I'm surprised by] the level of misunderstanding everyone who doesn't do this has about the work. The media often portrays hackers and hacking inaccurately, so people need to get through the nonsense that's out there and learn about it from people who actually do it." However, @uceka added, "as I get more involved, I am surprised by nothing."
What Advice Would You Give Those Who Want to Become Threat Hunters?
To even consider a career in ethical hacking, it'll help if you have a background in IT. You have to have a general idea about how different technologies work. Like any other career, it'll also help if you focus on a particular niche. Knowing how to code in Python is essential, as it'll help with automation. Other useful languages include Bash and (of course) Java.
"Hacking is not always easy and straightforward. It takes a lot of patience. It's actually sometimes very frustrating and time-consuming," Kankaala advised. If you're thinking of making a career change, Hanic believes it's important to consider ethical hacking seriously. "Then consider it again before you join what I call the dark side. Try out your skills on the offensive security side and become a pentester," he advised.
Hanic added, "Hackathons help a lot. In many ways, it helps us test ideas, improve them, and helps with team building. I would advise companies to just organize one and see for themselves."
Yilmaz agreed, "I think they're a great way to bounce ideas off of other people focusing on hacking the same targets as me. There's certainly a level of collaboration that only really occurs in a real-time situation like this."
@uceka strongly recommends getting some SANS 401 training. @uceka said, "I took this training in 2012, and it's very useful training for the beginning. Besides, they can search for Burp Suite Bug Bounty and HackTheBox from YouTube. There are many resources on Google for these."
Yilmaz believes that you have to be passionate about white hat hacking and protection. He added, "if you're not passionate and only doing it for the money, you're going to burn out quickly. It's also incredibly important to be patient. Many people expect to become millionaires overnight, [but] this stuff takes a lot of work and patience to succeed. Above all, understand that hacking is considered a felony if you don't have explicit permission to do it. Stay [with]in scope."
Opinions expressed by DZone contributors are their own.