Little Red Riding Hood and Climbing Beyond the Cloud (How to Become a Hacker)

(To Fabrizio Colalongo)
14/12/20

"Once upon a time there was the real world ..." In a hundred years, with this premise, we will tell a fairy tale to get our great-great-grandchildren to bed. We will start by talking about a sweet little girl to whom her grandmother gave a red velvet cape, which she wore to sit at the computer before entering the cloud of the cyber domain. Little Red Riding Hood wanted to become a hacker...

“Like all of her kind, she was a hybrid: half machine and half nerd. She had no social life and did everything by herself; she understood the numbers that rained down from the top of the screen, she always wore a hoodie, and she was born knowing everything."

Starting from clichés and trivializations, this fable will teach our little ones the values that will turn them into responsible adults. But then the children will grow up and ask questions, and we will need to be ready to answer in a way that is simple enough to be understood but complete enough to avoid embarrassing follow-ups.

And then the little one, with his tongue peeking out through the gaps left by the milk teeth, will ask: "Great-great-grandfather, what are hackers?"

“They are the ones who use their computer skills to explore computers and computer networks and to experiment with how to extend their use. Some are bad, and they are called 'black hats'; others are good and, of course, we call them 'white hats' [1]. The former are scammers, swindlers or thieves who break into computer systems for malicious purposes. Sometimes they just steal data, other times they enrich themselves at the expense of unsuspecting owners' bank accounts, and still other times they intrude into automated systems for the purpose of terrorism. Those are the worst of all, because they sometimes set fire to factories and pollute rivers. Other times they crash planes [2] or cause accidents among our autonomous cars [3]."

After a short stop for a sip of fresh water, the grandfather continues ...

“We had to run for cover and, in the first two decades of the last century (note: I am referring to the 21st century, the one that runs from 2001 AD to 2100 AD), companies began to protect themselves. Cyber emergency response teams [4] were created and staffed with the best professionals: the 'blue team' of cyber-security. They are the ones who use monitoring systems and help administrators keep network and system security measures up to date [5]. Any strange or suspicious activity is intercepted by their powerful tools [6], which scan billions of digital packets and find the anomalies that are a clue to an infection set up by black hats. If there is an incident, the blue teams are the first to intervene. They carry out investigations to identify the attacker and uncover the flaws that allowed the attack to land. The cloud is a safer place when they are at work. They are the armed guards of the network."

The reality is that, unfortunately, too often one has to settle for closing the barn door after the horse has bolted. It would be better to prevent, but to do so one would need to be able to foresee.

It is obvious that to predict the attack one must master the techniques of the attackers. But who can do it? Computer scientists are trained to operate their systems, administrators are trained to protect them, and the cyber-police are trained to defend, investigate and prosecute. None of them is trained to attack.

So, eventually, it was realized that to beat the black hats one needed hackers who would put the same techniques at the service of the good. It was then that the "white hats" appeared.

White hats are those who breach computer systems in order to inform the owners of the vulnerabilities. They are like thieves hired by the bank's owner who, to test the security systems, try to get into the vault and leave with simulated loot. In this way, whoever has the task of keeping the wall solid studies the best construction techniques; the locksmith who builds the vault fits it with an anti-intrusion door and a strong key; the guard at the entrance trains to recognize suspicious behaviour; the police learn to intervene to stop the crime before it is too late; and the director adopts rules to minimize the risk and manage the crisis. Outside the metaphor, white hats verify that programmers and network administrators have made their systems robust [7], that keys and cryptographic protocols are unassailable [8], that the blue team trains itself to recognize malicious activity, and that managers learn to calculate risks, allocate resources and develop company policies suitable for managing incidents.

When white hats become part of an organization, they form a red team. They study and document themselves continuously. They always have to stay one step ahead of everyone, because in the cyber domain finishing second means finishing last. For this reason they develop dynamic and flexible procedures. They have a very short chain of command and control, to prevent their secrets from reaching those who must not know.

But this opens up a big risk. Juvenal would ask "Quis custodiet ipsos custodes?", that is, "Who watches the watchmen?" The answer would be complex [9], but to a child we explain it simply: nobody can [10]. So the red team must have undisputed moral standards and enjoy the utmost trust of the leadership.

In order to postpone lights-out a little longer, our grandchildren will inevitably ask us another question: "Great-great-grandfather, how do you become a white hat?"

We will tell of a legend about black hats who leave the dark side and return to the light, but this, perhaps, was possible only in the beginning. Today nobody willingly authorizes a self-styled repentant thief to pick their own lock, and, as market demand grew, the supply began to organize itself to train professionals in the sector. It is in this spirit that the Ethical Hacker courses were born. The problem is that these certifications are based on factual knowledge. A famous meme reads: "I ticked 93 boxes out of 100 correctly! That makes me an Ethical Hacker!" I'm sorry to shatter such a beautiful dream, but no, unfortunately things are more complicated than that.

Since cyber-security reached greater maturity, there have been courses and certifications that teach the rudiments and assess the skills of professionals.

The most sought-after certification is the one issued by Offensive Security which, at the end of a purely practical course [11], sets an examination lasting 24 hours. It is a kind of capture-the-flag game, played in a purpose-built virtual environment. In short, you must be able to bypass the security measures of some remote computers and read the secret string (the flag). It is a difficult exam in which technical skill and resistance to fatigue are demonstrated. You race against time. However, the course only gives the rudiments; from there on you have to bang your head against the wall and find the solution to the puzzles yourself. Their motto is "Try Harder". The philosophy is that everything is on the internet, you just need to know how to find the solution to the problem [12]. This is the "do to understand" approach.

From the completely opposite idea, "understand to do", come the courses of SANS (GIAC certifications) and of eLearnSecurity. But the similarities between these two companies end there. The SANS courses [13] are more traditional: they are structured in two phases, one in the classroom and one based on manuals. eLearnSecurity, on the other hand, is online only. First you learn the theory through thousands of slides containing a couple of concepts each, then you watch videos of someone working with the tools described, and finally the practical labs take place. In case of difficulty there are internal forums to search or ask for answers.

In this way a cultural background is built, which translates into a working method. It is true that everything is on the internet, but so is the opposite of everything, and if you don't know the best tools and best practices, anyone can get lost in the cloud.

To accompany learners in their choices, eLearnSecurity recommends Training Paths, that is, sequences of courses that allow cyber-security professionals to reach a certain maturity. The proposed paths range from corporate defense and incident response (Blue Team) to Network and Web Application Pentester [14] (Red Team).

“Since Little Red Riding Hood was in love with the colour 'red', she decided that the first course she would take would be Penetration Testing Student. After reading and rereading all the material, she decided to buy the labs and the exam to test and certify the skills she had acquired."

It is not an easy course, but it can be followed and passed by anyone willing to commit for a few months, watch the videos and tutorials, and try the educational labs. The exam takes place in a realistic environment and lasts three days; it is elementary but not obvious, challenging but not frustrating. You go quickly but without haste. A way must be found to break into a badly configured web server and use this "door" to reach the private network. Once inside the perimeter, you find the vulnerabilities and extract sensitive data.

She had been a diligent student and, thanks to the many notes she had taken, her knowledge of the theory and the competence gained in the labs, Little Red Riding Hood obtained her first prestigious certification: she had become an eJPT, an "eLearnSecurity Junior Penetration Tester".

Since the cyber-security job market is hungrier than the wolf, after a few days she started receiving offers and found a job. She tried her hand at OSINT [15], feeling like a counterintelligence agent [16], and found sensitive information that, without her clients' authorization, would have been stolen. She tested systems and networks for flaws and vulnerabilities. She reported them to her colleagues in the blue team, who took steps to make their slice of the virtual world more robust. With the experience gained as a young Red Team hacker (and a great desire to get involved), she was ready to take on new challenges and undertake the eCPPT path to become a Certified Professional Penetration Tester. There she would learn new techniques and reach new goals that would one day allow her to acquire the eXtreme Penetration Tester certification [17].

Then one day Little Red Riding Hood realized she had grown up; she married a repentant hacker and together they had many children ... and they all lived happily ever after.

But now it's late, so off to sleep, my dear grandchild ...

[1] This distinction is very common but is considered superficial by practitioners in the sector.

[2] No such incident has yet occurred.

[3] Many media outlets have been reporting this for years.

[4] Computer Emergency Response Team (CERT).

[5] This is a simplification; the tasks of a Blue Team are innumerable.

[6] For example SIEMs, Security Information and Event Management: https://it.wikipedia.org/wiki/Security_Information_and_Event_Management.

[7] Hardening phase: ideally the program code should be free of vulnerabilities (e.g. buffer overflows) and network systems must include protective tools (e.g. firewalls, policies, etc.). Unfortunately, for reasons of cost-effectiveness and functionality, a certain amount of risk must always be accepted.
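As an added illustration of the buffer overflow mentioned in this note (example code written for this page, not from the article or any product it names), here is the classic unsafe pattern next to its hardened form. The 16-byte field size and the names greet_unsafe, copy_name and greet_safe are assumptions made for the example; the point is that the safe version measures the input against the destination before copying and rejects what does not fit, instead of writing past the end of the stack buffer.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical fixed-size field, assumed for the example */

/* Vulnerable version: strcpy() copies until the NUL byte of `name` and has no
   idea how big `buf` is. A name of NAME_LEN bytes or more writes past the end
   of the stack buffer (undefined behaviour; in practice a classic stack
   overflow that clobbers saved registers and the return address). */
void greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);            /* no bound check */
    printf("Hello, %s\n", buf);
}

/* Hardened version: measure the input against the destination size first and
   refuse anything that does not fit, instead of truncating silently or
   overflowing. Returns the number of bytes copied, or -1 if rejected. */
int copy_name(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    if (dst_len == 0)
        return -1;
    /* bounded length scan: never read more than dst_len bytes of src */
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)             /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);      /* n bytes plus the NUL, known to fit */
    return (int)n;
}

void greet_safe(const char *name)
{
    char buf[NAME_LEN];
    if (copy_name(buf, sizeof buf, name) < 0) {
        fprintf(stderr, "name too long (max %d bytes)\n", NAME_LEN - 1);
        return;
    }
    printf("Hello, %s\n", buf);
}

/* Check helper: copy `src` into a NAME_LEN buffer and return copy_name()'s
   result; on success also verify that the copy round-trips exactly. */
int try_copy(const char *src)
{
    char buf[NAME_LEN];
    int r = copy_name(buf, sizeof buf, src);
    if (r >= 0 && strcmp(buf, src) != 0)
        return -2;                /* should never happen */
    return r;
}

int main(void)
{
    greet_safe("Riding Hood");                          /* fits: 11 bytes */
    greet_safe("Little Red Riding Hood with a cape");   /* rejected, not overflowed */
    return 0;
}
```

The same check is what a code reviewer or a white hat looks for during hardening: every copy into a fixed buffer must carry the destination size with it, and the edge case of an input exactly one byte too long (no room for the NUL) must be rejected, not silently truncated.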

[8] Cryptography is a rather complex branch of mathematics. Security depends on many heterogeneous factors. Perfect secrecy exists but is inapplicable in a real context, so a certain amount of risk must be accepted, which mathematicians know how to calculate. Developing your own ciphers is dangerous but quite common among budding cryptographers, and hackers know how to exploit these flaws. For further information, see Jonathan Katz and Yehuda Lindell, "Introduction to Modern Cryptography: Principles and Protocols", Chapman and Hall.
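As an added example of the "home-made cipher" flaw this note warns about (example code written for this page, not from the article or the book it cites), here is a repeating-key XOR "cipher" of the kind a budding cryptographer might invent, together with the known-plaintext attack a hacker would run against it. The key "hood!", the sample HTTP request and the crib "GET /private/" are constructed for the demonstration; the attack itself is the standard one: XOR the known plaintext prefix with the ciphertext to expose the keystream, read the key off its period, and decrypt everything else encrypted under that key.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The home-made "cipher": XOR every byte with a short repeating key.
   Encryption and decryption are the same operation. */
void xor_repeat(const uint8_t *in, uint8_t *out, size_t n,
                const uint8_t *key, size_t keylen)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % keylen];
}

/* Known-plaintext attack. The attacker knows the first crib_len bytes of the
   plaintext (a fixed protocol or file header is enough). XORing them with the
   ciphertext exposes the first crib_len keystream bytes; the shortest period
   of that keystream is the key. Requires crib_len >= 2*keylen so that every
   key byte is confirmed at least once. Returns the key length, 0 on failure. */
size_t recover_key(const uint8_t *ct, const uint8_t *crib, size_t crib_len,
                   uint8_t *key_out, size_t key_max)
{
    uint8_t ks[128];
    if (crib_len > sizeof ks)
        crib_len = sizeof ks;
    for (size_t i = 0; i < crib_len; i++)
        ks[i] = ct[i] ^ crib[i];
    for (size_t L = 1; L <= key_max && 2 * L <= crib_len; L++) {
        size_t i;
        for (i = 0; i + L < crib_len; i++)
            if (ks[i] != ks[i + L])
                break;
        if (i + L >= crib_len) {          /* periodic with period L */
            memcpy(key_out, ks, L);
            return L;
        }
    }
    return 0;
}

/* Constructed demo data (hypothetical): grandma's "encrypted" web request.
   The attacker only assumes that requests for the private area start with
   the public prefix "GET /private/", which is long enough for a 5-byte key. */
static const char SECRET_KEY[] = "hood!";
static const char PLAINTEXT[]  =
    "GET /private/flag.txt HTTP/1.1\r\nHost: grandma.example\r\n";
static const char CRIB[]       = "GET /private/";

/* Run the attack end to end: encrypt with the secret key, recover the key from
   the crib alone, decrypt with the recovered key. Returns the recovered key
   length (5 on success) and writes the decrypted message into `out`. */
size_t demo_attack(char *out, size_t out_len)
{
    size_t n = strlen(PLAINTEXT);
    uint8_t ct[128], key[16];
    if (out_len < n + 1 || n > sizeof ct)
        return 0;
    xor_repeat((const uint8_t *)PLAINTEXT, ct, n,
               (const uint8_t *)SECRET_KEY, strlen(SECRET_KEY));
    size_t klen = recover_key(ct, (const uint8_t *)CRIB, strlen(CRIB),
                              key, sizeof key);
    if (klen == 0)
        return 0;
    xor_repeat(ct, (uint8_t *)out, n, key, klen);   /* decrypt, attacker side */
    out[n] = '\0';
    return klen;
}

/* 1 if the attacker recovered both the key length and the full plaintext. */
int demo_ok(void)
{
    char out[128];
    return demo_attack(out, sizeof out) == 5 && strcmp(out, PLAINTEXT) == 0;
}

int main(void)
{
    char out[128];
    size_t klen = demo_attack(out, sizeof out);
    printf("recovered key length: %zu\nrecovered plaintext:\n%s", klen, out);
    return 0;
}
```

Nothing in the attack depends on guessing: a 13-byte public prefix is enough to recover a 5-byte key completely, after which every message ever encrypted under that key falls. A real cipher (AES in an authenticated mode, as the cited textbook develops) is designed precisely so that knowing plaintext/ciphertext pairs tells the attacker nothing about the key.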

[9] Legal science applied to information technology and specialized in cyber matters.

[10] Here too a simplification is made: the red team acts under a very precise contract that defines the limits in detail. Exceeding these limits can lead to civil liability and heavy criminal penalties.

[11] PWK - Penetration Testing with Kali Linux.

[12] The first of the Offensive Security certifications, the OSCP (Offensive Security Certified Professional), was taken as the example. The offering of this prestigious company includes other, even more valuable and difficult courses, all oriented toward offensive training, that is, red team work.

[13] SANS offers prestigious, but very expensive, courses in every field of cyber-security.

[14] Short for PENetration TESTer.

[15] Open Source Intelligence.

[16] On the subject, see a previous article of mine: "My name is security, cyber-security. Google Hacking and Shodan: the intelligence you don't expect".

[17] The following clarifications are required:

  • No certification in itself proves the ability of a cyber-security operator; the penetration tester's path is based mainly on field experience;
  • There are training courses as valid as those described; the story is based on the author's personal experience and has no scientific value;
  • The purpose of the article is not advertising, and there is no link between the author, the publisher and the companies that provide the courses and certifications.