India's Ethical Hackers: From Outcasts to New Age Unicorns
Embattled Ethical Hackers See Glimmers of Success, But a Long Battle Lies Ahead
India's 200,000-strong ethical hacking community has faced many roadblocks to success, including indifference from cybersecurity leaders, but new-age hacking communities armed with cutting-edge skills and passion are slowly but surely bridging the long-entrenched trust deficit with organizations.
In the summer of 2022, a fledgling cybersecurity startup made headlines across India's business publications after securing $500,000 in seed funding from several angel investors. Founded by two 20-year-old cybersecurity enthusiasts, BugBase's success represented a significant culture shift for the country's diverse ethical hacking workforce, which previously had few success stories.
Dhruva Goyal, the firm's co-founder who dropped out of college to pursue his passion for cybersecurity, said the firm hopes to "facilitate fruitful interactions between ethical hackers and companies." According to veteran ethical hackers who have labored hard to find success in the field, Goyal's goal mirrors that of the community.
"I come from an era when ethical hacking did not exist," said Sunny Vaghela, a veteran risk analyst who started off as a cybercrime consultant and has conducted hundreds of workshops on ethical hacking and cyber forensics. "The environment has improved somewhat, but the community struggles to elicit much response from enterprise cybersecurity leaders who have several concerns of their own."
A lot of chief information security officers in India struggle to allocate resources to vulnerability assessments or penetration testing, Vaghela lamented. They focus on the most critical aspects of the business, and this affects routine engagement with the white hat community. "Out of 50 organizations we approach for VAPT programs, possibly one or two agree to put their software to test."
A Marriage of Convenience
Until very recently, the ethical hacking community received an indifferent, often hostile, reception from organizations. Indian hackers topped vulnerability submissions and payouts at global platforms such as HackerOne and Bugcrowd, but as recently as 2021, fewer than 10 companies in India ran active bug bounty programs (see: No Bounty for Bug Hunters in India).
The number grew significantly in the next three years, but the overall lack of engagement persists for several reasons. "Many Indian organizations are still hesitant to engage with ethical hackers and participate in bug bounty programs due to a lack of understanding of how these programs can benefit them," Shifa Cyclewala, chief executive officer of ethical hacking community Breachpoint, told Information Security Media Group.
Another reason is that CISOs are simply overwhelmed by the sheer number of vulnerability reports populating their inboxes. BugBase's Goyal told ISMG that the Indian ethical hacking community features about 200,000 eager, skilled and motivated security enthusiasts, and the average CISO gets about 20 to 30 emails about vulnerabilities every day. "CISOs ignore hacker reports in general," he said.
For the ethical hacking community, the feeling is mutual. Hackers believe they have much to offer the cybersecurity industry and have the skills it needs to fight cybercrime in its various forms, but they do not like how the industry operates.
Cyclewala said ethical hackers face various stumbling blocks when building relationships with organizations. These include long response times from organizations that delay the remediation process and discourage further participation; a lack of structured vulnerability disclosure policies that lead to uncertainty on how to report bugs; legal and procedural hurdles; and low or inconsistent bug bounty rewards that demotivate hackers.
According to Vaghela, cybersecurity decision-makers must hone their ability to quantify risks in terms of the maximum possible impact a vulnerability exploitation could have on the business. In the absence of risk quantification, it is difficult to take vulnerability reports seriously.
Sai Satish, a veteran ethical hacker who now runs a leading hacking awareness forum and trains government officials, police officers and college students on cybersecurity, told ISMG that recent improvements in companies' engagement with ethical hackers have been spurred by privacy-oriented regulations like GDPR, data protection laws and related policies.
"Many organizations have started recruiting hackers to pentest their resources, but it's still a relatively small number," he says. "There's a lot of potential for more collaboration between cybersecurity professionals and organizations, and it's something that needs to keep growing."
It Is Not for Everyone
Experts within the ethical hacking industry believe the community must showcase real-world skills, honesty, integrity and a track record of successes to convince CISOs that they can be trusted partners when it comes to securing networks and sensitive business information.
Goyal, who along with fellow co-founder Kathan Desai grew BugBase to a 200-strong community of ethical hackers within four years, told ISMG that the community has faced several challenges, but he believes hard work, honesty and accumulated experience will help overcome them.
"It is about curiosity and what you learn," Goyal said, adding that he believes genuine certifications and competitive hackathons play a much greater role in shaping an ethical hacker than university degrees. BugBase members participate in routine capture-the-flag events and simulated hacking competitions, and obtain genuine certifications to hone their skills.
Certifications such as SecOps and CISSP, or Certified Information Systems Security Professional, are multiple-choice assessments and hold little value, he opines. Certifications like OSCE³, or Offensive Security Certified Expert 3, offered by OffSec can truly test a hacker's ability and perseverance.
According to OffSec, OSCE³ comprises three advanced courses - Advanced Web Attacks and Exploitation (WEB-300), Advanced Evasion Techniques and Breaching Defenses (PEN-300), and Windows User Mode Exploit Development (EXP-301) - and candidates must complete each course and pass its 48-hour proctored examination to demonstrate their proficiency. "The OSCE3 is a symbol of determination, knowledge, and skill," it says.
"CISOs with a technical background understand the value of each hackathon and certification, and if you carry certifications that have little practical value, they'll see you coming from a mile away," Goyal says.
Aside from raising the skill levels of community members, Goyal sees value in consolidating the diverse community, giving the best of hackers the chance to collaborate and use the BugBase Continuous Vulnerability Assessment Platform to pentest enterprise platforms.
"We showcase our abilities and demonstrate to CISOs how we can continuously monitor their software and report vulnerabilities in real time," he says. "Technical CISOs won't pay until they are convinced of our abilities, and we use our skillsets and performance to negotiate a minimum bounty threshold for participating hackers which incentivizes and motivates them."
He believes communities like BugBase are showing the way, but the ethical hacking community needs to consolidate further. "CISOs are having a hard time getting approvals and budgets to run bug bounty programs. Consolidated white hat hacking groups with excellent skills and integrity, as opposed to those acting alone, will give CISOs more confidence and flexibility to run effective programs," he adds.
Vaghela, whose ethical hacking platform now offers a range of security assessment services to enterprises, also stressed the importance of continuous training and development for hackers. "We run in-house bug bounty programs, directly tie up with universities and organizations to run vulnerability assessment and pentesting programs, and make our members attend educative conferences like NullCon. These exercises help ethical hackers develop experience, list their achievements and earn hall of fames," he said.
Making the Work Count
Vaghela said the job of an ethical hacker isn't only to partner with companies and earn an income, but to pay attention to every vulnerability and make the effort to get it fixed, even if they don't get paid for the work.
He cited the example of a 19-year-old hacker in Pune who discovered a flaw in a popular stock brokerage application and reported it. When the developer didn't respond, the hacker contacted the securities regulator, India's computer emergency response team, or CERT-In, and other agencies and ensured the developer patched the application.
Rajshekhar Pullabhatla, the director of ISAC Foundation, a cybersecurity nonprofit that runs cybersecurity community platforms and works closely with various government ministries, shared how an ethical hacker with Breachpoint, ISAC's private bug bounty platform, reported a critical software vulnerability that, if exploited, could seriously compromise a leading insurance company.
"When the software provider didn't respond, the hacker proactively contacted CERT-In and worked with authorities to get the vendor involved and patch the vulnerability," Rajshekhar said. "Impressed with his work, the vendor engaged him contractually to run future cybersecurity projects more granular than vulnerability assessments."
The Government's Helping Hand
According to Sai Satish, the government can play a significant role in enhancing engagement between organizations and the ethical hacking community for the benefit of both groups.
"Bug bounty programs in India are still very limited. The government could take inspiration from initiatives like the Smart India Hackathon and encourage more penetration testing on their resources," he said. "Most private organizations aren't even aware of these programs, and there's a lot of scope to increase awareness. The government should regularly organize and promote vulnerability disclosure programs to create more opportunities for ethical hackers."
Rajshekhar said CERT-In, led by director general Sanjay Bahl, has so far played an effective role in preventing and mitigating cybersecurity events. "Without the foundation laid by CERT-In, the growth of researchers, bug bounty platforms and the broader cybersecurity landscape in India would not have reached its current potential," he says.
The government of India in February launched an initiative through the National Critical Information Infrastructure Protection Center to let ethical hackers test the country's critical information infrastructure in a controlled environment. Rajshekhar said such exercises involving the cybersecurity community at large can help bolster cyber defenses and nurture a safe digital space.