Developments in cyber security travel at the speed of light. How do (ethical) hackers keep up with these developments and how eager are they to adopt new tools that help them find weaknesses in digital environments? This was one of the subjects discussed with serial winners of Hâck The Hague, Rik van Duijn and Wesley Neelen. Below a summary of their thoughts on this subject.
The use of certain tools and techniques really depend on the scope of the Hackathon, or competition, you participate in or the assignments you work on. It also depends on what you encounter. First you want to find out what you are dealing with and then determine what tools are best suited for what you want to achieve. For example, an important questions to ask yourself during the competition, is if you are dealing with on-premise applications or cloud solutions. Cloud entails entirely different issues and risks, such as subdomain takeovers.
It’s true that the web is constantly changing, but on the other hand, if you look closely, most bugs remain the same, albeit that you may find them in different settings. That means that you can use the same tools to find them. For example, the Top 10 Web Application Security Risks can still be addressed with the same tools, it mainly depends on the context in which you use them. More and more things will be virtualized, we put containers in containers and build entire browsers in an app. It’s not so much about a different type of attack, but more how you (ab-)use existing attack methods in a different way. Compare it to Lego bricks: it’s the same bricks, you just assemble them in another way.
One thing that you will see often nowadays with Docker is that if you get access to a system with an old bug, you end up in a docker container instead of the control system. Another thing is the serverless functions which are very different. You communicate with one big cloud service whilst the underlying system is managed by a cloud provider. Those are new techniques you are going to see in tests.
In the end, it depends on the person how quickly and easily you incorporate new tools and techniques in your day-to-day work as an ethical hacker. You might turn out to be someone who is curious enough to investigate new developments or that you prefer to hold on to what you already know. Thing is, you do need a certain dose of patience and perseverance in order to incorporate new techniques and tools into your daily routine. But in the end, getting to know new tools and/or ways of attacking systems can also bring many advantages to your work as an ethical hacker.
Interested to see the entire interview with Rik and Wesley?