Not just through an attacker’s eyes

by Black Hat Middle East and Africa

“If you just go and kick down the door, point and laugh at them, then leave — that doesn’t do anyone any good. You’re forgetting that you’re on their side. You’re part of your customer’s team. If you don’t follow up and help them fix these things then you’re just going to come back a few years later and do the same thing — and there’s nothing more disappointing.”

Quinn Carman (Cybersecurity Leader, National Security Agency) knows what it’s like to attack an organisation. Because he’s done it – a lot. At #BHMEA22, he pointed out that it’s important for organisations to understand how an attacker looks at vulnerabilities. But he also urged hackers to try to understand the attack experience from the organisation’s perspective.

The purpose of a hack

“I started this line of work because I thought it would be great to hack things. I’ve also done a lot of close access work,” breaking into buildings to test physical security. And across all forms of attack, “it’s really the people we take advantage of.”

For those running a network engagement – hackers, pen testers, red teams – this means that getting into the network to demonstrate its weak points is only one part of the job. Hackers might get into this line of work because of the excitement, and they might feel proud of their achievements – but it’s meaningless if they can’t translate the information they’ve collected into a language their customers can understand.

“Our purpose is to leave that organisation more secure than when we found it,” Carman said. “And that’s really the hard part of running these sorts of events. It’s to engage and be able to communicate effectively the vulnerabilities; to not just hack and break things.”

How do you communicate vulnerabilities to a customer?

If you’re a hacker and your client organisation is not full of cybersecurity experts, you have to create methods that allow you to connect with them, make them understand what you do, and enable them to act on your findings. The first challenge here is for the attackers themselves to stay focused on what needs to be protected, and which elements of the organisation are easy to attack – stay close to what’s critical and don’t get distracted by flashing lights.

“It’s very easy to attack a network,” Carman said, “but that’s not the important part. The important part is what you deliver to the customer when you’re done. If you don’t tell them all of the details, there’s no point in doing it in the first place.”

Hackers need to get on a level with their customer – and that isn’t easy, when the customer might be:

  • Apathetic. They just don’t care about the hack you’ve accomplished, because they don’t really know why it’s relevant to them.
  • Emotional. They might feel really angry about what you’ve done, and unable to cool down enough to actually take in the useful information you’re trying to give them.
  • Disbelieving. If you did your job really well and got in and out of their network without anyone noticing a thing, they might not believe you did it at all.
  • Confused. They just don’t understand what you’re saying – relatable language and the ability to show them why they should care is absolutely crucial here.

As Carman put it, “Saying something isn’t communication.”

“We have a challenge with that when we’re a bunch of cyber nerds out there, and we hack a network or a building, we have to then communicate this to, maybe, a General who’s used to commanding tanks, and try to speak the same language and impress upon them why they need to pay attention and why what you’re saying is important. This is the same in the corporate world, especially if you’re doing penetration tests across a variety of organisations.”

Every organisation you work with might have a different language. A different culture.

So that, perhaps, is the greatest challenge in cybersecurity right now. Developing communication skills that make the work worth doing – because engagements like pen testing are useless if the customer doesn’t understand the results.

The good news? Carman wasn’t the only person talking about communication at Black Hat 2022. It was a theme that came up time and time again; and the fact that it’s a hot topic of conversation among industry experts tells us that change is possible.
