Hackers vs. Attackers: It’s Not Always Black and White

Fire – good or bad? What about the internet? Taxes? Technology? If your answer is, “it depends,” you’re right, of course. And it’s the same for those with keen hacking skills - it all depends on how they are used. 

We all know about the Black Hats – those nefarious internet hooligans who keep all of us in the security game employed. And then there are the White Hats – the good guys who do the dirty work so that when the bad guys show up at some organization’s doorstep, it is already prepared to engage. 

In today’s article, we’re going to take a peek at the good, the bad and the ugly around hacking talents and how they are used for good and abused for profit. 

The Black Hats

We all know these are the ‘bad actors’ who troll cyberspace making a living off pilfered data and ransom payouts from attacks and other forms of compromise. Attackers break and enter for a living and are often very skilled at what they do. 

Known as the UFO hacker, Garry McKinnon (aka “Solo”) orchestrated what was known as the largest military computer hack of all time, breaching 100 NASA and US Army servers to allegedly find evidence of extraterrestrials. 

Another government hacker, Jonathan James, infiltrated NASA at fifteen and stole over $1.7 million worth of software. Vladimir Levin managed to transfer over $10 million out of Citibank accounts (and to himself) by a primitive but ingenious phone dialing scheme before his arrest in 1998. 

Kevin Poulsen was the first American banned from the internet, caught for invading phone lines in the early 1990s to win radio station contests. He now contributes to The Daily Beast. 

As long as there are valuables left out in the open (or in a reasonably accessible location), there will be those willing to take them. However, those skills can be used both for good and bad. Sometimes what makes the best White Hat is a good ex-Black Hat.

To ~~Catch~~ Convert a Criminal

It takes a hacker to catch a hacker, some might say. As ransomware groups share tactics, infrastructure and information on potential targets, it's useful to have someone who understands that world warn you of its methods and where it could be likely to attack.

As a teenager, Marcus Hutchins honed his obsession with computers and developed a reputation for being a capable malware developer. Having been holed up in his bedroom working on code for most of his high school years, he would be celebrated as the guy who saved the internet before being handcuffed by the FBI for his work on the banking trojan Kronos. 

Later, he would reverse engineer botnets and post them on his MalwareTech blog where none of [his readers] seemed to know that MalwareTech's insights stemmed from an active history of writing malware himself. 

Eventually, he would go on to use that same deductive logic to shut down the worldwide WannaCry ransomware attack back in 2016, saving an untold number of organizations countless hours and dollars in remediation efforts.

Kevin Mitnick had a similar encounter when his innocent-ish escapades (rigging the LA public transportation system so he could ride for free) ended up in deeper water, and he turned to stealing software from DEC systems and snooping into the internal systems of Motorola and Sun Microsystems. While he was the first hacker to make the FBI’s most wanted list, he now works as a security consultant and is a frequent security conference speaker. 

The much lesser-known, but no less wanted, Marc Maiffret was also raided by the FBI (at seventeen) for his Black Hat activities, then decided to turn his criminal past into a bright future. He has since co-founded the company responsible for exposing the Code Red worm in Microsoft.

The White Hats

The term ‘ethical hacking’ was coined in 1995 by IBM’s John Patrick. Since then, it’s become a profession in its own right. Ethical hackers have the skills, the resources, the mindset and the end goal of ‘real hackers’ - minus the million-dollar payouts. 

Their job is scoping an organization (often in secret) to plumb for vulnerabilities and then letting the organization know so it can shore up defenses before an attacker finds and exploits them. 

Richard Stallman is an ethical hacker who went from MIT’s Artificial Intelligence Labs to inventing Copyleft, a legal mechanism that allows you to modify and redistribute a program’s code. 

Joanna Rutkowska is a security researcher who exposed attacks on virtual systems and put herself on the map after presenting on vulnerabilities in the Vista kernel at Black Hat in 2006.

Tsutomu Shimomura is the computational physics research scientist who worked at the NSA and played a key role in bringing Mitnick to justice. He sounded the alarm on the need for more cybersecurity measures in mobile phones, and founded Neofocal Systems, continuing to use his security expertise ethically.

Often, companies will pay big money for the chance to be hacked by the best, such as the federal government’s ‘Hack the NSA’ event. You figure – it's going to happen anyway, so might as well do it on our terms, with our whole team on alert, with friendly fire so whatever vulnerabilities are out there get flagged, fixed and squashed.

Out-Hacking Attackers

Since we can’t stop attackers from attacking, we can at least stop them from succeeding in their attacks. Fortunately, organizations don’t need to go toe-to-toe with attackers on their own. 

They have the option to go with an AI-driven XDR solution that can deliver the complete attack story in real-time and extend continuous threat detection, along with automated response, beyond endpoints to protect applications, identity and access tools, containerized cloud workloads and more.

AI-driven XDR allows organizations to automatically correlate telemetry from across these different assets to deliver the complete attack story in real-time. This functionality frees security analysts from needing to triage every generated alert, enabling them to address actual threats faster.

AI-driven XDR also leverages behavioral analytics and Indicators of Behavior (IOBs) to provide a more in-depth perspective on how attackers conduct their campaigns. This operation-centric approach is far superior at detecting attacks earlier – especially highly targeted attacks that employ never-before-seen tools and tactics that evade traditional endpoint security software.

Finding one component of an attack via chains of potentially malicious behavior allows defenders to see the entire operation from the root cause across every impacted user, device, and application. This is where AI-driven XDR is essential to automatically correlate data at a rate of millions of events per second versus analysts manually querying data to validate individual alerts over several hours or even days. 

Visibility and actionable intelligence enable security teams to respond to an event before it becomes a major security issue and introduce measures designed to increase the burden on attackers going forward.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, to everywhere the battle is taking place.

Anthony M. Freed
About the Author

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.