Ethical hacking is the process of accessing a system with authorization from the owners. This is different from malicious hacking, which is the process of accessing a system without authorization.
Ethical hacking involves using computer science knowledge to identify security problems or interacting with artificial intelligence to better understand a program. Cybersecurity professionals often encounter situations where ethical hacking can help detect weak points in a system, allowing them to efficiently increase its security.
Local cybersecurity professionals conduct research from a lab called SecLab based in UC Santa Barbara. According to their website, the team’s mission is learning the science behind hacking and protecting computer systems with that knowledge.
“An individual hacker might just try to hack into a website, and the impact doesn’t go beyond that website,” said graduate student Stijn Pletinckx. “What we will do in the field of cybersecurity from an academic point of view is [ask if] we can generalize some concepts of such a hack.”
“We’re not going for a single instance of a problem,” said Ilya Grishchenko, a post-doctorate researcher. “We’re going into systematic characterization of the problem and designing a particular approach to find this [attack] at scale to have more impact on the business and the people.”
Both Pletinckx and Grishchenko are members of SecLab. Pletinckx has been studying computer science at UCSB for a year and a half. Meanwhile, Grishchenko received his Master’s degree in Germany before coming to California. They were individually drawn to the program from outside of UCSB after frequently hearing the SecLab professors’ names in research papers.
“The two professors we have – Chris and Giovanni – they’re very well known in the academic field of cybersecurity,” Pletinckx said. “They’re among the top professors in the field. They’ve published state-of-the-art work years ago that is still relevant today.”
“These guys were writing papers like crazy,” Grishchenko said. “I [went] to my adviser, and I asked him ‘Do you know these guys?’ He was like ‘Who doesn’t?’ So, apparently, they were rockstars in the field.”
“That’s how I got in touch with UCSB,” Pletinckx said. “So far, I don’t regret it.”
Like their introduction to SecLab and UCSB, the beginning of Pletinckx and Grishchenko’s interest in hacking came from a similar source: influences from the Matrix. Imagery from the film caused them to become fascinated with the exaggerated lifestyle of hackers well before pursuing a career in security. However, their individual stories are much deeper than that.
“[I became interested] from first seeing the typical movie depiction of a hacker,” Pletinckx said. “You see the terminal and all the numbers, sort of Matrix-style, flying by. I just thought it looked cool.’”
As time went on, Pletinckx kept up with news about cybersecurity, and discovered that there were a large number of companies being hacked, cyber-warfare between countries, and cases of technology being used to spy on citizens. He didn’t agree with this, and wanted to find a way to “protect the people rather than attack the people.”
While Grishchenko was also influenced by the “beautiful movie” known as the Matrix, he remained disconnected from hacking and cybersecurity for many years. However, this did not stop his interest from growing.
“There was no community around me,” Grishchenko said. “For many years, it was a slow-burning fire.”
What allowed Pletinckx and Grishchenko to actually pursue their interests was reaching out to mentors, like their current professors, for opportunities. Having a complex background in hacking is not a strict requirement to follow in their footsteps. According to Grishchenko and Pletinckx, having a desire to learn is the most important piece to building a career in the field.
“Where it starts from is to have a heart in the proper place and to have a passion for [ethical hacking],” Grishchenko said. “Everything else one can get while engaging on the path already … What we’re dealing with is a very fast-paced field, so we cannot use the same two [hacks] all over again. We keep on learning new things, new technologies, new techniques, so one needs to be always on track with the current advancements.”
A way to keep up with these “current advancements” is to study programming and artificial intelligence, which is recommended by Pletinckx. This education doesn’t have to come from a university – having any programming experience and knowledge of AI would be helpful. In addition to technical skills, he stresses that puzzle and problem solving skills are essential to entering the field.
“There’s an intended way of using a system,” Pletinckx said. “How can [you] find an unintended way? From even the ethical point of view, whether you’re trying to defend or trying to attack, you also need to have that mindset. Think out of the box.”
As Pletinckx mentioned, AI is a crucial component to ethical hacking. AI can assist hackers with understanding the inner workings of programs, sorting through an abundance of data, and much more. With its increase in public accessibility, ethical hackers can use AI to retrieve information quickly and effectively.
“The thing about AI – especially now with the large language models that we see, such as “ChatGPT” – [is they] are very well trained on a big knowledge base of concepts within hacking [and] within computer science,” Pletinckx said. “So these models are able to aid practitioners to sort of use them as a knowledge base.”
With the benefits of AI comes concerns. If the technology is open for anyone to use, this means malicious hackers will also have access to its knowledge. Cybersecurity researchers keep this fact in mind when searching for effective ways to prevent security breaches.
“One of the most important concepts in the stuff we’re doing is to never lose the edge because while the technology is so openly available, it can also be used for bad things,” Grishchenko said. “But if we as a community will always [have] an edge over somebody who wants to use the same technology in a malicious way, we have a chance of winning this race of arms.”
Despite these challenges, hackers at SecLab continue to foster a community built around passion. They work as a team to confront problems, and have freedom to choose the complex projects they pursue. Pletinckx and Grishchenko notice this environment when working together.
“There’s one big mantra in the lab, which is ‘Work on what you love, something you’re passionate about,’” Pletinckx said. “The supervisors don’t have a hidden agenda themselves. It’s like ‘work on what you’re passionate about because that will produce the best results.’ You will be motivated as much as possible because it’s something that you have passion for.”
“It’s exactly like Stijn was saying,” Grishchenko said. “People are passionate about it, and you also have a community of [peers] that you can share these passionable ideas with. Also, it’s a very honest and great community … we’re helping people to discover pitfalls very early on. It’s both support on a path which you truly believe is very good or trying to kill the path you really think is not good. Honesty, integrity, and passion would be like the centerpieces of this whole process.”
An example of this passion coming to life was during a project conducted by Pletinckx. While researching a network issue, he found a technique to send emails under someone else’s name. This was a discovery that highlights the impact of ethical hacking on companies and people in general.
“The fun part about [the technique] is that you can communicate to companies that have this vulnerability, and many of them are super happy that you found this and that you can help them to sort of fix it,” Pletinckx said. “That’s something where the academic side could directly influence the industry that uses these techniques, rather than keeping it very theoretical.”
“The technique was so crazy that some parties with whom he was communicating his results to were saying ‘By the way, this is not possible,’” Grishchenko said. “So, like, this is the thing. You’re doing the thing, you know it works, and it’s such a cool step that somebody cannot even believe that you can do it. But you can. It’s a cool feeling.”
A common misconception of ethical hacking is that there is no difference with malicious hacking. The way to tell them apart is the scale at which they operate. Malicious hackers work at smaller scales to benefit themselves, while ethical hackers work at larger scales to have the most impact on others. A big part of ethical hacking is developing the science behind the field so that it can be applied to more than one case.
“Many times, malicious hackers come for particular use cases,” Grishchenko said. “They target a particular business or a particular application, and they find an instance of [an] attack. And then they want to monetize [off] it. On the other hand, what we are trying to do is find one little bug, and then go to businesses and say ‘You have this problem.’ What we’re trying to do is develop a methodology to find many different kinds of instances of attacks at scale.”
“There’s a lot of theoretical knowledge about … why these methods work,” Pletinckx said. “This is all still within the realm of ethical hacking because we’re doing this to make the systems better. Even though it’s related to security and trying to break into systems, the ultimate goal is not to gain money or to tear down a company.”
Still, some may be confused about the difference between ethical hacking and malicious hacking. Incentive also is what separates the two: the incentive of ethical hackers is to improve a system, while the incentive of malicious hackers is to exploit systems for information.
“The incentive [of ethical hackers] is to always bring goodness, and sometimes this incentive is missed,” Grishchenko said. “What the people from ethical hacking are doing or malicious hackers are doing, sometimes it’s the same thing. But incentive is different.”
According to the University of Denver in the article, “The Complete Guide to Ethical Hacking,” these diverging incentives can be described in depth with a hat system. The different hats are as follows:
Black hats are cybercriminals. They hack without authorization and with malicious intentions.
White hats are ethical hackers. They act with authorization and without malicious intentions.
Gray hats are in between white and black hats. They hack without authorization or malicious intentions. Typically, gray hats hack for fun rather than to improve or harm systems.
Blue hats are hired by tech companies to locate security vulnerabilities or test products.
Red hats are vigilante hackers who aim to prevent black hats from accessing unauthorized information.
Green hats are beginners who haven’t fully developed their hacking skills.
There are many ways for green hat hackers to become ethical hackers. Participating in Capture the Flag (CTF) competitions through free websites is one way. These events give hackers the opportunity to grow their abilities either independently or with a team. picoCTF is a website recommended by Pletinckx and Grishchenko that offers these CTF challenges for people of any skill level.
“These [challenges] are not just for professionals,” Pletinckx said. “There are these high school competitions … that can get you started. And, literally, the silly advice of ‘If you’re stuck, google it.’ It’s very frustrating at the start, but getting better at googling is a good skill and actually helps … If it takes you days and weeks to figure something out, to solve a puzzle, that’s totally normal. We are stuck on things for days and weeks that some people solve even faster.”
Along with attempting security challenges online and consulting google when necessary, Pletinckx and Grishchenko encourage those who are passionate about ethical hacking to consider the following advice:
“Don’t be scared, it’s much more accessible than you think,” Pletinckx said. “The skill level just allows you to do cooler stuff, but it’s not a prerequisite to get started, to have fun … Find mentors around, people that have done a similar path or are in a position that you would like to get to, and reach out to them.”
“There are, right now, many tools, techniques, information, and everything that can help with the technical side,” Grishchenko said. “What all these things cannot help with are two things, which are passion to the field, passion to ethics, passion to helping people and helping society; and imagination.”
Ethical hacking and cybersecurity will continue to evolve as technology advances beyond its current state. With this inevitable advancement, Pletinckx and Grishchenko hope diversity in the field will evolve as well. Their emphasis on passion and creativity means they value contributions from people with a range of experiences and backgrounds.
“Computer science still has indeed the stereotype of the nerdy, white guy that just is introverted and good at programming and … that those are the ones that are successful,” Pletinckx said. “That’s absolutely not true. Everybody is in computer science. And everybody can do computer science. Background doesn’t matter at all. It doesn’t matter where you come from, what language you speak, how you identify. None of that is any issue.”
“We want this field, in general computer science and cybersecurity, to be more welcoming,” Grishchenko said. “This is what we want to see around: [a] more diverse, inspired crowd doing weird things … We want to be amazed, and I guess this also provokes this request for creativity and not [a] request for monotonous technical execution of things.”