The intricate world of ethical hacking, often misinterpreted as a carefree endeavor of breaking things, was recently brought into sharp focus during a dedicated discussion on the IBM Technology platform featuring cybersecurity architect Jeff Crume and ethical hacker Patrick Fussell. The conversation aimed to move beyond the notion of a "joy ride on the internet" to focus on the actual tasks and rigorous ethical considerations that define the profession. Patrick underscored the reality that, while practitioners "hack for fun," they are ultimately paid to deliver a report, stressing that documentation is the most important part of the entire process. The core objective is always to work with clients to help them become more secure by understanding and addressing vulnerabilities.
Ethical hacking activities are tiered across a pyramid of complexity and time commitment. At the base is vulnerability scanning, an automated type of testing that focuses on gaining a big-picture understanding of existing weaknesses. This foundational work typically requires 20 to 40 hours. Moving upward is penetration testing, which involves a talented tester utilizing tools to perform actual exploits and gauge their impact, consuming approximately 40 to 80 hours. At the apex is red teaming, or adversarial simulation, which attempts to replicate the perspective of a real-world threat actor, with engagements spanning two to four months or even longer.


For any engagement, whether a single week or multiple months, two foundational elements must be established: the goals and the rules of engagement. The macro goal is consistently centered on helping the client understand their ability to detect and prevent a "bad guy" from breaking in. Micro goals are scenario-driven, such as a simulated bank break-in aimed at stealing money, which defines the specific testing methodology. Unlike malicious actors, ethical hackers must adhere strictly to the rules of engagement defined in a statement of work, respecting constraints related to time, budget, resources, and specific systems or geographies that are off-limits. Jeff pointed out that operating within these constraints, such as avoiding a critical e-commerce system during a holiday buying season, makes the ethical hacker’s job significantly harder than that of an unethical hacker.
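The rules of engagement described above are only useful if every action is checked against them before it happens. The following is an added example, not code from the IBM Technology discussion or from either speaker: a pre-flight scope check that encodes a statement of work as data (authorised address ranges, named off-limits systems, excluded geographies, an agreed testing window, and a holiday blackout protecting an e-commerce system) and refuses any target that violates a constraint. All client values, hostnames and dates are constructed for illustration.

```python
"""Rules-of-engagement (RoE) pre-flight check.

Added example, not from the IBM Technology discussion. Before any probe is
sent, the tester checks the target against the scope agreed in the statement
of work (SOW). Every value in DEMO_ROE is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class RulesOfEngagement:
    in_scope: list[str]                   # CIDR ranges the client authorised
    excluded_hosts: set[str]              # named systems explicitly off-limits
    excluded_regions: set[str]            # geographies excluded from testing
    testing_window: tuple[time, time]     # hours of day during which testing may happen
    blackout_periods: list[tuple[datetime, datetime]] = field(default_factory=list)


@dataclass
class Target:
    ip: str
    hostname: str
    region: str


def check_target(roe: RulesOfEngagement, target: Target, when: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Rules are checked in order; the first failure wins."""
    addr = ipaddress.ip_address(target.ip)
    if not any(addr in ipaddress.ip_network(net) for net in roe.in_scope):
        return False, f"{target.ip} is outside the authorised ranges"
    if target.hostname in roe.excluded_hosts:
        return False, f"{target.hostname} is listed as off-limits in the SOW"
    if target.region in roe.excluded_regions:
        return False, f"region {target.region} is excluded"
    for start, end in roe.blackout_periods:
        if start <= when <= end:
            return False, f"inside blackout period {start:%Y-%m-%d} to {end:%Y-%m-%d}"
    window_start, window_end = roe.testing_window
    if not (window_start <= when.time() <= window_end):
        return False, f"{when:%H:%M} is outside the agreed testing window"
    return True, "in scope"


# Constructed SOW for a fictional client. The blackout period keeps the
# production shop untouched during the holiday buying season.
DEMO_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "10.10.0.0/16"],
    excluded_hosts={"shop-prod-01"},
    excluded_regions={"EU"},
    testing_window=(time(9, 0), time(17, 0)),
    blackout_periods=[(datetime(2024, 11, 25), datetime(2025, 1, 2))],
)

# Constructed timestamps used by the demo and the checks below.
DEMO_TIME = datetime(2024, 10, 3, 10, 30)          # ordinary working day, inside the window
DEMO_TIME_HOLIDAY = datetime(2024, 12, 1, 10, 30)  # inside the blackout period
DEMO_TIME_NIGHT = datetime(2024, 10, 3, 22, 0)     # outside the testing window

DEMO_TARGETS = [
    Target("203.0.113.10", "web-staging", "US"),   # in scope
    Target("203.0.113.11", "shop-prod-01", "US"),  # named off-limits system
    Target("198.51.100.5", "partner-gw", "US"),    # address not in the SOW
    Target("10.10.4.2", "db-dev", "EU"),           # excluded geography
]


def demo_decisions(when: datetime = DEMO_TIME) -> dict[str, bool]:
    """Run the check for each demo target and return hostname -> allowed."""
    return {t.hostname: check_target(DEMO_ROE, t, when)[0] for t in DEMO_TARGETS}


if __name__ == "__main__":
    for t in DEMO_TARGETS:
        allowed, reason = check_target(DEMO_ROE, t, DEMO_TIME)
        print(f"{t.hostname:14} {'GO' if allowed else 'STOP':4} {reason}")
```

Running the block prints one GO/STOP line per target with the reason for the decision; the reason string is worth logging as-is, since it is exactly the evidence a referee team or client wants when a tester explains why something was or was not touched.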
Patrick's methodology takes an outside-in approach, contrasting with the security architect’s "inside out" perspective. The process begins with extensive reconnaissance to gather all possible information within the client's defined scope. This research goes beyond technical system checks, extending to publicly available sources such as employee social media, job postings on sites like Glassdoor, or even the dark web for exposed credentials. The goal is to "case the joint" and gain the perspective of an external threat. After reconnaissance, the active phase involves probing for vulnerabilities to establish a foothold—the crucial entry point needed to access the target network or environment.
In adversarial simulation, the attacking Red Team works against the client’s internal Blue Team (defense). In many red teaming exercises, the Blue Team is intentionally kept unaware to accurately test their processes for detection, prevention, and response—often summarized as people, processes, and technology. A referee team oversees the entire operation, controlling the information flow between the Red and Blue teams to ensure safety and effectiveness. Ethical hackers structure their simulated attacks based on TTPs (Tactics, Techniques, and Procedures)—the "recipe" describing how an attack occurs. A vital resource for both hackers and defenders is the MITRE ATT&CK framework, which provides a common language and an extensive overview of adversarial possibilities that can be used as a checklist for defense planning.
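The "checklist for defense planning" use of ATT&CK can be made concrete. The block below is an added example, not code from the IBM Technology discussion or from MITRE: the red team's planned TTPs and the blue team's detection inventory are both expressed in ATT&CK technique IDs, and a referee-style scorecard separates three outcomes that a plain coverage matrix blurs together: the blue team detected the technique, a rule existed but never fired, or nothing covered it at all. The technique IDs and names are taken from the public ATT&CK Enterprise matrix; the plan, the rule names and the exercise observations are constructed.

```python
"""ATT&CK-based checklist and scorecard for a red/blue exercise.

Added example, not from the IBM Technology discussion. Technique IDs and
names come from the public MITRE ATT&CK Enterprise matrix; the red team
plan, detection rule names and exercise observations are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    id: str
    name: str
    tactic: str


# Constructed red team plan: the TTP "recipe" the simulated attack follows.
RED_TEAM_PLAN = [
    Technique("T1566", "Phishing", "Initial Access"),
    Technique("T1059", "Command and Scripting Interpreter", "Execution"),
    Technique("T1078", "Valid Accounts", "Persistence"),
    Technique("T1003", "OS Credential Dumping", "Credential Access"),
    Technique("T1021", "Remote Services", "Lateral Movement"),
    Technique("T1071", "Application Layer Protocol", "Command and Control"),
    Technique("T1041", "Exfiltration Over C2 Channel", "Exfiltration"),
]

# Constructed blue team inventory: detection rule -> technique IDs it is meant to catch.
BLUE_TEAM_DETECTIONS = {
    "mail-gateway-attachment-sandbox": {"T1566"},
    "edr-suspicious-powershell": {"T1059"},
    "siem-impossible-travel-login": {"T1078"},
    "edr-lsass-access": {"T1003"},
    "proxy-beacon-periodicity": {"T1071"},
}

# Constructed referee record: technique IDs the blue team actually reported
# during the exercise (the referee team controls this information flow).
OBSERVED_BY_BLUE = {"T1566", "T1059", "T1003"}


def coverage(plan, detections):
    """Map each planned technique ID to the detection rules that claim to cover it."""
    by_technique = defaultdict(set)
    for rule, ids in detections.items():
        for tid in ids:
            by_technique[tid].add(rule)
    return {t.id: sorted(by_technique.get(t.id, ())) for t in plan}


def gaps_by_tactic(plan, detections):
    """The planning checklist: planned techniques with no rule at all, grouped by tactic."""
    cov = coverage(plan, detections)
    gaps = defaultdict(list)
    for t in plan:
        if not cov[t.id]:
            gaps[t.tactic].append(f"{t.id} {t.name}")
    return dict(gaps)


def scorecard(plan, detections, observed):
    """Per-technique exercise outcome: 'detected', 'rule silent', or 'no coverage'."""
    cov = coverage(plan, detections)
    result = {}
    for t in plan:
        if t.id in observed:
            result[t.id] = "detected"
        elif cov[t.id]:
            result[t.id] = "rule silent"      # a rule exists but never fired: tune it
        else:
            result[t.id] = "no coverage"      # nothing to tune: build a detection
    return result


def detection_rate(plan, observed):
    """Fraction of planned techniques the blue team actually reported."""
    return sum(1 for t in plan if t.id in observed) / len(plan)


if __name__ == "__main__":
    print("Planning gaps:", gaps_by_tactic(RED_TEAM_PLAN, BLUE_TEAM_DETECTIONS))
    for tid, outcome in scorecard(RED_TEAM_PLAN, BLUE_TEAM_DETECTIONS, OBSERVED_BY_BLUE).items():
        print(f"{tid}: {outcome}")
    print(f"Detection rate: {detection_rate(RED_TEAM_PLAN, OBSERVED_BY_BLUE):.0%}")
```

The distinction the scorecard draws matters for the report: a "rule silent" entry is a tuning or telemetry problem with an existing control, while "no coverage" is a missing control, and the two lead to different remediation work.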
The tools utilized vary significantly across the testing pyramid. Vulnerability scanning often employs automated, industry-standard tools like Nessus or Qualys, which automate processes and classify findings. Penetration testers frequently use tools such as Nmap for network scanning (a tool that continues to be actively developed) and Burp Suite. For red teaming, tools are often more conceptual, revolving around Command and Control (C2) mechanisms that allow an internal system to communicate with an external "bad guy" system after a foothold is established. Finally, and perhaps most surprisingly, the essential tools for a red teamer are PowerPoint and Word, which are critical for documenting findings and communicating progress to the referee team and the client.
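The C2 channel the red team relies on is also the Blue Team's opportunity: an implant that checks in with an external system on a timer produces outbound connections at a far more regular cadence than a person browsing. The block below is an added example, not code from the IBM Technology discussion or from any of the tools named above. It reads constructed proxy log lines, groups connections by source and destination, and flags pairs whose inter-connection intervals have a low coefficient of variation. The minimum connection count and jitter threshold are assumptions chosen for the example, not a vendor default, and a hit is a triage lead rather than a verdict.

```python
"""Beacon-periodicity check over proxy logs (defender side of a C2 channel).

Added example, not from the IBM Technology discussion. The log lines are
constructed; MIN_CONNECTIONS and MAX_JITTER are assumed thresholds.
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime

MIN_CONNECTIONS = 6   # assumption: fewer connections than this cannot be judged
MAX_JITTER = 0.15     # assumption: coefficient of variation below this looks timer-driven

# Constructed log lines: ISO timestamp, source host, destination, bytes out.
# The first host checks in every 60 s with small payloads; the second shows
# the irregular bursts typical of a person using a web application.
SAMPLE_LOG = """\
2024-10-03T09:00:00 10.10.4.20 203.0.113.50 412
2024-10-03T09:01:00 10.10.4.20 203.0.113.50 410
2024-10-03T09:02:01 10.10.4.20 203.0.113.50 415
2024-10-03T09:03:00 10.10.4.20 203.0.113.50 411
2024-10-03T09:03:59 10.10.4.20 203.0.113.50 413
2024-10-03T09:05:00 10.10.4.20 203.0.113.50 412
2024-10-03T09:06:00 10.10.4.20 203.0.113.50 409
2024-10-03T09:00:12 10.10.4.31 198.51.100.7 15032
2024-10-03T09:00:40 10.10.4.31 198.51.100.7 2201
2024-10-03T09:04:05 10.10.4.31 198.51.100.7 8844
2024-10-03T09:04:07 10.10.4.31 198.51.100.7 733
2024-10-03T09:11:50 10.10.4.31 198.51.100.7 19012
2024-10-03T09:25:31 10.10.4.31 198.51.100.7 5400
2024-10-03T09:26:00 10.10.4.31 198.51.100.7 120
"""


def parse_log(text):
    """Group connection timestamps by (source, destination)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def periodicity(timestamps):
    """Return (mean interval in seconds, coefficient of variation), or None if too few points."""
    if len(timestamps) < MIN_CONNECTIONS:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text):
    """Flows whose connection cadence is regular enough to warrant triage."""
    hits = {}
    for pair, stamps in parse_log(text).items():
        stats = periodicity(stamps)
        if stats is not None and stats[1] < MAX_JITTER:
            hits[pair] = stats
    return hits


if __name__ == "__main__":
    for (src, dst), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every {mean:.0f}s, jitter {cv:.3f}  (triage)")
```

On real data the same logic needs a lookback window and an allow-list for legitimate timer-driven traffic (update checks, monitoring agents), which otherwise produce exactly the same regular cadence; the flagged pair is a starting point for the Blue Team's investigation, not proof of compromise.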