Crowdsourcing ways can be turned against cyber hackers too
UAE’s National Bug Bounty project takes on cyber criminals using their own methods
Crowdsourcing is a way of seeking skilled individuals from a large population, with a varied talent pool, to solve problems and introduce new ideas and solutions on a short-term, non-committal basis. These sourced individuals will submit their ideas online or through dedicated crowdsourcing platforms.
For decades, cyber adversaries have used crowdsourcing techniques to penetrate cyber defences. They use this strategy to buy and sell access, share tools and techniques, have forums for education, discuss vulnerabilities and host conferences. Adversaries will operate within hacker sanctuaries, communing through forums and conventions both digital and physical.
Many early hacker publications and conferences were forums to share information with fellow hackers. Today, criminally-motivated crowdsourcing takes place on the dark web, private forums, and in digital dead drops, among other things.
Crowdsourcing is becoming mainstream across a number of different industries. Many diverse tools and capabilities are available across a community beyond that of a singular workforce or full-time staff. The time has come to leverage crowdsourcing against bad actors attempting transgressions with similar strategies.
Bounty programs
In response to cyber criminals who use crowdsourcing for nefarious purposes, governments and companies are leveraging the power of the crowd to help them bolster their defences in identifying vulnerabilities, bugs, and misconfigurations. Governments are investing significant time and money into these programs, which they see as a pathway to measurable security outcomes.
Today, crowdsourced security supports key attack surfaces on all key platforms. As companies move to cloud architectures and applications, the biggest concerns are web application frontends and APIs, which may be deployed on Information of Technology devices, mobile apps, or cloud. Each of these can be evaluated for risk by crowdsourced security hackers with freelanced, specialised skillsets.
Crowdsourced vulnerability disclosure (VDP) and Bug Bounty (BB) programs facilitate security researchers to document and submit security vulnerabilities to organisations with compensation or recognition. This is already helping to identify security vulnerabilities across hardware, software, mobile apps, web apps and cloud services.
By taking advantage of diversified skillsets, methodologies, and tools, organisations can security test a wide range of assets with a large and specified scope. When using vulnerability disclosure and bug bounty programs, it utilises and expands upon this concept within the context of security.
Take on threats upfront
Global security researchers and hackers have a great capability that can be leveraged within this type of ecosystem, while companies benefit from their skillsets in a decentralised mechanism. It has been proved time and time again that VDP/BB programs uncover risks in areas unknown to security organisations, such as shadow IT applications or exposed perimeter interfaces. In this way, progressive organisations discover those vulnerabilities and fix them before being compromised by an adversary.
With bug bounty programs, such as the UAE National Bug Bounty Program, or the Vulnerability Disclosure Program (VDP), set up by the Cybersecurity and Infrastructure Security Agency (CISA) in the US, expanding beyond traditional vulnerability management allows organisations to focus on hardware platforms, linked communications systems and the ability to stress-test an entire ecosystem.
It grants a perspective of different aspects on which to focus, and reveals how many different avenues through which adversaries can target a platform. These programs are an excellent method to discover those vulnerabilities, remediate and fix them before being compromised. As we are currently in a community of UAE researcher and hackers, these programs are more attainable than ever.
Beat the costs
Cost constraints are a reality. Using crowdsourced security is one way to increase the value of your security and operational budgets. Minimal false positives, reduced licensing costs, reduced third-party contract costs, and increased identification of cyber risks are just a few benefits. As security budgets come under increasing scrutiny, crowdsourcing becomes an attractive option for simultaneously controlling costs while still aggressively protecting the business.
The goal behind programs like the UAE National Bug Bounty Program is to leverage crowd-sourced security researchers and hackers that can help UAE critical infrastructure, government and semi-government agencies are able to identify vulnerabilities and other cyber risks, ultimately increasing the security posture of an organisation.
The future of cyber security and vulnerability detection will depend on and exist within crowdsourcing programs; whether organisations embrace this now or later will depend on how quickly they recognise the importance crowd sourcing plays in their own operations.