What is a Black Hat Hacker?

[Image: Western outlaw in a black hat, firing his pistol at the camera. Public Domain.]


A black hat hacker’s intention is to compromise your IT systems for their own ends, almost always to monetize them using ransomware, cryptojacking, rootkits, trojans—the list goes on and on. What is a black hat hacker? They’re the bad guys.

White Hats and Black Hats

The symbology of the good guy wearing a white hat and a bad guy wearing a black hat goes back to the early westerns. In fact, it goes all the way back to 1903 and a twelve-minute short directed by Edwin S. Porter called The Great Train Robbery.

The image above is of Justus D. Barnes who played one of the outlaws. In a famous sequence from the end of the film he empties his pistol straight at the camera, effectively taking pot-shots at the audience.

The black hat hacker is a digital outlaw taking pot-shots at your cybersecurity defenses.

OK, But What’s a Hacker?

In a computing context, the word hacker originally meant a skilled and dedicated—or possibly obsessed—programmer. There were no overtones of good or bad attached to it. It simply described someone driven to become as good as they possibly could in the discipline of computer programming.

Over time it came to be associated with someone who had extensive knowledge of computers and operating systems, a high degree of skill in programming, and the desire to infiltrate systems to which they have no legitimate access.

The investigators and victims of the earliest cybercrimes would no doubt have concluded that the perpetrators must have been hackers. No one else would have had the skills and knowledge to pull off the crime. And so hacker came to be a shorthand way of describing the bad guy.

The coding fraternity tried to get the term cracker adopted instead but to no avail. The damage has been done. In the mind of the populace, hacker will forever mean the bad guy. Or, as we call them nowadays, threat actors.

The Black, The White, and the Gray

The Black Hat Hacker

Black hat hackers have extensive knowledge about breaking into servers and computer networks. They can discover—and share amongst themselves—vulnerabilities in software and operating systems that can be exploited to gain access to a network or to plant malware on a system. Some black hat hackers write malware, Distributed Denial-of-Service tools, and other software that assists hackers.

Their motivation is almost always financial, although hacking groups like Anonymous see themselves as social justice vigilantes. They attack organizations as a form of activism. Industrial espionage is another reason hackers attack systems.

Sometimes the motivation is a desire to whistle-blow. This was the motivation behind the famous case of Gary McKinnon. Between February 2001 and March 2002 he hacked into 97 NASA and US military computers looking for evidence of UFOs. He was convinced the evidence existed but was being suppressed. He thought he was going to prove UFOs were real and that the US military had access to alien technology.

A small portion of hacking is conducted by newcomers who want to break into any system they can. They want to prove they have the skills to be taken seriously in the hacking fraternity. But by far the majority of black hat activity is motivated by financial gain, plain and simple.

Black hat hackers will try to find hitherto unnoticed vulnerabilities in operating systems, protocols, and software packages. A vulnerability that the vendor does not yet know about, and for which no patch exists, is called a zero-day vulnerability; an exploit that capitalizes on it is a zero-day exploit. The name refers to the vendor having had zero days to fix the flaw. Until a security patch is devised, released, and applied, every server and network running that operating system, software package, or protocol is exposed to the new attack. They are not entirely defenseless, though: least privilege, network segmentation, and endpoint monitoring limit what an exploit can achieve even while the vulnerability itself cannot yet be closed.

A black hat hacker may use the exploit themselves, or they may sell it on the Dark Web. Zero-day exploits can change hands for hundreds of thousands of dollars, and a reliable exploit chain for a widely used phone or browser can fetch considerably more.

It is possible to classify and sub-classify threat actors and cybercriminal factions ad infinitum, but it is at least worth pointing out that not all cybercriminals are hackers.

Many cybercriminals use readily available malware kits, attack software, Cybercrime-as-a-Service, and proof of concept code that demonstrates how to exploit new vulnerabilities. They don’t have the knowledge or expertise to detect and weaponize vulnerabilities nor to write malware themselves.

What is a White Hat Hacker?

A white hat hacker is someone with the same set of skills as the black hat hacker, but they have chosen to put those skills to legal purposes. Sometimes called ethical hackers, they may be employed by companies as a permanent member of the IT and security staff, but more often they are recruited and employed by specialist cybersecurity firms, who undertake work for regular businesses.

White hat hackers employ the same methods of hacking as black hats, with the intention of finding and closing vulnerabilities before the black hat hackers detect them and exploit them. The big difference is that white hat hackers have permission to try to crack into the network they are defending. In most jurisdictions it is illegal to use hacking techniques against a network without the express and informed permission of the network’s owner, so that permission is recorded in writing before testing begins: which systems are in scope, which are excluded, and when testing may take place. A tester who strays outside those boundaries is, legally, in the same position as a black hat.
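The permission boundary can be enforced mechanically in a tester’s own tooling. The following is an added example, not code from the original article: a Python scope check that refuses any target outside the authorized networks, on the excluded list, or outside the agreed time window. The address ranges, the excluded host, and the dates are constructed for illustration.

```python
"""Engagement scope check: refuse targets outside written authorization.

Added example, not from the original article. The scope, exclusion list and
engagement window below are constructed for illustration.
"""
import ipaddress
from datetime import datetime, timezone


class ScopeViolation(Exception):
    """Raised when a target is not covered by the signed authorization."""


class Engagement:
    """Rules of engagement reduced to what a tool can enforce mechanically:
    which networks are authorized, which hosts are explicitly excluded, and
    when testing may take place."""

    def __init__(self, in_scope, excluded, start, end):
        self.in_scope = [ipaddress.ip_network(n, strict=False) for n in in_scope]
        self.excluded = [ipaddress.ip_network(n, strict=False) for n in excluded]
        self.start = start
        self.end = end

    def check(self, target, now):
        """Return the target as an ip_address if testing it is authorized,
        otherwise raise ScopeViolation with the reason."""
        addr = ipaddress.ip_address(target)
        if not self.start <= now <= self.end:
            raise ScopeViolation(f"{addr}: outside engagement window")
        # Exclusions win over inclusions: a production database listed as
        # out of bounds stays out of bounds even if its subnet is in scope.
        if any(addr in net for net in self.excluded):
            raise ScopeViolation(f"{addr}: explicitly excluded")
        if not any(addr in net for net in self.in_scope):
            raise ScopeViolation(f"{addr}: not in authorized scope")
        return addr


def partition_targets(engagement, targets, now):
    """Split a candidate target list into (authorized, rejected), where
    rejected is a list of (target, reason) pairs."""
    authorized, rejected = [], []
    for t in targets:
        try:
            engagement.check(t, now)
            authorized.append(t)
        except (ScopeViolation, ValueError) as exc:  # ValueError: not an IP literal
            rejected.append((t, str(exc)))
    return authorized, rejected


# Constructed example: documentation-range addresses and a one-week window.
ENGAGEMENT = Engagement(
    in_scope=["198.51.100.0/24", "203.0.113.0/25"],
    excluded=["198.51.100.250"],  # hypothetical production database host
    start=datetime(2024, 3, 1, tzinfo=timezone.utc),
    end=datetime(2024, 3, 8, tzinfo=timezone.utc),
)

# 203.0.113.200 lies outside the authorized /25 (which ends at .127).
CANDIDATES = ["198.51.100.10", "198.51.100.250", "203.0.113.200", "192.0.2.1", "not-an-ip"]

DURING_WINDOW = datetime(2024, 3, 3, tzinfo=timezone.utc)
AFTER_WINDOW = datetime(2024, 3, 9, tzinfo=timezone.utc)

if __name__ == "__main__":
    ok, bad = partition_targets(ENGAGEMENT, CANDIDATES, DURING_WINDOW)
    print("authorized:", ok)
    for _, reason in bad:
        print("rejected:", reason)
```

Hostnames are deliberately rejected rather than resolved: a name can resolve to an address outside scope, so the tool only accepts literal addresses that were agreed in the authorization.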

A common activity for white hat hackers is penetration testing. Automated vulnerability scanners play a part: a scan is really a suite of checks, some of which contain many hundreds of individual tests, run against servers, networks, and web sites. A penetration test goes further than a scan, with a human tester verifying the findings and chaining them together to show what an attacker could actually achieve. The reports they produce are then used as a blueprint to close off any vulnerabilities that have been found.

If a white hat hacker uncovers a zero-day vulnerability they will report it to the software developer rather than exploit it, a practice known as coordinated (or responsible) disclosure. This allows the software authors to address the vulnerability and to include the fix in their next security patch. If the vulnerability is sufficiently severe, the software developer may issue a specific patch just to address that single vulnerability. Researchers commonly give the vendor a fixed period, often around 90 days, to ship a fix before publishing details.

Many large organizations pay bounties or reward money for finding and reporting vulnerabilities through formal bug bounty programs. Google, Microsoft, and Apple have used such schemes.

What is a Gray Hat Hacker?

Very little in life is black and white. There are many shades of gray in between. Gray hat hackers are a blend of both black hat and white hat activities.

Typically, gray hat hackers look for vulnerabilities in a system without the owner’s permission or prior knowledge. If the gray hat hacker discovers vulnerabilities, they will report them to the system owner.

As a reward for finding the vulnerability the gray hat hacker will request a bounty or payment. They may offer to neutralize the vulnerability or to provide information to the system owner so that they can organize to have the vulnerability closed themselves.

If the owner does not respond at all or if they refuse to pay, the gray hat hacker may name and shame. Details of the vulnerability and the owner’s unwillingness to address the vulnerability can be posted online.

Unlike the black hat hacker, the gray hat hacker is not inherently malicious. They just want rewards for their efforts. Gray hat hackers very rarely exploit the vulnerabilities they find. But their activities are still considered illegal in most jurisdictions because the hacker did not receive permission from the owner prior to attempting to penetrate the system, and a demand for payment attached to an unsolicited vulnerability report can be treated as extortion.

  • A black hat hacker will compromise a computer system without permission, stealing data such as bank details, credit card details, and industrial secrets for their own personal gain. They try to monetize a vulnerability by exploiting it.
  • A white hat hacker obtains permission before testing a system’s security. The findings are delivered back to the organization. They try to detect and nullify vulnerabilities to prevent their exploitation.
  • A gray hat hacker will attempt to compromise a system without permission. The owner is only informed after the event. They try to monetize their efforts at discovering vulnerabilities.

Other Colors

There are other hats—and hackers—of different colors and capabilities.

Blue Hat Hackers

By our definition of a hacker as someone with great expertise and finely-honed skills, a blue hat hacker isn’t really a hacker at all.

The blue hat hacker is a revenge-motivated individual who wants to do something to hurt your business. They are only interested in targeting your organization. For whatever reason, they wish you ill.

A disgruntled employee who tracks down some Distributed Denial-of-Service (DDoS) software and decides to use it on your organization as a form of retribution is a blue hat hacker. Note that the term is overloaded: Microsoft uses BlueHat as the name of its own security conference and for outside researchers it invites to test its products, which has nothing to do with revenge.

Red Hat Hackers

Red hat hackers are the lone rangers of the hacking world. Anonymous, and shying away from publicity, they have all the skills of the other hackers. But they choose to target the black hat hackers themselves.

They ingratiate themselves on hacking forums so that they are accepted and trusted. They use patience and social engineering to try to identify the threat actors on those forums, then target the black hat hackers’ own computers and attempt to remotely destroy them.

Red hat hackers might be fighting on the right side, but their methods are questionable. Like Batman, they operate outside of the law, without any official authority, and with their own interpretation of crime and punishment.

Green Hat Hackers

Although they may aspire to become a black hat hacker, green hat hackers are fledglings in the hacking world. They frequent hacking forums trying to absorb as much knowledge as they can. Usually, they don’t mount outright attacks, but they will try to access private networks as a means of sharpening their budding skills.

When they do manage to gain unauthorized access to a network they usually leave without doing anything. They’re not usually an active threat but will become one over time.

Team Colors

Hat colors shouldn’t be confused with team colors. You may have heard the terms red team and blue team. This is what they mean.

What Is A Red Team?

A red team is made up of white hat hackers who act as black hats in authorized attacks against an organization. The outcome is a real-world, objective assessment of the efficacy of the digital security of the organization.

They may utilize any technique from the threat actor’s portfolio of methods to try to gain access to the building, access to the network, exfiltrate data, install harmless pseudo-malware, and conduct USB-drop, phishing, and spear-phishing campaigns.

A large part of the red team’s effort is spent in reconnaissance before the actual attacks begin. They will painstakingly create a digital footprint of the target organization. It can include:

  • The operating systems in use in servers and computers.
  • The make and model of network-connected equipment such as servers, computers, laptops, Internet of Things devices, tablets, smartphones, firewalls, switches, routers, wireless access points, printers, etc.
  • The number of and details of physical access controls such as digital door locks, fob-operated doors, etc.
  • The details of open firewall ports that are exposed to the internet.

With this knowledge, the red team will identify weak spots and vulnerabilities. A plan can then be assembled to exploit them.

What Is A Blue Team?

The blue team is the counterpart of the red team. Like the red team, the blue team is made up of white hat hackers, but their role is to defend the network and organization from hacking and cyberthreats. They are defending the same IT assets that the red team is threatening.

The blue team draws up a cyberthreat risk assessment. They implement protective and defensive countermeasures such as intrusion detection systems, regular internal vulnerability scans, and external penetration testing. In addition, log monitoring and analysis tools, DNS audits, and analysis of samples of network traffic are performed. Automation of these tasks is used where possible.
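Log monitoring is the countermeasure that catches the reconnaissance described under the red team above, for instance a scan of the internet-facing firewall ports. The following is an added example, not code from the original article: a small Python detector that reads constructed firewall log lines (the log format, the device name fw01, and every address in it are invented for illustration) and flags any source that touches many distinct destination ports within a short window.

```python
"""Port-scan detection over firewall log lines.

Added example, not from the original article. The log format, the device
name fw01 and every line in SAMPLE_LOG are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one client browsing normally, one fast scanner hitting
# eleven ports in six seconds, one slow scanner spacing probes three minutes
# apart, and one unrelated device message that the parser must skip. Lines
# are deliberately not in time order, as real collected logs often are not.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z fw01 ALLOW src=192.0.2.50 dst=198.51.100.10 dport=443 proto=tcp
2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=21 proto=tcp
2024-03-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=22 proto=tcp
2024-03-01T10:00:02Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=23 proto=tcp
2024-03-01T10:00:02Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=25 proto=tcp
2024-03-01T10:00:03Z fw01 ALLOW src=203.0.113.7 dst=198.51.100.10 dport=80 proto=tcp
2024-03-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=110 proto=tcp
2024-03-01T10:00:04Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=143 proto=tcp
2024-03-01T10:00:04Z fw01 ALLOW src=203.0.113.7 dst=198.51.100.10 dport=443 proto=tcp
2024-03-01T10:00:05Z fw01 link state change on eth1
2024-03-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=198.51.100.10 dport=445 proto=tcp
2024-03-01T10:00:06Z fw01 DENY src=203.0.113.7 dst=198.51.100.11 dport=3389 proto=tcp
2024-03-01T10:00:06Z fw01 DENY src=203.0.113.7 dst=198.51.100.11 dport=8080 proto=tcp
2024-03-01T10:00:30Z fw01 ALLOW src=192.0.2.50 dst=198.51.100.10 dport=443 proto=tcp
2024-03-01T10:00:00Z fw01 DENY src=203.0.113.9 dst=198.51.100.10 dport=22 proto=tcp
2024-03-01T10:03:00Z fw01 DENY src=203.0.113.9 dst=198.51.100.10 dport=23 proto=tcp
2024-03-01T10:06:00Z fw01 DENY src=203.0.113.9 dst=198.51.100.10 dport=445 proto=tcp
2024-03-01T10:09:00Z fw01 DENY src=203.0.113.9 dst=198.51.100.10 dport=3389 proto=tcp
2024-03-01T10:12:00Z fw01 DENY src=203.0.113.9 dst=198.51.100.10 dport=8080 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_line(line):
    """Return a dict for a connection log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"])
    return event


def detect_port_scans(lines, window_seconds=60, min_ports=10):
    """Flag sources that touch at least min_ports distinct (dst, port) pairs
    within any window_seconds-long sliding window. Both ALLOW and DENY count:
    the open ports are the ones the scanner is most interested in.
    Returns {src: peak number of distinct pairs seen in one window}."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # collected logs are not always ordered
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    span = timedelta(seconds=window_seconds)
    for src, evs in by_src.items():
        window = deque()
        for e in evs:
            window.append(e)
            while e["ts"] - window[0]["ts"] > span:
                window.popleft()
            distinct = {(w["dst"], w["dport"]) for w in window}
            if len(distinct) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("fast scan, default window:", detect_port_scans(lines))
    print("slow scan, 15 min window:", detect_port_scans(lines, window_seconds=900, min_ports=5))
```

With the defaults only the fast scanner is reported; the slow scanner, which spreads five probes over twelve minutes, is invisible until the window is widened and the threshold lowered. That trade-off between catching slow reconnaissance and raising false positives on busy legitimate clients is exactly the tuning work the blue team’s log analysis involves.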

IT governance policies and controls are put in place. These will define and regulate the use of the IT systems by employees. Staff education is conducted periodically, covering cybersecurity and best practices. A specific set of inductions and training will be implemented for new starters.

The configuration of all networking equipment is under blue team control, as is ensuring the firmware and embedded software of networking devices are patched and maintained up to date, along with the operating systems and software on servers and computers.

Red Teams and Blue Teams Work Together

The actions of the red team and the blue team are complementary. Having these two teams in place benefits an organization by having two very different mindsets approach the topic of cybersecurity. Inevitably, there will be competitiveness and pride at stake in both teams, which fosters maximum effort and high attainment on both sides. When the two teams work side by side, sharing attack and detection findings as they happen rather than only in a final report, the exercise is often called purple teaming. Much of this can be out-sourced, of course.

A Note About Terminology

With the current concerns regarding terminology that uses racially-insensitive terms, we’d expect the use of black hat and white hat to be discontinued.

Threat actor and ethical hacker are perfectly reasonable replacements.