Justin Shaw Grey, Sales Director of Synack, spoke to Johanna Hamilton AMBCS about the world of international pen-testing, finding vulnerabilities in programs and selling the concept of white hat hacking to a company board.

Hacking, or tinkering around with a computer to discover its innermost secrets, is as old as the computer itself. However, the 21st century has seen a darker side to the art: theft, nation-state attacks, cyber missiles. In a digital world, where so much damage can be done with a few keystrokes, Synack is helping to keep the status quo.

Tell me about the history of Synack

‘Our founders, Jay Kaplan and Mark Kuhr, were two young guys working at the NSA in the US. They looked at the world of traditional pen-testing and felt that it needed to change. At the same time, the whole bug bounty program became quite prolific in the US - where companies like Apple and Amazon said to the world, "if you find any vulnerabilities in our systems then we'll pay you a bounty." So, they thought, "how can we use the crowd but not everyone to transform traditional pen-testing?" What they created is Synack.

‘Synack is around 1,300 of the world's best ethical hackers from 65 different countries. It's basically crowd-sourcing the best talent in the world and giving them a legal platform to hack against one another for money and also for kudos.

‘As you can imagine, a lot of hackers love competing with each other. For them, it's a bit of a game. So, hacker of the week, hacker of the month - every year we do a “hacker house”. Last year was in Costa Rica, this year it's going to be in Japan. We take our ten best hackers and pit them against one another in a live environment. So, during the day we'll normally do some sort of sporting activity, then in the evening, they start hacking against one another. It's pretty awesome to see.’

Do you set games, or are these real, live bounty hacks?

‘It's a real, live problem. In any environment they go through our security platform, Launch Point, where we've got full packet capture for complete visibility of what the hacker is doing. At our hacker house, it’s still our normal model but they're in the same room or vicinity.

‘We had one in Bali where one of the hackers had got onto a target but couldn't go any further. They knew that one of the other hackers was really good at a certain problem, so went over and tapped him on the shoulder and said, "if we crack this, do you want to split the bounty?", which is pretty awesome to see. So, not only do you have the best hackers involved, but you've got the best hackers co-operating with one another to try and find a vulnerability.’

How do you choose which hackers to work with?

‘They need to go through two tests: one is ethical, including a series of rigorous background checks, telephone / video interviews and police background checks. We also hold their passport details, social security numbers and keep tabs on their social media.

‘We vet our hackers more stringently than most organisations with a whole process that takes, on average, eight months. After all the vetting and testing, we only accept 8% of the ethical hackers that apply to us. There are bug bounty programs out there, with companies like HackerOne and Bugcrowd having hundreds of thousands of hackers on their books. We are not like that; we like to connect with our hackers.’

That is a huge time investment for a small number of people.

‘We want to make sure they're good enough, but also keep them involved and then challenge them through having the status and the kudos and all that good stuff. That's very important to us.’

So, what’s the hacking process?

‘Different hackers, different technologies, different ways of working. Our team mirrors the dark side of hacking with many different nationalities from around the world. In our platform, the customers do have the opportunity to say, "we don't want hackers from the old Eastern Bloc" or "we only want hackers from Europe". However, our argument is, “if you're going to get hacked, guys, the chances are it might be from one of the former countries. Better we use the skillset we control than not."

‘They've got their own toolsets which take an average of ten years to build. Synack has a scanning tool that does an initial scan of the network - it kind of points the hackers in the right direction - but then they'll use their own scanning tools and skill.

‘You can imagine 1,300 different ways, 1,300 different mindsets. I don't think we've actually profiled it per se, but a female hacker in Ukraine will have a very different way of hacking to say an Australian guy. We put them on to a target, from level one to five. Our hackers have to start at level one. We currently have around 30 guys and girls who are really good at level five. They have to work their way up through a points system from bottom to top. Once again, it's all about the kudos.’

Do you have many women hackers?

‘I would say around 10% of our hackers are women, but I could be wrong. It's growing as we get younger people onboard. I think the average age is between 20 and 30, but then you get people who might be in their 50s who do it, so even the age thing is quite an interesting dynamic to look at.’

Do you choose hackers for certain bounties?

‘We split the 1,300 hackers into cohorts. Within each group, we’ll have level ones to level fives, with a range of specialist skills in web testing, infrastructure testing, mobile testing, API testing. So, when we go into a bank, for example, and they want to do a web test or an infrastructure test, we invite the cohort that we think would be best suited to that target. If the customer is on a continuous test, we will rotate the cohorts every six weeks. We find a lot of vulnerabilities come up within 72 hours of a new cohort coming in, just because a fresh pair of eyes see different things.’

When vulnerabilities are found, are they fixed right away?

‘You'd be surprised how many don't. The way the process works is that when a hacker finds an exploitable vulnerability, they need to show us how they did it and also how they would remediate against that vulnerability. That’s remediation advice from a hacker, including screenshots and a text write-up. During the whole process, the hacker is available through a chat window in the portal, so you can ask them questions.

‘You've got a portal, the customer's got a portal, every time there's an exploitable vulnerability found or any vulnerability for that matter, it pops up in the portal. It will say, "this is the vulnerability. This is how severe it is. This is how we recommend you remediate against it." Then it's up to the customer to decide if that vulnerability is bad for business. That will be WannaCry.

‘We see our customers’ patch efficacy go up dramatically once they've been given the advice. After the customer has fixed that vulnerability, we give the hacker the opportunity to hack it again. If they exploit that vulnerability, we pay them, the customer doesn't pay them. So, it's almost like a free test after.

‘We found 108 exploitable vulnerabilities for one of our customers - 50-odd of those were exploitable - and they patched them all within five working days. Other organisations already have lots of vulnerabilities and say, "we can't even fix the ones we've got and you're going to come along and throw another 20, 30, 40 vulnerabilities at us." Then the argument we have is, "wouldn't you rather know about every single one of them and then you can decide which ones you need to fix?" Burying your head in the sand doesn’t make the problem go away.’

Do you always have a contract with companies?

‘Hacking a system without permission is illegal, so yes, we always have contracts with customers. A pen-test is only as good as a point in time. The day after, the code may have changed and the application could have new vulnerabilities. Our ongoing customers know they've got Synack running in the background doing the ethical hacking, finding the vulnerabilities, doing the scanning and everything else 365 days a year. They can release new code and release new applications, too, knowing it's always being tested.’

So, is it just about good housekeeping?

‘It’s about housekeeping and ease of access. Traditionally, if you wanted to schedule a pen-test with a consultancy firm, the set up would take months. Synack has the ability to spin up a test within 24 hours. So, if you've got part of the business saying, "we've got a new application, we want to launch it in a week's time," we can find those vulnerabilities.

‘We had a client recently that had an application going live on Monday and they called us on the Friday afternoon and said, "We need to get it tested." We spun up a test. By that evening, we had 70-80 ethical hackers signed up. They tested over the weekend and found a lot of vulnerabilities. They didn't launch the application on Monday - but they launched it a week later. It's that continuous testing and the agility, which no one else on the market is able to do.’

Do companies always pay their bounties?

‘I'd like to think they do. Though the model can be a little flawed. When you’re throwing the challenge out to the crowd, potentially every single person in the world could find a vulnerability and who do you pay? It then becomes a little bit blurry and you don't want blurriness with hackers. Our hackers have their own view of the portal. They can very much see what everyone else is doing so they know when another hacker gets paid for a vulnerability. It's all legitimate, there's no arguments, there's no "that was mine" or anything else. We're trying to negate the uncertainty and pay our hackers within 24 hours - often within 12 hours.’

Do you have an image problem when you’re selling a hacking service?

‘Most people in IT are comfortable with it. But if you say it to a lawyer or someone in procurement, they might say "hold on a second, you're going to get a hacker from Russia that we've never met and they're going to hack us?". It's like, "well guys, you're being hacked anyway from a bad hacker in Russia. You just don't know about it. So, do you want one of the good guys to find it first or one of the bad guys?" It's a mindset thing.’

Do you see any repeat flaws in security? The same things over and over again in different companies?

‘We do see a lot of similarities in some of the exploitable vulnerabilities that we find. We put a bit of an AI beast in the background. So, all the hacks and all the vulnerabilities we find, we just fuel the scanning tool, so we can obviously find vulnerabilities a lot quicker in the future.’

Do you ever anonymise results and share them through open source platforms?

‘It’s quite a grey area. Sometimes, law enforcement agencies in various countries, say, "why don't you give us your data, so we know what to look for?". Those conversations have been happening in the US and the UK, but with all the legalities around GDPR, etc, how do we repackage it? While those conversations are happening, it’s not something we’re doing right now.’

How do you become a white hat hacker?

‘A lot of these ethical hackers have done pen-testing courses, but really they have got a very different mindset. I don't think you can learn that. I think you've just got it, or you haven't. Our top ten hackers - their minds are like the Matrix - they can see things that other people just cannot see.

‘We've got a hacker at Nottingham University. He's 20 or 21 years old and he's on about £80,000 a year. He's paid for all of his studies. I've met him and said, "why don't you just take your laptop, when you've finished your studies, and travel around the world for two years? You can pay for all of your travel. You can stay in nice hotels. All you need is yourself and your laptop and you're good to go." He did a webinar where he showed me how he does hacks. It's just like rocket science. It really is fascinating to see.’

Do you think hackers are naturally gifted, as in having an advantage with neurodiversity?

‘I think absolutely. I think hackers have got a very unique mindset generally, the way they think, the way they do things. I also think it has a lot to do with age and origin too. If you looked at our hackers in India, they might have a very different way of thinking than maybe hackers in other parts of the world. A lot of our hackers in India aren't necessarily in it for the big bounty stuff, they're not really going for the $5-10,000 bounties, they're going for the smaller stuff because they know if they get $500 on a smaller vulnerability, that will feed them for a week or two weeks.’

What is the process to work with Synack?

‘To get the board on side, we explain the model. We've got a lot of reference customers, including banks, so that often helps. There's a lot of referral. We’ll do the first test and then write a two-page CEO board summary that says, "this vulnerability was found. If it was exploited by a hacker, this is what it would mean to your business. Access to your customers’ credit card details, for example." Then you can say, "what would be the cost to the business? The cost to do a test with Synack is X versus you getting hacked, which could cost hundreds of millions of dollars." And then, very quickly, you see board members agreeing, "we just need to do this." It's a no-brainer.’