Cyber threat hunting is an ongoing process. More and more companies are turning to professionals to carry out a proactive and iterative search for vulnerabilities and to discover in advance any activity that attempts to circumvent existing security solutions. Vulnerability Assessment and Penetration Test are the two terms that describe the functions specialists perform to prevent computer crimes and the dissemination of sensitive data. These are periodic checks and inspections that, thanks to today’s technologies, work in the background, i.e. without slowing down normal business operations. The attack surface keeps growing, due in part to the rapid disappearance of the perimeter that used to separate professional from private computer networks, which are now mixed into a single experience of working remotely from home. This makes it essential to avoid major breaches, which are costly both economically and in terms of reputation.
Vulnerability Assessment and Penetration Test procedures are closely linked to ethical hacking. Ethical hackers investigate a system or network for weaknesses that criminals could exploit to compromise or destroy it. They collect and analyse information to understand how to strengthen the security of the system, network and applications, so that these can better resist attempted attacks. There are many reasons why criminals break into computer systems, from financial gain to personal satisfaction. These two motivations have long marked out two distinct categories. On the one hand, there are the real hackers, who breach software and networks without any great financial interest; on the other hand, there are the crackers, who aim precisely at obtaining compensation and ransom for their ‘work’. Over time, however, the differentiation has faded, especially in practice. This is especially true with the emergence of actors driven by states and large organisations, whose actions directly or indirectly damage a company rather than the individual citizen. How do you fight such a ‘war’? With other hackers. Ethical hacking seeks to strengthen the security of information systems by assessing a company’s protection and trying to anticipate unforeseen attacks with potentially devastating consequences. Its practitioners are professionals who are always in the field, working directly for large companies or as consultants to specialised agencies, and who are often recruited by the intelligence services.
Many are unaware that, in addition to specialised companies, bug bounty initiatives are one way to grow the ethical hacking scene. A bug bounty programme aims to reward those who manage to find bugs and vulnerabilities in various software solutions, hardware, websites and so on, provided they fulfil a number of requirements, such as proving the vulnerability, exploiting it, documenting it and not disclosing it until it is fully resolved. Many companies and digital giants have their own bug bounty programme, focused on the services or products they offer. In Europe in particular, attention to such initiatives is growing rapidly, thanks in part to companies that rely heavily on events of this kind to raise awareness among professionals and find new talent. Today these events are almost exclusively online, but they used to be held in person in large spaces.
Intigriti is a security company based in Antwerp, Belgium, which raised €4.1 million in 2020 in a round led by ETF Partners and supported by several business angels. With its community of hackers, the Belgian startup offers customers continuous vulnerability testing. Hackers test selected areas of a company’s infrastructure and receive a fee, the so-called “bug bounty”, only if they root out a real weakness. As a service, Intigriti helps customers design and manage their bug bounty programmes, incoming vulnerability reports and payments. The areas of action are many: IoT, cloud computing, artificial intelligence and automation are just some of the “new” contexts in which Intigriti’s network operates to unearth vulnerabilities and possible backdoors in potentially critical infrastructure.
In January 2021, Intigriti became a partner of the European Commission to launch a new vulnerability programme for Matrix, an open source secure communication tool. This is part of a new initiative by the European Commission, the executive branch of the European Union, to protect critical open source software projects.
«The aim of Intigriti is to bring the power of crowdsourced security to Europe. When Intigriti launched in 2016, the use of ethical hackers within cybersecurity was already in motion around the world. However, it was mainly businesses in the United States that were utilising bug bounty programs», Stijn Jans, CEO at Intigriti, told us. «We began with a small but motivated team who all shared a passion for modifying cybersecurity testing. One of these people is Inti De Ceukelaire – a multi-award-winning ethical hacker. He set to work building our community of security researchers while I began reaching out to my contacts to educate them on the benefits of bug bounty programs. Today, we have more than 250 programs live on the Intigriti platform and over 35,000 researchers working with us».