
So You Want to Be a (Ethical) Hacker?

By Michael Chalmandrier-Perna | October 04, 2016

The news is inescapable. Hackers and their nefarious counterparts have been thrust into popular culture, not just in the form of fictional characters like Mr. Robot (see our thoughts on season 1), but in the form of very real individuals and organizations that are responsible for everything from the sophisticated takedown of nuclear enrichment facilities to the humiliation of major media organizations. It all sounds terrifying, I know. Which is why I asked some of our very own researchers and analysts to help us separate fact from fiction. In this series, I will dive deep into some of the most pressing questions about what it really means to be a hacker, the moral dilemma that white hat hackers face, and what a profession in cybersecurity is really all about.


An Interview with Chris Navarrete, Security Researcher at Fortinet

Chris works within our FortiGuard Labs division, researching malware as well as emerging and zero-day vulnerabilities.

Q: What is more interesting, malware analysis or vulnerability research?

That is an interesting question, and this is actually very good to know. If you are coming from a pen testing background, like in my case, and you are trying to get into other areas of security research such as vulnerability research and discovery, malware analysis, forensics, and so on, you already have the tools. For example, as a penetration tester, I developed my own tools to access sensitive data. And now as a researcher, I get to use those same skills and toolkits for something different. In the past, it was my job to attack systems, servers, etc. Now, I am doing the same thing, only I’m attacking the malware itself. It’s basically the same kind of reverse engineering, so I don’t really distinguish between the two.

Q: What do you think about “Hackers” - the media’s depiction, the culture, etc.?

In my personal opinion, I feel that the media tries to sensationalize the whole thing. There are different levels or layers to the definition of hacker. That being said, I don’t really identify with others who call themselves hackers. To me, a hacker is more accurately someone who creates things. The term is much bigger than computers. For example, a doctor or medical researcher that is able to create a cure for a disease is able to do so only by reverse engineering some aspect of biology. Doctors are hacking, creating patches and workarounds, etc. This is exactly the same thing that we are doing to malware on computers.

To me, hacking is a mindset. It’s an approach to problem solving.  

Q: Do you consider yourself a hacker?

I don’t think so. At least not in the way the media and popular culture use the term. I don’t want to be labeled like that. I just want to learn. I am very passionate about what I do. For me it is about developing something new with the experience and knowledge I have.

Q: Can you tell me a little bit more about how you developed your unique skill set?

It started when I was about 12 years old, in the ’90s. I was always crashing my father’s machine. At that time I played a lot with my father’s computer; Windows 3.1 I think it was. I started learning by messing things up. After some frustrations, my father sent me to a friend that owned a computer repair shop to learn how to fix the problems I created. He taught me a lot of the basics, and then I encountered a virus. I remember that it was the Jerusalem, or Friday the 13th Virus. I also remember CIH, which was very, very scary for me. It is still scary to think about. It was basically an advanced PE file-infector that has the ability to overwrite the hard-disk sectors as well as the machine’s BIOS, including other malicious payloads.


After that, I met someone at school who was very good with computers. He introduced me to a lot of different sites and forums where I learned more. I experimented a lot and developed an interest in penetration testing. I met others that were interested in pen testing, and eventually people who knew what I did started asking me to do analysis work, which was basically pen testing for money.

I never received a certification before I started. I always thought it was better to be the person who could solve the problem than the person who held 15 certifications. I actually still only have two: Certified Ethical Hacker (CEH), and more recently, a certification in malware analysis and reverse engineering.

Q: When you first got started doing pen testing, were you motivated only by your curiosity, or were you able to find some kind of network or group of other people that helped encourage you?

I can say this. In Mexico, where I grew up, it was actually very different. In other Latin American countries I think they were better about forming groups, but for the most part I did things alone. There were very few people that wanted to share information or teach you something. I had friends, but mostly in the US or UK.

Q: What else can you tell me about the hacking or cybersecurity culture in Mexico?

The underground community was not very big; there were maybe 50 people in total in four main groups: Raza-Mexicana, Ignition, X-Ploit and Raregazz. They became very famous for defacing websites. Someone I knew was actually caught for defacing a government website and gaining access to classified emails. It was at this time, too, that the Mexican chapter of 2600 was started. I never really got involved because things started to turn a bit bad. Before that, though, it was a good environment - mostly just us hanging out and talking about computers or security. I am still friends with a lot of those people. Like me, they are mostly working for security companies or doing consulting now.

I also spoke a few times at a conference called BugCon. It was a good venue to educate people about ethical hacking.

Q: If I wanted to learn malware analysis, pen testing, or even how to write malware, how would I get started?

You can just send me an email ;)

Chris and I spoke at length more informally about the motivations of a cyber criminal, the need for security education, ATM skimmers, and the next generation of hackers that seems to be emerging. Check back here for more on these topics, and more interviews from the professional hackers at Fortinet. 


After our interview, Chris also shared with me some of his favorite songs to hack to: