If you can’t beat ’em, use them!
Japan has found a way to defeat hackers, taunting them with bounties.
Japanese tech firms continue to struggle with the rising threat of cyberattacks. Fortunately, they already found an excellent solution. Japanese companies are now attracting hackers worldwide with money to find any loophole in their security systems, all to push their engineers to refine their skills. They call this white-hat hacking.
White-hat hackers counter black-hat ones by finding the possible paths they could use to infiltrate a security system. This way, the white hats raise their employer’s awareness of their own system’s vulnerabilities, allowing the companies to fix them before malicious black hats find and exploit them. This method encourages hackers to turn to ethical hacking—reducing the number of black hats—and helps companies protect themselves better.
Sangfor Technologies, a vendor of innovative IT security solutions, provides a Network Detection and Response (NDR) tool for securing IT networks for added assurance. Still, adopting any of the strategies below would help a struggling IT department finally figure out its opportunities.
Bug Bounty System
Chiba University—a state-run university in Japan—launched a bug-hunting contest for its students to improve their skills in cybersecurity. The contest teaches students to adopt the mindset of a hacker and work through all the possible ways they can infiltrate the system and fix it. Be that as it may, the University only compensated the students with non-monetary gifts.
In 2014, Cybozu Inc.—a web-based groupware service company—offered cash prizes for white-hat hackers to find any exploitable weaknesses in their system. Cybozu paid up to 500 thousand yen for each problem caught by hackers. By the end of 2016, hackers found 370 vulnerabilities in their designs. The company had to pay 15.6 million yen to white hackers. This move inspired LINE Corp.—a messaging app company—to do the same in 2016.
In 2016, Sprout Inc.—a cybersecurity firm in Japan—started Bugbounty.jp, the first bug bounty platform in the country. They specifically designed the site for Japanese companies, but it is available in both English and Japanese. This platform allows hackers worldwide to help the partnered Japanese corporations—such as Pixiv, Gumi, and Baidu—find vulnerabilities in their sites.
Another site that hosts a plethora of white hacking requests is HackerOne. Just in 2019, they paid out over 4.2 billion yen on the site. LINE Corp., which also started posting on HackerOne, reported that it has already paid out more than 100 thousand dollars through HackerOne. The management also remarked that the influx of reports challenges their engineers to refine their own skills.
Pixiv—a company that hosts a site for artists to post their works—started using HackerOne in September 2019. Before moving to HackerOne, the Tokyo-based company was using Bugbounty.jp, the website mentioned earlier. However, the management thought that using HackerOne would be better to expose themselves to more white hackers worldwide. True enough, when Pixiv posted requests on the hacking site, they received a barrage of reports—enough to slow down their own servers.
With this, the mindset of other website operators flipped. They thought, “Instead of keeping hackers at bay, why not challenge them with a reward?”
“Offensive Security”
Ricerca—a company founded by five globally recognized young Japanese hackers—said this was their strategy.
As most Information Technology systems have multiple weak points, white hackers must find every threat they can. This is what Ricerca calls “Offensive Security,” adopting the mindset of an attacker to find the best defensive moves you can employ.
To equip your security system against “zero-day” exploits—vulnerabilities that aren’t that well-known or made public just yet—an engineer must try to find and attack such weaknesses in his defensive wall.
Ricerca is also proud of its recently discovered attack method and has stated that it has received inquiries from companies worldwide. Furthermore, it has received requests from multiple domestic and international companies to develop an automated AI bug testing tool.
By mirroring the techniques used by the above Japanese companies, Southeast Asian nations can transition from constantly worrying about their defenses to testing them with the help of hackers. As an alternative, companies may invest in threat hunting solutions, though assistance from white hat hackers would give more confidence in the precautions and security solutions applied.