
Ethical hacking: at the heart of modern cybersecurity

Christophe Gaie
Head of the Engineering and Digital Innovation Division at the Prime Minister's Office
Jean Langlois-Berthelot
Doctor of Applied Mathematics and Head of Division in the French Army
Key takeaways
  • Ethical hacking is a discipline that uses techniques similar to those employed by cybercriminals, but with the aim of strengthening the resilience of information systems.
  • The objective is to proactively identify vulnerabilities in IT systems in order to prevent them from being exploited by malicious actors.
  • It is based on a rigorous methodology, founded on recognised standards (such as PTES or OSSTMM), and requires advanced technical skills.
  • This discipline is also used in crisis situations to analyse compromises, identify attack vectors and propose corrective measures.
  • Ethical hacking is set to expand with the rise of artificial intelligence, blockchain and quantum computing.

The term “ethical hacking” may seem paradoxical at first glance, as it juxtaposes two concepts that are perceived as antagonistic. This apparent paradox deserves some preliminary clarification.

Historically, in the 1960s at MIT, the term “hacking” referred to the technical ingenuity of passionate students who modified or improved computer and electronic systems for exploratory or creative purposes. This playful and curious approach to computer systems gradually evolved with the emergence of the first computer viruses, followed by malware, leading to a negative perception of “hackers” in the collective imagination, often associated with illegal, fraudulent or destructive acts [1].

Landmark events, such as the spread of the “Morris Worm” in 1988, which paralysed a significant portion of the Internet at the time, and operations carried out by groups such as the “Legion of Doom”, contributed to this alarmist perception [2].

Today, in contrast to these illegal practices, “ethical hacking” is a discipline in its own right – structured, legally regulated and requiring advanced cybersecurity skills. The experts involved, known as “ethical hackers” or “white hats”, use techniques similar to those of cybercriminals, but with the opposite aim: to strengthen the resilience of information systems by identifying and correcting their vulnerabilities before they can be exploited for malicious purposes.

What is it for?

Ethical hacking is now a fundamental strategic tool in cyber risk management. Its main objective is to proactively identify vulnerabilities within IT systems in order to prevent them from being exploited by malicious third parties. This approach complements and enhances traditional protection measures in a context marked by an exponential increase in cyber threats.

In practical terms, ethical hacking involves simulating realistic attack scenarios, replicating the techniques used by attackers (reconnaissance, privilege escalation, pivoting, data exfiltration, etc.) to anticipate potential points of failure in the system being tested. This simulation, carried out by professionals from outside the organisation, requires a precise and legally sound contractual framework that guarantees the protection of both parties and defines the scope of the intervention [3].

Beyond simply searching for vulnerabilities, this approach helps to raise the cyber maturity level of organisations. It contributes to the implementation of long-term corrective measures, the consolidation of secure development practices (such as DevSecOps), and the ongoing training of internal teams. In this sense, ethical hacking is a lever for organisational transformation and a factor in digital resilience [4].

Furthermore, by identifying the risks of sensitive data leaks or compromise, ethical hacking plays a major role in regulatory compliance (GDPR, NIS2, etc.) and the protection of critical assets, both for businesses and public institutions [5].

How does it work?

Contrary to the sensationalist view promoted by certain media outlets, ethical hacking is not a marginal, anarchic or intuitive activity. It is based on a rigorous methodology, founded on established standards (such as PTES – Penetration Testing Execution Standard or OSSTMM – Open Source Security Testing Methodology Manual), and requires advanced technical skills.

An ethical hacking mission generally consists of three main phases [6]:

  • Scoping phase (or legal reconnaissance): this step involves defining the objectives, the exact scope of the audit, the rules of professional conduct, the tools that can be used, and the functional and technical targets of the test. The system to be evaluated is thus understood in all its operational complexity (infrastructure, applications, network layers, etc.).
  • Simulated attack phase (or controlled exploitation): the “pentesters” [Editor’s note: or ethical hackers] carry out vulnerability tests, using databases of known vulnerabilities (CVE, CWE) or their own techniques. This phase often includes partial – but non-destructive – exploitation of the identified vulnerabilities, sometimes accompanied by the planting of traces proving the intrusion, for evidence purposes.
  • Feedback phase (or technical and managerial reporting): this involves writing a formal audit report documenting the vulnerabilities identified, their criticality (often using CVSS scores), the proposed remediation methods, and strategic recommendations to strengthen the security posture.

This approach is based on a strict code of ethics. Ethical hackers are bound to respect the confidentiality and integrity of the audited system and to be transparent with the client. All of their actions are logged, supervised and often audited after the fact.
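
As an added illustration (not from the original article or its authors), here is one way tooling could enforce the scope agreed in the scoping phase and keep the tamper-evident action log that an after-the-fact audit relies on. The class and function names, the tester label and the address ranges (documentation ranges) are assumptions constructed for the example.

```python
import hashlib
import ipaddress
import json

GENESIS = "0" * 64  # "previous hash" of the first log entry

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Engagement:
    """Scope agreed in the scoping phase, plus a hash-chained action log."""
    def __init__(self, in_scope, excluded=()):
        self.in_scope = [ipaddress.ip_network(n) for n in in_scope]
        self.excluded = [ipaddress.ip_network(n) for n in excluded]
        self.log = []

    def authorised(self, target):
        addr = ipaddress.ip_address(target)
        if any(addr in net for net in self.excluded):
            return False  # explicit exclusions win over the in-scope ranges
        return any(addr in net for net in self.in_scope)

    def record(self, tester, action, target):
        """Log every attempted action, allowed or refused, chained to the previous entry."""
        entry = {"seq": len(self.log), "tester": tester, "action": action,
                 "target": target, "allowed": self.authorised(target),
                 "prev": self.log[-1]["hash"] if self.log else GENESIS}
        entry["hash"] = _digest(entry)
        self.log.append(entry)
        return entry["allowed"]

def verify_log(log):
    """Audit after the fact: index of the first altered entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(entry):
            return i
        prev = entry["hash"]
    return -1

def demo():
    # Constructed engagement: one in-scope range with one excluded host.
    eng = Engagement(["192.0.2.0/24"], excluded=["192.0.2.10/32"])
    targets = ["192.0.2.5", "192.0.2.10", "198.51.100.7"]
    results = [eng.record("tester-a", "vulnerability-test", t) for t in targets]
    intact = verify_log(eng.log)
    eng.log[1]["allowed"] = True  # simulate the record being edited afterwards
    return results, intact, verify_log(eng.log)
```

An unkeyed hash chain only reveals edits if the final hash is held by another party, for instance handed to the client at the end of each test day.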

Examples and prospects

The applications of ethical hacking go far beyond simple technical audits. In the field of incident response, the expertise of ethical hackers is regularly called upon in crisis situations, particularly to analyse proven compromises, identify attack vectors and propose effective corrective measures [7].

For example, during the coordinated attack against TV5Monde in 2015, which paralysed the channel and compromised several servers, security specialists – from state agencies such as ANSSI, but also independent experts – helped to rebuild the compromised architecture and better understand the techniques used by the attacker [8].

The development of “Bug Bounty” programmes is also part of this approach: organisations open their systems to volunteer ethical hackers, who are paid or recognised for the vulnerabilities they identify. This collective intelligence strategy makes it possible to detect complex flaws that are often not identified by internal audits. The public programme launched in 2024 by France Identité is a recent and emblematic example [9].

Finally, the prospects for ethical hacking are set to expand with the rise of critical technologies such as artificial intelligence (AI), blockchain and quantum computing. Ethical hackers will be called upon to audit not only traditional technical infrastructures, but also AI models themselves, data supply chains, and zero trust architectures in cloud environments. Exploratory work is already underway to secure machine learning algorithms, prevent data poisoning, and audit the transparency of generative models.

In conclusion, ethical hacking is now an essential pillar of the cybersecurity ecosystem, combining technical expertise, professional ethics and a proactive approach to risk management. It allows digital defences to be tested in a controlled manner, reveals the blind spots in a cybersecurity strategy and strengthens organisational resilience in the face of increasingly sophisticated threats.

However, this practice cannot develop fully without a delicate balance between ethical hackers’ freedom of action and rigorous oversight of practices. It is up to public and private decision-makers to foster environments conducive to innovation in cybersecurity, where experts can express their creativity without compromising security or ethics.

[1] Lallement, M. (2015). L’Âge du Faire. Hacking, travail, anarchie. Média Diffusion.
[2] Cecil, A. (2007). A summary of hacking organizations, conferences, publications, and effects on society. Retrieved from https://www.cse.wustl.edu/~jain/cse571-07/ftp/hacking_orgs/
[3] Skills4All. (2024, July 4). Comment pratiquer le hacking éthique de manière responsable ? Retrieved from https://www.skills4all.com/comment-pratiquer-le-hacking-ethique-de-maniere-responsable/
[4] ANSSI. (2025, February 25). Guides essentiels et bonnes pratiques de cybersécurité. Retrieved from https://cyber.gouv.fr/guides-essentiels-et-bonnes-pratiques-de-cybersecurite-par-ou-commencer
[5] Malwarebytes. (2025, January 28). Qu’est-ce que le hacking éthique ? Retrieved from https://www.malwarebytes.com/fr/cybersecurity/basics/what-is-ethical-hacking
[6] Dalalana Bertoglio, D., & Zorzo, A. (2017). Overview and open issues on penetration test. Journal of the Brazilian Computer Society, 23(2). https://doi.org/10.1186/s13173-017-0051-1
[7] Madapati, V., & Madapati, V. (2024, April 9). Ethical hacking in practice: Real-World Case Studies. Amigo Cyber. Retrieved from https://amigocyber.com/ethical-hacking-in-practice-real-world-case-studies/
[8] ANSSI. (2015, April 9). Attaque informatique contre TV5 Monde : l’ANSSI mobilisée. Retrieved from https://cyber.gouv.fr/publications/attaque-informatique-contre-tv5-monde-lanssi-mobilisee
[9] France Identité. (2024, February 28). France Identité lance son Bug Bounty public. Retrieved from https://france-identite.gouv.fr/articles/france-identite-lance-son-bug-bounty-public.html
