Empathy in ethical hacking
22nd Nov, 2021 | #5
How do you remain empathetic when your job is to act like an attacker and point out issues with security systems?
With all its military language, cybersecurity can feel very aggressive, but this offensive security specialist shows us it doesn’t have to be.
Today I’m joined by Alexei Doudkine, penetration tester and co-founder of Volkis. I deeply resonate with how he puts his 10+ years of experience on the offensive side of cybersecurity to good use and challenges the status quo. He shares with us his views on empathy and how it embeds into his work as an ethical hacker.
For example, the belief that you are so good and technologically advanced that you can’t be hacked is actually a weakness in cybersecurity - and this is because it is still a very young field, with new threats popping up every day and old threats evolving very fast.
This is why many companies seek the services of ethical hackers to test the robustness of their current security setup. They also get guidance on how to improve or change their security to reduce the chances of being compromised by malicious attackers.
In this episode, you’ll find out what penetration testing involves and the role it plays in a company’s cybersecurity resilience. You’ll also hear about how empathy supports the efforts and approaches adopted by ethical hackers. Lastly, you’ll discover the considerations that help the most when designing security architectures.
In this episode, you will learn:
How ethical hackers practice empathy (03:21)
What to consider when building security architectures (07:43)
How putting people in the attacker's shoes for a minute changes their perception of cybersecurity (10:26)
The role of transparency in building trust within a company (17:04)
Passionate and motivated hacker with over 10 years’ experience in a wide range of offensive security activities, including Penetration Testing, Red Team, Physical Intrusion and Social Engineering.
Easy going, but proud of the accomplishments achieved in various roles such as team lead, educator and public speaker. Aims to build relationships with people and Hack the Planet as co-founder and Offensive Director at Volkis.
[01:29] Andra Zaharia: It is not easy to be empathetic when your job is to act as an attacker and figure out what the security weaknesses in other people’s businesses are. Alexei – today’s guest – is a penetration tester. And his job is to act like an ethical attacker and basically break into other people’s businesses, networks, websites, and so on. So, that comes with an interesting challenge; how do you practice empathy in that context? What does it look like? How do you work against stereotypes that people might have around what an ethical hacker does? And how do you help people understand that language matters when you talk about hacking - as in hacking is not a crime, it is not a malicious activity by itself; malicious hacking is, but not hacking, generally speaking. So, in this conversation, we actually talked about this topic and many more. And I’m excited for you to discover Alexei’s perspective, his very strong moral code, and how he makes a difference in his industry, in his sector. I bet that you’ll find his approach and his company’s approach very refreshing and inspiring. And potentially, it could serve as an example for your own efforts to communicate things that are important to you in a way that really gets them across to other people. So, I hope you enjoy this conversation.
[03:21] Andra Zaharia: So, Alexei, you have over 10 years of experience in cybersecurity, especially on the offensive security side, which is, for those who aren’t involved in the industry — and I hope many of you listening are not involved in the cybersecurity industry — I just wanted to make clear, offensive security deals with actually walking a mile in the attacker’s shoes and evaluating the company from that standpoint. So, obviously, that’s not exactly the most empathetic approach towards what it takes to secure a company. So, how do you actually integrate and practice empathy in your role as the founder of a company that focuses on offensive security?
[04:08] Alexei Doudkine: It’s right there in the term – offensive security. We always joke about this but my title is Offensive Director, which is a bit of a joke title but it’s actually what it is. And everyone, you know, they say, “You’re offensive.” So, by nature, you’re exposing weaknesses in your clients, in the system that you’re targeting during a penetration test or red team. It’s adversarial by nature. So, it’s extremely important to put yourself in the minds of your clients and kind of say, well, they’ve probably spent a significant amount of effort trying to secure their systems or trying to protect themselves. So, even though you find stuff, oftentimes they’ve done something already. So, it’s very important not to have an ego about this. One of the big problems in the industry is that pen testers, hackers are seen as having a big ego. And honestly, part of that’s because they do. But trying to reshape that mindset of attackers, hackers, my guys, consultants is that you don’t need to brag about these things. It’s great that you’ve done it but the passion means that you should be happy about what you’ve done, but not go so far as to brag about it. And even myself on-site, getting domain admin — which is kind of like the keys to the kingdom in an internal penetration test — I always have to take a step back and curb my excitement, not to yell out, as seen in GoldenEye’s Boris, “I’m invincible!” Try not to do that so much. And if the clients are into that — which some are — but also explain that this isn’t a test, this isn’t an audit, it’s not a pass or fail, it’s not “You’ve done horribly,” it’s not about making them feel bad about what they’ve done. It’s simply about showing them what they might not know, and giving recommendations for how to improve, being empathetic to their side. They want to fix this stuff, that’s why they’ve hired you already to do this.
So, they’re doing the correct thing in that they’ve probably thought about this before, and just help them along the way in terms of being on their side. It’s very important that you make them feel like you’re on their side, which you are but there are certain ways you can actually emphasize that.
[06:34] Andra Zaharia: Thank you for pointing that out. I think that that’s so important. And that opens a way to more transparent communication. And it makes people more receptive to any kind of information, generally, because whenever they get on the defensive side of things, that kind of blocks communication, and it just gets people – you lose them for the majority of time there. And thank you for emphasizing the role of communication because I think that there’s a lot of emphasis on the technical side and on the technical abilities, which is obviously incredibly important. But at least as important is communication and being able to adapt to these companies and these people’s context and needs and priorities, which may be very different depending on who you’re working with.
[07:23] Alexei Doudkine: It’s the difference between hacking and pen-testing. You can be a great hacker and maybe you’re not necessarily a great pen tester or a great consultant because you can’t translate the stuff that you’ve done into what the client actually needs of you. You can’t translate it into a business context on their side.
[07:43] Andra Zaharia: I love that distinction. And I’m sure that the fact that you have expertise that spans so many areas, which is not just penetration testing, you’ve also been involved in security design and architecture, you’ve built courses. And we know that these issues, I mean, the reason why we’re talking about this now and why I believe they’re important is because cybersecurity and general information security sits at a fundamental layer for stability in our tech ecosystem, and then in society because we depend so much on technology. And then on a broader level, even, it shapes our future. So, that starts with how engineers design security measures, security services, and security products and features into everything else that we use. So, where have you seen empathy missing from this entire process of security design and architecture?
[08:40] Alexei Doudkine: There’s a couple of different perspectives that we can look at that from. Maybe just starting with a vendor perspective. When you buy a product, like a software product, you expect it to be secure. Even when you ask someone to build a product for you, you expect it to be secure. It’s safety built-in. The issue at the moment with security, in general, is that the security is attached on to the product afterwards. It’s like if you go buy a car, and then you buy the car, but it doesn’t have any seatbelts. So, you have to go drive it to the seatbelt shop to put seatbelts in. That’s weird. But that’s actually where we started. That’s literally how cars were built initially. So, that’s where we’re at with security. It’s a hard problem. That’s kind of from the vendor side. When we’ve done design work for our clients, there’s a lot we need to consider. First and foremost, we need to consider what it is they’re there to do. It’s fun for us to do this whole security thing. It’s usually not fun for anyone else. They have to do it in order to continue to do what they do, whether it’s provide financial services, or make toasters, or whatever it is that they do. That’s what they want to keep doing. So, it’s important for us to take a step back and say, “We’re not in here to make you be secure. We’re in here to help you continue to do what you love doing. And our way of doing that is with security because that’s what we do, that’s what we’re good at, that’s what we love doing.” So, it’s very important to keep in mind when you’re doing security that this isn’t the focus, it’s the secondary aspect of what they have to do to continue doing the first aspect of what they want to do.
[10:26] Andra Zaharia: Thank you for emphasizing that. It is such an important distinction because I feel that nowadays, what we expect of companies, even as regular users and customers, is that they’re also a security company, which does not work. You can’t make that your primary business objective or business process. Ideally, in a perfect world, everyone would have enough resources, and then enough staff and so on to handle things much better than they do now. But in the real world, where things are super complex, and then you have to balance so many priorities, you as a business owner can empathize with that more than most because you know exactly what they’re going through. So, it’s much easier to make sure that you lead with that in mind. And I bet that besides doing the technical aspects of your job, you get to talk to so many people in your penetration testing engagements, with clients that you provide other services for, and especially when you’re building or when you’ve built courses along the years. And to me, teaching, helping people see that integrating some cybersecurity principles into their lives can actually elevate their understanding of technology, and how they manage it, and improve their self-awareness. To me, it has so many benefits. But it’s difficult for people to connect with that or to see that, and most don’t. So, what have you seen from building and delivering courses that gets people to pay attention, what gets them to respond and to actually start creating some change in their lives, whatever that may be?
[12:05] Alexei Doudkine: Honestly, having fun with the course is the number one driver. So, I’ve made courses for technical people. I’ve made courses and workshops for everyday staff at organizations. I’ve taught large companies whether they’re in the room or they’ve watched the recording afterwards. Basically, everyone has seen that workshop that I’ve created. And I always go back to, especially if I’m teaching about security stuff, I put them in the mind of the hacker, I try and put them in those shoes because even in pop culture, it’s kind of like the sexy thing, you know, you’ve got Mr. Robot, Swordfish, and the movie Hackers. There’s a lot in pop culture about this mystical hacker that does these magic tricks and gets into every system. So, I like to put people in those shoes and – even if it’s not technical – just have them think like a hacker for a second. I’ve asked groups of people, “Okay, you’ve got access to someone’s email and your goal is to break into the company, how would you do it?” And the answers that I’ve received from non-technical people have been, honestly, better than what I’ve come up with sometimes. I’ve got my list of, obviously, the five, six things that I expect. And every now and then someone just pulls something completely out of that field. And I’m like, “That’s brilliant. That would absolutely work.” So, putting them in those shoes has been great, because not only is it engaging, they need to think about what they would do from the hacker side of things, but it also helps defend. So, if you know your adversary, it helps you defend against them, helps you protect yourself against them. One thing I wanted to add is it’s just very important to not jump that line into fear-mongering. There’s a very fine line between making them scared of hackers and making them understand them. So, I’m always very conscious to not make them scared of it, but something to just be aware of.
[14:08] Andra Zaharia: To me, that’s perhaps the most important aspect of helping other people, whether it’s training them, whether it’s having a conversation, whether it’s offering support in something they’re not able to deal with, simply because I noticed this as well. Well, I think that the first reaction to cybersecurity that I get from people who have no relation to it is that they feel intimidated. They feel they can’t do this, so they’d rather reject or set it aside, like, “This is not for me. This is not something I can do.” And obviously, no one wants to do things that make them feel stupid or inadequate, or uncomfortable. So, making sure that we put them in control, that they feel there is something they can do about this, that they have this, they understand this, this is something they can deal with - I feel that makes a huge difference. And I’ve seen it in my parents. I mean, now they send me WhatsApp messages and things like that and tell me like, “Is this safe to click? Is this website safe to shop?” And I’m like, “Yes! Yes, it worked. I nagged them for a few years, but it works.”
[15:13] Alexei Doudkine: And it’s important to highlight that everyone can be scammed. I have been scammed. You’re not stupid because you fell for it. Literally, anyone can be scammed, tricked into doing something that’s not for their benefit; right place, right time, right mindset from the attacker’s point of view, and they’re going to get you. In the training sessions, I actually get people to volunteer and just say like, “Hey, raise your hand if you’ve ever fallen for a phishing email.” And it’s like half the room that voluntarily put their hand up. But even if it was 10% of the room, that’s still a massive highlight to say that this happens to everyone. It’s not just you. It happens because it works. So, don’t be ashamed of this stuff, it doesn’t need to be a technical thing. There are certain security principles, like psychological principles, that you can apply to address this. You don’t need to be a crazy computer wizard to understand security at its core.
[16:22] Andra Zaharia: Yes, I totally agree. And I think that normalizing this happens to everyone. And this is one of the reasons that I love so many people who work in the cybersecurity industry because they’re very honest about this. They’re not the kind of people who say — Well, there are obviously these kinds of people as well but it’s not the kind of people that we like to deal with. They don’t say, “I’m an expert. I am unhackable,” and everything else along those lines – don’t trust those people if you’re listening to this.
[16:54] Alexei Doudkine: If you want to get a free pen test from every malicious hacker in the world, say that you’re unhackable and that will basically put a target on your back.
[17:04] Andra Zaharia: Exactly. Plus, I wanted to also highlight that I think you mentioned something that was very important that anyone can contribute to the security mindset or process, or to not today’s industry but to keeping things safe for others as well. No matter what your level of technical skill is, whether you have it or not, there’s always a way to contribute because keeping things safe is not just a matter of just technology, it’s not just a matter of mindset; they all have to work together, simply because at the end of the day, it’s humans exploiting humans through technology. So, if we understand we get to learn out of blind spots, which is what you do best, then we can improve a little bit or our awareness of them. So, as a business owner, you’ve created Volkis because you wanted to build a culture that represented both you and your co-founders’ principles, the way that you want to do things and do things that you believe in with, hopefully, people who share the same values. So, how do you use empathy in how you run the company because you’ve grown so fast?
[18:19] Alexei Doudkine: Yeah, it’s been crazy. It’s a really good question. Maybe I’ll talk a bit about why we started Volkis in the first place, or the first couple of reasons. Matt and I didn’t feel that it needed to be the shady industry, not even shady in the bad sense but just shady as in really closed off, like we’re in the shadows. It didn’t really need to be like that. I feel our strength is in the way that we deliver things, in the human-to-human interactions. So, we’re pretty confident in just being transparent about publishing our methodologies and just showing people how we do things in a day-to-day sense. We’ve had people say, “You guys are brave for publishing your handbook.” And both Matt and I are like, “Really?” It didn’t take guts from our side, it just felt like the right thing to do. So, I think that that’s a really important thing with empathy, first of all, being transparent in what you’re doing. Trust is everything for us. So, in order to gain the trust of our clients, of our peers, of everyone, we need to show our hand a little bit and say, “This is how we do things.” Again, the interaction is very personal and very human. We started seeing a shift in our industry moving away from that, doing engagements and penetration tests as a bit of a commodity, a bit of a checkbox exercise, like, “Okay, cool, go do these things. Go check off all these items and you’re done.” But it’s not quite like that. Businesses are not made from nothing, businesses exist because there are a bunch of actual people working there. And the success or the failures of those businesses really depend on the people.
[20:13] Alexei Doudkine: So, that’s the core of it. For us, it’s having that very human interaction, person-to-person, understanding what their fears and what their needs are, and what they need help with. And figuring that out is just as important as figuring out “What systems do we need to test?” One of the things that we always go back to is — I keep using penetration tests because that’s what I know but we always ask, “Why are you doing this penetration test?” And the first answer we get is, as expected, “Well, we want to find vulnerabilities.” I kind of get these looks like, “Why would you ask me that? Isn’t it obvious why we’re doing penetration tests?” And I kind of push further and go, “Okay, but why do you want to find those vulnerabilities?” I keep digging a bit deeper and deeper until I get to the core of why they want to improve their security. And then it could be, “We want to protect our clients’ data from being exposed,” or “We want to protect our own intellectual property from being exposed,” or “We want to continue to write code, build toasters,” whatever it is. So, getting to that core of it is really kind of our strength. I think we put a lot more effort into that than others.
[21:33] Andra Zaharia: And I bet that it makes a huge difference for customers as well because they probably never sat with this question as much as they thought they did. It’s often through questions and conversations that we discover a lot about ourselves, at the end of the day; what we really care about, what we really think about things, what’s truly important to us. And having that level of clarity and not being afraid to have these conversations, I think, is so important. Because as you know better than me, especially in penetration testing, there’s this fascination, and then obviously, excitement around all of the technical things that you can do, and all of the ways that you can manipulate technology and then human psychology to expose its weak spots. But when it comes to dealing with businesspeople and people who are outside the cybersecurity industry, who don’t have a shared language for this, I feel that there’s a reluctance to have the more difficult conversations there. It’s thrilling to see that you’re taking a different approach, that you’re building on this, and that you’re sharing these things transparently with the community, which we need so much more of to be able to lift everyone up.
[22:50] Alexei Doudkine: It’s surprising it hasn’t happened yet. I understand security is still a baby industry. Security in computers has literally only been a thing for like 30 years. It just didn’t exist back then. We’ll catch up eventually, I’m sure. Like I said, it’s still a young industry. But you’ve got to start somewhere. And even if people want to call us out and say, “I read your handbook. I don’t agree with this.” That’s great. We want that kind of stuff. And it’s got to start somewhere. Even our clients – they can look at it and say, “Hey, I read on your handbook you’re supposed to do this but you didn’t. You didn’t do that during your pen test, how come?” And we’d better have a good answer for that, either like, “Yeah, we made a mistake, sorry. We’ll get on that right away,” or “Oh, well, in this case, it’s a bit different,” whatever the answer is. But it gives a bit more power to the clients, I think, which is good in that it moves away from, “Well, here’s your report.” And the client’s going, “Is this good? Is this bad? I don’t really know. I’m not an expert. That’s why I hired you. So, I kind of just have to trust that it’s good.” Versus if we’re a bit more transparent and say, “Well, this is the stuff that we need to do, not from a technical perspective, but what our expectations are from a consulting approach.” They can push back and say, “Hey, this wasn’t up to par communication,” or “The way the report was structured wasn’t great, it was too technical,” or whatever it is. We can have those conversations, which is great.
[24:27] Andra Zaharia: And I think that it gets them to have skin in the game. You can create these things for them. But if they want to actually read them and go through them, that’s a great way of educating themselves. And they’ll be able to apply that knowledge in various ways, and in many ways that I think are unexpected. Because security is not just a point solution thing, it’s much broader than that, and it teaches you to see things that you, otherwise, probably wouldn’t notice. So, thank you for this conversation and for these examples, and for sharing so openly. It is incredibly refreshing and exciting to talk to people like you and to be able to take these conversations outside this echo chamber that we’re trying to pierce through — all of us — to get more people interested in what is a fundamental discipline for how our society evolves without being too pretentious.
[25:26] Alexei Doudkine: I’m passionate about this stuff. So, I’m happy to talk about this stuff all day, really.
[25:33] Andra Zaharia: Well, I’ll make sure to add your contact details in the show notes so anyone who wants to get in touch with you or your co-founder or with Volkis, in general, will have an easy way to reach you. Thank you so much, Alexei. This has been a pleasure.
[25:48] Alexei Doudkine: Thank you so much for the invite.