Talents' stories - Fabien Spagnolo, Head of Ethical Hacking, France

We are ethical hackers. The aim is to copy what real cybercriminals are doing online. We replicate cyberattacks in real conditions, using the same techniques and the same tools as real hackers, on request by our clients: ministries, banks, listed groups, but also SMEs. 

You use the term "hacker," which can cause confusion...

You're right, we need to be careful with our vocabulary.  

The term "hacker" originally referred to computer tinkerers, free-spirited tech enthusiasts, talented fixers. Over time, it has gained a negative connotation. So now it is usually associated with malicious intent and cybercrime.  

As ethical hackers, we are also known as pentesters. We also refer to "white hats," as opposed to "black hats," cybercriminals.  

The traditional approach to offensive security, particularly using pentests, aims to detect as many vulnerabilities as possible in a specific area, in a limited period of time. But due to the type of attacks we are seeing nowadays, and increasingly tough security systems installed by businesses, we really need to put ourselves in the situation. Targeting widely and effectively. No holds barred. 

Deploying a "Red Team" vs. a "Blue Team" - a military-inspired term - where an attacking team faces off against a defending team responsible for detecting and blocking these attacks.  

So, your role is to "act before getting hacked." Is it a simulation?

No, that’s not quite correct. We don’t pretend. We carry out a real cyberattack, we extract data, we can even intentionally disrupt certain services if our client asks for this scenario. The aim is to be as similar as possible to the real situation to identify weaknesses and fix them. It is a simulation only in the sense that we do not actually make use of the data, and we do not demand a ransom, but we genuinely exploit the systems and loopholes... 

We can reproduce different types of attack: simple thefts, ransom demands, state-sponsored attacks involving highly sensitive data. We use all possible means of attack: the internet to hack the website and access the internal network; targeting individuals via email and phishing, with the loophole opening as soon as a link is clicked; or just a simple phone call. We even carry out physical intrusions, entering the building and managing to connect to the internal networks. In this case, we have to open doors, clone passes, even pretend to be an electrician... the idea is to identify every weakness.  

The client asks you to carry out these attacks, but do they know when and how you will attack?

That depends on the type of service and the scenario. It can be basic, simple, and take a few days to review: we simply try to find as many vulnerabilities as possible in a limited area, such as a website.  

But the task can be much larger. Recently, a major industrial company with factories worldwide gave us a few weeks to see if a determined hacker would be able to extract data from the executive committee’s emails and take control of the financial systems. In this case, only the CEO and a few members of the Executive Committee were in the loop. We also had to test the response of the teams, who were unaware of what was going on. 

So, the aim is to identify as many vulnerabilities as possible in an organization...

Yes, whether technical, or linked to the company’s organization where people are involved, their ability to apply a procedure or raise the alarm. The use of tools is as important as the tools themselves.  

We are involved beforehand, but sometimes also afterwards, once an incident has raised awareness, for remediation, to restore best practices.  

What is the result? Is there a real wake-up call and adjustments, or a complete overhaul of the system in the businesses that are tested?

We have two use cases in practice. As I said, we range from the basics to longer and more complex assignments. In the first case, we are often contacted by groups, e.g., banks, who continually carry out these tests. These are standard and regular procedures for them. 

In the second case, particularly when we hold final meetings where we reveal all the identified weaknesses to our client. Sometimes it is a real shock. We are no longer talking about theory, a hypothetical risk, the "what ifs". When we demonstrate that we were able to steal the contents of the CEO’s emails, the reaction is not the same. Obviously this triggers a smaller or larger action plan depending on the identified risks and results. It sometimes requires a budget to be earmarked to handle urgent matters.  

What are the confidentiality rules during your assignments?

We never reveal client names, even internally at Orange Cyberdefense. They are only known to a few individuals. Audit reports are confidential and encrypted and destroyed after assignments if requested by our client.  

We have an ethical hacker charter signed by every ethical hacker, which outlines the protection measures we must follow to keep our clients’ data confidential. 

We must take great care to ensure that an ethical hacker is truly ethical. We often recruit within our network, on a referral basis. Some of our workforce has special state clearance for the most sensitive requests. 

Do you think that all companies should have these tests carried out - like we might visit the doctor to stay healthy?

That’s exactly right. Everyone should do it, at their own level, even SMEs. It is important to know where you are, carry out a diagnosis and decide on an appropriate budget. We sometimes go back to basics: do back-ups! 

These tests should be thorough, and the Government encourages them through the France Relance Plan for example. This support is useful for SMEs, and we are working with them more frequently.  

Cybersecurity is a lively industry that moves fast each day. You must be able to regularly take on new information, keep abreast of changes, which requires time and good organizational skills.  

Our job requires us to protect our clients against cyberthreats, we must adapt to their challenges, their background on the topic, their level of maturity. This has an effect on our advice to help them address weaknesses, and on the communication we use. We must be instructional, understandable, pragmatic, and persuasive.