# **What is Ethical Hacking**

Ethical Hacking is the practice of **thinking like an attacker to defend the system**, but within explicit ethical and legal boundaries (written authorization, a protective purpose, traceability of every action). The difference from malicious hacking is not technical but one of intent and authorization: same tools, opposite purposes.

**Breaches aren't random events**: they arise from **structural weaknesses** (missing patches, weak credentials, exposed attack surfaces). Ethical hacking makes them visible and measurable before they become incidents, transforming the unknown into managed risk.

The cycle is not a checklist but a **cognitive strategy** that mirrors how an adversary reasons about a target:

- **Reconnaissance** – build a mental model of the target.
- **Scanning/Enumeration** – expose the real surface (services, ports, versions).
- **Controlled Exploitation** – safely confirm that a suspected weakness is really exploitable and measure its impact, without damaging the target.
- **Post-Exploitation Analysis** – understand scope and potential lateral movement.
- **Reporting & Remediation** – translate technical evidence into mitigation and governance priorities.

---


### **Motivations**: Attacks as a Function of Incentives

**Hackers are not a single entity**: their intent and incentives vary. Typical (often overlapping) drivers are:

- **Economic** (ransomware, credential theft).
- **Ideological/hacktivism** (symbolic damage in protest).
- **Espionage** (strategic/competitive advantage).
- **Curiosity/expertise** (challenge seeking, underestimating legal risks).
- **Retaliation/internal** sabotage (abuse of legitimate access).

For risk management this diversity means threats that differ in actor profile, timing and impact, so no single defensive posture fits all of them.

### **Methodologies**: A Recurring Adversarial Intelligence

**Regardless of the motivation**, the attacker's workflow converges on the same pattern (mirroring the ethical hacking cycle, with opposite goals):

- **Reconnaissance (intelligence)** – build a model of the target (people, systems, processes).
- **Scanning/Enumeration** – expose the real surface (ports, services, configurations).
- **Gaining access** – exploit the way in (vulnerabilities, stolen or weak credentials, supply chain).
- **Maintaining access** – persist (backdoors, RATs, living-off-the-land techniques).
- **Covering tracks** – degrade the defenders' visibility (log tampering, anti-forensics).

### **Defense**: From Event to System

An effective preemptive strategy translates that workflow into lifecycle countermeasures:
- **Informed prevention** (asset inventory, hardening, prioritized risk-based patching).
- **Targeted detection** (useful telemetry, not "noise").
- **Response and containment** (playbook, least privilege, segmentation).
- **Lessons learned** → governance (metrics, accountability, reporting culture).

### **The WannaCry Case**

WannaCry (May 2017) was a worm that spread through the SMBv1 vulnerability fixed by Microsoft's MS17-010 update, released about two months before the outbreak. It was not just "malware," but proof that:

- Patch management and known-vulnerability management are factors of resilience, not bureaucracy: the fix existed before the attack.
- Local negligence can scale to global impact: one unpatched, exposed host is enough for wormable code to get in and then spread laterally.
- Understanding the techniques and the attack chain enables proportionate mitigations (patch or isolate exposed and critical systems first, disable SMBv1 where it is not needed, block SMB at the perimeter).

### **Framework**
**Motivations** explain the attack, **methodologies** make it possible, **anticipation** makes it unlikely.
Don't stop at the "what" (malware), work on how those who use it think.

---

### **One-screen: Types of hackers**

* **Black hat** — illegal; profit/sabotage (malware, ransomware, phishing, data sale, account takeover (ATO)).
* **White hat** — authorized defense (pentest, responsible disclosure).
* **Grey hat** — acts without permission but generally without malice (e.g. reports a flaw found by unauthorized probing); ethical/legal gray zone.
* **Red hat** — vigilantes targeting black hats with aggressive/off-channel methods.
* **Script kiddies** — prebuilt tools, low skill, noisy, attention-seeking.

### **Investigation mantra (5 steps)**

**Why → How → Signal → Test → Act**

* **Why**: infer motive (money, ideology, espionage, revenge, clout).
* **How**: map TTPs (Recon → Scan → Access → Persist → Cover).
* **Signal**: failed-login spikes, IP churn across accounts, odd user agents, geovelocity (impossible travel), small test charges on cards, configuration gaps.
* **Test**: validate the cheapest hypothesis first (e.g., credential stuffing, ransomware, script-kiddie noise).
* **Act**: contain (rate limiting, MFA), protect users (password reset, session/token revocation), hold risky transactions, preserve logs before they rotate, harden (bot mitigation, patching, least privilege), run a post-mortem.
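The Signal, Test and Act steps of the mantra, run over a small authentication log, as an added example (this is not code from the original page). The pipe-delimited log layout, the thresholds, the sample lines and the function names (`parse`, `signals`, `evaluate_hypotheses`, `triage`) are all assumptions constructed for illustration; geovelocity is left out because the constructed log carries no geolocation.

```python
"""Signal -> Test -> Act over a constructed authentication log.
Added example, not code from the original page. Log layout, thresholds and
sample lines are assumptions; geovelocity is omitted (no geolocation in the log).
"""
from collections import Counter, defaultdict
from typing import NamedTuple

Event = NamedTuple("Event", [("ts", str), ("user", str), ("ip", str), ("ua", str), ("ok", bool)])

# Constructed log, "ts|user|ip|user_agent|result". A botnet tries many accounts once
# each from many IPs with an automation UA (the guess for "frank" works), one IP
# hammers "admin", and "alice" mistypes her password once from her usual browser.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z|bob|198.51.100.7|python-requests/2.31|FAIL
2024-05-01T10:00:06Z|carol|198.51.100.8|python-requests/2.31|FAIL
2024-05-01T10:00:06Z|dave|198.51.100.9|python-requests/2.31|FAIL
2024-05-01T10:00:07Z|erin|198.51.100.10|python-requests/2.31|FAIL
2024-05-01T10:00:07Z|frank|198.51.100.11|python-requests/2.31|OK
2024-05-01T10:00:08Z|grace|198.51.100.12|python-requests/2.31|FAIL
2024-05-01T10:00:09Z|heidi|198.51.100.13|python-requests/2.31|FAIL
2024-05-01T10:01:00Z|admin|192.0.2.55|curl/8.4.0|FAIL
2024-05-01T10:01:01Z|admin|192.0.2.55|curl/8.4.0|FAIL
2024-05-01T10:01:02Z|admin|192.0.2.55|curl/8.4.0|FAIL
2024-05-01T10:01:03Z|admin|192.0.2.55|curl/8.4.0|FAIL
2024-05-01T10:02:00Z|alice|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/125.0|FAIL
2024-05-01T10:02:10Z|alice|203.0.113.10|Mozilla/5.0 (Windows NT 10.0) Firefox/125.0|OK
"""

# Thresholds are assumptions; tune them to the site's normal failure rate.
BROWSER_UA_PREFIXES = ("Mozilla/",)  # anything else counts as an "odd" UA
FAIL_SPIKE = 4                       # failures from one IP: brute force or spray
STUFFING_MIN_IPS = 5                 # distinct failing IPs spread over ...
STUFFING_MIN_USERS = 5               # ... distinct accounts: credential stuffing


def parse(log: str) -> list:
    """Parse the pipe-delimited log into Event records, skipping blank lines."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, user, ip, ua, result = line.split("|", 4)
            events.append(Event(ts, user, ip, ua, result == "OK"))
    return events


def signals(events: list) -> dict:
    """Signal step: per-IP failure spikes, IP churn across accounts, odd UAs."""
    users_per_ip, ips_per_user = defaultdict(set), defaultdict(set)
    fails_per_ip, odd_ua = Counter(), Counter()
    for e in events:
        if not e.ok:
            fails_per_ip[e.ip] += 1
            users_per_ip[e.ip].add(e.user)
            ips_per_user[e.user].add(e.ip)
        if not e.ua.startswith(BROWSER_UA_PREFIXES):
            odd_ua[e.ua] += 1
    return {
        "fail_spike_ips": {ip: n for ip, n in fails_per_ip.items() if n >= FAIL_SPIKE},
        "users_per_ip": users_per_ip,
        "distinct_failing_ips": len(users_per_ip),
        "distinct_failing_users": len(ips_per_user),
        "odd_user_agents": dict(odd_ua),
    }


def evaluate_hypotheses(events: list, sig: dict) -> list:
    """Test step: cheapest hypotheses first; each hit carries evidence and Act items."""
    found = []
    # Credential stuffing: many accounts, many IPs, about one try per pair, usually
    # from automation tooling. A success from that tooling is a likely takeover.
    if (sig["distinct_failing_ips"] >= STUFFING_MIN_IPS
            and sig["distinct_failing_users"] >= STUFFING_MIN_USERS):
        tooling = set(sig["odd_user_agents"])
        taken_over = sorted({e.user for e in events if e.ok and e.ua in tooling})
        found.append({
            "hypothesis": "credential_stuffing",
            "evidence": {"failing_ips": sig["distinct_failing_ips"],
                         "failing_users": sig["distinct_failing_users"],
                         "odd_user_agents": sig["odd_user_agents"]},
            "accounts_to_reset": taken_over,
            "act": ["rate-limit per IP/ASN, enable bot mitigation, enforce MFA",
                    "reset passwords and revoke sessions for accounts_to_reset; keep raw logs"],
        })
    # A single IP with a failure spike: one target is brute force, many is a spray.
    for ip, n in sig["fail_spike_ips"].items():
        targets = sorted(sig["users_per_ip"][ip])
        found.append({
            "hypothesis": "brute_force" if len(targets) == 1 else "password_spray",
            "evidence": {"ip": ip, "failures": n, "targets": targets},
            "act": [f"block or rate-limit {ip}",
                    f"lock or step-up MFA on {', '.join(targets)}; check for any success"],
        })
    return found


def triage(log: str) -> list:
    """Why and How stay with the analyst; this runs Signal -> Test -> Act over a log."""
    events = parse(log)
    return evaluate_hypotheses(events, signals(events))
```

On the constructed log, `triage(SAMPLE_LOG)` reports credential stuffing (with `frank` as the account to reset, because the one success came from the same automation user agent as the failures) and a brute-force attempt against `admin` from a single IP; `alice`'s single mistyped password is not flagged, which is the "useful telemetry, not noise" point from the defense section.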

---