Offensive cybersecurity, patrols of “good hackers” advance

Listen to the audio version of the article

The control tower of an Italian airport exchanges routine messages with the flight simulators that are training some pilots. Suddenly the messages derail from the routine and appear decidedly strange, the pilots are amazed and wonder what the heck is going on. But the same amazement shines on the faces of the flight controllers. It’s a hacker attack, they guess. What they don’t know is that they are “good hackers” or ethical hackers (in jargon “white hats”, the white hats from western films) engaged in an Offensive security test, an oxymoron that encompasses the activity in a single word of an expanding sector in the United States but also in Italy, in terms of services offered by specialized companies and professional training. In the increasingly strategic field of cybersecurity, which sees Italy growing but always lagging behind (we are in 11th place, for example, in the MIT Cyber ​​Defense Index). The attack on flight simulators is a real case, of the type man in the middleexplains Giannandrea Tateo, CEO of HN Security, a startup founded in 2021, based in Turin with specialists also in Florence and Rome, and which belongs to the Roman group Humanativa, owned by entrepreneur Stefano Commini.

The “white hats” of cybersecurity

“Good hackers”, explains Tateo, “make their expertise and passion available to test organizations’ IT infrastructures to verify their robustness and resilience”. A passion that for the older people was born in the basements in the early 2000s when they had fun and competed in hacking servers and IT infrastructures of the most disparate organizations, sometimes even risking complaints. «Over the last twenty years, someone has lost their way, others have made it a profession by putting themselves at the service of companies within the ICT departments, still others, the most visionary, have created real companies that offer Offensive Security services to their customers.” Offensive Security is the name given to this discipline to differentiate it from Defense Security, that set of hardware and software infrastructures whose purpose is to protect IT infrastructures and – in the event of hacker attacks – identify threats and isolate them to protect company assets.

Geeks in sweatshirts and managers in ties

Since the days of Kevin Mitnik, alias “Condor”, who left an American prison in 2000 and founded his security company, a global narrative has flourished over the last three decades around bad, good and “converted” hackers, which certainly the professionals who work for HN security have been drinking. «I know for a fact that some of my colleagues have personally known Mitnick, or HDMoore and others, but they don’t boast about it in public. Our two senior technicians Marco Ivaldi and Maurizio Agazzini – says Tateo – are two of the most renowned white hats in this small but very specialized world of Offensive Security, where everyone knows and talks to each other. They both started in this sector in the 2000s, on infrastructures and systems that have almost disappeared today, then they had the ability and passion to adapt to technological evolution. But in HN Security there are other younger and equally capable white hats, especially on new mobile technologies. How is the collaboration in the company between geeks in sweatshirts and management in ties? There is mutual respect and esteem, we are complementary, but now only I wear the tie in some meetings with the heads of the Public Administration. Of course, when we have to go to a client and ask for business casual clothing they tend to forget the business part…”.

How an offensive security startup is born and grows

HN Security was born three years ago precisely from the collaboration between these two technical and entrepreneurial “souls”, or from the meeting between the president of Humanativa Stefano Commini and two of these pioneers of offensive security who first developed their passion in the basements than on school desks. «Around them – Tateo continues – we have built a group of friends and former colleagues driven by the same passion: identifying IT flaws and then suggesting the remedy. We have gone from a turnover of 700 thousand euros in 2021 (with a positive Ebitda) to a forecast of 1,500 in 2024 and 2,000 in 2025 (with an Ebitda of 15%)”. Always investing heavily in people (today around twenty specialists) and in training, which are strategic aspects for aiming for excellence. «Our specialists follow an intense training program and dedicate 20% of their time to research and development: one day a week in which they study by playing, sometimes competing with each other in an attempt to hack what comes their way, always obviously in the limits of legality. To carry out our business you must be at least as good as your opponents.”

What types of interventions and how much do they cost

In addition to man in the middle already seen, among the types of intervention there is the classic one penetration test, authorized simulated cyber attack on a computer system or network, performed to evaluate the system’s security. Type attacks are more complete Red team, multi-layered simulations that aim to evaluate how an organization’s people, networks, applications and physical security controls respond. «We are also pushing a lot on activities that allow us to identify problems during the design and development of software, because identifying a flaw when it is already in production has an extremely higher cost, up to 30 times. Our work ends with the production of a detailed report that shows the vulnerabilities to which we associate the “Recommendations”, i.e. actions to be taken to remove or mitigate the threats that must not be carried out by the same subject (even if someone does it) . It’s an almost ethical question, I don’t have to look for vulnerability to then get myself more work.” An Offensive security project costs on average from 20 to 100 thousand euros, but the cost of implementing remedies can be several orders of magnitude higher, therefore very attractive for companies.