DefCamp #11: Cosmin Iordache (Inhibitor181) on the mindset and discipline of being a bug bounty hunter

Seeing your business from an ethical hacker’s mindset can have an illuminating effect. Especially when that hacker is a prolific one, having found, analyzed, and reported countless vulnerabilities.

This is exactly what the interview with Cosmin Iordache (Inhibitor181) is all about. At the end of 2020, Cosmin reached a huge milestone that got him media attention and well-deserved kudos: he became the first bug bounty hunter to earn more than $2,000,000 in bounty awards through the vulnerability coordination and bug bounty program HackerOne.

We wanted to tap into this experience and perspective for the DefCamp #11 interview series because diversity is crucial to expanding your understanding of the infosec industry and how it’s shaping decisions in technology, business, and even politics.

So how do you become a bug bounty hunter?
And what catches your attention when you’re hunting for vulnerabilities all day every day?

Let’s find out!

PII is still a major blind spot for most people

The “I have nothing to hide” and “my data’s not interesting to cybercriminals” arguments are still ways most people think about their digital footprint. Unfortunately, this slow, steady trickle of personal information broadcasted online has a compound effect that leads – with certainty – to a massive impact down the road.

Cosmin thinks it’s a topic we don’t talk about enough to people outside the infosec industry. We wholeheartedly agree!

“I think an important topic that many times is not cared for enough is our personally identifiable information (PII).

I see many cases where people tend to very easily share their identity online without thinking about consequences or even companies that do not care enough about breaches.

Many of us think that a potential attacker does not care about us, we are simple individuals that are uninteresting to them. That may be partially true in the beginning, but when our PII is getting sold on the black market and then fed to various groups that have a lot of automation tools or people that actively use this data maliciously we can become the targets.

Phishing is pretty common and can be pretty easily identified, but this can be leveraged into sending actual letters and I have also seen SIM swapping attacks that have devastating effects.”

We’ve had countless presentations at DefCamp in the last decade that illustrate and prove how cybercriminals are scaling their malicious operations to leverage the wealth of personal details people share.

But it’s not enough to cascade this knowledge to our tech-inclined peers. We must also broadcast it persuasively to decision-makers.

Cosmin identifies a starting point for this.

“A very serious challenge I tend to often see is how to properly configure many cloud or SaaS services.

Those are usually extremely complex services that are very customisable and tend to come with a lot of documentation.

Setting everything secure and giving it the needed flexibility a company needs is often a very hard job and, if improperly done, can leave someone vulnerable to a trained eye.”

In 2020, a survey of 300 senior IT decision-makers revealed yet another worrying static: 8 in 10 companies across the US experienced a data breach whose underlying cause was cloud misconfigurations.

This is consistently one of the essential problems that plague companies of all sizes and that allow attackers to exploit these misconfigurations to their advantage.

As more and more software becomes plug & play, the issue is bound to escalate. While usability and no-code software has many benefits, if it’s not secure by design, it has deep and serious implications for its users, no matter if they’re businesses or consumers.

Technology innovation and its mixed blessings

There are many things in tech that act as a two-edged sword, such as pre-configured, ready-to-use software. Advancements in cybersecurity tend to work similarly, and the 2020 FireEye hack – plus the subsequent SolarWinds attack – are proof.

Cosmin highlights the risks and implications that constantly challenge information security pros and other specialists who can see the far-reaching implications of developing advanced tools.

“In my opinion, there is a very fine balance between malicious attackers and “good” attackers in general.

In the last few years, several new attacking techniques were made public by security researchers that have naturally also been picked up by malicious actors. This adds to the layer of complexity of how to properly secure a network or an app, but it is not a bad thing.

First, it raises awareness and, second, what would happen if the same technique was known only by the bad guys?

The reverse also happens: first, an exploit is found and then reversed so that other systems can be properly secured.

So I feel that advancements in cybersecurity are a double-edged blade, but no one should bury their heads in the sand and ignore potential consequences.

Serious organizations should adopt proactive testing of their online systems and always be up to date with everything that happens in this world.”

Building a career as a bug bounty hunter

Many infosec specialists, no matter their expertise, will tell you that all it took was a spark to move from their previous background and into cybersecurity. For Cosmin it was attending a security seminar while working as a developer.

“Being a bug hunter is something I have chosen after finding out about a security seminar while working as a dev.

I really fell in love with it pretty fast because it gives me the flexibility I wanted and because I am getting paid for actual results.”

The mirage of fast gains and fame is what attracts many people to bug bounty hunting, but Cosmin will tell you it’s about much more than that. The real achievement is a combination of satisfaction of having an impact, getting paid for it, and fueling your development with constant learning.

“Being a bug hunter is pretty straightforward: I am allowed to hack X or Y according to their scope and terms, I find an exploit and if I am the first to find this particular attack vector, I receive a bounty according to the company’s bounty table, based on actual impact of course. And that’s the short story.”

Behind the scenes, Cosmin is engaged in relentless self-education and the constant practice that helps him internalize what he learns while also developing new, creative approaches. His discipline is based on 3 key elements.

“Three things I have learnt include:

  1. there is a very steep learning curve: because this is a competitive area, the learning curve is very steep for a newcomer with low experience. It takes years of learning and practice until you reach a steady income flow.

  2. the community is very helpful and open: even if it’s competitive, people are always willing to collaborate with you and we learn from each other.

  3. invest time in something specific: investing time is one of the most important things you have to do. There is no shortcut here. Whether it is investing time in learning an attacking technique, reading specifications and docs, or doing research, it is irrelevant. As the learning curve never stops, you should be prepared to invest time in different matters or topics based on the current level you are at.”

SMEs bound to continue to be vulnerable to cyberattacks

It’s a harsh reality that, in crisis situations, those that suffer the most are the most vulnerable categories, whether we’re talking about individuals or organizations. The companies that lack resources, a cash runway, or a steady income have limited options and, thus, will always be an attractive target for cybercriminals.

Cosmin makes an important point about small and medium businesses that were forced to reduce their cybersecurity budget in 2020 and possibly for the foreseeable future.

“The trend I saw in 2020 will probably continue also in 2021. In large organizations, I have not seen any trend in decline or a shift in the importance of cybersecurity. On the contrary, it has grown. However, for smaller organizations, the budget for cybersecurity shrunk or they simply cut it altogether.

Although I do not agree with it, this is understandable as more funds were needed in other, more vital parts. But those were pretty rare and isolated cases as data security is an important part of an organization.”

Before you go and set up an account on CyberEDU so you can start practicing your cybersecurity skills, take a moment to let this sink in.

3 key takeaways to build on:

  1. Cultivate your understanding of how technology works and how tech advancements shape and influence the field of information security
  2. Invest your time and energy in focused learning as soon as you gain a stronger footing in cybersecurity. Do it consistently to advance and keep up with evolving challenges.
  3. Be a generous contributor to the infosec community and you will find other like-minded people who will support you just as you support them.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..