Jakub Novák from Sales: 8 years of ethical hacking at Citadelo

What motivates companies to buy ethical hacking services, and who is still the strongest attack vector? A look at how offensive security has evolved in the Czech Republic and Slovakia over the past 8 years, since Jakub joined Citadelo's sales team, will leave you with plenty to think about, and may even prompt you to act before you find that an unwanted visitor is already operating on your network.

We interviewed Jakub Novák. Jakub has a technical background: he graduated from the Faculty of Informatics and Information Technologies at the Slovak University of Technology in Bratislava and has worked at Citadelo as a Sales Manager for more than 8 years, handling business development and managing a portfolio of clients with a combined turnover of over CZK 100 million. He covers all of Europe, primarily the Czech Republic, Slovakia and the DACH region, across almost every segment: banking and finance, fintech and startups, industry, automotive, healthcare, telecommunications, IoT and more.

Jakub, an easy question to get started. What were your beginnings in offensive security?

It's been 8 years this year since I joined Citadelo as one of its first salespeople. The beginning was really challenging for me. I had never done sales before and was pretty much on my own. When I think about it now, it was and always will be a huge milestone for me, because I basically decided to completely change my focus at that time: to jump from being a degreed technical person/developer into the world of business, which I knew absolutely nothing about. I guess the main reason was that I saw myself in Citadelo's previous salesman, who was just on his way out. I just said to myself at the time that I was going for it, and I put everything on the line. And let's face it, I knew from the beginning that I wasn't the type who could stand looking at a monitor for 8 hours a day.

Penetration testing and related services were only being addressed by a few companies back then (turn of 2015-2016). The first to adopt them were mainly financial institutions and entities that worked closely with financial institutions. These are still the entities that largely drive this type of business to this day. That is to say, doing business in my early days in the cybersecurity world with other types of companies meant paving a whole new path. Of course, kudos to the exceptions.

What are the motivations of clients who decide to contact you for testing?

Gradually, as legislation such as the Cybersecurity Act, GDPR, NIS, etc. came in, companies from other industries started to understand us more and more. For me, this is not the happiest way to come to this topic, as companies more or less arrive out of compulsion, but it is a significant step forward. My dream progression would be for companies, and therefore the people who run those companies, to address cybersecurity proactively and preventively so that they can sleep well and focus on their business. We are not there even now.

When do they decide to contact you about testing?

There are basically four main motivations that I have seen, then and now:

  • Compliance with various regulations, such as the Cybersecurity Act, GDPR, NIS, ISO 27k, etc.
  • Their own client requires it
  • A security incident happens to them
  • They want to sleep well and go about their business without worry, so they are proactive about security

Of course I don’t want to lump everyone together, in many cases it can be a combination.

At the very beginning, almost all companies active in the market basically came from the first two categories. On January 1, 2015, the Cybersecurity Act came into force, and right after that, in 2016, the NIS Directive. These hit banks, financial institutions, the energy industry, critical infrastructure and others first. That's when the tables began to turn. At the same time, given the rapid increase in hacker attacks, other companies began to realize that they had assets to protect in the digital world, as their loss directly affected their existence.

Development of tested sectors at Citadelo:

  • Financial sector
  • Developers and technology companies
  • Energy sector
  • Manufacturing industry
  • Pharmaceuticals

What is the current situation from Citadelo's perspective regarding companies' interest in ethical hacking?

There is a growing interest from companies and this is for several reasons:

The first, which I am incredibly happy about, is the companies’ own initiative. With the extreme increase in hacking attacks, it is already clear to companies that it is not a question of if, but when they will be targeted. Therefore, they want to know an ethical hacker’s view of their infrastructure, application or entire organization just to protect themselves before the real black hat hackers turn their attention to them. And that’s the right decision.

When we look at our statistics, which we owe to our excellent marketing department, we conducted 384 simulated attacks in 2023, finding 2,795 vulnerabilities. That's an average of 7 vulnerabilities per attack, and that's a lot. For a hacker, this means 7 more or less critical vulnerabilities ready for him to use, which he can chain together to cause enormous damage to the company.

At the same time, the NIS2 directive is about to take effect (end of 2024), mandating other market segments to perform offensive security testing. In the Czech Republic and Slovakia, this will affect approximately 10,000+ new companies and involves a total of 19 market segments.

Then there's DORA (effective January 17, 2025) which, among other things, directly mandates comprehensive testing of the company, such as Threat-Led Penetration Testing (TLPT), which is similar to our Red Teaming: a simulated, comprehensive hacking attack on a company.

With the European NIS2 Directive and the new law on cyber security that the Czech Republic is preparing, this topic is already definitely resonating in company circles.

| In 2023, we conducted 384 simulated attacks in which we found 2795 vulnerabilities. Webs, Clouds and Infrastructure lead the way.


With the European NIS2 Directive and the new cybersecurity law that the Czech Republic is preparing, this topic is clearly resonating in company circles. What does this mean for CISOs from an offensive security perspective?

After October 17, 2024, CISOs will need to assess the so-called cybersecurity management scope, identify risks and start working to address them within a year. From an offensive security perspective, we, as Citadelo, are right at the beginning of the process, helping CISOs determine the scope of vulnerabilities in their systems through penetration testing and audits and providing suggestions for remediation.

The process for companies newly entering this regulation includes:

  • Determine the size of the enterprise
  • Determine if they are a “core entity” or a “critical entity”.
  • Undergo a cybersecurity audit
  • Find and assess risks and vulnerabilities
  • Develop an implementation plan
  • Start implementing it within a year

Budget

For example, NÚKIB in the Czech Republic conducted research on real companies and determined the average cost of implementing the measures to be CZK 800K - 1.2 million per company system. This is a significant amount of money that companies will have to spend on cybersecurity, and CISOs need to set these budgets today and prepare to spend them soon.

| Set budgets today; the estimated cost is CZK 800K - 1.2 million per system.

What services are most in demand at the moment?

Penetration tests of web and mobile applications, of course, including tests of the APIs through which applications communicate with backends, and infrastructure (perimeter vs. internal infrastructure). There is also a growing number of requests for comprehensive Red Teaming simulated attacks. Current trends are OSINT, social engineering (phishing/vishing/smishing, physical penetration, etc.) and also integrations with LLMs/AI.

Who or what is the most successful attack vector, i.e. entry point into a company’s infrastructure, today?

Our internal statistics show that the weakest link has been, is, and I dare say probably will be for a long time, the human factor. Our long-term success rate for simulated hacking attacks combining vishing and phishing is almost over 40%, i.e. almost every second victim succumbs to our simulated attack and lets an ethical hacker into the company infrastructure. This is an alarming state of affairs. The next most successful entry points are a vulnerable client application or the company perimeter.

Currently, social engineering attacks using AI and LLMs are already on the rise. As an example, take a recent hacking attack in which the CFO of a certain bank in Hong Kong was tricked by a combination of a deepfake online meeting and phishing. The attack resulted in a financial loss of $25 million.

The use of these technologies almost blurs the distinction between fiction and reality for victims. This percentage can therefore be expected to increase.

| More than 40% of victims will unknowingly allow an ethical hacker into their company’s network.

How can such a Phishing & Vishing attack take place and does it make a difference in what business sector the hacker is doing it?

The business sector does not matter. If a hacker wants to hack a company, he will first do OSINT (open source intelligence) on it. He will find out who works there and in what positions, what information about the company is available in public and non-public sources and on darknets, the habits of the company and its people, and also whether there has been any data leak from the company, e.g. with passwords, etc. On the basis of the information found, he orchestrates the attack through selected victims, i.e. the people in the company who are of interest to him. Or he plans spear phishing targeting the whole company.

For a company of 100 employees, with a 40% success rate, he has the opportunity to get 40 victims whose workstations he can compromise to get into the company network.

How do you help clients defend against such an attack?

We work with clients to provide regular and thorough security training to employees, where in addition to the theory itself, we also give them practical demonstrations of various hacking techniques so that they can then identify them as best they can. And we combine this with regular penetration testing in the form of social engineering - phishing / vishing / smishing campaigns. This, in my opinion, is currently the most effective way to keep this percentage relatively low.

Employees often believe that they are more protected in the company environment and are unaware that the steps they are taking actively create an easy entry point for hackers into the company's network, nor are they fully aware of the devastating impact this entails. This knowledge needs to be passed on to them and their level of sensitivity needs to be tested regularly. Or maybe they are even aware of it, but in today's huge rush of work the percentage of errors is increasing, because everyone wants to solve every task as quickly as possible to the satisfaction of the employer.

You mentioned that there’s a growing interest in OSINT. What does this service clarify for the client and is there a difference between how Black Hat Hackers do it and how Citadelo does it?

The techniques used by black hat and white hat hackers are exactly the same. Within OSINT we can find out a lot of information for the client. Generally speaking, we can find out what is available about a company to black hat hackers on the web and on darknets, and therefore what cards they will play in a potential attack on the client. By finding out this data, the company gets a head start on protecting itself against a potential hacker attack.

Areas of Citadelo OSINT:

  • Leaked names and passwords, sensitive company documents, etc.
  • Reconstruction of their infrastructure, building plans.
  • Management, company structure and their business relationships.
  • Employee lists, details of their contact information, etc.

| Ethical hacking has become an integral part of offensive security testing.
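The two OSINT steps Jakub describes above, working out who works at the company and whether their credentials appear in a leak, are usually the first thing an attacker (or an assessment team) automates. The following is an added editorial example, not Citadelo's tooling and not code from the interview: it infers the company's e-mail naming convention from a few publicly observed addresses, generates candidate addresses for a scraped employee list, correlates them with a combo-list dump in the common `email:password` format, and ranks targets by leaked credentials and privileged role. It generalizes the single "first.last" case to several common patterns. The company, domain, names, roles and leak lines are all constructed for the example.

```python
"""Added editorial example: OSINT correlation of employee data with a credential leak.

Not Citadelo's code. Every input below is constructed: example-corp.test is a
fictitious company and the names, roles and leak lines are invented.
"""
import re
from collections import Counter

DOMAIN = "example-corp.test"  # constructed target domain

# Constructed: addresses seen in public (website, press releases, mailing lists).
KNOWN_ADDRESSES = [
    ("Anna Horakova", "anna.horakova@example-corp.test"),
    ("Petr Dvorak", "petr.dvorak@example-corp.test"),
    ("Lucie Mala", "lucie.mala@example-corp.test"),
]

# Constructed: employee list scraped from a professional network (name, role).
EMPLOYEES = [
    ("Anna Horakova", "CFO"),
    ("Petr Dvorak", "IT administrator"),
    ("Jan Svoboda", "Accountant"),
    ("Eva Novotna", "HR specialist"),
    ("Tomas Kral", "Sales manager"),
]

# Constructed combo-list lines in the "email:password" dump format.
LEAK_DUMP = """\
jan.svoboda@example-corp.test:Summer2021!
eva.novotna@example-corp.test:Password123
someone@other.test:hunter2
petr.dvorak@example-corp.test:Pdvorak2019
"""

# Common corporate local-part conventions; first and last name are lowercase.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstl": lambda f, l: f"{f}{l[0]}",
    "last.first": lambda f, l: f"{l}.{f}",
}

# Roles worth targeting first (finance for fraud, IT for network access).
PRIORITY_WORDS = {"cfo", "ceo", "cto", "it", "admin", "administrator", "finance", "accountant"}

LEAK_LINE = re.compile(r"^([^:\s]+@[^:\s]+):(.*)$")


def split_name(full_name):
    parts = full_name.lower().split()
    return parts[0], parts[-1]


def infer_format(known):
    """Vote for the pattern that explains the most observed addresses."""
    votes = Counter()
    for name, addr in known:
        local = addr.split("@")[0].lower()
        first, last = split_name(name)
        for pname, fn in PATTERNS.items():
            if fn(first, last) == local:
                votes[pname] += 1
    return votes.most_common(1)[0][0] if votes else None


def candidate_addresses(employees, pattern, domain):
    """Map each predicted address to the (name, role) it was generated for."""
    fn = PATTERNS[pattern]
    return {f"{fn(*split_name(name))}@{domain}": (name, role) for name, role in employees}


def parse_leak(dump, domain):
    """Return {email: password} for dump entries at the target domain only."""
    hits = {}
    for line in dump.splitlines():
        m = LEAK_LINE.match(line.strip())
        if m and m.group(1).lower().endswith("@" + domain):
            hits[m.group(1).lower()] = m.group(2)
    return hits


def target_list(employees, known, dump, domain):
    """Rank employees: leaked credential counts 2, privileged role counts 1."""
    pattern = infer_format(known)
    leaked = parse_leak(dump, domain)
    targets = []
    for email, (name, role) in candidate_addresses(employees, pattern, domain).items():
        has_leak = email in leaked
        privileged = bool(set(role.lower().split()) & PRIORITY_WORDS)
        score = 2 * has_leak + privileged
        targets.append((score, email, name, role, has_leak))
    targets.sort(key=lambda t: (-t[0], t[1]))
    return pattern, targets


if __name__ == "__main__":
    fmt, ranked = target_list(EMPLOYEES, KNOWN_ADDRESSES, LEAK_DUMP, DOMAIN)
    print(f"inferred address format: {fmt}")
    for score, email, name, role, has_leak in ranked:
        print(f"{score} {email:35} {role:18} leaked={has_leak}")
```

The same script serves both sides, which is Jakub's point that the techniques are identical: for an attacker it is the phishing target list, for the client it is the list of accounts that need a password reset and MFA before the report is even finished. Passwords from the dump are deliberately never printed; in a real assessment they go into the report only as "credential present in leak X".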

What advice would you give to companies when choosing an ethical hacking provider and what should they look for in the market?

It is definitely important to check out the company in terms of the depth of its expertise, i.e. quality, generally speaking. Ethical hacking is a complex discipline and it is always good to look for a partner with proven experience of that complexity. The expertise and seniority of the ethical hacking team is absolutely key in this regard. The adage "If two do the same thing, it's not the same thing" is doubly true in this industry. I would look for a company that has ethical hacking as its core business.

Published information on references, vulnerabilities found and CVEs or reports issued, length of time in the industry, number of ethical hackers, their technology focus and much more are all very good inputs. Ultimately, I would recommend meeting with the selected company and going through their processes for the service, as this may be what makes it not only high quality but also cost effective.


About the author

Citadelo is a firm of ethical hackers on your side. We think like hackers, but we don't abuse it. On the contrary, our main goal is to reveal vulnerabilities without causing damage. We have been conducting simulated attacks for our clients since 2006.