September 28, 2023

Hacking for good: Meet the ethical hackers whose job it is to test Wells Fargo’s cybersecurity defenses

Sometimes more hackers — not fewer — are needed to combat today’s cyber threats. Wells Fargo’s Offensive Security Research Team simulates real cyberattacks to better protect customer money and information.


In the ongoing effort to thwart hackers, the best defense involves a good offense. For Wells Fargo, that means employing its own team of hackers.

Using an offensive security group — also known as a “red team” — is a reality of the 21st century. As society increasingly relies on advancing technology, vulnerabilities can show up in the cyber defenses of financial institutions, government agencies, and other vital organizations.

That’s why Wells Fargo’s Offensive Security Research Team, or OSRT, flips the script. This world-class group of ethical hackers doesn’t wait for bad actors to find weak spots. They simulate sophisticated threats to test the bank’s cybersecurity measures and to patch up flaws.

Here’s what you need to know about this unique layer of the company’s efforts to safeguard money and information and, ultimately, to earn your trust.


What is ethical hacking?

Ethical hacking is designed to enhance security, not take advantage of it for malicious reasons or personal gain. By running realistic offensive measures, the red team finds cracks and can proactively shore up the company’s cyber defenses.

“We don’t just hack for fun,” said Andrew, a researcher on the Advanced Capability Research and Validation, or ACRV, team, which develops tools for the OSRT. “It’s critical that we find these things before that one malicious actor comes in and finds a weakness.”

The red team researches emerging technology and new hacking methods. When they find an opening, they’ll plan an attack with no impact to customers. If an operation is successful, they’ll work with the relevant blue team, or the groups responsible for detecting and defending against threats, on an improvement.

Andrew found an exploit years ago that the OSRT was able to plan an attack around. Because of him, code that Wells Fargo technologists developed to address his scheme is still found on company devices today.

“It’s always a game of cat and mouse between the blue and the red team. We’ll make an action, and they’ll learn how to detect it and improve,” said Brian, a member of the OSRT’s threat simulation and emulation team. “We’re keeping pace with each other.”


Why is having a red team important?

These hackers complement the many cybersecurity measures Wells Fargo has in place by posing as real-world adversaries. They can think and act like the bad guys by taking pages from their playbook — sometimes in unexpected ways. For example, one OSRT member who specializes in hardware created a gadget that targets company devices.

“The red team exercise is going to look exactly like a sophisticated threat actor,” said Kelly, an OSRT leader. “If we go undetected, then we’ll try to enhance our detections for future attacks.”

The red team’s importance goes beyond simulation. They serve as another research arm of the company’s cyber defenses by providing findings on how effective attacks are and how they can be detected. They know the company’s defenses better than anyone.

“The people I work with are at the top of their game. We have some of the best talent I’ve ever met,” said Jonathan, an OSRT cybersecurity researcher, “so I have a strong confidence in our defenses.”

What does it take to become an ethical hacker?

Wells Fargo’s red team hackers are self-described tinkerers and curious puzzle solvers. They’re part of the growing field of cybersecurity technology and boast backgrounds in defense, cybersecurity, software development, and computer engineering. Their job requires both the patience to do lengthy research and the ability to perform under pressure.

“This is kind of the real-life version of a strategy game,” Brian said. “One minor mistake can get us caught, so there’s excruciating detail we put into an operation. It’s very suspenseful.”

A workday may occasionally resemble the dramatic twists of a spy thriller or the nail-biting moments of a heist movie, but this is serious work. What they learn goes back into the bank to better protect customers and their peace of mind.

“A bank runs on confidence. If you lose your money or get hacked, you no longer feel secure,” Jonathan said. “We offer security for people’s money. If customers don’t feel they can trust you, their business is gone.”


