Hacking for good: Meet the ethical hackers whose job it is to test Wells Fargo’s cybersecurity defenses
Sometimes more hackers — not fewer — are needed to combat today’s cyber threats. Wells Fargo’s Offensive Security Research Team simulates real cyberattacks to better protect customer money and information.
In the ongoing effort to thwart hackers, the best defense involves a good offense. For Wells Fargo, that means employing its own team of hackers.
Using an offensive security group — also known as a “red team” — is a reality of the 21st century. As society increasingly relies on advancing technology, vulnerabilities can show up in the cyber defenses of financial institutions, government agencies, and other vital organizations.
That’s why Wells Fargo’s Offensive Security Research Team, or OSRT, flips the script. This world-class group of ethical hackers doesn’t wait for bad actors to find weak spots. They simulate sophisticated threats to test the bank’s cybersecurity measures and to patch up flaws.
Here’s what you need to know about this unique layer of the company’s efforts to safeguard money and information and, ultimately, to earn your trust.
What is ethical hacking?
Ethical hacking is designed to enhance security, not take advantage of it for malicious reasons or personal gain. By running realistic offensive measures, the red team can proactively shore up the company’s cyber defenses by finding cracks.
“OSRT anticipates the next attack and helps to ensure that Wells Fargo and its customers are protected before it happens,” said Luke, a Lead Security Research Consultant on the OSRT’s Threat Simulation team. “Collaborating with the brilliant members of my team to solve these problems and meet our goals is extremely rewarding.”
The red team researches emerging technology and new hacking methods. When they find an opening, they’ll plan an attack with no impact to customers. If an operation is successful, they’ll work with the blue team, or the groups responsible for detecting and defending against threats, on an improvement.
Luke and his team execute full attack chains, often using technology in unintended ways, to demonstrate impact and reduce risk before the organization is targeted by a real bad actor.
Why is having a red team important?
These hackers complement the many cybersecurity measures Wells Fargo has in place by posing as real-world adversaries. They can think and act like the bad guys by taking pages from their playbook — sometimes in unexpected ways. For example, one OSRT member who specializes in hardware created a gadget that targets company devices.
“The red team exercise is going to look exactly like a sophisticated threat actor such as a nation state or organized crime group,” said Todd, an OSRT leader. “If we go undetected, then we’ll try to enhance our detections for future attacks.”
The red team’s importance goes beyond simulation. They serve as another research arm of the company’s cyber defenses by providing findings on how effective attacks are and how they can be detected. They know the company’s defenses better than anyone.
“The people I work with are at the top of their game. We have some of the best talent I’ve ever met,” said Jonathan, an OSRT cybersecurity researcher, “so I have a strong confidence in our defenses.”
What does it take to become an ethical hacker?
Wells Fargo’s red team hackers are self-described tinkerers and curious puzzle solvers. They’re part of the growing field of cybersecurity technology and boast backgrounds in defense, cybersecurity, software development, and computer engineering. Their job requires both the patience to do lengthy research and the ability to perform under pressure.
“The solutions I develop work in our complex and large infrastructure to help ensure that data is properly secured,” said Shawn, a Senior Lead Cyber Security Research Consultant on OSRT. “The work is complex and has infinite opportunity for using creativity and technology to reduce risk to our data and infrastructure from malicious intentions.”
A workday may occasionally resemble the dramatic twists of a spy thriller or the nail-biting moments of a heist movie, but this is serious work. What they learn goes back into the bank to better protect customers and their peace of mind.
“A bank runs on confidence. If you lose your money or get hacked, you no longer feel secure,” Jonathan said. “We offer security for people’s money. If customers don’t feel they can trust you, their business is gone.”