More than two-thirds of hackers can break through cybersecurity defenses and into the systems they target within 12 hours. A full 81% say they can identify and take valuable data within 24 hours.
That’s according to The Black Report, assembled by Chris Pogue, CISO of Nuix. At DEFCON, he gathered a room full of hackers and handed them a paper survey with the intent to help CISO/CSOs and enterprise security teams understand which security countermeasures really do have an impact and which do not.
The results are concerning: When it comes to the cybersecurity arms race, many countermeasures that you think will stop an attacker won’t even slow them down. And other defensive techniques that you think are totally arbitrary actually have a tremendous impact on security posture.
For instance, defensive countermeasures typically focus on indicators of compromise (IOCs), or known specific activities or programs that are associated with an attack pattern. Now, that would be an effective strategy if attack patterns either never changed, or only changed some of the time.
“Exactly 50% of our respondents changed their attack methodologies with every target. A further 38% changed things at least every six months,” the report noted. “The smallest grouping (5%) said they changed things every 12 months or more … maybe these are the same people who keep getting caught?”
In terms of their offense, the preconceptions hold up better. During the reconnaissance stage of an attack, 72% of pentesters use some aspect of social engineering to gather information about their targets. Only 15% claimed they never used this tried-and-true attack method.
During the next stage of reconnaissance, 86% of hackers used vulnerability scanning to identify potential vulnerabilities in their targets; 24% said they did it frequently and 22% said they always did it.
That said, if security decision-makers think attackers use commercial tools or private exploit kits to carry out their attacks, the Nuix data indicates otherwise. Only 10% used a commercial tool set such as the Core IMPACT exploit framework or the Cobalt Strike threat emulation package. An even smaller number owned up to using private exploit kits (5%) or exploit packs (4%).
Instead, a large majority of respondents used open-source tools (60%) or created their own custom tools (21%). This shows that the tools required to hack are easily acquired without having to pay large fees or frequent suspect websites.
Meanwhile, direct server attacks were the most popular method for breaking into systems, favored by 43% of attackers. Phishing attacks were also popular at 40%, while drive-by and watering-hole attacks came in at roughly 9% each.
“What’s very much lacking is a solution that ties everything together and allows you the flexibility to respond to all of the threats your organization faces,” the report noted. “The majority of our respondents say they change attack tactics regularly or even with every engagement; why would you want to combat that with a rigid, outdated approach to security? You’ll never come out on top. We need to understand that security is more than just a policy on a piece of paper, an antivirus program or a group of professionals sitting in a room scanning log events. It’s all of the above, and it’s piecing everything together in a way that makes sense.”