Nuix hacker survey shows how easy it is to breach perimeters
The second annual Black Report -- a hacker survey aimed at getting a different perspective on cybersecurity -- detailed how long it takes to breach a perimeter and what attacks are easiest.
A new hacker survey aimed at getting a different perspective on cybersecurity and attacks helps fill in gaps left by other major data breach reports.
The second annual Black Report from Nuix, a cybersecurity company based in Sydney, polled 112 hackers and penetration testers during the 2017 Black Hat and Def Con conferences in Las Vegas. According to Nuix, these two groups are relatively similar, with one minor difference.
"We have defined a hacker as someone who accesses computer systems or applications without permission to execute nefarious activities for destruction or personal gain. Penetration testers are professional hackers who operate within the boundaries of a legal statement of work that grants them permission to attack their target," Nuix wrote in the report. "It's important to note that this piece of paper is the primary difference between a malicious attacker and a skilled penetration tester, not the tools available to them or the techniques they use. Without this document, pen testers are engaging in criminal activity, so it's tremendously important."
A major area of focus for Nuix's hacker survey was in how long it takes to perform each stage of a data breach. In the 2017 version of the Black Report, Nuix found 71% of respondents claimed they could breach a target in less than 12 hours.
The same proportion of respondents in this year's hacker survey said they could breach the perimeter of a target in 10 hours or less, but that only marked the first step of a data breach.
After breaching the perimeter, 78% of respondents said it would take fewer than 10 hours to identify critical data and 72% said it would take five hours or less to exfiltrate the data. Averaged across all industries, 54% of respondents said the entire breach would take 15 hours or less, but some industries would be easier to crack than others. Respondents in the hacker survey rated the food and beverage, hospitality, and healthcare industries as the three industries that would be fastest to breach.
Chris Pogue, head of services, security and partner integrations at Nuix, said this was the most surprising result of the hacker survey.
"Fifteen hours. That's how long it takes most of our respondents to research their targets, break in, find the information they want and exfiltrate it. That's it," Pogue said. "This stat is disturbing on its own but becomes more so when compared to many industry-accepted numbers that say it takes organizations seven to eight months, on average, to discover they're breached. That's a long, long time for your data to be gone before you figure it out."
This data stands in stark contrast to the 2018 Verizon Data Breach Investigations Report (DBIR), in which Verizon claimed that "the time from first action in an event chain to initial compromise of an asset is most often measured in seconds or minutes."
Pogue said this "clearly illustrates the difference in perspective" between hackers and "an incident response team examining a breach after the fact based forensic data.
"If you already have a working username and password, the time it takes to log in using that password is nominal. If you already know a web server is vulnerable to SQL injection, it only takes a little while to execute that attack. The Verizon report excludes the 'intelligence gathering or other adversary preparations,' so the time the attackers spend on reconnaissance activities required to get the compromised password or find out the web server is vulnerable to SQL injection have been omitted from the data sample," Pogue said.
"It also doesn't take into account things like unsuccessful exploits or failed access attempts," he continued. "It also doesn't include the time it takes, once you've executed the initial compromise, to escalate privileges, traverse the network, identify where the valuable data is stored, collect that data and exfiltrate it to a system the hacker controls. All of those components of a breach have been included in our data sample."
Habits and adaptability
The Black Report hacker survey found that some of the favorite types of attacks for respondents were the same that often top Verizon's DBIR: phishing, social engineering and network attacks. In fact, only 12% of respondents told Nuix that they never used social engineering to obtain information on a target.
Defenders need to understand not only which attack types could be used against them, but which ones are the most likely.
Chris Poguehead of services, security and partner integrations, Nuix
However, that data appeared to speak more to those types of attacks continuing to be successful rather than hackers sticking to a certain method. Nuix found 59% of respondents said their attack methods become out of date or easy to detect within six months and 29% said they found new tools or techniques that made them more efficient with every engagement.
Pogue said hackers and pen testers are constantly studying new trends and methods of attack.
"Methodologies morph based on the target. Since target networks and systems are not exact replicas of each other, the methodologies used to compromise those targets logically need to change," Pogue said. "Defenders need to understand not only which attack types could be used against them, but which ones are the most likely."
This adaptability also appears worthwhile because 77% of the pen testers surveyed said they were rarely (less than 15% of the time) or never detected by a client's security team after compromising a target.
Additionally, 70% said they used tools to cover their tracks, and 87% of all respondents in the hacker survey said they could obfuscate attribution in 30 minutes or less.
Pogue said this means law enforcement agencies around the world should "carefully aggregate data regarding attribution.
"While some percentage of that data may be inaccurate, some of it isn't and can help them build a case against the criminal. Once enough data is present, they can get a Mutual Legal Assistance Treaty and execute a search warrant," Pogue said. "So, it's not quite as binary as to gather or not to gather, and there is always more to the story."
Messages for CEOs
Nuix gave respondents four choices of messages to send to CEOs about security and two thoughts rose to the top. The first was that security "is a journey, not a destination" and organizations will "never be secure."
This was borne out by the hacker survey, which had just 3% of respondents say they encountered environments that they could not break into and 79% said they were rarely or never impressed with an organization's security posture.
The second popular thought for CEOs was that security requires "a strong combination of people and technology," not one or the other.
In terms of technology, many traditional security products didn't appear to cause much consternation for the hackers and pen testers surveyed. Fewer than 10% of respondents said they found challenges from countermeasures like user access control, firewalls, antivirus or Enhanced Mitigation Experience Toolkits. By contrast, intrusion detection or prevention systems flustered more respondents (18%) and host system hardening was by far the most challenging security countermeasure (34%).
On the people and planning side of security, respondents said goal-oriented pen testing was by far the most impactful to cybersecurity with 79% saying it was "very impactful" or "absolutely critical."
Pogue said the first step to implementing goal-oriented pen testing was to "find a vetted, trusted partner to conduct all penetration testing activities.
"Working with that partner, it's important to have a plan in place to respond meaningfully to their findings and, most important, perform new tests after any remediation efforts," Pogue said. "Test, test and retest -- doing one test and passing at one point in time does nobody any good."
