Cyber attackers can breach targets in hours, report reveals
The majority of hackers claim they can breach an organisation within hours, while most security professionals admit they do not know what to look for
The majority of cyber attackers (71%) can breach a targeted organisation within 10 hours, and 18% claim they could breach a target in the hospitality and food and beverage industries within an hour, according to the latest Nuix black report.
Nearly 60% said it was rare for them to encounter systems that they could not break into, 75% of hackers said they were rarely detected by their victims after an attack and 2% said they were never detected. Some 74% said they were rarely impressed by an organisation’s security posture and that most security professionals tasked with detecting attacks do not understand what they are looking for.
The report is based on a survey of more than 100 cyber incident responders and known hackers from 16 countries, revealing their attack methodologies, favourite exploits, and what defensive countermeasures they have found to be the most and least effective.
When asked which countermeasures present the greatest challenge, 34% said host system hardening, followed by intrusion detection and prevention systems (18%), endpoint security (14%), and honeypots and other deception technologies (10%).
Only 8% said Microsoft’s Enhanced Mitigation Experience Toolkit and antivirus software were a challenge, and the least challenging countermeasures were firewalls (5%) and user access controls (3%).
Once attackers have breached the perimeter, said the report, they can move laterally with ease to map out the target environment and find what they are looking for. Almost three-quarters of hackers said they could cover their tracks in less than 30 minutes.
Averaged across all industries, most respondents (54%) said they could find their target data within five hours, while large numbers could find the data they wanted in less than an hour in the hospitals and healthcare (38%), hospitality (33%), and retail (30%) industries.
“This illustrates the reality of ‘candy bar security’, where an organisation’s security posture is crunchy on the outside and chewy in the middle,” the report said. “It’s the result of focusing on hardening the perimeter of a network and assuming that anyone who’s on the inside should be there and is doing what they’re supposed to be doing.”
One-third of hackers said they often use social engineering as their preferred method of obtaining information about a target, while 62% favoured phishing attacks, 22% preferred in-person social engineering attacks on a target, and just 16% said their favourite way of using social engineering was over the phone. A total of 17% said they always used social engineering, and only 12% said they never used it.
Social engineering is a popular attack method, favoured by 27% of hackers, second only to network attacks, which were favoured by 28%. This was followed by phishing (22%) – which is really a subset of social engineering attacks – and waterhole attacks (7%).
In a speech at CyberUK 2018 in Manchester, information commissioner Elizabeth Denham said: “Low-tech breaches are frustratingly common in the ICO’s enforcement work. So many of the breaches we investigate are down to human error.”
Asked how often new tools or techniques are released to enable more efficient attacks, 37% of hackers said there are new tools available every one to two months, allowing them to regularly switch their methods of attack, but 22% said attack methodologies become outdated or easy to detect in the same time period.
A large majority (93%) of respondents said that after a penetration test, the client would most commonly not fix some or all of the vulnerabilities identified by the testers or investigators. Only 7% would remediate all the vulnerabilities found and then re-test to see whether they had plugged all the gaps.
Some 18% of respondents said many of their clients would talk about what needed to be done, but not actually do it, and 6% said their clients did nothing because the pen test was just a box-checking exercise or regulatory requirement.
There is a pervasive opinion among respondents that organisations could and should take security more seriously, the report said.
David Smith, chief information security officer at Nuix, said: “The report confirms that hackers utilise their copious supply of weapons, including private exploits, exploit packs, commercial tools, open source tools and custom tools, with social engineering, in its various forms, always a favourite option.
“Valuable insight into the attack mindset demonstrates that a defence-in-depth security approach has never been more important, and that no industry is safe.”