Most hackers exfiltrate data within five hours of gaining access

More than 60% of hackers can collect and exfiltrate an enterprise’s data within five hours of gaining access to an environment, finds inaugural Ethical hacking survey by cyber security training firm SANS.

Based on the responses from around 300 sanctioned adversaries (i.e. those hired to attack a particular network, commonly referred to as “ethical” hackers), a major theme of the survey was the speed with which hackers could operate.

Sponsored by Bishop Fox, the research found that while it takes 57% of adversaries around 10 hours to successfully discover an exploitable exposure, nearly 64% of hackers were then able to collect and potentially exfiltrate data within a five-hour window.

According to Tom Eston, Bishop Fox’s associate vice-president of consulting, the aim of the research is to help security teams make better offensive and defensive decisions by exploring the thought processes of actual attackers.

“With these insights, we can better understand the ‘cost of doing business’ for attackers, as well as the speed with which they execute. Knowing how adversaries operate and how they pivot between tactics and techniques can help organisations evaluate their investments, and better understand where they need to double down on controls, policies, testing and defenses,” he said.

While a further 28% of respondents said they were unsure of how quickly they were able to identify an exploitable exposure, SANS posits that sanctioned adversaries’ success is often measured by hiring organisations in terms of overall outcomes (i.e. were you able to get in and what techniques did you use?) as opposed to how quickly each step occurred.

It also found that, upon gaining access, more than 40% required two hours or less to collect and exfiltrate data. While a further third said they were able to escalate privileges or move laterally among targets in a victim network within three to five hours, 20% said they were able to do so in two hours or less.

“We see a consistent theme of adversaries able to perform intrusion actions within a 5-hour window. Whether it’s lateral movement, privilege escalation, or data exfiltration, security teams should be measuring their ability to proactively identify, and detect and respond as quickly as possible,” said SANS in a report breaking down the survey results.

It further noted that many hackers speed increases the further along they get in their attacks, either because a lack of detection up to that point, or because they become so familiar with the compromised environment that exfiltration is simply another step in an already established infrastructure.

“From a speed perspective, we would expect to see adversaries take longer to enter and escalate privileges within an environment. The ‘final’ stages of an attack, such as data exfiltration, can be done quickly because the adversary already established lines of communication, has access, and has identified key system,” it added.

Looking at the attack process from end-to-end – incorporating every stage from reconnaissance and exploit discovery to intrusion and exfiltration – SANS found that the overall time frames it took sanctioned adversaries to complete an attack were fairly evenly dispersed.

For example, only 3.8% said they could conduct every step of an attack within five hours or less, 14% said they could in six to 10, 11.8% in 11 to 15, and nearly 14% in 16 to 20.

While around a fifth said an entire attack process would take 25 hours or more, another fifth said they were unsure.

Commenting on whether enterprises have adequate detection and response capabilities, some 74% indicated that organisations have only few or some detection and response capabilities to effectively stop an attack.

However, it also noted that it is not uncommon for adversaries referred tactics to be blocked or limited, meaning they must shift towards new methods. While only 38% of all respondents said they pivot to new bypass methods more than half the time, experience was an important factor contributing to an adversaries ability to successfully pivot.

“Respondents with one to three years of experience made up most answers to being able to pivot less than half the time. Conversely, four-plus years of experience seemed to be able to pivot easier to bypass preventative measures, with four to six years making up the bulk of the ‘Always’ response,” it said.

In terms of attack vectors, SANS found the two most popular were social engineering and phishing, with web application attacks, password attacks and ransomware filling out the rest of the top five. These vectors were assessed by sanctioned adversaries in terms of which had the highest return on investment to hackers.

To complete these attacks, 60% said they used open source tools, while only 11.5% said they used commercial tools.

The sanctioned adversaries were also asked what they think the most significant factors were in making overall attack surfaces vulnerable to compromise. While responses were fairly evenly distributed, third-party connections, increases in the number of users connected to networks or apps, and the increased pace of application development and deployment were some of the most common answers.   

“Speaking of expanding attack surfaces, we also asked our respondents with cloud security experience how often they encountered improper configures or insecure cloud/IaaS [infrastructure-as-a-service] assets,” it added.

“There’s an even split between ‘half the time’ and ‘more often than not’. It’s only small percentages at either end that rarely see (4.6%) or always see (8.0%) misconfigured public cloud or IaaS assets. These stats support an unfortunate truth that, as we see in previous figures, organisations develop and deploy applications that expose vulnerabilities, insecurities and improper configurations for adversaries to take advantage of.”