One would think that most CISOs and IT security teams are at least cautiously optimistic about their ability to respond to cyber threats. But if the opinions of professional “white hat” hackers are any indication, the reality is that they are practically defenseless.
During DEFCON 24 and Black Hat USA in 2016, the digital forensic investigation experts at Nuix conducted a survey of penetration testers. They asked about hackers’ preferred attack methods, what security controls worked against them and which ones didn’t, how often they succeeded or were thwarted, what motivated them, and more.
What We Can Learn from “The Black Report”
While most IT security reports rehash the grim statistics on what happened on the cybersecurity battlefield, “The Black Report” (viewable in PDF format with no registration here) focuses on how attacks are taking place. As Nuix puts it: “This is an entirely different perspective on the threat landscape; instead of hearing from the victims, we’re hearing from the attackers.”
While admittedly non-scientific, it’s a perspective that’s worth considering. Among the report’s key takeaways:
- 43% of white hat hackers say they can compromise most targets in less than six hours; 88% say they can do it within 12 hours. Further, 81% say they can identify and exfiltrate valuable data within a further 12 hours. That doesn’t leave a lot of time for breach detection.
- Only 53% admitted they sometimes encounter a system they can’t break into. 9% went so far as to say their attacks “never” fail.
- 36% said they are detected after a successful penetration about one-third of the time—the other two-thirds of the time they remain undetected as they browse for data. 26% of respondents said they are detected half the time. A third of the hackers interviewed stated that they are never detected in their work.
- What controls are most effective at tripping these hackers up? Traditional countermeasures like firewalls and antivirus rarely slow them down. Endpoint security technologies generally prove most effective, according to 36% of respondents. Intrusion detection and prevention systems were rated most effective by 29%. (22% stated no security controls could stop them and that a breach was only a matter of time.)
- 50% of attackers customize their methodologies for each specific target. This presumably limits the effectiveness of defensive strategies that are based on recognizing known attack vectors.
- A high percentage of investigations following data breaches found that automated detection controls warned that an attack was taking place—but the people responsible for monitoring those alerts failed to spot them and act on them.
- 52% of hackers believe that employee education is an extremely important security countermeasure. From this perspective, a well-informed, well-supported and security-conscious staff ranks among the most effective security countermeasures an organization can have.
Interestingly, 65% of hackers surveyed said their biggest professional frustration is organizations frequently fail to fix many vulnerabilities after they are identified. No wonder so many of them are confident they can breach their victims’ systems.
Nuix sums up their report by reminding us the biggest cyber security threat is “failing to plan.” They recommend organizations conduct real-world, controlled attacks while security teams are watching, responding and learning in real-time.
To explore possibilities for how ethical hacking, penetration testing and vulnerability assessments can help your organization improve its security posture and focus security spending on the most effective and needed controls, contact Pivot Point Security.