Threat Intelligence

2/23/2017
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Survey: Most Attackers Need Less Than 12 Hours To Break In

A Nuix study of DEFCON pen testers shows that the usual security controls are of little use against a determined intruder

If the methods used by penetration testers to break into a network are any indication, a majority of malicious attackers require less than 12 hours to compromise a target. Four in ten can do it in barely six hours.

That's the just released findings from a survey of 70 penetration testers that Nuix North America conducted at the DEFCON Conference last year.

Nuix asked the pen testers about their attack methodologies, their favorite exploits, the security controls that deter them the most and the ones that are easiest to bypass.

The results showed that most pen testers find it almost trivially easy to break into any network that they take a crack at, with nearly 75% able to do it in less than 12 hours. Seventeen percent of the respondents in the Nuix survey claimed to need just two hours to find a way through.

Troubling as those numbers are likely to be for enterprises, what is sure to be even more challenging are the claims by survey respondents about how quickly they can find and siphon out target data. More than one in five said they needed just two hours, about 30% said they could get the job done in between two and six hours while almost the same number said they needed between six and 12 hours.

About one-third of the pen testers claimed that they have never been caught so far while breaking into a client network and accessing the target data, while about 36% said they were spotted in one out of three tries.

The survey results show that organizations face a more formidable challenge keeping attackers at bay than generally surmised, says Chris Pogue, chief information security officer at Nuix.

“You are squared off against a dynamic enemy whose technical capabilities are likely far beyond that of your security staff, and whose tool development has far outpaced your own,” he says.

Some of the results in the Nuix survey are similar to those discussed by Rapid7 in a recent report summarizing its experience conducting penetration tests for clients. According to Rapid7, in two-thirds of the engagements, clients did not discover the company’s penetration tests at all. An organization’s inability to detect a penetration test, which often is noisy, rapid fire, and of short duration, makes it highly unlikely it would detect an actual attack. Rapid7 noted at the time.

The experience of the pen testers in the Nuix survey suggests that malicious attackers like to use freely available open source tools and custom tools more than exploit kits or other malware tools purchased in the Dark Web. A bare 10% of the survey respondents said they used commercial tools like Cobalt Strike or the Core IMPACT framework to break and enter a client network, while an even smaller 5% said they used exploit kits.

The methods employed by pen testers are representative of the tactics, techniques and procedures used by criminal attackers, so enterprise security managers would do well to pay attention to the results, says Pogue. “The only real difference is motivation,” he notes.

Often the main variance between a pen tester and someone that attacks a network with malicious intent is a piece of paper representing a contract with a client. Consequently, the methods employed by pen testers are a reliable indicator of the methods that criminals are likely to use as well, he says. “The way I see it, this is the only way to truly understand the efficacy of your security countermeasures and detection capabilities,” Pogue says.

Significantly, more than one in five of the attackers claimed that no security controls could stop them. Among those controls that the remaining pen testers found the most effective were endpoint security tools and intrusion detection and prevention systems. Just 10% found firewalls to be a problem.

Also interesting was the fact that the survey respondents claimed they used different attack methodologies for almost every new attack, meaning that countermeasures focused on indicators of compromise have only limited effect. “Attackers are as creative as they need to be,” Pogue says. “When specific attack patterns start to get detected or blocked, then they switch things up slightly, and use that methodology until it gets detected or blocked.”

The message for defenders is that threats are not static and they need to be prepared for and able to detect the different methods criminals can employ to break in, he says.

“If an organization cannot detect a multitude of attack patterns, some of which they have likely never seen before, they are already lagging several paces behind their adversaries.”

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.