The average ethical hacker can find a vulnerability that allows a breach of the network perimeter and then exploit the environment in less than 10 hours, with penetration testers focused on cloud security gaining access to targeted assets most quickly. Further, once a vulnerability or weakness is found, about 58% of ethical hackers can break into an environment in less than five hours.
That's according to a survey of 300 experts conducted by the SANS Institute and sponsored by cybersecurity services firm Bishop Fox, which also found that the most common weaknesses exploited by the hackers include vulnerable configurations, software flaws, and exposed Web services.
The results mirror metrics for real-world malicious attacks and highlight the limited amount of time that companies have to detect and respond to threats, says Tom Eston, associate vice president of consulting of Bishop Fox.
"Five or six hours to break in, as an ethical hacker myself, that is not a huge surprise," he says. "It matches up to what we are seeing the real hackers doing, especially with social engineering and phishing and other realistic attack vectors."
The survey is the latest data point from cybersecurity companies' attempts to estimate the average time organizations have to stop attackers and interrupt their activities before significant damage is done.
Cybersecurity services firm CrowdStrike, for example, found that the average attacker "breaks out" from the initial compromise to infect other systems in less than 90 minutes. Meanwhile, the length of time that attackers were able to operate on victims' networks before being detected was 21 days in 2021, slightly better than the 24 days in the prior year, according to cybersecurity services firm Mandiant.
Organizations Not Keeping Up
Overall, nearly three-quarters of ethical hackers think most organizations lack the necessary detection and response capabilities to stop attacks, according to the Bishop Fox-SANS survey. The data should convince organizations to not just focus on preventing attacks, but aim to quickly detect and respond to attacks as a way to limit damage, Bishop Fox's Eston says.
"Everyone eventually is going to be hacked, so it comes down to incident response and how you respond to an attack, as opposed to protecting against every attack vector," he says. "It is almost impossible to stop one person from clicking on a link."
In addition, companies are struggling to secure many parts of their attack surface, the report stated. Third parties, remote work, the adoption of cloud infrastructure, and the increased pace of application development all contributed significantly to expanding organizations' attack surfaces, penetration testers said.
Yet the human element continues to be the most critical vulnerability, by far. Social engineering and phishing attacks, together, accounted for about half (49%) of the vectors with the best return on hacking investment, according to respondents. Web application attacks, password-based attacks, and ransomware account for another quarter of preferred attacks.
"[I]t should come as no surprise that social engineering and phishing attacks are the top two vectors, respectively," the report stated. "We've seen this time and time again, year after year — phishing reports continually increase, and adversaries continue to find success within those vectors."
Just Your Average Hacker
The survey also developed a profile of the average ethical hacker, with nearly two-thirds of respondents having between a year and six years of experience. Only one in 10 ethical hackers had less than a year in the profession, while about 30% had between seven and 20 years of experience.
Most ethical hackers have experience in network security (71%), internal penetration testing (67%), and application security (58%), according to the survey, with red teaming, cloud security, and code-level security as the next most popular types of ethical hacking.
The survey should remind companies that technology alone cannot solve cybersecurity problems — solutions require training employees to be aware of attacks, Eston says.
"There is not a single blinky-box technology that is going to repel all the attacks and keep your organization safe," he says. "It is a combination of people, process, and technology, and that has not changed. Organizations gravitate toward the latest and greatest tech ... but then they ignore security awareness and training their employees to recognize social engineering."
With attackers focused on exactly those weaknesses, he says, organizations need to change how they are developing their defenses.