Threat Intelligence

2/23/2017 04:30 PM

Survey: Most Attackers Need Less Than 12 Hours To Break In

A Nuix study of DEFCON pen testers shows that the usual security controls are of little use against a determined intruder

If the methods used by penetration testers to break into a network are any indication, a majority of malicious attackers require less than 12 hours to compromise a target. Four in ten can do it in barely six hours.

Those are the just-released findings from a survey of 70 penetration testers that Nuix North America conducted at the DEFCON conference last year.

Nuix asked the pen testers about their attack methodologies, their favorite exploits, the security controls that deter them the most and the ones that are easiest to bypass.

The results showed that most pen testers find it almost trivially easy to break into any network that they take a crack at, with nearly 75% able to do it in less than 12 hours. Seventeen percent of the respondents in the Nuix survey claimed to need just two hours to find a way through.

Troubling as those numbers are likely to be for enterprises, even more challenging are the respondents' claims about how quickly they can find and siphon out target data. More than one in five said they needed just two hours, about 30% said they could get the job done in between two and six hours, and almost the same number said they needed between six and 12 hours.

About one-third of the pen testers said they had never been caught while breaking into a client network and accessing the target data, while about 36% said they were spotted in one out of three tries.

The survey results show that organizations face a more formidable challenge keeping attackers at bay than generally surmised, says Chris Pogue, chief information security officer at Nuix.

“You are squared off against a dynamic enemy whose technical capabilities are likely far beyond that of your security staff, and whose tool development has far outpaced your own,” he says.

Some of the results in the Nuix survey are similar to those discussed by Rapid7 in a recent report summarizing its experience conducting penetration tests for clients. According to Rapid7, in two-thirds of the engagements, clients did not detect the company’s penetration tests at all. An organization’s inability to detect a penetration test, which is often noisy, rapid-fire, and of short duration, makes it highly unlikely that it would detect an actual attack, Rapid7 noted at the time.

The experience of the pen testers in the Nuix survey suggests that malicious attackers prefer freely available open source tools and custom tools over exploit kits or other malware tools purchased on the Dark Web. Just 10% of the survey respondents said they used commercial tools like Cobalt Strike or the Core IMPACT framework to break into a client network, while an even smaller 5% said they used exploit kits.

The methods employed by pen testers are representative of the tactics, techniques and procedures used by criminal attackers, so enterprise security managers would do well to pay attention to the results, says Pogue. “The only real difference is motivation,” he notes.

Often the main difference between a pen tester and someone who attacks a network with malicious intent is a piece of paper representing a contract with a client. Consequently, the methods employed by pen testers are a reliable indicator of the methods that criminals are likely to use as well, he says. “The way I see it, this is the only way to truly understand the efficacy of your security countermeasures and detection capabilities,” Pogue says.

Significantly, more than one in five of the pen testers surveyed claimed that no security controls could stop them. Among the controls that the remaining pen testers found most effective were endpoint security tools and intrusion detection and prevention systems. Just 10% found firewalls to be a problem.

Also notable was that the survey respondents said they used a different attack methodology for almost every new attack, meaning that countermeasures focused on indicators of compromise have only limited effect. “Attackers are as creative as they need to be,” Pogue says. “When specific attack patterns start to get detected or blocked, then they switch things up slightly, and use that methodology until it gets detected or blocked.”

The message for defenders is that threats are not static, and they need to be prepared for, and able to detect, the different methods criminals can employ to break in, he says.

“If an organization cannot detect a multitude of attack patterns, some of which they have likely never seen before, they are already lagging several paces behind their adversaries.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...