A survey of 70 professional hackers and penetration testers has found that 60% of them take a maximum of just six hours to compromise a target. And 17% among them took just two hours to gain entry.
Another 28% took between six and 12 hours to break down the locks, according to the survey, titled The Black Report and conducted by Australian technology company Nuix.
The survey was done at Black Hat USA and Defcon in 2016 and the 54-page report differs from practically all other cyber security reports in that it canvasses the views of people in the business of hacking.
Penetration testers carry out stress tests of internal and external networks for companies and then provide advice on how they can secure those networks. This field is nothing new; this writer interviewed one of this breed back in 2004.
Asked about the use of social engineering, 43% of the group said they used it "sometimes" to gain access. But 16% did not bother with this tactic at all.
As to using vulnerability scanning to detect potential entry methods, 40% said they used this method "sometimes". A little more than a fifth always resorted to this method.
Three-fifths of the 70 hackers said they used open-source tools to effect their hacks. Custom tools were used by just over a fifth. While 43% favoured a direct server attack, two-fifths said phishing was their favourite method to get into a system.
Asked how often they encountered systems they could not crack, 9% said this never happened. But 53% said "sometimes", 22% "rarely", and 16% "often" faced this issue.
A third of the professionals said their presence was never detected by the security team at the organisation they were testing. Only 2% were detected more than half of the time, while another third were always detected.
Exfiltration of data after a compromise took a fifth of these hackers less than two hours to achieve. Another 29% took anything from two to six hours to exfiltrate data while about a fifth took more than 12 hours.
In an admission that should worry those guarding corporate networks, half the hackers said they changed their attack methods for every single engagement. Another 29% said they did so every two to six months, while only 5% did not bother to change attack methods for more than a year.
The reason for changing attack methods varied, with 56% saying they did so to learn new techniques. Five percent were forced to change methods; the ones that had been used no longer worked.
Only 2% of the hackers found anti-virus software an obstruction to compromising systems. The biggest hurdle was endpoint security, which 36% found to be an effective countermeasure to their plans; another 29% cited intrusion detection and prevention systems.
More than a fifth of the group boasted that no security measures could stop them; a full compromise was only a matter of time.
Asked what was the biggest frustration they faced as attackers, nearly two-thirds said it was the fact that people did not fix things that they knew were broken. A tenth of the group said "corporates and governments just don't get it."
Asked how organisations reacted after they were penetrated, three-fourths of the hackers said some remediation would be undertaken, and it would normally focus on vulnerabilities that were of a critical nature.
Only 10% said they had seen a full remediation of all security issues in an organisation after it had come to know its defences had been breached.
Five percent of the hackers gave the sarcastic response: "Nothing, they were just checking boxes", indicating that the security team at the organisation that had been hacked was clueless.
Asked what key message they had for the boards of companies that had proved to be vulnerable, a quarter of the hackers said the boards should realise that it was a matter of when, not if, a company was hacked.
Another 23% said boards should realise that there was a return on investment for security and it was not a waste of time or money. And 10% said boards should be aware that the ability to detect an attack was much more important than being able to deflect one.
The report can be downloaded here.