Survey: Most Attackers Need Less Than 12 Hours To Break In
A Nuix study of DEFCON pen testers shows that the usual security controls are of little use against a determined intruder
If the methods used by penetration testers to break into a network are any indication, a majority of malicious attackers require less than 12 hours to compromise a target. Four in ten can do it in barely six hours.
Those are the just-released findings from a survey of 70 penetration testers that Nuix North America conducted at the DEFCON Conference last year.
Nuix asked the pen testers about their attack methodologies, their favorite exploits, the security controls that deter them the most and the ones that are easiest to bypass.
The results showed that most pen testers find it almost trivially easy to break into any network that they take a crack at, with nearly 75% able to do it in less than 12 hours. Seventeen percent of the respondents in the Nuix survey claimed to need just two hours to find a way through.
Troubling as those numbers are likely to be for enterprises, what is sure to be even more challenging are the claims by survey respondents about how quickly they can find and siphon out target data. More than one in five said they needed just two hours; about 30% said they could get the job done in between two and six hours, while almost the same number said they needed between six and 12 hours.
About one-third of the pen testers claimed that they have never been caught while breaking into a client network and accessing the target data, while about 36% said they were spotted in one out of three tries.
The survey results show that organizations face a more formidable challenge keeping attackers at bay than generally surmised, says Chris Pogue, chief information security officer at Nuix.
“You are squared off against a dynamic enemy whose technical capabilities are likely far beyond that of your security staff, and whose tool development has far outpaced your own,” he says.
Some of the results in the Nuix survey are similar to those discussed by Rapid7 in a recent report summarizing its experience conducting penetration tests for clients. According to Rapid7, in two-thirds of the engagements, clients did not discover the company’s penetration tests at all. An organization’s inability to detect a penetration test, which often is noisy, rapid-fire, and of short duration, makes it highly unlikely it would detect an actual attack, Rapid7 noted at the time.
The experience of the pen testers in the Nuix survey suggests that malicious attackers prefer freely available open source tools and custom tools over exploit kits or other malware tools purchased on the Dark Web. A bare 10% of the survey respondents said they used commercial tools like Cobalt Strike or the Core IMPACT framework to break into a client network, while an even smaller 5% said they used exploit kits.
The methods employed by pen testers are representative of the tactics, techniques and procedures used by criminal attackers, so enterprise security managers would do well to pay attention to the results, says Pogue. “The only real difference is motivation,” he notes.
Often the main difference between a pen tester and someone who attacks a network with malicious intent is a piece of paper representing a contract with a client. Consequently, the methods employed by pen testers are a reliable indicator of the methods that criminals are likely to use as well, he says. “The way I see it, this is the only way to truly understand the efficacy of your security countermeasures and detection capabilities,” Pogue says.
Significantly, more than one in five of the pen testers surveyed claimed that no security controls could stop them. Among the controls that the remaining pen testers found most effective were endpoint security tools and intrusion detection and prevention systems. Just 10% found firewalls to be a problem.
Also interesting was the fact that the survey respondents claimed they used different attack methodologies for almost every new attack, meaning that countermeasures focused on indicators of compromise have only limited effect. “Attackers are as creative as they need to be,” Pogue says. “When specific attack patterns start to get detected or blocked, then they switch things up slightly, and use that methodology until it gets detected or blocked.”
The message for defenders is that threats are not static and they need to be prepared for and able to detect the different methods criminals can employ to break in, he says.
“If an organization cannot detect a multitude of attack patterns, some of which they have likely never seen before, they are already lagging several paces behind their adversaries.”