Once they’ve broken into an IT environment, most intruders need less than five hours to collect and steal sensitive data, according to a SANS Institute survey of more than 300 ethical hackers.
The respondents also proved the old adage that it’s not “if” but “when.” Even if their initial attack vector fails, almost 38 percent indicated they can break into an environment “more often than not” by repeated attacks.
Most SANS surveys focus on the defenders’ perspective – for example asking incident responders how long it took them to detect and respond to a cyberattack. This report, commissioned by offensive security firm Bishop Fox, aimed to “get into the mindset of someone who attacks an organization, and look at those metrics instead,” said author Matt Bromiley, digital forensics and incident response instructor at SANS.
“Now obviously, we can’t call up all of our favorite hackers in the world – I don’t think many countries’ intelligence agencies would take that phone call,” he told The Register.
So the research team went with the next-best option: the ethical hackers tasked with emulating the adversaries. They asked this group of bug hunters and penetration testers about their favorite attack vectors, the tools they use and their speed.
The bulk of the survey respondents (83.4%) work for companies headquartered in the US. And the largest segment (34.2%) said they worked in cybersecurity, with jobs ranging from security analyst to chief information security officer or VP of security or technology.
Of course, your humble vulture can’t verify these respondents are who they claim to be. And the report acknowledges that the respondents, who are generally hired by organizations to “attack” their IT environments, have different motives than what it calls “unsanctioned adversaries” – i.e. the baddies.
There’s value in knowing how long it takes an ethical hacker to breach an environment, how quickly they can shift gears, and what their favorite tactics are. Because that can help organizations focus their security investments in areas that will yield the greatest return on investment, Bromiley argued.
“If I have to assume a state of breach, it’s going to be the hardest, most lengthy breach you’ve ever been involved in,” he said. “I’m going to make it so tough for you to get in, that you might just stop. Fingers crossed.”
Speaking of return on investment, the survey found that the oldies but goodies continue to provide the biggest bang for the buck. In response to the question “Which attack vector is most likely to have the greatest return on investment?” social engineering (32.1%) and phishing (17.2%) were the top two answers. Can’t beat the classics.
For comparison, zero-day exploits (3.8%), man-in-the-middle attacks (1.4%) and DNS spoofing (1%) ranked last.
“Crafting a spear-phishing email or getting someone to click a link is relatively inexpensive, compared to writing your own piece of malware,” Bromiley pointed out, adding that this should send a straightforward message to security teams.
“Focus on the basics,” he advised. “Don’t forget that humans are involved in your security program. I do not blame the person who clicks in an email, but I do encourage that we train people to be vigilant. So user education has got to be part of our security program.”
This should also influence companies’ security spending, he added. “If I had to pick and choose between giving everyone in the company YubiKeys versus buying some fancy new thing with amazing taglines, I’d go the route of YubiKey,” Bromiley declared. “I’d go the route of forced multifactor token auth or something like that that covers more of the basics.”
Need for speed
The survey also asked several questions related to speed, and found 57 percent of the ethical hackers claimed to be able to discover an exploitable flaw within ten hours.
More than half of respondents (over 57%) stated they could successfully discover an exploitable exposure in ten hours or less. About 25 percent said it took them between three and five hours, while 27.6 percent said they weren’t sure how long it would take.
“The time periods are where a lot of readers can get the most value,” Bromiley said. “What is the difference between an adversary that takes one hour to break into an organization versus an adversary needing six hours to break in? That’s five hours of patch time. That’s five hours of preparedness. That’s five hours of hardening your environment. Then that appreciation of time periods can travel down through the rest of the intrusion.”
Once they’ve found a hole, 58 percent said they could exploit it in five hours or less. After breaking in, 36 percent of respondents said they could escalate or move laterally within three to five hours, while 20 percent said it takes them two hours or less.
And once they’ve gained access to target systems and data, 22.7 percent said they can collect and exfiltrate data in three to five hours. Meanwhile, 40.7 said they can do this in two hours or less.
“Exfiltration is not the place to focus your detections,” Bromiley concluded. “It’s a place to have detections, but it’s not a place to focus them. Focus on the spots of the intrusion where the adversary needs the most time. This is where you have the best opportunity for detecting them, because they’re in there the longest.” ®