There’s no shortage of reports, white papers, and eBooks on the realm of cyber-security. There’s more than 1,000 of them in the resource section of our site alone.
So another one from Nuix could easily be overlooked. But the Australian security company has tried to give a fresh take on security research. The company interviewed a group of 70 professional hackers at DEFCON to get insight into how they think and work for its new Black Report.
“The goal of the survey was to generate a report that was substantively different from the multitude of existing cyber threat reports present in the market,” says Christopher Pogue, Chief Information Security Officer at Nuix. “All of them looked at the threat landscape from one specific perspective, that of the victim. While this information is useful, it only provides one facet of a multi-dimensional issue.”
“We saw this as an opportunity to provide the market with a different perspective; that of the attacker.”
How hackers hack
The report provides some interesting insight into how hackers go about their business: over 80% of hackers use elements of social engineering at least ‘sometimes’ in their attacks, with over 40% employing this technique often or always. Open Source tools and phishing attacks were the most common tools and attack execution methods.
Endpoint security was cited as the biggest challenge during penetration tests, while Intrusion Detection/Prevention systems were the most effective place organisations could spend their budget. Data hygiene/information governance was listed as the least effective way to spend money. Educating employees was graded as ‘extremely important’ by the majority of hackers.
Pogue outlines some of the key findings as:
Attackers can breach your perimeter in less than 12 hours and identify and exfiltrate your critical value data in another 12 hours
“Most measure the ability of organisations to detect attacks in hundreds of days, the current average is somewhere between 250 and 300 days. If attackers can hit, breach, identify, and exfiltrate your data in under 24 hours, most organizations are 249 – 299 days behind their attackers on a regular basis (hackers are not like Santa Claus—they don’t only come once a year). This is unacceptable.”
69% of attackers report that they are almost never caught by security teams during their testing
“This staggering number is the result of several key failures: The inability to see certain types of attacks, a lack of experienced staff tasked with monitoring alerts, and security companies not continually analysing attack patterns. For security vendors to remain on the bleeding edge of threat detection, they need to research and analyse attack patterns regularly.”
50% of attackers change their methodologies with every target
“Many technologies base their detection of breaches around indicators of compromise; sets of behaviours and trails of evidence left behind by previous attacks that the security community has detected and analysed. When attackers change up their methodologies, it means the evidence generated by those attacks also changes. If a security solution only identifies a static set of unchanging identifiers, they are missing at least half of the attacks.”
What hackers think
The report also gets into the heads of hackers, asking about their views, frustrations, and what they want to say to the suits who run companies. Few hackers see themselves as mercenaries in it for the money; 66% say their main motivation was the challenge, a mere 3% cited ideology, and the rest cited financial reward.
Hacking isn’t always black and white (or Red). Security types often hack for fun and then let companies know about vulnerabilities. Often they are rewarded, occasionally they are arrested. Only a fifth of the people surveyed classified themselves as professional pen-testers who only ever work with indemnity letters; the rest classify themselves as somewhere between professional and ‘full-on hacker’. The majority (64%) describe the legality of hacking as ‘myopic’.
“Hacking is simply the medium – whether used for good or ill is a philosophical decision that needs to be made by the individual,” says Pogue. “Some Pen-testers have a very black and white view of morality, and only use their skills and abilities when operating within the parameters of a contract. Others have a less rigid view, and may choose to operate in a slightly different ecosphere. In both cases though, these individuals believe that they are doing the “right” thing.”
The IT industry exists in a perpetual skills shortage, and perhaps companies should start to look beyond qualifications. More than three-quarters say that technical certifications are not a good indicator of technical ability, and are simply a ‘necessary evil.’
“Certifications seek to measure an individual’s comprehension of a specific body of knowledge,” says Pogue. “I am a Certified Ethical Hacker, but there are non-certified Pentesters that could run circles around me.”
“I was able to attend a class and retain the content sufficient to pass the examination. That does not make me a hacker; it makes me a good test taker.”
“Yes, they are necessary to provide tangible evidence that you have a foundational understanding of some core concepts, but they by no means communicate expertise. When any organisation is conducting interviews it’s important to remember what certifications were intended to do, and what their limitations are.”
Remediation, or lack thereof
Though the report doesn’t ask hackers how valuable they see themselves, when asked how they thought the board perceived security, nearly half either said ‘purely a compliance requirement’ or ‘do just enough to show we think it’s important’. The key messages hackers want to get across were simple and oft-repeated: ‘Security is a journey, not a destination’, and ‘Trust your security professionals, you hired them for a reason’.
One of hackers’ biggest frustrations, according to the survey, is the fact that companies ‘don’t fix things they know are broken’. Only 17% said they saw full or extensive remediation after conducting penetration tests.
When it is put to Pogue that this lack of action is effectively putting companies at (completely self-inflicted) risk, he takes a more pragmatic tone.
“I absolutely think it’s part of the problem, but certainly not the entirety of it. Most organisations have competing priorities, projects, and personalities. This creates an environment in which things that need to get squared away from a security perspective are overshadowed by things that are going on right now.”
“Until security takes on a fundamental priority within an organisation, and resources are never diverted to deal with other issues, I am afraid we are going to see more of the same.”