Thursday, April 18, 2024

Most Attackers Need Less Than 10 Hours to Find Weaknesses

Vulnerable configurations, software flaws, and exposed Web services allow hackers to find exploitable weaknesses in companies’ perimeters in just hours, not days.

The average ethical hacker can find a vulnerability that allows the breach of the network perimeter and then exploit the environment in less than 10 hours, with penetration testers focused on cloud security gaining access most quickly to targeted assets. And further, once a vulnerability or weakness is found, about 58% of ethical hackers can break into an environment in less than five hours.

That’s according to a survey of 300 experts by the SANS Institute and sponsored by cybersecurity services firm Bishop Fox, which also found that the most common weaknesses exploited by the hackers include vulnerable configurations, software flaws, and exposed Web services, survey respondents stated.

The results mirror metrics for real-world malicious attacks and highlight the limited amount of time that companies have to detect and respond to threats, says Tom Eston, associate vice president of consulting of Bishop Fox.

“Five or six hours to break in, as an ethical hacker myself, that is not a huge surprise,” he says. “It matches up to what we are seeing the real hackers doing, especially with social engineering and phishing and other realistic attack vectors.”

The survey is the latest data point from cybersecurity companies’ attempts to estimate the average time organizations have to stop attackers and interrupt their activities before significant damage is done.

Cybersecurity services firm CrowdStrike, for example, found that the average attacker “breaks out” from their initial compromise to infect other systems in less than 90 minutes. Meanwhile, the length of time that attackers are able to operate on victim’s networks before being detected was 21 days in 2021, slightly better than the 24 days in the prior year, according to cybersecurity services firm Mandiant.

Recommended:  Cybersecurity Startup Snyk Is Said to Plan 2022 IPO

Organizations Not Keeping Up

Overall, nearly three-quarters of ethical hackers think most organizations lack the necessary detection and response capabilities to stop attacks, according to the Bishop Fox-SANS survey. The data should convince organizations to not just focus on preventing attacks, but aim to quickly detect and respond to attacks as a way to limit damage, Bishop Fox’s Eston says.

“Everyone eventually is going to be hacked, so it comes down to incident response and how you respond to an attack, as opposed to protecting against every attack vector,” he says. “It is almost impossible to stop one person from clicking on a link.”

In addition, companies are struggling to secure many parts of their attack surface, the report stated. Third parties, remote work, the adoption of cloud infrastructure, and the increased pace of application development all contributed significantly to expanding organizations’ attack surfaces, penetration testers said.

Yet the human element continues to be the most critical vulnerability, by far. Social engineering and phishing attacks, together, accounted for about half (49%) of the vectors with the best return on hacking investment, according to respondents. Web application attacks, password-based attacks, and ransomware account for another quarter of preferred attacks.

“[I]t should come as no surprise that social engineering and phishing attacks are the top two vectors, respectively,” the report stated. “We’ve seen this time and time again, year after year — phishing reports continually increase, and adversaries continue to find success within those vectors.”

Just Your Average Hacker

The survey also developed a profile of the average ethical hacker, with nearly two-thirds of respondents having between a year and six years of experience. Only one in 10 ethical hackers had less than a year in the profession, while about 30% had between seven and 20 years of experience.

Recommended:  Chinese Researchers Say They’ve Spotted an NSA Hacking Tool

Most ethical hackers have experience in network security (71%), internal penetration testing (67%), and application security (58%), according to the survey, with red teaming, cloud security, and code-level security as the next most popular types of ethical hacking.

The survey should remind companies that technology alone cannot solve cybersecurity problems — solutions require training employees to be aware of attacks, Eston says.

“There is not a single blinky-box technology that is going to repel all the attacks and keep your organization safe,” he says. “It is a combination of people process and technology, and that has not changed. Organizations gravitate toward the latest and greatest tech … but then they ignore security awareness and training their employees to recognize social engineering.”

With attackers focused on exactly those weaknesses, he says, organizations need to change how they are developing their defenses.


Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Recommended:  US Offers $10M Reward For Information Linking Clop To Foreign Government

ClosePlease login
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates