A new survey of 300 ethical hackers provides insight into not only the most common means of initial access but how a complete end-to-end attack happens.


Around 40 per cent of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60 per cent said they need five hours or less to break into a corporate environment once they identify a weakness.

The SANS ethical hacking survey, done in partnership with security firm Bishop Fox, is the first of its kind and collected responses from over 300 ethical hackers working in different roles inside organisations, with different levels of experience and specialisations in different areas of information security.

The survey revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.

The survey highlights the need for organisations to improve their mean time to detect and mean time to contain, especially considering that ethical hackers are restricted in the techniques they are allowed to use during penetration tests or red team engagements. Criminals face no such limits, and using black hat techniques would significantly improve both the success rate and the speed of an attack.

Hackers find exploitable weaknesses in only a few hours

When asked how much time they typically need to identify a weakness in an environment, 57 per cent of the polled hackers indicated ten or fewer hours: 16 per cent responded six to ten hours, 25 per cent three to five hours, 11 per cent one to two hours and five per cent less than an hour.

It’s also worth noting that 28 per cent responded that they didn’t know, which could be for multiple reasons and not necessarily because it would take them more than ten hours.

One possibility is that many ethical hackers don’t keep track of how much time perimeter discovery and probing might take because it is not an important metric for them or a time-sensitive matter. Many factors could influence this, from the size of the environment and number of assets to their preexisting familiarity with the tested environment.

Over two-thirds of the questioned hackers indicated that they work or worked in the past as members of internal security teams and half said they served as consultants for offensive security providers. 

Almost 90 per cent of respondents held an information security certification and the top specialisations among them were network security, internal penetration testing, application security, red-teaming, and cloud security. Code-level security, Internet of Things (IoT) security and mobile security were less common at 30 per cent prevalence or less.

“Our data shows that the majority of respondents with application security, network security, and internal pen testing experience were able to find an exploitable exposure within five hours or less,” Matt Bromiley, a SANS digital forensics and incident response instructor said in the report.

Around 58 per cent indicated that they needed five hours or less to exploit a weakness once found, with 25 per cent saying between one and two hours and seven per cent less than an hour.

When asked to rank different factors that lead to exposures, the majority indicated third-party connections, the rapid pace of application development and deployment, adoption of cloud infrastructure, remote work, and mergers and acquisitions.

In terms of the types of exposures they encounter most, misconfigurations took the top place, followed by vulnerable software, exposed web services, sensitive information exposure, and authentication or access control issues.

“We also asked our respondents with cloud security experience how often they encountered improperly configured or insecure cloud/IaaS assets,” Bromiley said.

“There’s an even split between ‘half the time’ and ‘more often than not.’ It’s only small percentages at either end that rarely see (4.6 per cent) or always see (eight per cent) misconfigured public cloud or IaaS assets. These stats support an unfortunate truth that … organisations develop and deploy applications that expose vulnerabilities, insecurities, and improper configurations for adversaries to take advantage of.”

Privilege escalation and lateral movement also happen quickly

The under five-hour time frame seemed to prevail across all other stages of an attack, with 36 per cent of respondents reporting they could escalate privileges and move laterally through the environment within three to five hours after the initial intrusion, while 20 per cent estimated they could do it in two or fewer hours.

This remained consistent for data collection and exfiltration, with 22 per cent of respondents indicating it would take them three to five hours, 24 per cent between one and two hours and 16 per cent less than an hour.

“We see a consistent theme of adversaries able to perform intrusion actions within a five-hour window,” Bromiley said in the survey report. “Whether it’s lateral movement, privilege escalation, or data exfiltration, security teams should be measuring their ability to proactively identify and detect and respond as quickly as possible.”

When it comes to the average time required to complete an end-to-end attack, most respondents (57 per cent) indicated a time frame of less than 24 hours with another 23 per cent saying they don’t know.

Good detection and response methods are effective

One piece of potentially good news for security teams is that only 38 per cent of respondents indicated that they could “more often than not” successfully pivot to a new attack method that could bypass the defences that blocked their initial attack vector.

This indicates that having good detection and prevention methods in place pays off in blocking intrusion attempts, especially since criminals typically go for the path of least resistance and move on to an easier target if they don’t succeed.

Furthermore, 59 per cent of respondents said they rely on open-source tools in their intrusions and 14 per cent said they use public exploit packs. Only six per cent use private exploits and seven per cent use custom tools they wrote themselves. This means security teams could get a lot of value from focusing on defending against known and public tools and exploits.

Unfortunately, three-quarters of respondents indicated that only a few or some organisations have detection and response capabilities in place that are effective at stopping attacks. Almost 50 per cent said that organisations are moderately or highly incapable of detecting and preventing cloud-specific and application-specific attacks.
