Around 40 per cent of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60 per cent said they need five hours or less to break into a corporate environment once they identify a weakness.
The SANS ethical hacking survey, done in partnership with security firm Bishop Fox, is the first of its kind and collected responses from over 300 ethical hackers working in different roles inside organisations, with different levels of experience and specialisations in different areas of information security.
The survey revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.
The survey highlights the need for organisations to improve their mean time to detect and mean time to contain, especially considering that ethical hackers are restricted in the techniques they're allowed to use during penetration testing or red team engagements. Using black hat techniques, as criminals do, would significantly improve the success rate and speed of an attack.
Hackers find exploitable weaknesses in only a few hours
When asked how much time they typically need to identify a weakness in an environment, 57 per cent of the polled hackers indicated ten or fewer hours: 16 per cent responded six to ten hours, 25 per cent three to five hours, 11 per cent one to two hours and five per cent less than an hour.
It's also worth noting that 28 per cent responded that they didn't know, which could have several explanations and does not necessarily mean it would take them more than ten hours.
One possibility is that many ethical hackers don't keep track of how much time perimeter discovery and probing might take because it is not an important metric for them or a time-sensitive matter. Many factors could influence this, from the size of the environment and number of assets to their preexisting familiarity with the tested environment.
Over two-thirds of the questioned hackers indicated that they work or worked in the past as members of internal security teams and half said they served as consultants for offensive security providers.
Almost 90 per cent of respondents held an information security certification and the top specialisations among them were network security, internal penetration testing, application security, red-teaming, and cloud security. Code-level security, Internet of Things (IoT) security and mobile security were less common at 30 per cent prevalence or less.
"Our data shows that the majority of respondents with application security, network security, and internal pen testing experience were able to find an exploitable exposure within five hours or less," Matt Bromiley, a SANS digital forensics and incident response instructor said in the report.
Around 58 per cent indicated that they needed five hours or less to exploit a weakness once found, with 25 per cent saying between one and two hours and seven per cent less than an hour.
When asked to rank different factors that lead to exposures, the majority indicated third-party connections, the rapid pace of application development and deployment, adoption of cloud infrastructure, remote work, and mergers and acquisitions.
In terms of the types of exposures they encounter most, misconfigurations took the top spot, followed by vulnerable software, exposed web services, sensitive information exposure, and authentication or access control issues.
"We also asked our respondents with cloud security experience how often they encountered improperly configured or insecure cloud/IaaS assets," Bromiley said.
"There’s an even split between 'half the time' and 'more often than not.' It’s only small percentages at either end that rarely see (4.6 per cent) or always see (eight per cent) misconfigured public cloud or IaaS assets. These stats support an unfortunate truth that … organisations develop and deploy applications that expose vulnerabilities, insecurities, and improper configurations for adversaries to take advantage of."
Privilege escalation and lateral movement also happen quickly
The under-five-hour time frame seemed to prevail across all other stages of an attack, with 36 per cent of respondents reporting they could escalate privileges and move laterally through the environment within three to five hours of the initial intrusion, while 20 per cent estimated they could do it in two hours or less.
This remained consistent when it came to data collection and exfiltration with 22 per cent of respondents indicating it would take them three to five hours, 24 per cent between one and two hours and 16 per cent less than two hours.
"We see a consistent theme of adversaries able to perform intrusion actions within a five-hour window," Bromiley said in the survey report. "Whether it’s lateral movement, privilege escalation, or data exfiltration, security teams should be measuring their ability to proactively identify and detect and respond as quickly as possible."
When it comes to the average time required to complete an end-to-end attack, most respondents (57 per cent) indicated a time frame of less than 24 hours with another 23 per cent saying they don't know.
Good detection and response methods are effective
One potential piece of good news for security teams is that only 38 per cent of respondents indicated that they could "more often than not" successfully pivot to a new attack method that could bypass the defences that blocked their initial attack vector.
This indicates that having good detection and prevention methods in place pays off in blocking intrusion attempts, especially since criminals typically go for the path of least resistance and move on to an easier target if they don't succeed.
Furthermore, 59 per cent of respondents said they rely on open-source tools in their intrusions and 14 per cent said they use public exploit packs. Only six per cent use private exploits and seven per cent use custom tools they wrote themselves. This means security teams could get a lot of value from focusing on defending against known and public tools and exploits.
Unfortunately, three-quarters of respondents indicated that only a few or some organisations have detection and response capabilities in place that are effective at stopping attacks. Almost 50 per cent said that organisations are moderately or highly incapable of detecting and preventing cloud-specific and application-specific attacks.