Which countermeasures improve security and which are a waste of money?
If you want to know about which cyber defenses are most effective and which are a waste of money and resources, ask a hacker. And that’s just what Nuix researchers did.
“During Black Hat USA and DEF CON 24 in 2016, we conducted a survey of known hackers, professionally known as penetration testers, and asked about their attack methodologies, favorite exploits, and what defensive countermeasures they found to be the most and least effective—and many other questions,” the company noted in a recently released report.
Lessons learned
The hackers’ responses to the questions revealed that:
- A direct server attack is the most popular method for breaking into systems (43%), followed by phishing (40%). Drive-by and watering hole attacks are both preferred by 9% of the hackers.
- 60% use open source tools, 21% their own custom tools and just 10% commercial tools; 5% opt for private exploits and 3% for exploit packs.
- 84% of them use social engineering to obtain information about a target, and 86% use vulnerability scanning to identify potential vulnerabilities.
- 33% of the respondents say that their target’s security team never spots their presence in their systems.
- Half of the respondents change attack methodologies with every engagement, and most of them do so not because the old techniques have stopped working but because they want to learn new techniques, reduce noise and improve speed.
Almost three-quarters of the respondents claimed they could compromise a target in under 12 hours: 28% took between six and 12 hours, and an astonishing 43% found a way in within six hours.
“A frightening 17% of respondents claimed they could compromise a system in less than two hours,” the researchers noted. “Realistically, you probably won’t even have a sufficient understanding of the attack in two hours, much less be able to mount any sort of defense. These numbers underscore the importance of having a well-trained response team using cutting edge technology actively monitoring for threats.”
Social engineering
During the reconnaissance stage of an attack, 84% of pentesters use some aspect of social engineering to gather information about their targets. Only 16% claimed they never used this attack method.
It’s important to point out that no technical security control can fully mitigate or prevent social engineering attacks, which is probably why most pentesters rely on this vector to gather data about their targets. The only reliable way to prepare for social engineering attacks is to educate your staff about what these attacks are, how and why they are carried out, and what each individual should do if they suspect they are being targeted.
Which technologies and approaches work for stopping attackers?
Intrusion detection/prevention systems and endpoint security solutions present the greatest challenge for the respondents (29% and 23%, respectively). Firewalls come up at 10%, and antivirus at 2%.
According to the respondents, companies would do well to invest in IDS/IPS systems, data hygiene/information governance solutions, and penetration testing. Most also believe that employee education, goal-oriented penetration testing, and vulnerability scanning are the most important countermeasures for preventing cyberattacks.
Given the opportunity to speak to security decision makers, the respondents would advise them to train their staff, find the right combination of people and technology, and assume that humans will fail (and so opt for technical controls that protect people from themselves). Their message for boards of directors is: get serious about security, invest in it, and let the security professionals do their jobs.