Around 40% of ethical hackers recently surveyed by the SANS Institute said they can break into most environments they test, if not all. Nearly 60% said they need five hours or less to break into a corporate environment once they identify a weakness.
The SANS ethical hacking survey, done in partnership with security firm Bishop Fox, is the first of its kind and collected responses from over 300 ethical hackers working in different roles inside organizations, with different levels of experience and specializations in different areas of information security. The survey revealed that on average, hackers would need five hours for each step of an attack chain: reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.
The survey highlights the need for organizations to improve their mean time to detect and mean time to contain, especially considering that ethical hackers are restricted in the techniques they are allowed to use during penetration testing or red team engagements. Criminals face no such restrictions, and using black hat techniques would significantly improve the success rate and speed of an attack.
Hackers find exploitable weaknesses in only a few hours
When asked how much time they typically need to identify a weakness in an environment, 57% of the polled hackers indicated ten or fewer hours: 16% responded six to ten hours, 25% three to five hours, 11% one to two hours and 5% less than an hour. It’s also worth noting that 28% responded that they didn’t know, which could be because of multiple reasons and not necessarily because it would take them more than ten hours.
One possibility is that many ethical hackers don’t keep track of how much time perimeter discovery and probing might take because it is not an important metric for them or a time-sensitive matter. Many factors could influence this, from the size of the environment and number of assets to their preexisting familiarity with the tested environment.
Over two-thirds of the surveyed hackers indicated that they work, or have worked in the past, as members of internal security teams, and half said they have served as consultants for offensive security providers. Almost 90% of respondents held an information security certification, and the top specializations among them were network security, internal penetration testing, application security, red teaming, and cloud security. Code-level security, IoT security and mobile security were less common, at 30% prevalence or less.
“Our data shows that the majority of respondents with application security, network security, and internal pen testing experience were able to find an exploitable exposure within five hours or less,” Matt Bromiley, a SANS digital forensics and incident response instructor said in the report.
Around 58% indicated that they needed five hours or less to exploit a weakness once found, with 25% saying between one and two hours and 7% less than an hour. When asked to rank different factors that lead to exposures, the majority indicated third-party connections, the rapid pace of application development and deployment, adoption of cloud infrastructure, remote work, and mergers and acquisitions.
In terms of the types of exposures they encounter most often, misconfigurations took the top spot, followed by vulnerable software, exposed web services, sensitive information exposure, and authentication or access control issues.
“We also asked our respondents with cloud security experience how often they encountered improperly configured or insecure cloud/IaaS assets,” Bromiley said. “There’s an even split between ‘half the time’ and ‘more often than not.’ It’s only small percentages at either end that rarely see (4.6%) or always see (8%) misconfigured public cloud or IaaS assets. These stats support an unfortunate truth that … organizations develop and deploy applications that expose vulnerabilities, insecurities, and improper configurations for adversaries to take advantage of.”
Privilege escalation and lateral movement also happen quickly
The under-five-hour time frame seemed to prevail across all other stages of an attack, with 36% of respondents reporting they could escalate privileges and move laterally through the environment within three to five hours after the initial intrusion, while 20% estimated they could do it in two hours or less. This remained consistent for data collection and exfiltration, with 22% of respondents indicating it would take them three to five hours, 24% between one and two hours, and 16% less than an hour.
“We see a consistent theme of adversaries able to perform intrusion actions within a five-hour window,” Bromiley said in the survey report. “Whether it’s lateral movement, privilege escalation, or data exfiltration, security teams should be measuring their ability to proactively identify and detect and respond as quickly as possible.”
When it comes to the average time required to complete an end-to-end attack, most respondents (57%) indicated a time frame of less than 24 hours with another 23% saying they don’t know.
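The article's recurring recommendation is that security teams measure their own mean time to detect and mean time to contain against the windows the survey reports: roughly five hours per attack stage and under 24 hours end to end. The script below is an added illustration of that measurement, not part of the article or of the SANS report; the incident records, field names and thresholds are constructed for the example. It computes per-incident time to detect (first attacker activity to true-positive alert) and time to contain (alert to containment), averages them, and flags incidents that fell outside the survey's windows.

```python
from datetime import datetime, timedelta
from statistics import mean

# Benchmarks drawn from the survey figures quoted in the article:
# about five hours per attack stage, under 24 hours for an end-to-end attack.
STAGE_WINDOW = timedelta(hours=5)
END_TO_END_WINDOW = timedelta(hours=24)

# Constructed incident records (hypothetical; not survey data). Each holds the
# earliest attacker activity found in evidence, the time a true-positive alert
# was raised, and the time the affected asset was contained. ISO 8601, UTC.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-03-01T02:00:00",
     "detected": "2024-03-01T04:30:00", "contained": "2024-03-01T08:00:00"},
    {"id": "INC-2", "first_activity": "2024-03-02T22:00:00",
     "detected": "2024-03-03T06:00:00", "contained": "2024-03-03T18:00:00"},
    {"id": "INC-3", "first_activity": "2024-03-05T09:00:00",
     "detected": "2024-03-05T11:00:00", "contained": "2024-03-05T12:00:00"},
    {"id": "INC-4", "first_activity": "2024-03-10T00:00:00",
     "detected": "2024-03-11T10:00:00", "contained": "2024-03-12T04:00:00"},
]


def _hours(delta):
    """Convert a timedelta to hours as a float."""
    return delta.total_seconds() / 3600


def incident_metrics(inc):
    """Compute detection and containment timings for one incident."""
    start = datetime.fromisoformat(inc["first_activity"])
    detected = datetime.fromisoformat(inc["detected"])
    contained = datetime.fromisoformat(inc["contained"])
    if not start <= detected <= contained:
        raise ValueError(f"{inc['id']}: timestamps out of order")

    ttd = detected - start        # time to detect
    ttc = contained - detected    # time to contain, measured from the alert
    dwell = contained - start     # total attacker presence
    return {
        "id": inc["id"],
        "ttd_hours": _hours(ttd),
        "ttc_hours": _hours(ttc),
        # Was the intrusion noticed inside one survey "stage" window?
        "detected_within_stage": ttd <= STAGE_WINDOW,
        # Was the attacker out before a typical end-to-end attack completes?
        "contained_within_day": dwell <= END_TO_END_WINDOW,
    }


def summarize(incidents):
    """Aggregate MTTD / MTTC and list the incidents outside the benchmarks."""
    rows = [incident_metrics(i) for i in incidents]
    return {
        "mttd_hours": mean(r["ttd_hours"] for r in rows),
        "mttc_hours": mean(r["ttc_hours"] for r in rows),
        "share_detected_within_stage": sum(
            r["detected_within_stage"] for r in rows) / len(rows),
        "slow_detections": [r["id"] for r in rows
                            if not r["detected_within_stage"]],
        "exceeded_day": [r["id"] for r in rows
                         if not r["contained_within_day"]],
    }


if __name__ == "__main__":
    s = summarize(INCIDENTS)
    print(f"MTTD: {s['mttd_hours']:.2f} h, MTTC: {s['mttc_hours']:.2f} h")
    print(f"Detected within {STAGE_WINDOW}: "
          f"{s['share_detected_within_stage']:.0%} of incidents")
    print("Detection slower than one attack stage:", s["slow_detections"])
    print("Containment slower than an end-to-end attack:", s["exceeded_day"])
```

The containment clock here starts at the alert rather than at first activity, so the two metrics can be improved independently: a long time to detect points at visibility gaps, a long time to contain at response process. The flagged lists are the incidents worth reviewing first when either number is above the survey's windows.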
Good detection and response methods are effective
One piece of potentially good news for security teams is that only 38% of respondents indicated that they could “more often than not” successfully pivot to a new attack method that could bypass the defenses that blocked their initial attack vector. This indicates that having good detection and prevention methods in place pays off in blocking intrusion attempts, especially since criminals typically take the path of least resistance and move on to an easier target if they don’t succeed.
Furthermore, 59% of respondents said they rely on open-source tools in their intrusions and 14% said they use public exploit packs. Only 6% use private exploits and 7% use custom tools they wrote themselves. This means security teams could get a lot of value from focusing on defending against known and public tools and exploits. Unfortunately, three-quarters of respondents indicated that only a few or some organizations have detection and response capabilities in place that are effective at stopping attacks. Almost 50% said that organizations are moderately or highly incapable of detecting and preventing cloud-specific and application-specific attacks.