Rarely do hackers provide an inside look at how they carry out a cyber-attack, and even more rarely are they impressed with a company’s security countermeasures. A new report offers insight into both, revealing how best to defend against an attack from the perspective of the hackers themselves.

Hackers took part in the 2018 Black Report conducted by software company Nuix in one of two ways: through an anonymous online survey or by completing a paper survey at a Nuix conference, an option more than half of the 112 total respondents chose. Survey respondents included both criminal hackers (those who access computer systems or applications without permission to execute nefarious activities for destruction or personal gain) and penetration testers (professional hackers who are contracted to attack their target).

The report did not differentiate between the two hackers, because they use the same techniques to achieve their goals. “It’s important to remember that the primary differentiator between criminal hacking and penetration testing is a statement of work,” says Chris Pogue, lead author of the report and head of services, security, and partner integrations at Nuix. “Without a contract, they’re all hackers.” 

The most troubling finding: Hackers rarely encounter security systems they cannot breach. Fifty-nine percent said they encountered environments they could not breach only 5 to 15 percent of the time. Moreover, 40 percent of hackers said they could exfiltrate data in less than an hour, and another 33 percent said they could do so within five hours.


“The Black Report reveals a huge gap between perception and reality in cyber-security,” Pogue says. “You might think you’re well-protected, but the people whose job it is to break in and steal your data think otherwise.” For example, most companies invest heavily in firewalls, antivirus protections, and user account controls—measures that pose little, if any, challenge for hackers, the Black Report found.

Beyond consulting with analyst firms or taking advice from their chief information security officers to properly assess where money spent on cyber-security will have the greatest impact, “I believe the missing voice at the table is that of the hackers themselves,” Pogue adds.

The report’s crown jewel was a section that discussed the security countermeasures that posed the greatest challenges for hackers and, thus, where companies should focus much of their time and attention. Specifically, although most hackers said they are rarely impressed by what they would consider effective security countermeasures, the top three most effective measures they cited were host system hardening; intrusion detection and prevention systems; and endpoint security (the process of securing end-user devices like PCs, laptops, smartphones, and tablets).

“All of these pieces—the intrusion detection, endpoint security, and system hardening—are fundamental security practices that companies should have as a baseline, but the bang comes when you have all these capabilities come together,” says Javvad Malik, a security advocate at computer security firm AlienVault. The more your technology capabilities speak to each other to reveal that holistic picture, the more effective the company’s cyber-security posture will be.

Mitigating many cyber-attacks comes down to practicing good security hygiene. Host system hardening, for example, is simply the process of updating systems with the latest software and patching known vulnerabilities—a critical measure that companies should not underestimate.

NUIX BLACK REPORT

Below is a summary of key questions and findings from the 2018 Nuix Black Report.

Once you’ve compromised a target, how often does your client’s security team identify your presence?
Always (100% of the time): 3%
More often than not (50–90% of the time): 2%
Less than half the time (15–50% of the time): 18%
Rarely (5–15% of the time): 75%
Never: 2%

Do you think most security professionals tasked with detecting attacks understand what they’re looking for?
Yes: 26%
No: 74%

Have you ever used a tool to cover your tracks?
Yes: 70%
No: 30%

How long does it take to obfuscate attribution?
More than an hour: 7%
30–60 minutes: 6%
15–30 minutes: 28%
5–10 minutes: 31%
1–5 minutes: 15%
Less than a minute: 13%

Source: Nuix 2018 Black Report

Many cyber-attacks really aren’t all that sophisticated, but rather the result of oversights, Pogue says. Take, for example, the massive data breach at the credit rating agency Equifax that occurred in September 2017. That breach was the result of a known vulnerability in Equifax’s security system that was left unpatched, allowing hackers to access the personally identifiable information of more than 143 million U.S. consumers.

“To ensure host system hardening has been performed effectively, it should always be followed up by a vulnerability scan and penetration test,” Pogue says. “This will help organizations to ensure that the goals of the hardening exercise were met and that the system does not have any lingering vulnerabilities.”

Security training also plays a critical role: “Security operations staff should receive training on detecting and countering attacks,” Pogue says. “Introducing ‘purple team’ and tabletop exercises is a must.”

In cyber-speak, where red teams are penetration testers and blue teams are incident responders, a purple team is when the two come together to share each other’s techniques. Similarly, a tabletop exercise is when penetration testers create training exercises for incident responders to ensure their response processes are up to snuff in the event of a cyber-attack.

Malik of AlienVault also stresses not to underestimate the value of peer-to-peer collaboration, sharing real-world experiences about cyber-security trends, techniques that have worked, and what types of new cyber-threats they’re seeing. “Sharing that information among each other,” he says, “can really help boost the effectiveness of each company’s security controls.”