These and other takeaways were gathered by Chris Pogue, chief information security officer of cybersecurity/information governance company Nuix, after he surveyed 70 hackers and penetration testers (“pentesters”) at Black Hat USA and DEFCON 24 in 2016.
Pogue gathered his insights into a 50-page “Black Report,” believing a look into the minds of the attackers can help inform how companies should most effectively provision resources to improve their security posture.
Assembling a basic profile of pentesters based on their self-images, education levels and employment, Pogue then delved into the techniques successful hackers found most effective.
Using social engineering, vulnerability scanning and open-source tools, hackers and pentesters claimed they most commonly mount direct server attacks, break into the target environment in two to 12 hours, exfiltrate the desired data in a similar timeframe, and are rarely detected.
One of the reasons survey participants claim they meet few impenetrable barriers is that they change their attack methodologies regularly, most with every target or at least every six months, in order to learn new, efficient techniques.
One of the report’s conclusions for security program managers is that incorporating realistic, goal-oriented penetration testing and vulnerability scanning is a must for strengthening security countermeasures that have to contend with shifting attack strategies.
The most challenging security countermeasure, according to those surveyed, is endpoint security rather than firewalls and antivirus, while intrusion detection/prevention systems present the best return on investment. Most also said employee education could contribute greatly to preventing cyberattacks.
The report goes on to offer mini-essays on ransomware as a service, organizational incident readiness, resilience, a police chief’s evolving perspective on cybersecurity and the legal issues of post-breach responses. It also reveals that nearly two-thirds of professional penetration testers and hackers express frustration with organizations that stress about how to respond to a breach but do not effectively fix known vulnerabilities.
The hackers go on to posit that remediation of select vulnerabilities only treats the symptom, not the root cause, and that security is a journey, not a destination. Staff training coupled with technology is a must so that organizations can expediently and precisely address an attack, which should be considered imminent. And understanding the real-life threat landscape, rather than acting on attacker stereotypes and security professionals’ incident reports, is the only way to keep up with evolving threats.
The entire Black Report can be requested at Nuix.com.