Behind the Scenes, New Insights from SANS Hacker Survey

As 2022 quickly comes to an end, reviewing how security strategies succeeded or failed throughout the year becomes a top priority. For many security teams, making improvements in 2023 will be based on successful defensive techniques or conversely types of vulnerabilities that jeopardized assets. However, analysis of past events from a defensive view isn't enough anymore. Pivoting to analyze through an attacker’s lens can lead to vast, more proactive security improvements - but it's not always easy to get access to these sorts of insights.

You are in luck! On Oct. 26, we hosted a webcast, Hacker Insights Revealed: New SANS Survey Results, to explore the findings from a survey conducted with over 300 ethical hackers aimed at dissecting an adversary’s mind. In this blog, we'll share highlights from our webcast featuring Matt Bromiley, Certified Instructor at SANS Institute and Tom Eston, AVP of Consulting at Bishop Fox. We hope that the survey results prompt organizations to evaluate their security posture from a hacker’s perspective and assess attributes that make them a valuable target along with the types of data they hold that threat actors want access to.

Look here to access the full SANS report with complete survey results.

Origins of the Survey

Before we dive into the survey results, let’s explore why we invested time to conduct this groundbreaking survey. Defenders commonly (and appropriately) think about security controls in terms of malware types, specific threat actors, and tracking indicators of compromise - to name a few examples. However, this is only one side of the cybersecurity equation and doesn't consider the attacker’s perspective. Exactly what we wanted to capture! While we can’t get directly into the minds of the attackers themselves, we leaned into the next best thing – the ethical hacker community.

“How did you pick me as a target? I don’t think we can legitimately have that conversation with many Black Hat hackers in the world. So, we thought let’s ask another form of adversary – those that must think like the Black Hats.” – Matt Bromiley, Certified Instructor at SANS Institute

The Modern Threat Landscape

Protecting today’s enterprises from cyber threats is not an easy feat by any stretch of the imagination. Being a Blue Team defender certainly wasn’t easy five years ago, and it only continues to become an increasingly complex profession. The COVID-19 pandemic, in particular, continues to influence the tactics, techniques, and procedures (TTPs) that threat actors use to conduct attacks and how defenders must frequently change trajectories to keep up.

With this in mind, a few of the biggest threats we continue to face are:

• Hybrid cloud environments. Due to the increase in remote work, threats to cloud security have resoundingly increased.
• Remote/disparate workforces. Traditional cyberattacks are on the rise as the workforce remains disparate. Online phishing attacks that use ‘work from home’ topics to lure victims and vishing (attacks performed over the phone) are two tactics that are giving hackers a leg up in remote workforce scenarios.
  
  

Notable Survey Results

Now let’s get to the good stuff – survey results!

To kick things off, an astounding 37% of respondents report being able to break into an environment more often than not, if not always. While Bishop Fox usually operates under time constraints and rules of engagement during pen tests, consultants frequently find entry vectors, emphasizing these results and demonstrating that a few roadblocks are not a major deterrent. Unlike pen testers, hackers have the luxury of time, likely providing an even stronger advantage when attempting to infiltrate attack surfaces.

Once survey respondents have successfully hacked into an environment, 64% report that only five hours or less are needed to reach the data exfiltration stage of an operation. Exfiltration can take many different forms, like screenshots of personal data, which is common in pen testing. However, attackers have a tougher job because they must consider detection and monitoring controls to avoid getting caught. They are often attempting to steal databases or sensitive information to sell or use in extortion campaigns. The results of this survey question prove that once hackers are in the environment, the chances of damage are high for victims. 

As we mentioned earlier, traditional attack vectors like phishing are still heavily utilized by threat actors. Survey results solidified this notion – social engineering and phishing accounted for nearly half of all attack vectors. The human element is always the weakest link and continues to be a reliable exploitation avenue. Balancing human behaviors with security controls is a constant struggle for defenders – it just takes one person to make the dominoes start falling at a rapid pace. In the chart below, see the full range of attack vectors covered by the survey. 
 

Figure 1- Attack Vectors with Greatest ROI

Without looking at the people behind the hacking, the survey results wouldn’t be nearly as impactful. So, we pivoted to find out what types of ethical hacking participants specialized in and how that influenced their success (or not). One might assume that more years of hacking experience results in higher success rates, but this is not necessarily true based on respondents' answers. While ethical hackers with 15+ years of experience and niche specializations certainly top the list of successful exploits, we also found that this is not the vast majority. In other words, years of experience does not necessarily equate to increased success rates.

We discovered that a hacker’s specialization becomes an important barometer for speed of entry. Application pen testers, network security, and internal pen testers tend to be faster than other types of hackers.

In pen testing, specialized skill sets and experience are important for not only breaking into environments, but also for teaching clients how to be better at defending forward. Deep knowledge and expertise are irreplaceable when shared with clients to improve security. The best pen testers are good at a bit of everything.

Breaking Down the Attack Cycle

Next, we wanted to understand how ethical attackers approach different stages of the attack lifecycle. We broke it out into the following four phases to tune into the operational speed of cyberattacks.

• Discover an exploitable exposure: How long on average does it take to discover an exploitable exposure that enables access to the targeted environment?
• Gain access to the target: Once an exploitable exposure is discovered, how long does it take to get in?

• Acquire the target: Once in the network, how long does it take to move laterally?
• Exfiltrate data: After gaining access to target data and systems, how long does exfiltration take?

The majority of surveyed hackers reported that only ten hours or less is needed to find an exploitable exposure. To up the ante, 16% only needed two hours or less. Defenders should take note of how quickly attackers can find a way to break the attack surface to find a foothold in the attack surface.

You are probably wondering what types of exploitable exposures the surveyed hackers find; there was no shortage of options for the attackers. Exploitable exposures found most often included: Vulnerable configurations, vulnerable software, web services, sensitive data, and access control weaknesses. If you are a defender, we recommend checking to see how these align with your current risk assessment strategy. 

Figure 2 - Types of Exploitable Exposures Found

More often than not, a vulnerable configuration provides the ‘keys to the kingdom’ during pen testing engagements especially with cloud configurations and application security. Misconfiguration in these types of environments are open doors for attackers.

Once the adversary is in your network the situation is instantly more urgent – the clock is ticking to prevent attackers from stealing data and inflicting damage. The survey results spotlighted that once access to target data and systems is acquired, hackers need very little time to collect and exfiltrate data. A whopping 63% were able to collect and potentially exfiltrate data in five hours or less. This goes to show that once attackers are in your network, they move quickly to reach the end game.

The results from this segment of the survey should pique defenders' interest and lead to increased participation during pen test engagements. We hope defenders are encouraged to ask pen testers how long their approaches took and focus on augmenting security controls to increase detection times. If your pen testers’ techniques aren’t being detected, it is a good time to step in and ask more questions to get to the root cause of weak defense vectors. Be proactive and set goals to increase detection times for future pen testing engagements; this will help you know how fast your defenders will be at detecting the real adversaries when they strike.

Level Up Your Approach to Offensive Security

On average, 74% of ethical hackers reported that 50% or less of targeted organizations have adequate detection and response capabilities that can identify and stop an attack before target data and systems are accessed.

Defenders often prepare for attack scenarios by analyzing risk scores and threat intelligence instead of the way that attackers see their targets. We want to help change this:

• Assess your approach to offensive security and raise the stakes for your security defenses.
• Use offensive practices to your advantage and layer it on top of your existing defenses.
• Explore different types of offensive security services to fit your needs.
• If pen testing isn’t quite the right fit, ask about Purple Team engagements and dive into a more collaborative offensive scenario. The cooperative nature of Purple Team engagements is invaluable for some organizations as a break from traditional pen testing which tends to be stealthier.

We challenge defenders to consider how an attacker views an organization from an attack surface perspective. Knowing how you appear in an attacker’s eyes is a vital way to defend forward for your organization in the future. To see all of the survey results, download the 2022 SANS Survey Report, Inside the Minds and Methods of Modern Adversaries.