Story image

All in a day's work: Why hackers hack and how they do it

12 Apr 2018

It can take hackers less than an hour to steal data from an organisation, and most of the time their targets don’t even detect the attacks.

It’s all in a day’s work for professional hackers, who say that the reality of cybersecurity is much different to what some organisations believe.

Nuix’s Black Report polled professional hackers, penetration testers, and incident responders from 13 countries.

Most hackers can breach a target system, find and exfiltrate data in just 15 hours, while 33% can do the task in five hours, and 40% can do it in less than an hour.

93% say organisations don’t detect their attacks more than half the time – unsurprising considering 70% believe security professionals don’t even know what they’re looking for when they’re trying to detect attacks.

“The Black Report reveals a huge gap between perception and reality in cybersecurity—you might think you’re well protected but the people whose job it is to break in and steal your data think otherwise,” says Nuix’s head of services, security and partner integration, Chris Pogue.

88% of hackers use social engineering tactics like phishing to get information about targets before they conduct their attacks, suggesting that security training for employees at every level in an organisation is critical.

“Most organisations invest heavily in perimeter defences such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass. If hackers can steal your data within a day but you only find out it happened months later, you’re well on the way to becoming the next big news story,” Pogue adds.

Who are those hackers? 57% work for medium, large or enterprise businesses. When asked if they had accessed their employer’s critical data for personal gain or for unnecessary purposes, only 14% said yes.

“For every 1,000 employees your organisation has, 140 of them are accessing your CVD for their own purposes beyond that which their job requires,” the report says.

Hackers are also smart: Three quarters have graduated from college and 32% have postgraduate degrees. 6% say that formal education is for ‘suckers’.

Most respondents (86%) say they hack to learn, 35 ‘hack for the lulz’, 21% hack for financial gain, and 6% hack for social or political motives.

The hackers say that they use the same attack techniques for a year or more – despite common perceptions that attacks are becoming more sophisticated.

“Hackers can keep using the same attack techniques because they still work—if it ain’t broke, don’t fix it,” Pogue explains.

“Again and again in the media, data breach victims claim they suffered unprecedented and highly sophisticated cyberattacks but the reality turns out to be that someone didn’t do their job properly. In the recent Equifax case, it was simply an older system that hadn’t been patched.”

But hackers are keeping an eye on what’s happening in the wider security space – 48% spend between 1-5 hours keeping up with security news, trends, and technologies. 16% spend more than 10 hours doing the same activities.

“If cybersecurity is an arms race and knowledge is a weapon, are security specialists and incident responders spending as much time researching how to get better at their craft? Based on the data in this report, specifically the time it takes to compromise a target and how rarely our respondents were detected, it seems likely they are not,” the report says.

78% of respondents believe that data hygiene is an important part of cybersecurity.

Pogue says that organisations are misdirecting their security strategies because they aren’t including people who know how to hack.

“When organisations develop their cybersecurity strategies, they may have IT, legal, risk, and human resources teams at the table but the one person they never invite is the bad guy,” Pogue concludes.

The survey polled respondents from Australia, Brazil, the Dominican Republic, Dubai, England, France, Germany, Ireland, Mexico, New Zealand, North America, the Philippines, Singapore, and South Korea.

Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.
Red Box gains compliance boost with new partnership
By partnering with Global Relay, voice platform provider Red Box is improving the security of its offerings for high-value and risk voice data.