All in a day's work: Why hackers hack and how they do it
It can take hackers less than an hour to steal data from an organisation, and most of the time their targets don't even detect the attacks.
It's all in a day's work for professional hackers, who say that the reality of cybersecurity is much different to what some organisations believe.
Nuix's Black Report polled professional hackers, penetration testers, and incident responders from 13 countries.
Most hackers can breach a target system, find and exfiltrate data in just 15 hours, while 33% can do the task in five hours, and 40% can do it in less than an hour.
93% say organisations don't detect their attacks more than half the time – unsurprising considering 70% believe security professionals don't even know what they're looking for when they're trying to detect attacks.
“The Black Report reveals a huge gap between perception and reality in cybersecurity—you might think you're well protected but the people whose job it is to break in and steal your data think otherwise,” says Nuix's head of services, security and partner integration, Chris Pogue.
88% of hackers use social engineering tactics like phishing to get information about targets before they conduct their attacks, suggesting that security training for employees at every level in an organisation is critical.
“Most organisations invest heavily in perimeter defences such as firewalls and antivirus, and these are mandatory in many compliance regimes, but most of the hackers we surveyed found these countermeasures trivially easy to bypass. If hackers can steal your data within a day but you only find out it happened months later, you're well on the way to becoming the next big news story,” Pogue adds.
Who are those hackers? 57% work for medium, large or enterprise businesses. When asked if they had accessed their employer's critical data for personal gain or for unnecessary purposes, only 14% said yes.
“For every 1,000 employees your organisation has, 140 of them are accessing your CVD for their own purposes beyond that which their job requires,” the report says. Hackers are also smart: Three quarters have graduated from college and 32% have postgraduate degrees. 6% say that formal education is for ‘suckers'.
Most respondents (86%) say they hack to learn, 35 ‘hack for the lulz', 21% hack for financial gain, and 6% hack for social or political motives.
The hackers say that they use the same attack techniques for a year or more – despite common perceptions that attacks are becoming more sophisticated.
“Hackers can keep using the same attack techniques because they still work—if it ain't broke, don't fix it,” Pogue explains.
“Again and again in the media, data breach victims claim they suffered unprecedented and highly sophisticated cyberattacks but the reality turns out to be that someone didn't do their job properly. In the recent Equifax case, it was simply an older system that hadn't been patched.
But hackers are keeping an eye on what's happening in the wider security space – 48% spend between 1-5 hours keeping up with security news, trends, and technologies. 16% spend more than 10 hours doing the same activities.
“If cybersecurity is an arms race and knowledge is a weapon, are security specialists and incident responders spending as much time researching how to get better at their craft? Based on the data in this report, specifically the time it takes to compromise a target and how rarely our respondents were detected, it seems likely they are not,” the report says.
78% of respondents believe that data hygiene is an important part of cybersecurity.
Pogue says that organisations are misdirecting their security strategies because they aren't including people who know how to hack.
“When organisations develop their cybersecurity strategies, they may have IT, legal, risk, and human resources teams at the table but the one person they never invite is the bad guy,” Pogue concludes.
The survey polled respondents from Australia, Brazil, the Dominican Republic, Dubai, England, France, Germany, Ireland, Mexico, New Zealand, North America, the Philippines, Singapore, and South Korea.