Over half of hackers need under five hours to collect data, report finds

Over 64% of hackers need just under five hours to collect and potentially exfiltrate data, Bishop Fox and SANS found in their survey of over 300 ethical hackers.

Hacking is here to stay, with organizations opting for ethical hackers to safeguard their premises while threat actors are on the hunt for valuable data. But even more so, ethical hackers can provide valuable insights into the overall posture of cybersecurity worldwide.

The survey found that upon discovering an exposure (and most respondents were unable to estimate how much time that would take), it’s only a matter of five hours or less to exploit it and enter the environment.

But what puts companies at the most risk? According to surveyed hackers, the pace of application development/deployment and third-party connections are the top two factors for vulnerability exposure.

From the attack surface perspective, vulnerable configurations and software, as well as exposed web services and sensitive information, were the most commonly exploitable perimeter exposures recorded.

Surprisingly, ethical hackers dealing with cloud environments were almost evenly split: 42.5% said they find improperly configured or insecure public cloud/IaaS assets less than half the time, while 41.4% said they find them more often than not.

“These stats support an unfortunate truth that, as we see in previous figures, organizations develop and deploy applications that expose vulnerabilities, insecurities, and improper configurations for adversaries to take advantage of,” the report explains.

Upon gaining access, it usually takes a hacker 3-5 hours (in 36.3% of cases) to escalate privileges and/or move laterally among targets within a network, with the majority of respondents also requiring under five hours. These findings are important for security teams, which need to be able to swiftly identify and respond to an attack.

Following this, 64% of ethical hackers are able to collect and potentially exfiltrate data in under five hours, with 24.6% needing only 1-2 hours to do so.

“As adversaries get further along in their attacks, they often either gain speed advantages due to lack of detection or become so familiar with the environment that exfiltration is simply another step in an already-established infrastructure,” Bishop Fox suggests.

On average, it takes an ethical hacker under 25 hours to complete an attack (including gaining initial access, gaining access to targets, and potentially exfiltrating data), with answers being evenly spread out between 5–10 hours, 16–20 hours, 21–25 hours, and over 25 hours.

If the threat actors’ preferred attack method falls through, only 38% of respondents can successfully pivot to a new method more than half the time. Although the results showcase that it heavily depends on the experience of a hacker, many attackers can pivot to a new method less than half the time.

Unsurprisingly, the most successful attack vector turned out to be social engineering, followed by phishing and web application attacks. This has been confirmed through many breaches, including the recent Uber hack, where the initial compromise vector appeared to be a phishing attack.

Finally, almost three-quarters of respondents answered that companies, on average, have either a few or some detection and response capabilities. We can only expect that threat actors know that, too, effectively exploiting organizations’ inability to deal with an attack. Further responses indicate that most companies are ill-equipped when it comes to detecting, responding to, and preventing a wide range of attacks, such as application-specific and cloud-specific ones.