Report: Hackers Take Less than 6 Hours on Average to Compromise Targets

by Chris Burt on Tuesday, February 28 2017


Most hackers can compromise a target in less than six hours, according to a survey of hackers and penetration testers released Tuesday by security awareness training firm KnowBe4. The Black Report was compiled from 70 surveys taken at Black Hat USA and Defcon, and shows that phishing is the preferred method for 40 percent of hackers. A further 43 percent said they sometimes use social engineering, while only 16 percent do not use social engineering at all. Forty percent sometimes use vulnerability scanners, 60 percent use open-source tools, and just over 20 percent use custom tools for hacking.

A majority of those surveyed (53 percent) said they sometimes encounter systems they are unable to crack, while 9 percent say they never do, and 22 percent said they "rarely" encounter such targets. KnowBe4 chief hacking officer Kevin Mitnick performs penetration testing with a separate company (Mitnick Security), with a 100 percent success rate. Mitnick will present the keynote address at the upcoming HostingCon Global 2017 in Los Angeles.

Once they have gained access to a system, one in three penetration testers said their presence was never detected, and only 2 percent say they are detected more than half of the time. Exfiltrating data after a compromise takes less than two hours for 20 percent of respondents, and two to six hours for 29 percent, while 20 percent take longer than 12 hours.

When asked about effective protection against breaches, endpoint protection was named by 36 percent of those surveyed, while 29 percent identified intrusion detection and prevention systems. Only 2 percent consider anti-virus software an obstruction to hacking networks. One-quarter of those surveyed said their advice to corporate boards would be to recognize that it is inevitable that they will be hacked; it is only a question of when it will happen. Roughly the same number urged boards to consider the return on investment in security, while 10 percent said boards should realize that detection capability is much more important than deflection capability. KnowBe4 also commissioned a study from Forrester on the Total Economic Impact of breaches to put numbers to the potential return on investment (ROI) of security spending. The study is available from the KnowBe4 website.

Survey: Most Hackers Break in Within Six Hours

A recent survey of 70 professional hackers and penetration testers found that 60% of them need six hours or less to compromise a target. The research, titled The Black Report, was done at Black Hat USA and Defcon.

Penetration testers try to break into a client organization's network and then advise on how to secure it; that is what KnowBe4's Chief Hacking Officer Kevin Mitnick does through his separate company, Mitnick Security, with a 100% success rate.

When the 70 hackers were queried about how often they encountered systems they could not crack, 9% said this never happened. But 53% said "sometimes", 22% "rarely", and 16% "often" faced this issue.

40% said phishing was their favorite method to get into a system

Asked about the use of social engineering, 43% of the group said they used it "sometimes" to gain access and only 16% did not use it at all, and 40% said phishing was their favorite method to get into a system. No wonder, as hacking a human is by far the easiest way to get into a network.

Asked about vulnerability scanners as a way to find potential entry points, 40% said they used them "sometimes"; 60% said they used open-source tools to hack, and just over 20% used custom tools.

A third of the pen testers said their presence was never detected by the security team at the organization they were testing. Only 2% were detected more than half of the time, while another third were always detected.

After a compromise, exfiltration of data took 20% of them less than two hours, another 29% took anything from two to six hours to get the goods out, while about another 20% took more than 12 hours.

Only 2% of the hackers found anti-virus software an obstruction

Only 2% of the hackers found anti-virus software an obstruction to compromising systems. The biggest hurdle was endpoint security, which 36% found to be an effective countermeasure to their plans; another 29% cited intrusion detection and prevention systems.

Advice for Company Boards: There Is a Return on Investment

When the survey asked what main message they had for the boards of companies that were penetrated, 25% of the hackers said the boards should realize that it was a matter of when, not if, a company was hacked, and about the same percentage stated that boards should realize that there was a return on investment for security and it was not a waste of time or money. To add to that, 10% said boards should be aware that the ability to detect an attack was much more important than being able to deflect one.

KnowBe4 recently commissioned Forrester to conduct a Total Economic Impact™ (TEI) study, examining the potential Return on Investment (ROI) enterprises might realize by implementing the KnowBe4 Security Awareness Training and Simulated Phishing Platform.

Whitepaper Download: Forrester Total Economic Impact Study

The research paper assesses the performance of the KnowBe4 Platform. How does 127% ROI with a one-month payback sound?

At the end of the study, you will have a framework to evaluate the ROI of the KnowBe4 Platform on your organization, and how you can leverage your end-users as your last line of defense using KnowBe4.

The value of KnowBe4 goes beyond ROI. Download the study here: https://info.knowbe4.com/whitepaper-forrester-tei

January 2017 Data Breach Report

You may have heard of Piper Jaffray & Co. Since 1895, they have been active in the stock markets, based out of Minneapolis. They are a thoroughly modern company though, and two of their research analysts - Nowinsky and Boyce - are keeping track of data breaches. The picture has thunderclouds with some silver lining.

"We conducted our monthly analysis of breaches reported in the month of January. There were 92 breaches reported in the month of January, which was up 48% y/y. The month of January also had the highest number of breaches since May of 2016, when there were 106. The three largest breaches all occurred within the Medical/Healthcare sector.

"For the full year 2016, there were 1,011 total breaches, up 30.3% from 2015. There were 1.54B records exposed in 2016, up from just 163.5M in 2015. However, excluding the two Yahoo breaches, there would have only been 35.8M records exposed, which is down 78% from the 2015 level. While the total number of breaches in 2016 was up 30%, the total number records exposed (excluding Yahoo) was down 78%."

How Do Breaches Correlate With Sales of Security Companies?

They calculated a 61.8% correlation between breach activity and revenue growth within the security industry. Their correlation calculation assumes a one-quarter lag between breach activity and revenue growth, meaning revenue growth tends to trend higher following an increase in breach activity. They also noted an acceleration in breach growth to 35% in 4Q16, suggesting 1Q17 vendor revenue growth could be better than normal seasonality. Learn more at piperjaffray.com.

Security Awareness Training to Explode in Next 10 Years

Tara Seals at Infosecurity Magazine reported: "Security awareness training is the most underspent sector of the cybersecurity market, but it’s poised to become a multi-billion-dollar industry in 2017.

That’s according to a report from Cybersecurity Ventures, which also said that the market will top $10 billion by 2027.

According to Steve Morgan, founder and editor-in-chief at Cybersecurity Ventures, Fortune 500 and Global 2000 corporations will consider security awareness training as fundamental to their cyber-defense strategies by 2021, with small businesses following shortly thereafter.

Organizations of every size are starting to recognize that inside threats are as significant as outside threats, the research postulates, and users will be a crucial part of any organization’s information security program. So, training those users to recognize the overtures of malicious actors will be critical to hardening the “people layer,” also known as the last line of defense against cyberattacks.

Awareness training that combines interactive training in the browser with frequent simulated phishing attacks straight into the user’s email inbox has “proven to be very effective in creating a human firewall, a company’s last line of defense,” said Stu Sjouwerman, CEO of report sponsor KnowBe4.

“New-school security awareness training has by far the best ROI of any security layer. Users see phish-prone percentages go from an average of 15 to 20% down to 1% or 2% after a year.” Full article: https://www.infosecurity-magazine.com/news/security-awareness-training-to/

Don’t Miss the March Live Demo: New-School Security Awareness Training

Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, March 8, 2017, at 2:00 p.m. (EST) for a 30-minute live product demonstration of KnowBe4's game-changing Security Awareness Training Platform to see the latest features and how easy it is to train and phish your users:

  • NEW Social Engineering Indicators patent-pending technology turns every simulated phishing email into a tool IT can use to instantly train employees.
  • NEW Access to the world's largest library of awareness training content through our innovative Module Store.
  • Send simulated phishing tests to your users during specified business hours, with "Reply-to Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Active Directory Integration allows you to easily upload, sync and manage users: set it and forget it.
  • Reporting to watch your Phish-prone percentage drop, with great ROI.
  • Find out how 8,000+ organizations have mobilized their end-users as their last line of defense.

Register Now: https://attendee.gotowebinar.com/register/3367146988510458370

KnowBe4's Chief Hacking Officer Kevin Mitnick Interviewed by WSJ

Kevin Mitnick, who spent time on the FBI's Most Wanted List for hacking 40 corporations in the 1990s, discusses his new book, "The Art of Invisibility," on Lunch Break with Tanya Rivero. He also explains why hackers breach data with relative ease, and why we should never link our devices: http://www.wsj.com/video/former-convicted-hacker-on-how-to-protect-your-data/165951D3-CEDF-4752-BF16-A9B9D19F7E4C.html

Phishing Attack Uses Stuxnet Technology and Makes PCs Into Room Bugs

Researchers have uncovered an advanced malware-based operation that siphoned more than 600 gigabytes from about 70 targets in a broad range of industries, including news media, and scientific research.

The operation uses malware to capture audio recordings of conversations, screen shots, documents, and passwords, according to a blog post published last week by security firm CyberX. Targets are initially infected using malicious Microsoft Word documents sent in phishing e-mails.

Once compromised, infected machines upload the pilfered audio and data to Dropbox, where it's retrieved by the attackers. The researchers have dubbed the campaign Operation BugDrop because of its use of PC microphones to bug targets and send the audio and other data to Dropbox.

To become infected, targets had to open the malicious Word document attached to the phishing e-mail and enable macros, which Office disables by default. To increase the chance targets would change this default setting, the Word document included a graphic that looked like an official Microsoft notification.

It read: "Attention! The file was created in a newer version of Microsoft Office programs. You must enable macros to correctly display the contents of a document."
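A check worth making on the gateway side, as an added example that is not from the CyberX report or the Ars Technica story: the attachment's bytes say whether it carries a VBA project, whatever extension the attacker chose and whatever graphic sits inside the document. The two samples below are constructed stubs of a macro-enabled and a plain OOXML Word file, and the function names and the quarantine policy are this example's own.

```python
import io
import zipfile

# Constructed samples, not files from the BugDrop campaign. An OOXML document is
# a zip archive; a macro-enabled one carries a VBA project part and declares a
# "macroEnabled" main content type in [Content_Types].xml.
CONTENT_TYPES_DOCM = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
    '</Types>'
)
CONTENT_TYPES_DOCX = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt


def build_sample(macro_enabled: bool) -> bytes:
    """Return a minimal OOXML Word file, with or without a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   CONTENT_TYPES_DOCM if macro_enabled else CONTENT_TYPES_DOCX)
        z.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # A real vbaProject.bin is an OLE2 container holding the VBA streams;
            # a stub is enough here because the check is on presence, not content.
            z.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def macro_indicators(data: bytes) -> dict:
    """Inspect attachment bytes, not the file extension, for macro indicators."""
    result = {"format": "unknown", "vba_project": False, "macro_content_type": False}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats are not zips: they need an OLE parser (for
        # example oletools' olevba) to enumerate VBA streams. Route for review.
        result["format"] = "ole2"
        return result
    if not data.startswith(b"PK"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            result["format"] = "ooxml"
            result["vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            if "[Content_Types].xml" in names:
                ct = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
                result["macro_content_type"] = "macroenabled" in ct or "vbaproject" in ct
    except zipfile.BadZipFile:
        pass
    return result


def should_quarantine(data: bytes) -> bool:
    """Gateway policy (example's own): hold any inbound OOXML file with a VBA project."""
    ind = macro_indicators(data)
    return ind["vba_project"] or ind["macro_content_type"]


if __name__ == "__main__":
    for label, sample in (("docm", build_sample(True)), ("docx", build_sample(False))):
        verdict = "quarantine" if should_quarantine(sample) else "deliver"
        print(label, macro_indicators(sample), verdict)
```

The point of checking both the VBA part and the declared content type is that either one alone is enough for Word to run macros once the user clicks through, and the legacy OLE2 branch is deliberately a "look closer" result rather than a pass: a binary .doc can hide the same lure and needs a real OLE parser.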

CyberX researchers stopped short of identifying a specific country involved (Russia) but said Operation BugDrop was almost surely the work of a government with nearly limitless resources.

"Skilled hackers with substantial financial resources carried out Operation BugDrop," they wrote. "Given the amount of data analysis that needed to be done on [a] daily basis, we believe BugDrop was heavily staffed. Given the sophistication of the code and how well the operation was executed, we have concluded that those carrying it out have previous field experience."

Some examples of the way Operation BugDrop is very sophisticated include:

  • Dropbox for data exfiltration. Organizations typically don't prevent end users from accessing Dropbox and often don't monitor connections. That helped the surveillance operation to remain stealthy.
  • Reflective DLL Injection, a malware injection technique that was also employed by the BlackEnergy malware used in the Ukrainian power grid attacks and by Duqu, a close relative of Stuxnet. Reflective DLL Injection maps a DLL into a process from a memory buffer and resolves its imports itself, without going through the Windows loader (LoadLibrary), so the DLL never has to touch disk and does not show up in the process's normal module list.
  • Encrypted DLLs that avoid detection by common anti-virus and sandboxing systems.
  • The use of legitimate free Web hosting sites for command-and-control infrastructure. The hosting sites required little or no registration information, making it hard for researchers to learn much about the attackers.
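On the first bullet, the blind spot is that Dropbox traffic is normal and unmonitored. As an added example that is not from the CyberX write-up, here is the kind of sweep over proxy logs that separates an implant flushing a capture buffer from a person syncing files: total bytes uploaded to file-sharing domains per client, and whether the uploads arrive on a near-constant timer. The log format, the client names, the thresholds and the domain list are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log excerpt (not CyberX data): UTC time, client, method,
# destination host, bytes the client sent in the request body.
SAMPLE_LOG = """\
2017-02-20T09:00:12Z ws-017 POST content.dropboxapi.com 4200000
2017-02-20T09:15:44Z ws-017 POST content.dropboxapi.com 3900000
2017-02-20T09:30:07Z ws-017 POST content.dropboxapi.com 4100000
2017-02-20T09:31:11Z ws-042 GET www.dropbox.com 820
2017-02-20T09:44:59Z ws-017 POST content.dropboxapi.com 4300000
2017-02-20T10:02:30Z ws-042 POST content.dropboxapi.com 150000
2017-02-20T10:05:02Z ws-103 GET www.example.org 2300
"""

# Domains a Dropbox client talks to (assumed list); extend with any other
# file-sharing service the environment does not officially use.
FILE_SHARING_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, sent = m.groups()
        yield {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "method": method.upper(),
            "host": host.lower(),
            "bytes": int(sent),
        }


def is_file_sharing(host):
    # Exact match or a real subdomain; "dropbox.com.evil.example" must not match.
    return any(host == d or host.endswith("." + d) for d in FILE_SHARING_DOMAINS)


def find_exfil(text, byte_threshold=10_000_000, min_uploads=3, jitter_seconds=120):
    """Flag clients that push a lot of data, or push it on a regular schedule,
    to file-sharing services. Returns {client: summary}."""
    uploads = defaultdict(list)
    for rec in parse_log(text):
        if rec["method"] in ("POST", "PUT") and is_file_sharing(rec["host"]):
            uploads[rec["client"]].append((rec["ts"], rec["bytes"]))

    alerts = {}
    for client, events in uploads.items():
        events.sort()
        total = sum(b for _, b in events)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        # A near-constant gap between uploads is a beacon pattern: an implant
        # emptying its capture buffer on a timer, not a person saving files.
        periodic = len(gaps) >= 2 and (max(gaps) - min(gaps)) <= jitter_seconds
        if total >= byte_threshold or (len(events) >= min_uploads and periodic):
            alerts[client] = {"bytes_up": total, "uploads": len(events),
                              "periodic": periodic}
    return alerts


if __name__ == "__main__":
    for client, info in find_exfil(SAMPLE_LOG).items():
        print(f"ALERT {client}: {info}")
```

In the constructed log, ws-017 trips both rules (16.5 MB in four uploads, roughly fifteen minutes apart) while ws-042's single small upload does not. The volume threshold catches a one-off bulk dump; the periodicity rule is what catches the low-and-slow variant that stays under any daily byte budget.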

An employee who has been stepped through new-school security awareness training would not have made an obvious error like that. Full story at Ars Technica: https://arstechnica.com/security/2017/02/hackers-who-took-control-of-pc-microphones-siphon-600-gb-from-70-targets/

5 (No, 22) Ways to Spot a Phishing Email

Think you're clever enough to recognize a phishing attempt? Think again. Cybercriminals are getting smarter and their phishing skills are getting better, but we've put together this list of clues to help you avoid a costly error. Article at CSO, pointing to a bunch of things we have been saying here the last few years: http://www.csoonline.com/article/3172711/security/5-ways-to-spot-a-phishing-email.html

As a matter of fact, here is a unique job-aid: Social Engineering Red Flags™ with 22 things to watch out for. It's a free PDF and you can print it out for all employees to pin on their wall: https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/SocialEngineeringRedFlags.pdf
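Several of those red flags can be checked mechanically before the mail ever reaches a person. As an added example, ours rather than the CSO article's or the Red Flags PDF's, the script below looks for a display name that borrows the organization's name on a lookalike sender domain, a Reply-To that points somewhere else, urgency wording, and a link whose visible text names a different site from its href. The organization domain, the phrase list and both messages are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"          # assumption: the defended organization's domain
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended",
                   "verify your account")

# Constructed lure (not a real message): lookalike sender domain, mismatched
# Reply-To, urgency in the subject, and a link whose text is not where it goes.
SAMPLE_EML = """\
From: "Example IT Helpdesk" <helpdesk@examp1e-support.net>
Reply-To: recover@mail-recovery.top
To: alice@example.com
Subject: URGENT: your mailbox will be suspended within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Verify your account immediately or it will be suspended.</p>
<p><a href="http://examp1e-support.net/login">https://portal.example.com/login</a></p>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN_EML = """\
From: "Bob Builder" <bob@example.com>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Noon at the usual place works for me.
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def red_flags(raw_message):
    """Return human-readable red flags found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    # Display name borrows the org's name while the address is on another domain.
    if (ORG_DOMAIN.split(".")[0] in name.lower()
            and from_domain != ORG_DOMAIN
            and not from_domain.endswith("." + ORG_DOMAIN)):
        flags.append(f"display name '{name}' but sender domain is {from_domain}")

    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_domain:
        flags.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    if body is not None and body.get_content_type() == "text/html":
        parser = _AnchorCollector()
        parser.feed(text)
        for href, shown in parser.links:
            target = urlparse(href).hostname or ""
            shown_host = urlparse(shown).hostname if "://" in shown else None
            if shown_host and shown_host.lower() != target.lower():
                flags.append(f"link text shows {shown_host} but points to {target}")
    return flags


if __name__ == "__main__":
    for label, eml in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, red_flags(eml) or ["no red flags"])
```

The link check is the one users most reliably miss on a phone, where the href is not visible on hover; it is also the one a mail filter can decide with no judgement call at all, which is why it belongs in code and not only on the wall poster.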

iPhone Robbers Try to iPhish Victims

Brian Krebs warned: "In another strange tale from the kinetic-attack-meets-cyberattack department, earlier this week I heard from a loyal reader in Brazil whose wife was recently mugged by three robbers who nabbed her iPhone. Not long after the husband texted the stolen phone -- offering to buy back the locked device -- he soon began receiving text messages stating the phone had been found. All he had to do to begin the process of retrieving the device was click the texted link and log in to the phishing page mimicking Apple's site." More: https://krebsonsecurity.com/2017/02/iphone-robbers-try-to-iphish-victims/