There are many reports and research findings on threats and breach trends. However, there are few insights into the hackers that carry out attacks. What are their motivations? What are their preferred tactics, techniques, and procedures (TTPs)? Nuix issues an annual report to address some of these questions.
The 2018 Black Report stands out because it provides insight into hackers methods, challenges and recommendations for improving security effectiveness. This post highlights key report findings and shares thoughts on what the data tells us. I highly recommend reading the full report, it’s time well spent.
Before jumping into the findings we need to clarify a couple of points: definition of a hacker and how cyber attacks are carried out. It’s difficult to interview criminal or nation-state actors so Nuix focuses on the next best thing: professional hackers and red team members that perform penetration tests. I highlight this because some of the data doesn’t reflect the malicious intent a criminal or nation-state hacker demonstrates. For example, the motives described exclude monetary gain, political activism and retribution. This doesn’t invalidate the remaining report data because many of the same methods are used by criminal hackers and penetration testers.
For those not acquainted with the sequence of a cyber attack (commonly known as kill chain) below is a summary of the basics. The report indirectly references each phase so understanding the kill chain helps to place the findings into context.
Cyber Kill Chain Phases
- Step #1 Reconnaissance: The hacker works to gather information that can be used to compromise the target – username structure, organization structure, network information, etc. This can be accomplish using social engineering, researching public sources or scanning the target.
- Step #2 Weaponization: The hacker selects a method to exploit the target and creates a malicious payload (e.g., malware).
- Step #3 Delivery: Exploit (e.g., malicious payload) is distributed to the target.
- Step #4 Exploitation: Execution of the exploit is accomplished. Malware is successfully delivered or vulnerability (e.g., weak TLS version, exposed private keys, poor session management) is exploited.
- Step #5 Installation: This involves installing malware on the infected computer, in the event malware is used to conduct the attack.
- Step #6 Command and Control: A command and control channel is created to remotely manage software and exploited devices. The hacker may move laterally throughout the environment to identify targeted assets.
- Step #7 Action on Objectives: The attacker achieves their goal by exfiltrating data, executing ransomware or manipulating data.
What are the key report findings?
The Black Report covers quite a few topics but I’ll focus on some of the key points that help you take action to improve security.
The time required to penetrate an environment and accomplish their goal can be amazingly fast in some cases. When hackers encounter an environment that’s difficult to penetrate, they turn to side channels such as third parties as an entry point. They search for the weakest link. Additionally, compromising a supplier may yield access to multiple targets.
- 71% of respondents can breach the perimeter of a target within 10 hours.
- 54% of the hackers needed another 5 hours to move laterally and locate target data. Time drops to less than 1 hour when penetrating healthcare, hospitality and retail environments. Key observation: businesses in these industries are bound to compliance requirements – HIPAA/HITECH and PCI DSS. This demonstrates that compliance does not equate to effective security.
- 40% of respondents can exfiltrate data in less than hour after it’s located
These numbers represent a penetration tester. On the other hand, malicious hackers are a bit different. Execution of the cyber kill chain (reconnaissance – action on objectives) can take several months and many steps. Additionally, these hackers persist longer within environments (command and control) to accomplish their goal.
The tools used by hackers are increasing in their sophistication because the dark web has become a distribution point for experienced hackers to share their wares. This leads to a decrease in the skills needed to launch a cyber attack and an increase in the potential number of attackers. Will disgruntled employees or customers turn to the dark web for exploit kits or engage hackers-for-hire?
- Open source tools and exploit packs are used by 80% of hackers
- Hackers seek out forum, IRC sites, researchers and social media to learn new TTPs
- 88% of hackers use social engineering during the reconnaissance phase of the attack to obtain organizational information
The techniques attackers use to compromise their targets are described below. Network based attacks and social engineering are preferred over other methods. Phishing is called out separately from social engineering (phishing is a form of social engineering) because the number is significant and should be highlighted. Ransomware attacks are used by 3% of the hackers that responded. This contrasts with what we frequently see in the media. I believe this number is low due to the type of hackers interviewed. Red team testers tend not to place the organization at risk.
- 28% preferred network-based attacks
- 27% prefer social engineering
- 22% prefer phishing
Hackers change their tactics occasionally to increase effectiveness and avoid detection. Many attacks are executed repeatedly but organizations must remain diligent and detect new patterns.
- 41% change their tactics every > 6 months
- 20% change their tactics every 2 – 6 months
- 39% change their tactics < 2 months
Organizations are challenged to identify the presence of hackers and detect their activity. The responses in the Black Report demonstrate this is fact rather than fiction.
- 18% of hackers state organizations detect their activities less than half the time
- 77% of hackers state organizations detect their activities less than 15% of the time
- It takes 87% of hackers 30 minutes or less to cover their tracks
What does the data tell us?
The Black Report covers a lot of ground but what does it tell us about managing risk? In many respects the report confirms our understanding of hacker tactics and techniques. Some of the information such as the cost of hacker tools can be frustrating because organizations spend millions of dollars protecting their environments from hackers using free software – something is wrong with that picture.
My actionable takeaways from the report are highlighted below. Addressing these items requires a clear focus and persistence to proactively identify changes in the threat landscape and develop an appropriate response based on your business risk tolerance.
- Educate your workforce at all levels. Effective security training and awareness goes a long way to protect against social engineering attacks.
- Perform threat management to understand shifts in tactics and techniques. Go to the sites hackers frequent and subscribe to publicly available operational threat feeds (see Threat Intelligence: A Path to Taming Digital Threats). Take notice when new exploit kits become available. Be proactive to understand and mitigate risk.
- Manage the risk of known attacks because they will be used over and over again.
- Focus on detection of hacker activity and understand how they cover their tracks.
- Proactively address third party risk management. It’s demonstrated that hackers look to third parties when their target’s environment is difficult to penetrate.
- Address the basics. The report has more detailed recommendations in the There and Back Again: A Forensicator’s Tale section of the document (see page 46). My take on the basics include:
- Implement effective vulnerability management (includes patching)
- Develop and maintain secure configuration practices
- Deploy multi-factor authentication (it’s not a silver bullet but it helps)
- Build security in the software development life cycle (SDLC) process
- Perform network segregation
- Maintain effective logging and auditing
This post reflects my interpretation of the report findings and how it shapes my approach to managing risk. The takeaways can be different for each reader so I highly recommend a full reading of the report. Nuix puts a lot of thought into the content to raise awareness.