id="info"

Security

9 days: Black-hat hackers' threshold in untargeted attacks

When hackers deem their efforts in untargeted attacks such as credit card database breaches aren't profitable, they give up within nine days, according to a new study.

Image: iStock/nukleerkedi

Black-hat hackers will stand down if you can delay them for nine days, according to security firm Palo Alto Networks.

That's from a survey of 304 people in the US, the UK, and Germany who said they're knowledgeable about penetration testing. Palo Alto, which is based in Santa Clara, Calif., commissioned the study.

"What we wanted to do here is provide some insight into the threat landscape that hadn't been covered," Palo Alto spokesman Scott Simkin said. "At the end of the day, you have to think about what motivates a person to do what they're doing."

"Essentially 70 percent of them are in it for the money," Simkin said. "There's probably an element of other human motivations that play into this, that we don't have the empirical data to back up."

SEE: Hackers' modus operandi: 5 insights that may help identify emerging threats

Survey respondents said virtually no hacker would continue an untargeted attack after 209 hours (8.7 days). They also said 60% of attackers stop trying after 40 hours; 36% stop trying after 20 hours; 24% stop trying after 10 hours; and 13% stop trying after five hours.

What about targeted attacks?

Bruce Schneier, a well-known security expert and CTO of Cambridge, Mass.-based incident response specialist Resilient Systems, said Palo Alto's findings are reasonable for untargeted attacks such as a hacker who seeks a database of credit card numbers — those could be obtained somewhere else if the first victim's defenses are a hassle.

"On the other hand, consider a targeted attack," Schneier continued. "Here, the attacker is going after a particular victim because of their politics, or some other personal reason. In this case, there's limited shifting. If the hacker group Anonymous wants to get inside Hacking Team because they are a cyber-weapons arms manufacturer, then it doesn't matter how much better or worse Hacking Team's security is relative to the rest of the industry. What matters more is their absolute security."

Schneier added: "This isn't to say that raising the cost of attack in this case is useless. Everyone, from the NSA and China to lone cybercriminals, have a 'budget' of time and money and expertise, and they can only spend it one way. ... What you can do is to make it harder for them, and hopefully hard enough that you fall off their priorities list."

How will the economics of attacks change?

It's unknown how the findings may change as black-hat hackers acquire additional automated tools, while white-hat security methods also improve. Simkin acknowledged there is no easy answer, and said his company will consider making a follow-up survey to determine the situation in countries with lesser economies.

Read Palo Alto's full report: Flipping the Economics of Attacks.

Also see

About

Evan Koblentz began covering enterprise IT during the dot-com boom times of the late 1990s. He recently published a book, "Abacus to smartphone: The evolution of mobile and portable computers".

Editor's Picks