Last month cybersecurity firm Nuix released The Black Report, a white paper that contains specific tactics used by hackers, cybersecurity experts, and CISO and CSOs to attack and defend systems. The report, dissected extensively by ZDNet, found that some widely used defensive tactics are unreliable and that 60% of hackers are able to infiltrate targets within 12 hours. An additional 81% were able to identify and exfiltrate sensitive data in 24 hours. The research also found that it can take days, weeks, and sometimes months for organizations to detect a discreet intrusion. The current average response time is between 250 and 300 days.

The report was created to highlight the magnitude of modern cyber attacks. “When we decided to write our own threat report we looked at as many other reports as we could,” said Nuix’s CISO Chris Pogue, “and tried to identify the commonalities that made them look and feel so similar. What we found was that most were limited by the client base of the publishing organization, and all of them looked at the threat landscape from one specific perspective, that of the victim. While this information is useful, it only provides one facet of a multi-dimensional issue. We saw this as an opportunity to provide the market with a different perspective–that of the attacker.”

SEE: How risk analytics can help your organization plug security holes (Tech Pro Research)

The hacker perspective is critically important, agreed Nuix’s Principal Security Consultant of Advanced Threats and Countermeasures Thomas McCarthy. “It very much is a cat and mouse game where the attacks try to stay one step ahead,” he said.

Pogue and McCarthy spoke with TechRepublic about the The Black Report, effective cybersecurity countermeasures, and the tools hackers use to exploit systems.

What are the key takeaways of The Black Report?

The key takeaways are:

  • An amazing 69% of attackers report that they are almost never caught by security teams during their testing. This staggering number is the result of several key failures.
  • The inability [of organizations] to see certain types of attacks. This is due mainly to the failure of security vendors to perform threat modeling and fully understand the stages of an attack–from reconnaissance to final exfiltration.
  • [Organizations are challenged by] a lack of experienced staff tasked with monitoring alerts. In many breaches we have investigated, the security detection technologies properly identified the attack but the human beings whose job it was to act on those alerts failed to recognize them and take action.
  • Most security vendors do not continually analyze attack patterns. Because attack patterns change regularly, [vendors] don’t adequately understand the dynamic threat landscape. Meanwhile, attackers regularly identify and use new vulnerabilities, exploits, and malware variants.
  • For security vendors to remain on the bleeding edge of threat detection, they need to research and analyze attack patterns regularly. Nuix does these things every day, thereby enhancing our detection and investigative capabilities. Nuix also conducts regular attack detection and fine tuning exercises to make sure our customers are getting the most out of our products and enabling their security teams to constantly improve their response capabilities. It is only through this marriage of people and technology that companies can hope to defend what is most valuable to them–their data!
  • 50% of attackers change their methodologies with every target. Many security technologies base their detection of breaches around indicators of compromise (IOC). These are sets of behaviors and trails of evidence left behind by previous attacks that the security community has detected and analyzed. When attackers change up their methodologies, it means the evidence generated by those attacks also changes. So, if a security solution only identifies static IOCs–a specific set of unchanging identifiers–our research indicates that they are missing at least half of the attacks.

SEE: New World Hackers group claims responsibility for internet disruption (CBS News)

What are the most effective penetration test countermeasures?

Penetration tests should mimic real world attacks. So, the question should be, “What is the best countermeasure against all attacks?” Talented, knowledgeable, and well-supported staff is the best defense. Many attacks are direct copies, or slight variations of pre-existing attack patterns – the old adage of, “if it ain’t broke don’t fix it applies here. If you want to protect your organization, you need to know your enemy, know your environment in and out and tailor your defenses to compensate for both. This approach is far more effective than blindly spending millions on products. It’s true that people need products to help them scale, and to integrate actionable intelligence into their defensive strategy, but the key is that both are needed. Either one by themselves have proven themselves to be inadequate.

SEE: How risk analytics can help your organization plug security holes (Tech Pro Research)

What are the most effective social engineering tactics?

The most effective social engineering tactic is the one that works. Attackers have unlimited time to try and can always call more people, send more phishing emails. Phishing is overwhelmingly the most common we see because of ease of creation and use. You can send thousands upon thousands of automated phishing emails and wait for people to open them. With these sorts of attacks, just one person clicking on a link or opening an attachment can provide the hackers with the access they need to establish a beachhead.

What tools do modern hackers rely on?

There are many tools out there, such as Metasploit, Cobalt Strike, Core Impact, BeEF, and the Burp Suite, just to name a few. Some of these tools are free, and some have a hefty price tag. For the most part, the most popular tools are the ones that are publicly available that hackers use and know well. The good hackers don’t need to rely on tools; there are always other methods or techniques that can be used to accomplish similar goals.

READ: Interview with a hacker: S1ege from Ghost Squad Hackers (TechRepublic)

What is the state of the cyber-weapon ecosystem?

This is a bit of a difficult question to answer, as it really depends on what you mean by a “cyber-weapon.” In the historical sense, this would mean the use of technical means of capabilities to target enemy systems to elicit some sort of desired outcome. This could be anything from malware like Stuxnet to controlling critical infrastructure to disrupting emergency management systems. To hackers, the technical aspects of these sorts of attacks are really no different than harvesting credit card numbers or stealing intellectual property, like drug formulas. There may be some subtle nuances based on the technology of the target systems, but the theory and methodologies used in the attack are no different. This is really more a factor of source and motivation than it is technology.

SEE: Cybersecurity in 2017: A roundup of predictions (Tech Pro Research)

What does the cutting-edge of malicious code tech look like?

There are no such things as “weapons” per se, although it makes for good media. There are exploits and payloads. Exploits are bought and sold often and payloads are created all the time. [Threat actors have] both of these. Most people can buy either. The only such thing as cutting edge is using ones that haven’t been seen or detected before. [Buying and selling occurs] through private contracts between organizations and governments, or simply through the Dark Web that pretty much anyone can get to. It is really only a matter of money.

The game of cat and mouse will continue and techniques and attacks will change with the landscape.

Read more