What can organisations learn from hackers? Inside Nuix's Black Report

A report that anonymously interviewed pentesters and hackers found most claimed they could get into almost any network within a day, including critical systems infrastructure

Credit: Michael Kan/IDGNS

Despite all the noise from security vendors, most hackers and pentesters can worm into a network and exfiltrate valuable data in under a day, including for critical systems, according to a recent report from Nuix.

The problem, according to head of services for Nuix, Chris Pogue, is that the major security issues have barely changed in decades.

"Organisations like to say the threats are more complicated and the attackers are more sophisticated, no they’re not," Pogue said, speaking by phone with Computerworld UK. "They have been shooting fish in a barrel for 20 years.

"Take any recent attack that's gone global and had massive impacts, whether it's Yahoo or Target or any of those big attacks – it’s all based on the same stuff, it’s all missing patches, it's all bad network hygiene or user IDs that have weak passwords. It’s IT laziness or poor hygiene."

The company first put together its 'Black Report' during the DEFCON cybersecurity conference in 2017. This year, participants – most of them anonymous – doubled to 112 and includes people who referred to themselves as hackers, pentesters, and incident responders. Hackers, Nuix notes, are people who spend their time accessing computer systems or applications without permission.

The majority of those surveyed found that it was rare to come across networks they couldn't breach. Most of their attacks were rarely detected, and a majority of 93 percent said that following a penetration test, their clients didn't fix some or all of the vulnerabilities found. It took 15 hours at most for the respondents to access the critical data that they wanted.

"What we found was the most effective countermeasure was the one nobody sells – you ask the hackers what keeps you out, and they say, 'well, it's good patching'," says Pogue.

"If you read security articles, breach after breach, they're usually caused by something simple. Missing patches, out of date systems. And they said this is the most important thing you can do, and yet they can't sell that, so no vendor is going to talk about that."

Speaking about the sheer speed of the attacks, Pogue added that some of the respondents managed to get in and out of a system in "as little as four hours".

"So when you think about an organisation's ability not only to invest in, but to put these countermeasures in place, they always miss the critical piece," he says. "You can't just buy an endpoint solution or a firewall, or whatever, and then say 'OK, I've bought it, that's my success criteria'. That's clearly incorrect."

The disconnect, according to Pogue, is often between decision-makers and budget planners – with organisations box-ticking security items and then forgetting about them. In the mind of a hacker, however, the job is never completed until they're in.

"They can very easily circumvent those controls and everyone is left wondering, what the hell just happened? I spent all this money, put these controls in place, and they didn't work," Pogue says.

History of the Black Report

The report itself came from a "good 10 to 15 years worth" of relationships, and began with a small group of friends, personal colleagues, or people Nuix had worked with in the past – promising them that the survey would be totally anonymous, without any identifying characteristics or markers.

"Some folks didn't believe us and filled out a paper survey," Pogue says.

"The second piece of that was just articulating what we were trying to do. Most of these folks are security purists, they believe the things that they are doing – whether we agree with it or not – is the right thing. They believe they are taking advantage of weaknesses for the betterment of something, sort of the Robin Hood complex.

"So I said to them: look, I can reach an audience you can't, I can sit down across from executives or boards of directors. What do you need me to tell them? You guys have all the information, the wisdom, and the knowledge."

The hackers shared personal anecdotes of breaching major institutions, be they professional law enforcements bodies, government agencies or professional sports teams.

"The overwhelming majority of those continue to be... they're not these high-tech high-speed attacks, they were missing patches here, they were missing updates, they had weak credentials, and they blew through them," says Pogue.

"Part of the joke is as a defender you have to get it right every time, all day every day, but as the attacker you only have to find one weakness, one bad password, one missing patch, one system that's not protected, and you're in.

"There were lots of anecdotes about attackers who said yes, I saw that there was an endpoint detection and response system in place, I blew right through it, it never logged anything, I was gone, and then six months later they noticed I was there."

Most of those surveyed preferred social engineering attacks, especially phishing, and most used open source tools to conduct other attacks. The whack-a-mole trope proved true as well, with new tools or techniques released regularly, allowing the hackers to mix up their attacks.

Among other things, the report advises that organisations maintain stringent training programmes to keep first responders up to date with the latest attacks, as well as improving communication lines to coordinate responses.

Pogue shared some of his anecdotes from his time as an investigator. In one, a large hotel – "if I said the name and location you would know it immediately" – had bought a Cisco ASA box. But it wasn't doing anything but logging traffic: the hotel was hacked two separate times by two different attackers with the same method, and the firewall could have stopped them, but it just logged the attacks instead.

Separately Pogue went to a sports venue as a pen tester.

"We had to convince the owner of the team why we wanted to pen test the venue," Pogue says. "Well, look at the Jumbotron. The information up there – what controls that? Oh, it's controlled by this computer? I said: 'what if I put porn up there in the middle of the game'?

"How are your tickets purchased – we went through ticketing, HVAC, food and beverage, the pro shop where you can buy jerseys and foam fingers, all of that is controlled right here in this room.

"If I wanted to I could shut the entire thing down, lights included, turn on the sprinklers, and put porn on the screen, all with the stroke of a few keys. His answer to me was: 'why would anyone do that?' Because they can, man. They ended up paying for it but I think that's a pervasive mentality – why, why would anyone do that?

"Why would someone steal, why would someone put porno on a Jumbotron? Because they can."

Show Comments