Most Attackers Need Less Than 12 Hours To Break In

A Nuix study of DEFCON pen testers shows that the usual security controls are of little use against a determined intruder. Lamar Bailey, Sr. Director, Security R&D at Tripwire points out the weaknesses of the research.

Lamar Bailey, Sr. Director, Security R&D at Tripwire:

Lamar Bailey“Pentesters are a valuable resource to evaluate the security stance of an application, system, or network. However, it is worth noting that this survey only asked people who are paid to break into systems and get hired based on how good they are, so of course they are going to brag and probably stretch the truth some. All their engagements are under NDAs so there is no way to verify any of these claims.  I do not doubt that they can get into many networks in under 12 hours but it is not because “usual security controls are of little use”, it is because foundational security controls are not being used correctly or the target’s security processes are inadequate.

The article mentions the pentesters are using free open source tools and exploits. This shows they are not relying on some super-secret zero-day bought from an uber hacker in the depths of the darkweb. If it is in a public tool then there is a publically known vulnerability associated with it so a good vulnerability management product would have detection for this vulnerability. Patch the vulnerability and you close the hole, the attacker cannot get in that way, end of story. A good IPS device should detect and block any known attempts to exploits many of these vulnerabilities and using file integrity monitoring, change controls, and log management products will alert on any suspicious activity on the systems during and after the attack.  Only talking about a firewall as the “usual security controls” is an extremely narrow and misleading focus.

Over the last few years there have been many reports detailing that the majority of successful attacks are due to unpatched known vulnerabilities. Investing in foundational security controls and developing a security policy that is adhered to is the best defense.”