Most hackers claim they can break target systems in under 12 hours

It also takes less than a day in total to finish the job and steal valuable data.
Written by Charlie Osborne, Contributing Writer

The majority of hackers claim they can break through cybersecurity defenses and infiltrate their target's systems within hours, according to new research.

While most reports only state stats and figures, the Nuix Black report attempts to separate itself by approaching security from the view of researchers as well as penetration testers. The report, released on February 23, says that more than three-quarters of hackers -- 88 percent in total -- who responded to the Nuix survey believe most network defenses can be breached within 12 hours.

In total, roughly a third said that their activities were never noticed by their victims -- and 17 percent of hackers claimed it would take them no longer than two hours to breach a target.

The confidential survey of 70 professional hackers and penetration testers was conducted at the DEFCON conference this year in Las Vegas, Nevada.

More than half of the respondents said they changed their tactics with every target, but traditional countermeasures such as firewalls and antivirus programs rarely proved to be a barrier. However, when it comes to endpoint security, modern solutions are considered a more effective way of preventing attacks.

Once inside a target system, 81 percent of respondents said that no more than 12 hours would be required to identify and steal valuable corporate data, while 31 percent said it would take them between six and 12 hours to finish the job.

In addition, 29 percent claimed to be able to complete such a task in two to six hours -- and 21 percent said less than two hours was all they need.

"Now, combine these figures with the finding that 88 percent of professional hackers can breach your perimeter in less than 12 hours, and you have a very important finding," the report says. "In the first 24 hours of an attack, it is more than likely an attacker will compromise your systems, find and exfiltrate your sensitive data, and leave you none the wiser that they were ever there."

Direct server attacks were the most popular method for breaking into systems and are favored by 43 percent of attackers. Phishing attacks were also popular at 40 percent, while drive-by and watering-hole attacks came in at roughly 9 percent each.

A large majority of hackers, 60 percent, said they relied on open-source tools to conduct attacks, while 21 percent said they created their own custom tools.

However, 8 percent owned up to buying private exploit kits or exploit packs.

Almost two-thirds of hackers, 65 percent in total, said their biggest frustration is that most organizations did not bother to fix the vulnerabilities and security weaknesses they discovered.

Hackers are in the game for a number of reasons. Men and women enter the field for white, gray, and black hat purposes, the money, and more often or not, due to the love of the game, problem-solving, and a challenge.

As shown below, the minority of hackers do it for political purposes and ignore the legal side of things.


In a 40-hour week, just over half -- 51 percent -- of hackers spend up to half their time actively working to bypass security systems. In total, 13 percent do so for more than 50 hours a week.

"What's very much lacking is a solution that ties everything together and allows you the flexibility to respond to all of the threats your organization faces," Chris Pogue, Nuix's CIO and co-author of the report. "The majority of our respondents say they change attack tactics regularly or even with every engagement; why would you want to combat that with a rigid, outdated approach to security? You'll never come out on top."

"We need to understand that security is more than just a policy on a piece of paper, an antivirus program, or a group of professionals sitting in a room scanning log events," Pogue added. "It's all of the above, and it's piecing everything together in a way that makes sense. That's the true challenge that we face in our industry today and it's one I'm confident we can overcome."

10 things you didn't know about the Dark Web

What Verizon's data breach research tells us about the state of IoT security:

Editorial standards