Your cyber defences are probably wrong, again

If you thought cybersecurity looked bad from inside organisations, try looking in from the outside. From the hackers' perspective, it's even worse.
Written by Stilgherrian, Contributor

The vast majority of hackers say they can compromise a target in less than 12 hours. Most of those reckon they can also identify and exfiltrate data in the same timeframe. And most say they never get caught.

These views are from the Nuix Black Report: Decoding the Minds of Hackers, released by Australian technology company Nuix on Friday.

Personally I'm cynical about the deluge of vendor cybersecurity reports these days. Most of their commentary is obvious and banal. Nuix's chief information security officer Chris Pogue, lead author of the report, would agree.

"During my tenure in the cybersecurity space, I have read literally hundreds of threat reports that all seemed to report the same thing," Pogue wrote.

    "Attacks are happening all over the world; attacks are growing in frequency across all target verticals; no data is safe; organisations are failing to prevent or detect attacks in any sort of meaningful way; and governments all over the world are looking to introduce legislation to compel the private sector to increase its security posture."

    Pogue is right. We've heard it all before. Nothing changes but the buzzwords.

    What value is there in saying, over and over again, that things are bad; that you need to give us more money to defend yourself; and that even then it won't be enough to keep your data safe?

    Nuix has tackled the problem from the other end. They interviewed hackers -- that is, penetration testers -- at Black Hat USA and DEFCON 24 last year to find out what defences worked and what didn't.

    Only 70 people were interviewed, and with an N that small the margin of error is enormous: roughly plus or minus 12 percentage points on any of the figures at the usual 95 percent confidence level, and that is assuming a random sample, which a conference crowd is not. You can look up the "exact" numbers in the report, but I'll stick to fuzzy concepts like "many", "most", and "nearly all".

    So, most hackers say they can get in and take your data within 12 hours, and most use social engineering as part of their attack strategy. Most say they are never caught in the act.

    This confirms what we keep hearing elsewhere. Most penetrations start with a phish, and in Australia that's often through malicious Microsoft Office macros. The time taken to detect a breach continues to sit somewhere between six and 12 months, depending on who you ask, but always far more than 12 hours.

    Hackers told Nuix that most of the time, organisations only conduct limited remediation after a pentest, usually focused on the critical- and high-rated vulnerabilities. Most said their biggest frustration was that organisations didn't fix things they already knew were broken.

    Is it any wonder that bad-guy hackers have such an easy job?

    The Nuix report discusses the motives and culture of hackers and cybercriminals, and the law enforcement perspective. Valuable stuff. But for my money, the most useful material is the hackers' perspective on what defences work, and what don't.

    Many thought that data hygiene and information governance were the least useful security spend. Many thought that employee education was extremely important.

    "The number one most effective countermeasure, according to 36 percent of respondents, was endpoint security. This was followed by intrusion detection and prevention systems at 29 percent and firewalls at 10 percent. Only 2 percent of respondents were troubled by antivirus. Interestingly, 22 percent of professional hackers boasted that no security countermeasures could stop them and that a full compromise was only a matter of time," wrote Nuix.

    The most effective ways to spend money, the hackers said, were on intrusion detection and prevention systems, and penetration testing. The least: Data hygiene and information governance, perimeter defences, and incident response.

    Of course, these views are based on pentester feelings, not science. That's probably why pentesters are rated so highly. But it's still worth comparing them with the new Essential Eight mitigation strategies from the Australian Signals Directorate (ASD).

    There are differences. Nuix's hackers reckon that endpoint security is a real barrier, whereas the ASD rates it much lower. The ASD also found certain kinds of intrusion detection and prevention systems less valuable than others.

    Perhaps these differences come down to the differing goals. Pentesters work to a limited scope, while nation-state and persistent criminal hackers can do what they like, when they like. But that's just a guess.

    The important issue is that both Nuix and the ASD have focused on the things that work. They're usually different from the big-ticket items that vendors want to sell you.

    "Security vendors are focused on building products that cater only to the security professionals who will use them. Features and functionality are based on customer feedback," wrote Dr Jim Kent, global head of security and intelligence at Nuix.

    Far less attention should be given to the IT department's desire for 19-inch racks and pretty pew-pew dashboards, and far more to evidence and informed opinion of what actually helps improve cybersecurity.
