Most hackers claim they can break through cybersecurity defenses and infiltrate a targeted system in 12 hours or less, according to a new survey.
A new study called "Black Report" released by Australia-based cybersecurity firm Nuix said more than eight in 10 hackers polled claimed they can compromise a target in less than 12 hours.
Around 43% of professional hackers interviewed by Nuix said they could do it within six hours while 17% claimed they could find their way in within two hours
"If you cannot identify and stop an intrusion attempt in less than 12 hours, in all likelihood, at least one host will almost certainly be compromised," Nuix noted in the report. "Realistically, you probably won't even have a sufficient understanding of the attack in two hours, much less be able to mount any sort of defense.
Once inside the targeted system, 81% of respondents said they could identify and steal valuable data in no more than 12 hours. Around 29% said they could do it in under six hours while 21% said they needed just two hours to complete the task.
"Now, combine these figures with the finding that 88 percent of professional hackers can breach your perimeter in less than 12 hours, and you have a very important finding," the report reads. "In the first 24 hours of an attack, it is more than likely an attacker will compromise your systems, find and exfiltrate your sensitive data, and leave you none the wiser that they were ever there."
The security firm conducted the survey of "known hackers," professionally known as penetration testers, during Black Hat USA and DEFCON 24 last year.
"The only difference between me and a terrorist is a piece of paper [a statement of work] making what I do legal," one hacker told the firm. "The attacks, the tools, the methodology; it's all the same."
Among the most popular methods for breaking into systems, most attackers surveyed favoured direct server attacks (43%), followed by phishing attacks (40%), drive-by attacks (9%) and watering-hole attacks (9%). However, half of the respondents admitted they change their attack methodologies with every target.
A large majority of respondents (60%) use open source tools while 21% created their own custom tools. About 8% said they purchase private exploit kits or exploit packs.
In terms of countermeasures, about 36% hackers said the most effective countermeasure was endpoint security, followed by prevention systems (29%) and firewalls (10%). Just 2% of respondents said they were bothered by antivirus.
However, 22% of the professional hackers claimed no security defenses could stump them, adding that a complete compromise was "only a matter of time." In fact, nearly one-third of attacks said their targeted organizations never even detected their activities.
The survey comes amid serious concerns over cyberattacks on nation-states and other malicious actors targeting critical national infrastructure. In recent months, there have also been a slew of massive, damaging data breaches disclosed by multiple companies, including Yahoo.
"Data breaches take an average of 250–300 days to detect—if they're detected at all—but most attackers tell us they can break in and steal the target data within 24 hours," Chris Pogue, Nuix's Chief Information Security Officer and co-author of the report said in a statement.
"Considering almost half of our respondents claim they can breach security in less than six hours and an equal number say they can exfiltrate data in a similar timeframe, how much damage can a malicious attacker do in a week? Or a month?" the report reads.
"We need to understand that security is more than just a policy on a piece of paper, an antivirus program, or a group of professionals sitting in a room scanning log events. It all of the above, and it's piece everything together in a way that makes sense."