
Survey

Think Like a Hacker: Inside the Minds and Methods of Modern Adversaries
Written by Matt Bromiley
September 2022

©2022 SANS™ Institute


Introduction
Protecting an enterprise environment is no easy feat, especially in today’s complex
digital landscape. A multitude of factors contribute to an overwhelmingly expansive
attack surface that security teams must protect: hybrid cloud environments with
multiple providers, a remote and disparate workforce, ever-increasing complexities of
legacy, on-premises solutions. These are all part of a moving target that is increasingly
difficult to defend.

Unfortunately, resources are limited, forcing organizations to make calculated investments
from a defense-in-depth perspective across prevention, detection, response, and recovery.
While the defensive approach is critical, it considers attack scenarios from a theoretical
point of view often based on historical trends, threat intelligence, and internally
calculated risk scenarios, all of which are often outdated. The defensive viewpoint is only
one of many that must be taken into consideration. A comprehensive approach includes
looking at things from the attacker’s perspective.

In this inaugural 2022 SANS Ethical Hacking Survey, we aimed to understand the intricacies
of how attackers think, the tools they use, their speed, their specialization, their favorite
targets, etc. These insights are critical to investment decisions across an increasingly
complex attack surface that is becoming more difficult to protect.

A few great insights and takeaways include:

• Approximately 37% of respondents indicate that they can break into an environment
more often than not, if not always.

• Nearly 64% of respondents need five hours or less to collect and potentially
exfiltrate data.

• Social engineering and phishing account for nearly half of all attack vectors that
hackers cite as yielding the highest return on investment.

The bird’s eye view of an adversary—whether sanctioned or not—can be a guiding light for
security analysts and decision makers alike. Oftentimes, we see organizations that invest
in security technologies that mitigate a wide range of threats leave commonly attacked
ports and protocols wide open. Adversaries will choose the path of least resistance or
the one they are most familiar with—and far too often, these are the same. Overlooked or
assumed safety presents too much of a risk.

As you work your way through this paper, we encourage you to consider some of our
respondents’ answers in the same way we phrased the question: What is the return on
investment on various attack vectors? What works and what doesn’t? After you have
absorbed the information in this paper, apply that knowledge to your defensive and
offensive security investments. What works and what doesn’t? How can your organization
protect against what an adversary is likely to throw at you?

Think Like a Hacker: Inside the Minds and Methods of Modern Adversaries 2
As with any SANS survey, we relied on our demographic questions to help depict what
part(s) of the world our respondents are coming from, what industries they represent, and
the size of their respective companies. A few notables from this year include:

• Companies with headquarters in the United States represent the lion’s share—a
whopping 83.4%—of this year’s respondents.

• A little over a third, or 35.1%, of our respondents work in companies with 500 people
or fewer.

• The largest segment of respondents (34.2%) work in the cybersecurity industry,
and roles range from security administrator/analyst to CSO/CISO/VP of security or
technology.

Figure 1 contains a brief breakdown of the respondents to this year’s survey.

Figure 1. Demographics of Survey Respondents
Panels: Top 4 Industries Represented (Cybersecurity, Technology, Government, Banking and finance; each gear represents 10 respondents); Organizational Size (Small, up to 1,000; Small/Medium, 1,001–5,000; Medium, 5,001–15,000; Medium/Large, 15,001–50,000; Large, more than 50,000; each building represents 10 respondents); Operations and Headquarters (world map with Ops and HQ counts per region); Top 4 Roles Represented (Security administrator/analyst, Security architect, Security manager or director, IT manager or director; each person represents 10 respondents).

An Examination of Ethical Hackers
When we devised the format and questions for this year’s survey, we wanted to ensure
that we could capture the effort that adversaries—whether red teamers, penetration
testers, or gray hats—put into breaking into their targets. However, we’re aware that
welcome and unwelcome adversaries are very different. Some are present because we
asked, while others we never want to see.

In this paper, we call out the difference between sanctioned and unsanctioned
adversaries. Sanctioned adversaries, also commonly known as ethical hackers, are hired
to attack their targets. Unsanctioned adversaries, often just called hackers, choose their
targets based on motive, opportunity, financial gain, or intentional targeting (such as for
corporate or state espionage). While the “why” may be different, the vectors, success
rates, and observations share a nearly overlapped Venn diagram of tactics, techniques,
and takeaways.

Adversaries, Welcome and Not
A sanctioned adversary (or an ethical hacker) is one that is hired to attack a particular
network—think of red teamers or penetration testers. Unsanctioned adversaries represent
the criminal element of attacks: black hats, criminal enterprises, and state-nexus
espionage actors. The motives of sanctioned and unsanctioned adversaries may differ,
but their approaches are often identical. In fact, 45% of respondents said if they used
unethical measures, it would have a high or extremely high impact on their success.

Meet Our Hackers


It’s time to meet the hackers behind this year’s survey results. Our first set of questions
focused on understanding the background of our respondents to better assess their
responses and whether experience may guide an adversary differently. A large majority—
nearly 84%—of our respondents have been ethically hacking for 10 years or less (see
Figure 2). In fact, the majority of respondents have been ethical hackers for one to six
years. Because ethical hacking is conducted en masse by many security companies, this
range of experience was expected and represents the commonly observed industry
makeup. In addition, most of the respondents (87%) hold a security certification, with
common ones including SANS GIAC Penetration Testing (44%), CISSP (40%), Security+
(28%), OSCP (26%), and CEH (26%).

Most of the respondents have served or are currently serving as internal security (76%),
but many have also worked as a consultant, bug bounty hunter, or hacker for hire, all of
which gives them experience from several environments (see Figure 3).

Figure 2. Years of Conducting Ethical Hacking
How long have you been conducting ethical hacking?
Bar chart; categories: Less than one year, 1–3 years, 4–6 years, 7–10 years, 11–15 years, 16–20 years, 10+ years; values shown (tallest to shortest): 28.4%, 25.9%, 18.8%, 10.5%, 9.6%, 4.2%, 2.6%.

Figure 3. Experience as Ethical Hackers
In which capability do you/have you served as an ethical hacker? Select all that apply.
• Member of internal security team for organization: 75.7%
• Consultant for offensive security provider: 49.8%
• Bug bounty hunter: 25.1%
• Independent hacker for hire: 15.4%
• Other: 3.7%

We also asked respondents for their areas of specialty, again looking to see if these would
guide subsequent results. The top five specializations, as seen in Figure 4, are network
security, internal penetration testing, application security, red teaming, and cloud security.

Figure 4. Areas of Specialization
What types of ethical hacking do you specialize in? Select all that apply.
• Network Security: 71.2%
• Internal Pen Testing: 67.4%
• Application Security: 58.1%
• Red Teaming: 42.7%
• Cloud Security: 41.6%
• Code-Level Security: 30.0%
• Product/IoT Security: 21.3%
• Mobile Security: 19.9%
• Other: 2.2%
• None of the above: 1.5%


These results come as no surprise, because they represent the architecture and testing
designs of most organizations. For example, these days most organizations are deploying
custom applications and have moved part of their infrastructure to the cloud. We would
expect these areas of focus to grow year after year, because ethical hackers hone their
craft to reflect their environment and/or their customers’ needs.

Speed
Our survey covered a wide range of topics, from asking how quickly ethical hackers
could breach the perimeter of an environment to how quickly they could shift tactics if
necessary. Speed became a central theme of questions, just as it is likely a top concern
of security teams. Mean time-to-detect (MTTD) and mean time-to-contain (MTTC) speeds
are often compared against adversary speeds, establishing acceptable time frames for
detection and response and, when those time frames are unrealistic, making the case
for significant investment in prevention.

More than half of respondents (over 57%) stated they could successfully discover an
exploitable exposure in 10 hours or less (see Figure 5).

Figure 5. Time to Exposure Discovery
In an ethical hack that involves breaching the perimeter, how long on average does it take to discover an exploitable exposure that enables access to the targeted environment?
• <1 hour: 4.5%
• 1–2 hours: 11.4%
• 3–5 hours: 25.2%
• 6–10 hours: 16.3%
• 11–15 hours: 4.5%
• >15 hours: 10.6%
• Unknown/Unsure: 27.6%

Reconnaissance and exploit discovery is one of the hardest phases for defenders to
proactively identify—oftentimes they may not be aware of a weakness until it is
exploited. Given the speeds reported by our respondents, this supports the need for
proactive discovery and prevention of exploitable exposures, i.e., attack surface
management, penetration testing, etc.

This question also surfaced an issue we see in many SANS surveys, and one worth
calling out this early on. Nearly 28% of respondents to this question stated that it was
unknown, or they were unsure of, how quickly they were able to identify an exploitable
exposure. Possible explanations include:

• Ethical hackers do not keep track of or are unable to equate how much time perimeter
discovery may take. This leads us to ask whether this is a viable metric that
organizations would benefit from.

• Is there an assumption that an ethical hacker will get in—therefore, measuring this
metric offers no value?

• This is not the area where ethical hackers focus their time and efforts. We’ll examine
Unknowns/Unsure in subsequent questions to see if this trend continues.

We posit another possibility here – outcomes from ethical hacking results may be
measured in overall outcomes. An organization might ask, “Were you able to get in?” and
expect a report of techniques, and not necessarily a breakdown of how quickly each step
occurred (although many offensive security professionals do keep such metrics).

We were also curious to see if our results differed based on respondent specialty.
Figure 6 provides a cross-section of this data.

Figure 6. Respondent Specialty vs. Speed of Entry and Exposure
Panel 1, Respondent Specialty vs. Speed of Entry: grouped bar chart (axis 0%–25%) with one bar per time bucket (<1 hour, 1–2 hours, 3–5 hours, 6–10 hours, 11–15 hours, >15 hours, Unknown/Unsure) for each specialty: Application Security, Code-Level Security, Network Security, Internal Pen Testing, Red Teaming, Cloud Security, Product/IoT Security, Mobile Security, Other.
Panel 2, Respondent Specialty vs. Speed of Finding Exposure (percent of each specialty’s respondents):

Specialty              <1 hour  1–2 hours  3–5 hours  6–10 hours  11–15 hours  >15 hours  Unknown/Unsure
Application Security   3.4%     8.3%       22.8%      13.8%       4.8%         13.8%      33.1%
Code-Level Security    1.3%     17.3%      24.0%      13.3%       5.3%         9.3%       29.3%
Network Security       4.5%     11.4%      29.5%      14.2%       4.0%         9.1%       27.3%
Internal Pen Testing   4.8%     10.1%      23.8%      16.7%       3.6%         10.1%      31.0%
Red Teaming            6.5%     10.2%      22.2%      21.3%       5.6%         13.0%      21.3%
Cloud Security         3.9%     15.5%      30.1%      3.7%        3.9%         4.9%       26.2%
Product/IoT Security   1.8%     12.7%      25.5%      21.8%       1.8%         10.9%      25.5%
Mobile Security        2.0%     10.0%      30.0%      18.0%       4.0%         10.0%      26.0%
Other                  three segments only, as extracted: 60.0%, 20.0%, 20.0%

Our data shows that the majority of respondents with experience in application
security, network security, and internal penetration testing were able to find an
exploitable exposure in five hours or less. Regardless of specialty, few respondents were
able to find an exploitable entry point in less than an hour.

The results in Figure 6 lead to our next question, which asks how long it takes an ethical
hacker to move from discovery to exploit. Figure 7 again shows that an overwhelming
majority (more than 58%) can exploit and break into an environment in five hours or less.

Figure 7. Length of Time on Average from Exposure Discovery to Breach
Once you have discovered an exposure, how long on average does it take for you to break into an environment?
Bar chart; categories: <1 hour, 1–2 hours, 3–5 hours, 6–10 hours, 11–15 hours, >15 hours, Unknown/Unsure; values shown (tallest to shortest): 25.1%, 25.1%, 20.6%, 15.0%, 7.3%, 4.0%, 2.8%.

With regards to speed, “discovery of an exploit” and “exploitation leading to intrusion”
are significant metrics that any organization should be tracking, especially in relation to
the distribution of investment across prevention, detection, response, and recovery.

Key Defender Metric
Many respondents indicated that they could discover exposures within an environment
and exploit them in 10 hours or less. That time becomes a benchmark measuring how
adequately an organization is positioned to prevent exploits. Those that fail must be able
to detect and contain exploits before the attacker escalates privileges, accesses the
target, and exfiltrates.

We also saw speed play an important factor in the survey in one way that many would
not expect. We asked our respondents about the most significant factors contributing to
vulnerable attack surfaces—what are organizations doing that open them up to
compromise? As we can see in Figure 8, pace of application development/deployment
and third-party connections are the top two factors for vulnerability exposure. Figure 8
expands on these findings a bit more.

Unfortunately, we find that these results align with what many in the industry have been
struggling with from a visibility and an identification perspective.

Figure 8. The Most Significant Factors in the Vulnerability of Attack Surfaces
Which of the following do you feel are the most significant factors in making attack surfaces vulnerable to compromise? Select your top three with First being the most significant.
Stacked 100% bars for the First, Second, and Third choice; legend: Third-party connections, Increase in mobile devices, Adoption of cloud infrastructure, Adoption of SaaS/app services, Remote work, Increasing users connected to networks/apps, Increase in IoT, interconnected devices, Increase in sensitive data, Increased pace of application development/deployment, Mergers/acquisitions, Other. Segment values as extracted, left to right:
• First: 14.7%, 6.1%, 11.4%, 7.1%, 11.9%, 10.4%, 5.7%, 10.0%, 9.5%, 9.5%, 1.9%
• Second: 10.0%, 6.6%, 10.9%, 3.8%, 11.9%, 11.4%, 8.4%, 9.5%, 11.9%, 11.2%, 0.9%
• Third: 15.9%, 4.2%, 9.3%, 3.7%, 11.7%, 8.9%, 8.4%, 5.1%, 18.3%, 11.2%, 2.8%

On the topic of attack surface exposures, respondents were asked which attack surface
exposures they most frequently run into. Supporting these findings, misconfigurations,
vulnerable software, and exposed web services are highly correlative to increased
pressure to deploy new applications that support business initiatives as seen in Figure 9.

Interestingly, we found there was little impact in relation to specialty and exposure
prevalence. This is likely due to the fact that an adversary who is charged with
compromising an environment will look for the path of least resistance (i.e., vulnerable
applications, information disclosures, etc.) that is most prevalent across layers of the
attack surface.

Figure 9. Most Common Exploitable Perimeter Exposures
Which of the following types of exploitable perimeter exposures do you most often find? Select all that apply.
• Vulnerable configurations: 72.7%
• Exposed web services: 63.6%
• Vulnerable software: 63.6%
• Sensitive information: 59.1%
• Authentication or access control weaknesses: 51.1%
• Default account/credentials: 48.3%
• Abandoned domains/subdomains: 24.4%
• Other: 1.1%

We asked respondents with cloud security experience how often they encountered
improperly configured or insecure cloud/IaaS assets. As seen in Figure 10, there’s an even
split between “less than half the time” and “more often than not,” with small percentages
that rarely see (4.6%) or always see (8.0%) misconfigured public cloud or IaaS assets. These
stats support an unfortunate truth that, as we see in previous figures, organizations
develop and deploy applications that expose vulnerabilities, insecurities, and improper
configurations for adversaries to take advantage of.

Figure 10. Incidence of Insecure Public Cloud/IaaS Assets
How often do you encounter improperly configured or insecure public cloud/IaaS assets?
• Rarely (1-15%): 4.6%
• Less than half the time (16-50%): 42.5%
• More often than not (51-90%): 41.4%
• Always (>90%): 8.0%
• Unknown/Unsure: 3.4%

Key Stages of an Attack
Once an adversary is inside an environment, execution of subsequent stages
(gaining access to the target and exfiltrating data) occurs even faster than
reconnaissance and initial exploitation. However, once initial intrusion occurs,
an adversary is more open to detection.

Figure 11 looks at the time required to escalate privileges and/or move laterally among
targets within a victim network, showing that 36% of respondents said they could
escalate or move laterally within three to five hours and that a concerning 20% can do
so in two hours or less.

Figure 11. Time to Access Target
Once you have gained initial access to an environment, how long on average does it take you to gain access to your target by escalating privileges or via lateral movement?
Bar chart; categories: <1 hour, 1–2 hours, 3–5 hours, 6–10 hours, 11–15 hours, >15 hours, Unknown/Unsure; values shown (tallest to shortest): 36.3%, 21.4%, 15.8%, 14.0%, 5.1%, 4.2%, 3.3%.


We found it interesting that the majority of respondents consistently fell in the “five
hours or less” time frame. Unsanctioned adversaries are rumored to move within
minutes across networks, and many cybersecurity vendors claim that attacks occur
within seconds. We were curious to see whether overlaying experience on these results
would increase or decrease our respondents’ abilities.

Key Defender Metric
We see adversaries consistently saying they are able to perform intrusion actions within
a five-hour window. Whether it’s lateral movement, privilege escalation, or data
exfiltration, security teams should be measuring their ability to proactively identify, and
detect and respond as quickly as possible.

Following up on the concept of speed of intrusion, we asked our respondents how quickly
they were able to collect and potentially exfiltrate data. Figure 12 provides these results.
Within these results we see the continuation of faster speeds, with nearly 64% being able
to operate within the 5-hour window. However, as we can see above, ethical hackers are
much more confident (to the tune of over 41%) that they can collect and exfiltrate data in
two hours or less. This is a shift that we expected and could have predicted—as
adversaries get further along in their attacks, they often either gain speed advantages
due to lack of detection or become so familiar with the environment that exfiltration is
simply another step in an already-established infrastructure.

Figure 12. Time to Collect and Exfiltrate Data
Once you have gained access to target data and systems, how long on average does it take to collect and potentially exfiltrate data?
Bar chart; categories: <1 hour, 1–2 hours, 3–5 hours, 6–10 hours, 11–15 hours, >15 hours, Unknown/Unsure; values shown (tallest to shortest): 24.6%, 22.7%, 16.1%, 15.2%, 13.3%, 5.2%, 2.8%.

The Acceleration of Speed
It is not surprising that adversaries take longer to enter a network and escalate privileges
than they do to execute the final stages of an attack, such as data exfiltration. Those can
be done quickly because the adversary has already established lines of communication,
has access, and has identified key systems.

Finally, we asked our respondent adversaries to take a cumulative look at their intrusions
and reveal how long an average end-to-end attack, incorporating all the stages above,
takes. Figure 13 outlines those results.

Figure 13. Time to Complete an End-to-End Attack
How long on average does it take to complete an end-to-end attack (breach perimeter, gain access to targets, and potentially exfiltrate data)?
Bar chart; categories: <5 hours, 5–10 hours, 11–15 hours, 16–20 hours, 21–25 hours, >25 hours, Unknown/Unsure; values shown (tallest to shortest): 22.7%, 20.4%, 14.2%, 13.7%, 13.3%, 11.8%, 3.8%.

Given the various individual time frames we examined above, the cumulative time
frames are more dispersed. Again, we see a statistical outlier of ethical hackers
who can complete an attack in less than five hours, but the results show a
fairly even spread from 5–10, 11–15, 16–20, and 21–25 hours. One-fifth of the
respondents said they needed 25 hours or more, but without details of those
attacks (size of the network, scope of the intrusion, defense mechanisms, etc.),
it’s tough to tell what types of hurdles they encountered.

It’s notable that another one-fifth of the respondents (more than 23%)
responded that they do not know or are unsure how long an end-to-end
attack takes them. We’ve already stressed the need to keep track of intrusion
metrics, but this is a clear issue for offense and defense alike. A lack of metrics
for determining how long intrusions take leaves security teams without
benchmarks they can rise to.
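The two Key Defender Metric sidebars above argue that the adversary stage times in Figures 5, 7, 11, and 12 should become the benchmark for a team’s MTTD and MTTC. The following Python is an added example, not code from the SANS paper: it turns one of those bucketed distributions into a concrete check, reporting what share of respondents would finish a stage before the defender has both detected and contained. The bucket-to-value mapping for Figure 5 is reconstructed from the paper’s own stated numbers (27.6% Unknown/Unsure, over 57% at 10 hours or less); the defender MTTD/MTTC values and the function names are constructed for this example.

```python
"""Benchmark a defender's detect-and-contain window against survey stage timings.

Added example; this is not code from the SANS paper. The bucket-to-value mapping
for Figure 5 is reconstructed from the paper's stated numbers (27.6% Unknown/
Unsure and over 57% at 10 hours or less). The defender MTTD/MTTC values and the
helper names below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Bucket:
    label: str
    low: Optional[float]   # hours; None for Unknown/Unsure
    high: Optional[float]  # hours; None for an open-ended (">15 hours") or unknown bucket
    share: float           # percent of respondents, as printed on the chart


# Figure 5: time to discover an exploitable exposure (percent of respondents).
FIGURE_5 = [
    Bucket("<1 hour", 0, 1, 4.5),
    Bucket("1-2 hours", 1, 2, 11.4),
    Bucket("3-5 hours", 3, 5, 25.2),
    Bucket("6-10 hours", 6, 10, 16.3),
    Bucket("11-15 hours", 11, 15, 4.5),
    Bucket(">15 hours", 15, None, 10.6),
    Bucket("Unknown/Unsure", None, None, 27.6),
]


def share_within(dist, hours, exclude_unknown=False):
    """Percent of respondents who finish the stage within `hours`, as (lower, upper).

    A bucket that ends at or before `hours` counts toward both bounds. A bucket
    that straddles `hours` counts only toward the upper bound, because the survey
    gives no finer resolution than the bucket. Unknown/Unsure never counts.
    With exclude_unknown=True the result is renormalised over answered responses
    only; otherwise it is a plain sum of the chart's percentages.
    """
    known = [b for b in dist if b.low is not None]
    lower = upper = 0.0
    for b in known:
        if b.high is not None and b.high <= hours:
            lower += b.share
            upper += b.share
        else:
            # Open-ended bucket: some respondents may still be under `hours` if
            # hours > low. Closed bucket: it straddles if low <= hours < high.
            straddles = (b.low < hours) if b.high is None else (b.low <= hours)
            if straddles:
                upper += b.share
    if exclude_unknown:
        denom = sum(b.share for b in known)
        return round(100 * lower / denom, 1), round(100 * upper / denom, 1)
    return round(lower, 1), round(upper, 1)


def defender_check(dist, mttd_hours, mttc_hours):
    """Share of answering respondents who would finish the stage before the
    defender has both detected (MTTD) and contained (MTTC). Hypothetical helper."""
    window = mttd_hours + mttc_hours
    lower, upper = share_within(dist, window, exclude_unknown=True)
    return {"window_hours": window,
            "beaten_at_least_pct": lower,
            "beaten_at_most_pct": upper}


if __name__ == "__main__":
    # Constructed defender figures for the demonstration: 8-hour MTTD, 16-hour MTTC.
    print(share_within(FIGURE_5, 10))        # (57.4, 57.4): the paper's "over 57%"
    print(share_within(FIGURE_5, 4))         # (15.9, 41.1): the 3-5 hour bucket straddles
    print(defender_check(FIGURE_5, 8, 16))   # 24-hour window: 85.4% to 100.0% beat it
```

The result is a range rather than a point whenever the defender’s window falls inside a survey bucket, which is the honest answer given five-hour-wide buckets; the renormalised form answers “of those who actually tracked their time”, which matters here because more than a quarter of respondents answered Unknown/Unsure. The same function applies unchanged to the later stage charts once their buckets are filled in, so a team can score detection and containment separately against discovery, breach, privilege escalation, and exfiltration timings.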

Ethical Hacking Speed Bumps


Of course, while we highlight that adversaries can move at speeds that defenders must
keep up with, it does not mean that ethical hackers (or unsanctioned adversaries!) never
run into speed bumps. In fact, it’s not uncommon for an adversary’s preferred method to
be blocked or limited, meaning they must shift to other tactics. Figure 14 examines the
results of this question.

Figure 14. Frequency of Pivoting Attack Methods
If your initial attack vector fails, how often on average are you able to successfully pivot to a new method to bypass preventative measures?
• Rarely (1-15%): 11.6%
• Less than half the time (16-50%): 36.7%
• More often than not (51-90%): 34.0%
• Always (>90%): 3.7%
• Unknown/Unsure: 14.0%

Only 38% of respondents can pivot to new bypass methods more than half the time.
Security teams get a welcome win when they can force adversaries to switch to unfamiliar
tactics or techniques. We coupled these results with experience, to see how ethical
hacking experience contributed to the ability to pivot and use new techniques. Figure 15
outlines these results.

Figure 15. The Effect of Experience on Ability to Pivot
How easy can you pivot to a new tactic if your original tactic fails, based on experience?
Stacked 100% bars per experience band (1–3 years, 4–6 years, 7–10 years, 11–15 years, 16–20 years, 20+ years); legend: Rarely (1-15%), Less than half the time (16-50%), More often than not (51-90%), Always (>90%), Unknown/Unsure. Segment values as extracted, left to right:
• 1–3 years: 36.0%, 40.0%, 12.0%, 4.0%, 8.0%
• 4–6 years: 41.8%, 24.1%, 20.3%, 10.1%, 1.3%, 2.5%
• 7–10 years: 17.8%, 34.2%, 20.5%, 17.8%, 2.7%, 6.8%
• 16–20 years: 25.0%, 37.5%, 12.5%, 12.5%, 12.5%
• 20+ years: 23.3%, 50.0%, 16.7%, 6.7%, 3.3%

As we can see in Figure 15, experience is a contributing factor to an adversary’s ability to
pivot to a new technique. Respondents with one to three years of experience were most
likely to say that they are able to pivot less than half the time. Those with four or more
years of experience are able to pivot more easily to bypass preventative measures, and
those who said they could always pivot successfully were most likely to have four to six
years of experience.

Tools, Tactics, and Techniques
An important consideration for adversaries is where they are likely to find the most
success. Adversaries consider their business models just as any other business—and they
will ask themselves where they will find the greatest return on investment, which
technique will yield the most success, which should they pursue, and which should they
abandon. Figure 16 reveals the attack vectors that respondents said gave the highest
return on investment.

As seen in Figure 16, it should come as no surprise that social engineering and phishing
attacks are the top two vectors, respectively. We’ve seen this time and time again, year
after year—phishing reports continually increase, and adversaries continue to find
success within those vectors. The top five vectors are rounded out by web application
attacks, password attacks, and ransomware. A close sixth place is Active Directory attacks,
at 7.2% of respondents.

Figure 16. Attack Vectors with Greatest Return on Investment
On a free-form engagement, which attack vector is most likely to have the greatest return on investment? Select the best answer.
• Social engineering: 32.1%
• Phishing attacks: 17.2%
• Web application attacks: 9.1%
• Password attacks: 8.1%
• Ransomware: 7.7%
• Active directory attacks: 7.2%
• Wireless attacks: 4.3%
• Malware attacks: 3.8%
• Replay attacks: 3.8%
• Zero-day exploits: 3.8%
• Man-in-the-middle attacks: 1.4%
• DNS spoofing: 1.0%
• Other: 0.5%

It’s worth noting that respondents had to choose one best answer for this question.
However, we expect that many overlaps occur with these techniques/vectors. Ransomware
intrusions (known for their monetary success) often involve Active Directory attacks and
can be initiated via spearphishing. But intrusions that combine multiple tactics and
techniques can get expensive either from a tooling, resource, or potential-detection
perspective. Furthermore, many of the latter stages of an attack can be automated or
driven by toolkits rather than by custom adversary tools/scripts.

We explored this topic further. Figure 17 looks at where respondents source their tooling.

As seen in Figure 17, it should come as no surprise that nearly 60% of respondents prefer
open source tools. This is a hallmark of the hacking community (sanctioned and
unsanctioned)—free and open-source tools, proof-of-concept code, and post-exploitation
toolkits available to any and all. In fact, commercial tools were preferred by only 11.5% of
respondents, clearly indicating that if hackers need tools, they prefer open-source.

Figure 17. Tool Sourcing
On a free-form engagement, where do you most frequently source your tools?
• Open-source tools: 58.7%
• Public exploit packs: 14.4%
• Commercial tools: 11.5%
• Custom tools you write yourself: 6.7%
• Private exploits: 5.8%
• Other: 2.9%

Watching the Defenders


Finally, we asked respondents their opinion on how the defenders they encounter are
performing. After all, their own success rates directly correlate to how unsuccessful the
defense is. Figure 18 shows the results to our first question about adequate defenses.

The results presented in Figure 18 are astounding. Nearly three quarters of respondents
indicated that organizations have only a few or some detection and response capabilities
to effectively stop an attack. These are among the most revealing results from this survey.
Adversaries realize that the ability to detect and respond is still significantly inadequate
and use this to their advantage.

Figure 18. Defenders’ Ability to Stop an Attack Before Systems Are Accessed
On average, how many organizations have adequate detection and response capabilities that can identify and stop an attack before target data and systems are accessed?
• Few (1-20%): 35.0%
• Some (21-50%): 39.2%
• Many (51-75%): 14.7%
• Most (>75%): 0.7%
• Unknown/Unsure: 10.5%

To see technology-specific detection and response capabilities, we drilled down deeper in
our survey questions. For example, respondents were asked for their observations on the
ability to prevent, detect, and/or respond to cloud- and application-specific attack
techniques. Note: only respondents with specialties in cloud and application security were
surveyed. Figures 19 and 20 have those results.

As seen in Figures 19 and 20, we arrive at the same place of inadequacy. Unfortunately,
compared to our adversaries, organizations are ill-equipped to respond to various types
of attacks. One positive result was an uptick in capabilities against application-specific
attacks, because we look for defense success wherever we can.

Figure 19. Ability to Prevent, Detect, and Respond to Cloud Attack Techniques
How would you categorize the ability of most organizations to prevent, detect, and respond to cloud-specific attack techniques (i.e., exposed services, account and asset discovery techniques, cloud account data transfers, etc.)?
• Highly Incapable: 13.6%
• Moderately Incapable: 37.5%
• Neutral: 18.2%
• Moderately Capable: 17.0%
• Highly Capable: 9.1%
• Unknown/Unsure: 4.5%

Figure 20. Ability to Prevent, Detect, and Respond to Application Attack Techniques
How would you categorize the ability of most organizations to prevent, detect, and respond to application-specific attacks?
• Highly Incapable: 13.3%
• Moderately Incapable: 32.2%
• Neutral: 18.9%
• Moderately Capable: 26.6%
• Highly Capable: 6.3%
• Unknown/Unsure: 2.8%

Closing Thoughts
This inaugural edition of our ethical hacking survey provides unique insights into the
mind of today’s adversary. We set out to understand how attackers might approach an
environment, where they find success in their attacks, and how easy it is for them to
switch their tactics and techniques. We also wanted to get an adversary’s, rather than a
defender’s, perspective as to whether organizations are detecting attacks or not.

Many of our surveys and whitepapers focus on a defensive perspective, often soliciting
opinions from organizations defending against attacks. This survey yielded a new and
welcome perspective. Hearing how adversaries had to change tactics and techniques
or pivot in an environment can help organizations realize where they are making good
investments and where they need to tighten up controls and policies. Remember, there
are two sides to every story. Understanding how they work together can help you build
resilient cyber defenses.

Sponsor

SANS would like to thank this paper’s sponsor:
