A recent Nuix survey of 70 hackers at DEFCON 2016 found that 84 percent of respondents use social engineering as part of their attack strategy, and 50 percent change their attack methodologies with every target.
When asked why they change attack methodologies, 56 percent said they do so to learn new techniques.
Just 5 percent of respondents said they change methodologies because they no longer work.
Eighty-one percent of respondents claimed that they could identify and exfiltrate data from a target in less than 12 hours, and 69 percent said security teams almost never catch them in the act.
Among respondents, 24 percent see themselves primarily as students of technology, 21 percent see themselves as professional pen testers, and just 2 percent call themselves full-time hackers.
Two thirds of respondents said they enjoy hacking because they like the challenge, and 31 percent said they’re in it for the money.
Only 3 percent do it for ideological reasons.
Respondents are generally well-educated — 37 percent have a college degree, and 26 percent have advanced degrees. Just 21 percent have only a high school education.
Two thirds of respondents have between one and three technical certifications, and 20 percent have between three and five.
Still, 76 percent of respondents don’t believe technical certifications are a good indication of technical ability.
The most effective countermeasure that companies can deploy, according to 36 percent of respondents, is endpoint security, followed by intrusion detection and prevention systems at 29 percent and firewalls at 10 percent.
Among professional pen testers, 64 percent said their biggest frustration is that organizations don’t fix the things they know are broken.
Separately, a recent Barkly survey of IT managers and system admins at small and medium-sized businesses found that if given additional funding for security, 51 percent would invest in prevention first, followed by detection (26 percent) and recovery (23 percent).
Thirty-four percent of respondents would give their organization an F in attack prevention, while 24 percent would give their organization an A in prevention. Similarly, 43 percent would give their organization an F in detection, while 24 percent would give their organization an A.
The rankings are strikingly different regarding recovery — 49 percent would give their organization an A in recovery, and just 17 percent would give their organization an F.
According to the 2017 Thales Data Threat Report, 30 percent of senior IT security executives at large enterprises admit that their organizations are very or extremely vulnerable to attack.