JeanbaptisteM / flickr (CC BY 2.0) | Remix by Max Fleishman

Why hackers are always faster than the companies they attack

One security firm has seen more than 1.2 billion successful exploits so far this year.


Patrick Howell O'Neill


Posted on Sep 29, 2015   Updated on May 27, 2021, 9:47 pm CDT

Despite what Hollywood tells you, most hackers don’t need to be geniuses.

Instead, many of the hackers besieging companies around the world in a rising tide of cyberattacks rely on an overwhelming speed advantage to sneak into systems before the companies can respond.

A new report from Kenna Security examining 50,000 organizations and more than 1.2 billion successful exploits this year shows that most businesses take up to 120 days to address even critical vulnerabilities in their systems, leaving what amounts to an open door for hackers to exploit in the long window before it is closed.

“Exploitation is almost guaranteed,” according to the researchers. 

By 40 days after a vulnerability becomes public, the chance that a company has been hacked rises to 90 percent if it hasn’t fixed its systems. It takes most companies twice that long to put up proper defenses, leaving a months-long period in which hackers can waltz right in.

Hackers are simply faster than security teams, who are often stretched thin and don’t know which exploit to defend against first.

Kenna reports witnessing more than 1.2 billion successful exploits so far in 2015. That’s a 445-percent increase over 2013 and 2014 combined, when the number added up to 220 million. This aligns with numbers from the FBI.

Despite billions of dollars flowing into the rapidly expanding cybersecurity industry, security continues to perplex many companies.

“Security can be daunting,” John Weigelt, the Chief Technology Officer at Microsoft Canada, told the Daily Dot by phone. “It’s one of those areas of arcane knowledge. There’s a certain pride in understanding the details, but we, as security practitioners, need to work hard to make things simple.”

Weigelt argued that even the experts have become complacent and increasingly ineffective in the face of evolving threats. Worst of all, myths about the genius of hackers produce huge confusion about the reality of cyber vulnerabilities.

“We have to deflate myths around the sophistication of attacks,” Weigelt said. “There are a few attacks out there that require a lot of effort and political capital to do. But when we look at the threat environment, we see a lot of attacks using vulnerabilities for which patches were delivered long ago.”

Hackers almost always “use the cheapest and most available tools” because they work. The “vast majority of exploits happen on unpatched systems,” said Weigelt, who will be discussing the state of security at the BSides Ottawa security conference on Oct. 3.

The hackers who get the biggest headlines are known as Advanced Persistent Threats (APTs). These are the teams run by governments in Moscow and Beijing. They conduct cutting-edge targeted attacks that shred most traditional defenses.

But APTs are an infinitesimal sliver of the threat spectrum. For the most part, large automated waves of untargeted attacks wash over security teams and win simply by scale.

“Non-targeted attacks represent a vastly different challenge than the more widely publicized Advanced Persistent Threats,” the Kenna researchers explained. “Attackers in volume care less about who they hit and rather what they can get, which is why they also deploy automated methods that give them economies of scale. They can go farther, and hit more—all in hopes of finding data they can use (credit cards, [social security numbers], etc).”

Both Weigelt and the Kenna researchers noted that there are simple but effective remedies: quickly updating machines, using malware detectors, and encrypting disks and communications.

But in the current climate—it’s hurricane season, if we can keep up the metaphors, and the waves are creeping higher—it’s easy for the global security industry to get overwhelmed and possibly even sink.

Kenna is a private, for-profit security firm, and its findings have not been peer reviewed. Like many security firms, Kenna makes money through threat and vulnerability management. The company therefore has a vested interest in the results of its research.

First Published: Sep 29, 2015, 10:00 am CDT