Written by Rick McElroy, Head of Security Strategy, Carbon Black
The threat to the cyber landscape continues to evolve at a rapid pace. High profile data breaches demonstrate not only the huge financial cost of being attacked, but also the considerable reputational damage that organisations face. With hackers continually moving the goal posts how can security and incident response (IR) teams fight back and effectively outpace their adversaries?
One area where there has been a notable increase in attacks is via third-party supply chains. Advanced cyberattacks are evolving as attackers target supply chains and undertake ‘island hopping’ to the extent that today this hacking technique poses a serious and complex threat to business. Though it’s not a new phenomenon, this type of attack increased in prevalence in 2018 and is becoming more and more common.
So why is this?
There are a multitude of risks facing almost all major supply chains, from geopolitics to financial pressures to natural disasters to cybercriminals, which makes it harder for organisations to keep track. In particular, island hopping tends to be initiated in smaller organisations where cybercriminals infiltrate their target organisation through its smaller partner target. Often, these smaller companies have more vulnerable security systems than the larger target organisations, making them easier for hackers to access. Once in, hackers take advantage of the trust between the two companies and use their shared networks to reach the true target. At this point, the whole supply chain, including customer data, is at risk.
For those less familiar with island hopping, the name comes from a WWII military tactic used by the United States in the Pacific. Also known as leapfrogging, this involved capturing smaller, strategically located islands and establishing military bases there, as opposed to outwardly attacking mainland Japan. From these new bases, Allied soldiers would start the process again and continue until they reached their ultimate target.
Here at Carbon Black we’ve been tracking the resurgence of island hopping in the technology world and we’ve witnessed the tactic becoming more prevalent and dangerous. Once a quarter we undertake Incident Response (IR) partner investigations and our latest Global Incident Response Threat Report, shows that half of today’s surveyed attacks leverage island hopping, meaning attackers are not only after a network, but supply chains as well. Interestingly, our survey also found that attackers are ‘fighting back’ against security teams while also targeting supply chains. More than half of our survey respondents (56%) encountered instances of counter-incident response in the past 90 days. What’s more 70% of all attacks now involve attempts at lateral movement, our survey found, as attackers take advantage of new vulnerabilities and native operating system tools to move around a network.
So attackers are fighting back. They appear to have no desire to leave the environment. And they don’t just want to rob your organisation and those companies in your supply chain, they appear to want to ‘own’ your entire system.
In particular, our survey found that while the financial and healthcare industries remain most vulnerable to these attacks, the threat to manufacturing companies has grown significantly. In the past 90 days, nearly 70% of all respondents saw attacks on the financial industry, followed by healthcare (61%) and manufacturing (59%, up from 41% in our previous report). Likewise, as island hopping has become a more persistent threat, the technique has taken on new forms. Here are three that I’ve seen and would recommend organisations keep an eye on:
Network-based island hopping
This is what we typically think of when we think island hopping – an attacker leveraging your network to hop onto an affiliated network. Of late this has often taken the form of targeting an organisation’s managed security services provider (MSSP) to flow through their connections.
Website converted into a ‘watering hole’
Nearly one fifth of our survey respondents saw a victim’s website converted into a ‘watering hole’ – a technique aimed at ensnaring a victim’s customers and partners. This is one of the greatest ways to attack a brand and as such organisations need to make this a brand protection issue. This means CMOs need to have their own cybersecurity strategy in place as it relates to their digital marketing footprint.
Reverse business email compromise
This is a new trend, occurring primarily in the financial sector, wherein attackers take over the mail server of their victim company and leverage fileless malware attacks from there to those who trust it. Some are calling it the modern bank heist.
So as you can see, even as we become more adept defenders, attackers are doing everything they can to stay out front. They’re developing and sharing new techniques, exploiting new vulnerabilities, and finding new ways to remain invisible in a network in order to own the entire system. As adversaries seek to wreak havoc, businesses and IR teams need to stay on the cutting edge if we want to fight back with success. This means that businesses need to be mindful of the companies that they are working with, and ensure those companies are doing their due diligence around cybersecurity as well.