The threat to the cyber landscape continues to evolve at a rapid pace. High-profile data breaches demonstrate not only the huge financial cost of being attacked, but also the considerable reputational damage that organisations face. With hackers continually moving the goal posts, how can security and incident response (IR) teams fight back and effectively outpace their adversaries?
One area where there has been a notable increase in attacks is via third-party supply chains. Advanced cyberattacks are evolving as attackers target supply chains and undertake ‘island hopping’ to the extent that today this hacking technique poses a serious and complex threat to business. Though it’s not a new phenomenon, this type of attack increased in prevalence in 2018 and is becoming more and more common.
For those less familiar with island hopping, the name comes from a WWII military tactic used by the United States in the Pacific. Also known as leapfrogging, this involved capturing smaller, strategically located islands and establishing military bases there, as opposed to outwardly attacking mainland Japan. From these new bases, Allied soldiers would start the process again and continue until they reached their ultimate target.
So why is this?
There are a multitude of risks facing almost all major supply chains, from geopolitics to financial pressures to natural disasters to cybercriminals. This diversity of risk makes it harder for organisations to keep track. In particular, island hopping tends to be initiated in smaller organisations: cybercriminals infiltrate their target organisation through its smaller partner.
Often, these smaller companies have more vulnerable security systems than the larger target organisations. This makes them easier for hackers to access. Once in, hackers take advantage of the trust between the two companies and use their shared networks to reach the true target. At this point, the whole supply chain, including customer data, is at risk.
At Carbon Black we’ve been tracking the resurgence of island hopping in the technology world and we’ve witnessed the tactic becoming more prevalent and dangerous. Once a quarter we undertake Incident Response (IR) partner investigations. Our latest Global Incident Response Threat Report shows that half of today’s surveyed attacks leverage island hopping. This means attackers are not only after a network, but supply chains as well.
Interestingly, our survey also found that attackers are ‘fighting back’ against security teams while also targeting supply chains. More than half of our survey respondents (56%) encountered instances of counter-incident response in the past 90 days. What’s more, 70% of all attacks now involve attempts at lateral movement, as attackers take advantage of new vulnerabilities and native operating system tools to move around a network.
Attackers fighting back.
Attackers have no desire to leave the environment. They don’t just want to rob your organisation and those companies in your supply chain, they want to ‘own’ your entire system.
In particular, our survey found that while the financial and healthcare industries remain most vulnerable to these attacks, the threat to manufacturing companies has grown significantly. In the past 90 days, nearly 70% of all respondents saw attacks on the financial industry, followed by healthcare (61%) and manufacturing (59%, up from 41% in our previous report).
Likewise, as island hopping has become a more persistent threat, the technique has taken on new forms. Here are three that I’ve seen and would recommend organisations keep an eye on:
- Network-based island hopping: This is what we typically think of when we think island hopping – an attacker leveraging your network to hop onto an affiliated network. Of late this has often taken the form of targeting an organisation’s managed security services provider (MSSP) to flow through their connections.
- Website converted into a ‘watering hole’: Nearly one fifth of our survey respondents saw a victim’s website converted into a ‘watering hole’ – a technique aimed at ensnaring a victim’s customers and partners. This is one of the greatest ways to attack a brand and as such organisations need to make this a brand protection issue. This means CMOs need to have their own cybersecurity strategy in place as it relates to their digital marketing footprint.
- Reverse business email compromise: This is a new trend, occurring primarily in the financial sector, wherein attackers take over the mail server of their victim company and leverage fileless malware attacks from there to those who trust it. Some are calling it the modern bank heist.
As you can see, even as we become more adept defenders, attackers are doing everything they can to stay out front. They’re developing and sharing new techniques, exploiting new vulnerabilities, and finding new ways to remain invisible in a network in order to own the entire system.
As adversaries seek to wreak havoc, businesses and IR teams need to stay on the cutting edge if we want to fight back with success. This means that businesses need to be mindful of the companies that they are working with, and ensure those companies are doing their due diligence around cybersecurity as well.