Threat actors targeting large organizations — even ones with effective cybersecurity defenses — will go to any length to get in. Even when the targeted organization does a good job at cybersecurity, attackers will exploit intermediaries to carry out their attacks.
Rick McElroy, head of security strategy at Carbon Black Inc., explained island hopping attacks, which are hacking campaigns where attackers exploit third parties that have some degree of access to the attacker’s ultimate network target.
While the island hopping attack strategy is not new, it is becoming increasingly important as attackers find new ways to gain access to enterprise networks that must accommodate greater numbers of third parties, whether they are remote employees, contractors, corporate customers or suppliers who must access resources remotely.
Editor’s note: This interview has been edited for length and clarity.
What are island hopping attacks?
Rick McElroy: The term island hopping actually came from World War II, from the U.S. strategy to get to mainland Japan to end the war. We had to go to Hawaii, then on to the Marshall Islands, Guam, and each one of those was used as a launching point for the next island hopping campaign.
Very similarly, in a cyber sense, that’s what you see: An attacker targets an entity; the attacker wants their data, but they’ve got great defenses, they’ve got a good team and the attacker is having a really hard time showing a return on investment for the time they’ve spent on these cyberattacks. But the attacker remembers through some of their recon that the target does business with another organization — for example, one of their downstream suppliers who makes boards for the targeted organization.
So, then, you see subversion of the hardware supply chain. You may see a case where an organization ordered food from the same website all the time for their employees, and the attackers learned that, hacked that website and then were using that as a watering hole to gain malicious information, which was then leveraged back to the target organization.
Is island hopping the same as pivoting to access a target?
McElroy: Yes, absolutely. I would even refer to it as the modern-day lateral movement. Lateral movement used to mean the attacker saying, ‘I landed on one endpoint on the network, and I want to get to the next one.’ Now, the attacker wants to leverage that entire connected ecosystem, and then they can do lots and lots of nefarious things.
Why do attackers use island hopping, and who is using this tactic?
McElroy: If you look at any of the major global threat reports, you’ll notice that most of the attacks come out of North America. Now, that sounds weird, because we’ve only got a couple of groups that do offensive activity for our government. But what’s happened is you really have a huge amount of the real estate in the infrastructure in America that’s been owned by the adversaries, and then that infrastructure is leveraged to attack other American-based things or other things overseas.
Rick McElroyHead of security strategy, Carbon Black
The attacks aren’t going to come from China, and they’re not going to look like they come from Russia. But we can’t just drop those countries from our firewalls as an effective defense because the data center down the road has all of the same botnets, and that’s what’s going to come after you.
People make decisions based on regions and not based on behaviors for security, which is not good — they’ve got to do it based on behavior.
Primary motivations will be things like return on investment — be it ransomware or cryptojacking — so I can actually use that endpoint or server to create cryptocurrency, which will then fuel my other nefarious criminal activity. But they really kind of leverage that brand.
Imagine you have this trusted provider in the cloud that everybody uses, and say we all stick our photos there. As an adversary, I want to be able to leverage that brand because there’s trust. We receive email. It says, ‘Upload things here;’ it says, ‘Log in to this page.’ And so, if I can start to break down that trust and use it against the organization, that’s when I can really do some significant damage because users and consumers are going to think that the message is coming from them. And it’s why Apple phishing attacks are still so big, why people click on phishing attacks for Facebook — it’s really about leveraging that brand against other organizations, leveraging the infrastructure that sits in North America to launch against each other and damage those brands both ways.
They want to leverage the good known about the brand against everybody that does business with them.
How can you detect an island hopping attack?
McElroy: No. 1: Have an incident response plan and a team that is funded and tooled. The best way you’re going to see this stuff again is to get visibility into the environment. A lot of the traditional tools out there don’t provide that, and that’s really going to be on the defenders themselves to choose the right level of visibility. But it’s probably going to be some network stuff — there will be some endpoint detection and response things that don’t need to look at DNS logs.
What they actually need to do is put this picture together over time. Now that they’ve got that picture over time, they can start to train their humans to start to find some of these things that the technologies aren’t finding. Once they start on that path, I can guarantee they’re probably going to find some stuff, and they’re going to have to start to lurk with that ecosystem to keep it clean.
In some cases, we have customers that, on a daily basis, notify downstream suppliers of malicious activity coming from their networks. In a lot of cases, you’ll see the very large providers actually starting to do one of two things: Recommend the same ecosystem of security providers — meaning, if you want to do business with us, this is our preferred managed security vendor and our preferred technology stack. We would prefer that everybody that does business with us runs on that. So, cost of business goes up for the downstream providers. The second is to have an incident response third party on retainer, so this is something that teams should be working on with their legal teams to have them on retainer — have that ready to go so that, if you do miss something as a team, they’re ready to run.
You see multiple different approaches out there on how a supply chain is looking to prevent these issues as part of that whole ecosystem. And then, of course, there’s a bunch of companies that are trying to quantify the supply chain risk, and they come up with a scoring mechanism for various entities that supply things, and then organizations can make better risk-based decisions on those.
What else can enterprises do to prevent island hopping attacks?
McElroy: There’s a number of different good security practices — things like having correct network segmentation so that contractors don’t necessarily get access to all of the servers, just the server they need to work on.
Multifactor authentication also goes a long way. And looking at technology that does password vaulting for controlling your admin and superuser accounts is huge.
If I was talking to someone today and they asked me, ‘What are the two areas that I should focus on from a detection perspective?’ I would say: Focus on lateral movement and credential harvesting. If you can be really good at detecting those two activities, you’re probably going to stop 80% to 90% of the attacks that are out there — or, at least, know about them when they’re occurring because, in almost every case, the adversaries have to get on another box and they have to get credentials to do it.
If you can interrupt that activity, that’s huge.
What else should people know about island hopping attacks?
McElroy: We’re starting to see this really disturbing trend of destructive attacks. For example, I put a piece of ransomware on your system, and you won’t pay me, and now I’m upset, so I’m just going to burn your infrastructure. You see this used for counter-incident response purposes: destruction of system data, destruction of logs, destruction of systems themselves if the attackers think they’re about to get caught. You see this as it relates to research and development — so, organizations that are on the forefront of things like automated cars, robotics and AI. There are certain actors out there that will look at that — they obviously want that R&D — so they’ll steal the R&D, and then they’ll burn the infrastructure to put the research teams even further behind.
My No. 1 piece of advice there is to insure that organizations have backups and have tested the restorations because that’s going to help you recover, whether it’s a Trojan, ransomware or cryptojacking. It’s going to help them get back online faster.