The rise of island hopping and counter incident response
As cyber defence has become more sophisticated, so too have cyber criminals
There’s a rapidly growing arms race between cyber defenders and cyber criminals, as advancements in cybersecurity technologies and practices are matched by sophisticated cyber criminals wielding novel techniques and methods.
In order to better understand and prepare for the current state of this ongoing battle between defenders and attackers, we need to take a look at the common hacking trends in cyberspace as well as some best practices security professionals can employ to be sure that their networks are prepared for the new age of cyber crime.
Perhaps the most pronounced trend noticed throughout 2019 is the rise in “island hopping,” with a recent Carbon Black study finding that of today’s cyber attacks utilise the technique. The basic theory behind island hopping is one of attacking a secondary or tertiary objective through which an attacker can then gain access to their primary target.
While the technique itself is not new, it has taken on new forms while increasing in overall prevalence. This should be a concerning trend for us all, as it implies that even if an organisation has robust enough security to stand up to an attack, a lack of such a security posture on the part of the organisations they do business with can still leave them at risk.
Types of island hopping
The three forms of island hopping that organisations should be aware of right now are network-based island hopping, watering hole attacks, and Reverse Business Email Compromise (BEC).
Network-based island hopping is the most common form of the technique and what is usually referred to by the term. With network-based island hopping, attackers infiltrate one network for the purpose of “hopping” onto an affiliate network. Recently, this has commonly come in the form of attackers targeting an organisation’s managed security services provider (MSSP) to move through their network connections.
While much less common, “watering hole” attacks make up a solid portion of island hopping attacks seen in early 2019 (17 percent according to Carbon Black’s most recent incident response threat report). In these attacks, hackers will target a website frequented by partners or customers of the organisation they are trying to breach. Most commonly, hackers will inject malware into the target site that will then infect the individuals using the site, providing the attackers with the information or access they need to move onto the next stage of their attack.
Reverse Business Email Compromise represents a newer trend in cyber crime occurring mainly in the financial sector. These attacks are achieved when a hacker successfully takes over a victim’s mail server to wage file-less malware attacks against members of an organisation who are prone to trusting what seem to be legitimate emails coming into their inbox.
Attackers wage these sorts of attacks for several reasons, but we have seen a steep increase in attempted intellectual property theft, up 17 percent from last quarter. Financial gain remains the most common objective, representing 61 percent of island hopping attacks. When asked why their organisations were vulnerable to these attacks, “lack of visibility” was named the top barrier to incident response. Unfortunately, the difficulties facing security teams don’t end there.
Counter incident response
No longer content with the smash and grab attacks that once defined the hacking landscape, attackers are finding new ways of sticking around in their victim’s networks, even after being detected. In Carbon Black’s recent survey, 56 percent of respondents encountered instances of attempted counter incident response, up five percent from the previous quarter. Often, these efforts took the form of evasion tactics, where attackers bring down systems such as firewalls or antivirus solutions in order to buy themselves time to achieve their real goals.
The top form of counter incident response according to 87 percent of survey respondents, however, was undoubtedly the destruction of event logs. Such destructive tactics enable attackers to hide their tracks and prevent security teams from getting to the bottom of an attack. With 75 percent of respondents claiming that event logs are the most valuable artefact an incident response team needs to collect during an investigation, the effectiveness of this tactic cannot be overstated.
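A defender-side illustration of the log-destruction tactic described above, added here and not part of the original article or Carbon Black's report: it scans centrally forwarded Windows events for the records Windows writes when a log is cleared (Security 1102, System 104) and for log-clearing commands. The record layout, host names and accounts are constructed assumptions.

```python
import re
from collections import defaultdict

# Records Windows itself writes when a log is cleared.
CLEARED = {("Security", 1102): "Security audit log cleared",
           ("System", 104): "event log cleared"}

# Log-clearing commands, looked for in 4688 process command lines and
# 4104 PowerShell script blocks.
CLEAR_CMD = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|\b(?:Clear|Remove)-EventLog\b",
    re.IGNORECASE)

PS_LOG = "Microsoft-Windows-PowerShell/Operational"

# Constructed sample records (hypothetical hosts, accounts and field names),
# as a central collector might hold them after forwarding.
EVENTS = [
    {"time": "2019-06-03T10:14:02Z", "host": "fin-ws01", "user": "svc_backup",
     "channel": "Security", "event_id": 4688, "text": "wevtutil.exe cl Security"},
    {"time": "2019-06-03T10:14:03Z", "host": "fin-ws01", "user": "svc_backup",
     "channel": "Security", "event_id": 1102, "text": ""},
    {"time": "2019-06-03T10:14:10Z", "host": "fin-ws01", "user": "svc_backup",
     "channel": PS_LOG, "event_id": 4104, "text": "Clear-EventLog -LogName System"},
    {"time": "2019-06-03T10:14:11Z", "host": "fin-ws01", "user": "svc_backup",
     "channel": "System", "event_id": 104, "text": ""},
    {"time": "2019-06-03T10:20:45Z", "host": "hr-ws07", "user": "jdoe",
     "channel": "Security", "event_id": 4688, "text": "wevtutil.exe qe Security /c:5"},
]


def find_log_clearing(events):
    """Return {host: [(time, user, reason), ...]} for log-destruction signals."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        reason = CLEARED.get((ev["channel"], ev["event_id"]))
        is_cmd = ev["event_id"] in (4688, 4104) and CLEAR_CMD.search(ev["text"])
        if reason is None and is_cmd:
            reason = "log-clearing command: " + ev["text"]
        if reason:
            hits[ev["host"]].append((ev["time"], ev["user"], reason))
    return dict(hits)


if __name__ == "__main__":
    for host, found in find_log_clearing(EVENTS).items():
        for when, user, reason in found:
            print(host, when, user, reason)
```

The clear records live in the very logs being destroyed, so this check is only useful against copies already forwarded off the host.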
Attackers in most counter incident response situations commonly leveraged lateral movement, with the practice occurring in 70 percent of reported . Furthermore, 40 percent of respondents saw lateral movement in 90 percent of attacks they witnessed. The difficulties that come with lateral movement are many, as hackers can cover their movements by mimicking regular traffic or even mask their activity by using popular admin tools such as PowerShell (seen by 98 percent of GIRTR respondents) or Windows Management Instrumentation (seen by 83 percent of GIRTR respondents).
How to respond?
Looking at the challenges, it might seem that the outlook is bleak for security teams trying to secure their networks. But by following a number of key best practices, security professionals can better prepare themselves in the fight against cyber crime.
Cybersecurity practices have been steadily improving in recent years. Technologies for the detection and mitigation of cyber threats have advanced by leaps and bounds, and security teams within organisations have never had more tools available for keeping their networks safe.
But as cyber defence has become more sophisticated, so too have cyber criminals. Ever adaptive cyber criminals have responded to improvements in cybersecurity in kind using novel techniques that allow them to bypass security on target systems and achieve their various goals. Security incidents caused by skilled cyber criminals have become a reality for modern organisations, therefore overlooking cybersecurity isn’t an option.
Rick McElroy, Head of Security Strategy at Carbon Black