The industries most affected by island hopping attacks are finance, healthcare, manufacturing and retail.
The term ‘island hopping’ is not originally a technological term: it comes from military strategy. More precisely, it comes from World War II, from the strategy the US military used to reach mainland Japan via islands such as Hawaii, the Marshall Islands and Guam, to end the war.
An island hopping attack is a hacking campaign in which threat actors target an organisation’s more vulnerable third-party partners to undermine the target company’s cybersecurity defences and gain access to its network. The ultimate goal of this type of attack is to reach the organisation’s valuable data and information about its business and clients, projects, intellectual property and the like.
Although not new, island hopping attacks have become increasingly popular. Gartner’s Roadmap for Improving Endpoint Security confirms that software- and hardware-based supply chain attacks have been trending up in recent years.
To hack a large organisation that has substantial cybersecurity in place, cybercriminals target small organisations (e.g. suppliers or partners) in order to obtain the credentials of the large organisation. Cybercriminals use this technique to compromise network systems between these organisations, after which they take advantage of this to compromise the security of the large company.
Who are potential targets?
Endpoint cloud security services provider Carbon Black recently published its Global Incident Response Threat Report, which found that cybercriminals are honing their ability to remain undetected inside organisations they have breached. The report found that 55% of attacks involve island hopping, i.e. an attacker infiltrating an organisation’s network to launch attacks on other companies along its supply chain. The report adds that the pandemic has left organisations increasingly vulnerable to such attacks as their employees move to remote work and less secure home networks and devices.
Another Carbon Black report, the Quarterly Incident Threat Report, states that in the 1st quarter of this year, 42% of financial firms, 32% of retailers and 32% of manufacturers were targeted by island hopping attacks.
One of the well-known cases of island hopping attacks affected US shopping giant Target in 2014. An extensive data breach targeted the company’s point of sale system, resulting in stolen payment information from 40 million of its customers. The attack cost Target about USD 300 million.
The attack on Target did not occur directly. It began with a small company called Fazio Mechanical Services, a heating and refrigeration company. This Target supplier reported that it had been breached by cybercriminals, who stole Target credentials. It happened through an email cyberattack that took place at least two months before the attack against Target.
The Target Stores breach, for example, led to the termination of its CEO and the C-suite officers responsible for IT and cybersecurity. The company has spent over USD 250 million just to defend against the shareholder and customer lawsuits.
Airbus SE announced in September 2019 that it had taken new steps to guard its systems against cyberattacks launched through the computer systems of subcontractors. This was prompted by very recent cyberattacks on two of the company’s suppliers (Rolls-Royce Holdings Plc and Expleo) in an attempt to access employees’ personal information at Airbus SE.
A CrowdStrike report warned that 90% of respondents in its study confirmed that they had incurred a financial cost as a result of experiencing a software supply chain attack. The average cost of an attack amounts to over USD 1.1 million!
The US Customs and Border Protection (CBP) also recently announced that an unnamed subcontractor transferred copies of license-plate images and travellers’ photos from federal servers to its own company network, without CBP’s authorisation. The major concern was not just the breadth of the stolen data but also the number of people exposed by the third party.
The list of examples goes on. The Target case study, however, clearly shows how island hopping attacks can put small businesses in danger. This has been exacerbated by the current pandemic-provoked situation. With everyone working from home, there is a heavy reliance on collaboration tools and technology platforms. However, these very tools, if not effectively secured, can be used by threat actors to infiltrate organisations of all types.
As we recently advised, successful third-party risk management involves a great deal of trust between the organisations and their suppliers or partners. However, this trust must be verified.
Third-party risk is a very intriguing area for many companies, as too many organisations lack a centralised way of evaluating their vendors. Hence, organisations should develop a comprehensive strategy for managing third-party security risks and avoid over-reliance on any single tool such as vendor security risk assessment, monitoring or just rating services.
One way to perform effective risk management is given in the Third-Party Risk Management Guidelines: (1) planning to manage relationships with third-party vendors, (2) conducting due diligence on third-party selection, (3) legal counsel review of all contract proposals, (4) monitoring and periodically reviewing third-party relationships, and (5) termination and contingency planning, which can be invoked in the event of contract default, breach or termination.
We have also advised that third-party organisations should demonstrate that they conduct regular third-party risk and security assessments with their vendors. This includes policies and processes aimed at protecting their and your systems and data. In that regard, protected network access is one of the most important security checks. We also advise that your suppliers use the same preferred managed security service provider (MSSP) and cybersecurity technology as your organisation.
Carbon Black’s Global Incident Response Threat Report advises building the capacity to detect and respond across workloads. Cybersecurity is imperative in the transition to remote, cloud-run working environments. Otherwise these environments become a one-stop shop for island hopping and other methods of commandeering networks. Protecting cloud environments, containers, applications and microservices, where most of the work is happening, is imperative.
Furthermore, email security must be increased, as many island hopping methods use email attacks, notably phishing, to steal credentials. Hence, a robust email security solution is required to automatically detect signs of account compromise and suspicious emails.
Implementing strong identity management is another technical measure. Every user in an organisation must have a strong and unique password for each account in use. Also, multi-factor authentication should be used to reduce the possibility of account compromise.
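As an added illustration (not part of the original article or of any vendor's product), the identity and network-access checks described above can be run over third-party login records. The account names, hosts, IP ranges and events below are constructed for the example.

```python
import ipaddress

# Constructed policy: the internal hosts each vendor account may reach and the
# source networks it is expected to log in from (documentation IP ranges).
VENDOR_POLICY = {
    "hvac-vendor": {"hosts": {"billing-portal"}, "nets": ["203.0.113.0/24"]},
    "parts-supplier": {"hosts": {"order-api"}, "nets": ["198.51.100.0/24"]},
}

# Constructed login events: (account, source IP, target host, MFA used)
EVENTS = [
    ("hvac-vendor", "203.0.113.10", "billing-portal", True),
    ("hvac-vendor", "203.0.113.10", "pos-server-01", True),     # out of scope
    ("hvac-vendor", "192.0.2.77", "billing-portal", False),     # new net, no MFA
    ("parts-supplier", "198.51.100.5", "order-api", True),
    ("unknown-contractor", "198.51.100.9", "order-api", True),  # not onboarded
]

def audit_event(account, src_ip, host, mfa, policy=VENDOR_POLICY):
    """Return the list of policy findings for one third-party login event."""
    rule = policy.get(account)
    if rule is None:
        # Access by a third party that never went through vendor assessment.
        return ["account-not-in-vendor-inventory"]
    findings = []
    if not mfa:
        findings.append("no-mfa")
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in ipaddress.ip_network(net) for net in rule["nets"]):
        findings.append("unexpected-source-network")
    if host not in rule["hosts"]:
        findings.append("host-outside-vendor-scope")
    return findings

def audit(events=EVENTS):
    """Return {event_index: findings} for every event that breaks policy."""
    report = {}
    for index, event in enumerate(events):
        findings = audit_event(*event)
        if findings:
            report[index] = findings
    return report

if __name__ == "__main__":
    for index, findings in audit().items():
        print(EVENTS[index], "->", ", ".join(findings))
```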
Strong endpoint protection is yet another measure for making sure the organisation is protected from malware attacks.
In a nutshell, there are various risk management methods to deal with third-party risks, but the key point is to perform a thorough assessment before allowing any vendor to access your networks or information resources. In other words, third-party organisations must provide evidence that they are following cybersecurity ‘best practices’ before accessing your networks and resources.