The rise of Island Hopping and Counter Incident Response
There’s a rapidly growing arms race between cyber defenders and cyber criminals, as advancements in cybersecurity technologies and practices are matched by sophisticated cyber criminals wielding novel techniques and methods. In order to better understand and prepare for the current state of this ongoing battle between defenders and attackers, we need to take a look at the common hacking trends in cyberspace as well as some best practices security professionals can employ to be sure that their networks are prepared for the new age of cyber crime.
The Rise of Island Hopping
Perhaps the most pronounced trend noticed throughout 2019 is the rise in “island hopping,” with a recent Carbon Black study finding that exactly half (50 percent) of today’s cyber attacks utilize the technique. The basic theory behind island hopping is one of attacking a secondary or tertiary objective through which an attacker can then gain access to their primary target. While the technique itself is not new, it has taken on new forms while increasing in overall prevalence. This should be a concerning trend for us all, as it implies that even if an organization has robust enough security to stand up to an attack, a lack of such a security posture on the part of the organizations they do business with can still leave them at risk.
The Types of Island Hopping
The three forms of island hopping that organizations should be aware of right now are network-based island hopping, watering hole attacks, and Reverse Business Email Compromise (BEC).
Network-based island hopping is the most common form of the technique and what is usually referred to by the term. With network-based island hopping, attackers infiltrate one network for the purpose of “hopping” onto an affiliate network. Recently, this has commonly come in the form of attackers targeting an organization’s managed security services provider (MSSP) to move through their network connections.
While much less common, “watering hole” attacks make up a solid portion of island hopping attacks seen in early 2019 (17 percent according to Carbon Black’s most recent incident response threat report). In these attacks, hackers will target a website frequented by partners or customers of the organization they are trying to breach. Most commonly, hackers will inject malware into the target site that will then infect the individuals using the site, providing the attackers with the information or access they need to move onto the next stage of their attack.
Reverse Business Email Compromise represents a newer trend in cyber crime occurring mainly in the financial sector. These attacks are achieved when a hacker successfully takes over a victim’s mail server to wage file-less malware attacks against members of an organization who are prone to trusting what seem to be legitimate emails coming into their inbox.
Attackers wage these sorts of attacks for several reasons, but we have seen a steep increase in attempting intellectual property theft, up 17 percent from last quarter. Financial gain remains the most common objective, representing 61 percent of island hopping attacks. When asked why their organizations were vulnerable to these attacks, “lack of visibility” was named the top barrier to incident response. Unfortunately, the difficulties facing security teams don’t end there.
Increasingly Sophisticated, and Destructive, Counter Incident Response
No longer content with the smash-and-grab attacks that once defined the hacking landscape, attackers are finding new ways of sticking around in their victims’ networks, even after being detected. In Carbon Black’s recent survey, 56 percent of respondents encountered instances of attempted counter incident response, up five percent from the previous quarter. Often, these efforts took the form of evasion tactics, where attackers bring down systems such as firewalls or antivirus solutions in order to buy themselves time to achieve their real goals.
The top form of counter incident response according to 87 percent of survey respondents, however, was undoubtedly the destruction of event logs. Such destructive tactics enable attackers to hide their tracks and prevent security teams from getting to the bottom of an attack. With 75 percent of respondents claiming that event logs are the most valuable artifact an incident response team needs to collect during an investigation, the effectiveness of this tactic cannot be overstated.
Attackers in most counter incident response situations commonly leveraged lateral movement, with the practice occurring in 70 percent of reported security engagements. Furthermore, 40 percent of respondents saw lateral movement in 90 percent of attacks they witnessed. The difficulties that come with lateral movement are many, as hackers can cover their movements by mimicking regular traffic or even mask their activity by using popular admin tools such as PowerShell (seen by 98 percent of GIRTR respondents) or Windows Management Instrumentation (seen by 83 percent of GIRTR respondents).
How to Respond?
Looking at the challenges, it might seem that the outlook is bleak for security teams trying to secure their networks. But by following a number of key best practices, security professionals can better prepare themselves in the fight against cyber crime.
- Have a backup plan for setting up a new operating environment: Setting up a new environment in the case of an incident is often necessary, so be sure that you have a plan in place for getting one set up as quickly as possible.
- Don’t turn on the lights right away: When possible, take some time to observe your adversary after detection to see where they’ve gained access and what their objectives are. This will help ensure that when you do pull the plug on them, it will be for good.
- Back up your data: Attackers want to destroy your event logs, so don’t let them. Keep data backed up and stored in a safe place that only the security team can access.
- Bring down the noise: New technology is providing security teams with more data than ever before, but it can be useless without a way of prioritizing and contextualizing it. Be sure to build a framework that will enable teams to make quick sense of what they’re seeing and conduct a measured, appropriate response.
- Plan and be prepared: Security incidents are inevitable, so having an incident response plan in place or even an incident response team on retainer ensures that you will be able to react quickly and efficiently.
- Rebuild from scratch and integrate endpoint detection and response: The best and simplest way to improve your security is to start from the ground up and be sure to build in new, advanced technologies that are bringing cybersecurity to new heights, such as endpoint detection and response.
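The log-destruction tactic described above, and the advice to keep a copy of your logs where attackers cannot reach it, can be turned into a concrete check. The following is an added example, not code from the original article or from Carbon Black: it takes a forwarded (off-host) copy of Windows events, flags the records Windows itself writes when a log is cleared (Event ID 1102 in the Security log, Event ID 104 in the System log), and then compares the forwarded history with the oldest record each host still holds locally, so that wiped history is noticed even if the clear event itself never arrived. The JSON field names, hostnames and records are constructed for this example.

```python
"""Spot event-log destruction from a forwarded copy of Windows logs."""
import json
from datetime import datetime

# Real Windows event IDs written when a log is cleared: 1102 in the Security
# log and 104 in the System log (for the other channels).
CLEAR_EVENTS = {("Security", 1102): "Security log cleared (Event 1102)",
                ("System", 104): "event log cleared (Event 104)"}

# Constructed sample telemetry. The field names (host, channel, event_id,
# time, user) are an assumption of this example, not a real product schema.
SAMPLE_FORWARDED = [
    '{"host":"ws01","channel":"Security","event_id":4624,"time":"2019-05-01T08:00:00+00:00","user":"alice"}',
    '{"host":"ws01","channel":"Security","event_id":4688,"time":"2019-05-01T08:05:00+00:00","user":"alice"}',
    '{"host":"ws01","channel":"Security","event_id":1102,"time":"2019-05-01T08:30:00+00:00","user":"svc_backup"}',
    '{"host":"ws02","channel":"System","event_id":104,"time":"2019-05-01T09:00:00+00:00","user":"bob"}',
    '{"host":"ws03","channel":"Security","event_id":4624,"time":"2019-05-01T07:00:00+00:00","user":"carol"}',
]
# Oldest record each host still holds locally, as an agent would report it (constructed).
SAMPLE_OLDEST_ON_HOST = {("ws01", "Security"): "2019-05-01T08:30:00+00:00",
                         ("ws02", "System"): "2019-05-01T09:00:00+00:00",
                         ("ws03", "Security"): "2019-04-01T00:00:00+00:00"}

def parse_events(lines):
    """Parse JSON-lines records, converting the ISO 8601 timestamp to a datetime."""
    events = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["time"] = datetime.fromisoformat(rec["time"])
            events.append(rec)
    return events

def find_log_clears(events):
    """One alert per clear event: which host, which log, and which account did it."""
    return [{"host": e["host"], "user": e.get("user", "?"), "time": e["time"].isoformat(),
             "what": CLEAR_EVENTS[(e["channel"], e["event_id"])]}
            for e in events if (e["channel"], e["event_id"]) in CLEAR_EVENTS]

def find_missing_history(events, oldest_on_host):
    """Count forwarded records older than anything the host still holds.

    A non-zero count means local history was wiped after it was forwarded,
    which catches a clear even when the 1102/104 record was suppressed.
    Only an off-host copy makes this comparison possible.
    """
    lost = {}
    for e in events:
        key = (e["host"], e["channel"])
        if key in oldest_on_host and e["time"] < datetime.fromisoformat(oldest_on_host[key]):
            lost[key] = lost.get(key, 0) + 1
    return lost
```

On the sample data, `find_log_clears` reports the clears on ws01 and ws02, and `find_missing_history` shows that two Security records from ws01 survive only in the forwarded copy.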
Cybersecurity practices have been steadily improving in recent years. Technologies for the detection and mitigation of cyber threats have advanced by leaps and bounds, and security teams within organizations have never had more tools available for keeping their networks safe. But as cyber defense has become more sophisticated, so too have cyber criminals. Ever-adaptive cyber criminals have responded to improvements in cybersecurity in kind, using novel techniques that allow them to bypass security on target systems and achieve their various goals. Security incidents caused by skilled cyber criminals have become a reality for modern organizations, so overlooking cybersecurity isn't an option.
About the Author:
Rick McElroy, Head of Security Strategy for Carbon Black, has 20 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has held security positions with the U.S. Department of Defense, and in several industries including retail, insurance, entertainment, cloud computing, and higher education. McElroy’s experience ranges from performing penetration testing to building and leading security programs. He is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CISM), and Certified in Risk and Information Systems Control (CRISC). As a United States Marine, McElroy’s work included physical security and counterterrorism services. His current role takes him all over the world working with organizations to improve their security strategies and speaking on security and privacy.