Island hopping is a type of cyberattack in which threat actors target an organization’s third-party partners and use them as an access point into the target organization’s network. A threat actor is any entity that is trying to compromise a company’s network. The advantage of island hopping for the attacker is that it circumvents many of the target company’s defenses: instead of attacking the target directly, the attacker compromises a company the target already trusts and uses that trusted access to get in. This arrangement is called a trust relationship between two companies, where one company has an established relationship with another and gives it access to its network.
Island hopping has been on the rise in the last few years because it is a very efficient type of attack. Rather than trying to compromise a company that has good security awareness and defenses, it is more efficient to compromise an easier target and use it to get entry into the organization you actually want to compromise. By taking advantage of the trust that business partners have in one another, this type of attack will always have a high chance of success. Secondly, by compromising a company that has many business partners, a threat actor can gain access to many companies at once, giving them multiple targets to choose from and more profit than targeting a single company. A famous example of this was the SolarWinds attack in 2021. For those who haven’t heard of SolarWinds, it is a software company based in the US that provides services to hundreds of US companies. A threat actor was able to compromise SolarWinds and inject a malicious payload into a software update before it was released to clients; as a result, every SolarWinds client that downloaded that update was infected with malware. According to best estimates, this island-hopping attack infected over 100 US companies, including Microsoft and FireEye.
Source: BleepingComputer
Now that you understand what an island-hopping attack is, we’re going to cover some of the most popular types of island-hopping attacks. Each is a different way an attacker can use a third party to compromise their main target organization.
Network-based island hopping is when an attacker compromises one company’s network and uses that foothold to move directly into another company’s network. A computer network is simply a group of interconnected machines that can communicate with one another. A company’s network should normally be isolated from untrusted networks such as the internet by security devices like firewalls and routers. However, when companies have business partners, they may allow the partner access to the internal network in order to collaborate or to share certain resources. Hackers take advantage of this by compromising a business partner and then using the partner’s network access to reach their intended target.
A watering hole attack is a type of cyberattack where a hacker observes or guesses which websites employees of an organization like to visit and infects those websites with malware. When an employee navigates to the website, their device is infected, and the infection spreads to the company’s network via that corporate device. The name comes from the way predators hunt prey in the wild: many predators, crocodiles for example, wait near or in a watering hole and attack animals when they come to drink. The idea, both in nature and in cybercrime, is that rather than chasing after the target you simply wait for the target to come to you. An example in the cyber world would be a hacker compromising the website of a local coffee shop near the business they want to attack. When someone from that business goes to the site to order a coffee or check the menu, their device is infected, and the infection eventually spreads to the corporate network once they connect the device to it.
A normal business email compromise (BEC) is when an attacker impersonates a high-level employee such as a CEO, director, or VP to convince someone to act. A common example is trying to convince an employee to perform a wire transfer by leveraging the impersonated person’s authority. A reverse BEC is when an attacker compromises a business partner and then sends fraudulent emails from the partner’s accounts to the target company. This can be used to steal money from the company via wire transfers or some other form of scam. It can also be used to get someone to download malware that gives the hacker access to that company’s network.
Island hopping affects businesses by introducing an extra layer of risk. With island-hopping attacks becoming more popular, every business partner you have is now a potential entry point into your organization, and companies need controls and processes in place to protect themselves from that risk.
In this section we are going to focus on how to defend against island hopping. Since it involves third-party organizations, some people may believe there’s not much you can do to prevent it, but that is not true. Having good third-party security processes is an important part of a good overall cybersecurity program.
User management is important for preventing employees from falling victim to many island-hopping attacks. Particularly in any type of reverse email compromise, it’s important that employees are trained to recognize what normal requests look like versus abnormal ones. Employees need to understand that fraud can happen and need to be vigilant when reading emails that appear to come from their superiors or from trusted partners. Secondly, it’s also important to have good identity management so that user accounts have limited permissions. This way, even if an account is compromised, the hacker is limited in the damage they can cause to the victim organization.
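A reverse BEC message comes from a genuinely compromised partner mailbox, so it passes SPF and DKIM; the "normal versus abnormal request" judgement the article asks of employees can be partly automated by scoring the content and header anomalies instead. The following is an added example, not code from the article, and the partner domain, phrase lists and the two sample messages are constructed assumptions for illustration:

```python
"""Score inbound mail for reverse-BEC signals (added example, not from the article).

Assumptions (constructed for the example): PARTNER_DOMAINS lists the business
partners whose mail is normally trusted; the phrase lists are a small starting
vocabulary; BENIGN and SUSPICIOUS are hand-written sample messages.
"""
from email import message_from_string
from email.utils import parseaddr

PARTNER_DOMAINS = {"partner-supplier.example"}  # assumed partner list

# Wording typical of payment-diversion requests (constructed list).
PAYMENT_PHRASES = ("wire transfer", "updated bank details", "new account number",
                   "change our payment", "remittance")
# Pressure wording used to rush the recipient past normal checks (constructed list).
URGENCY_PHRASES = ("urgent", "immediately", "before end of day", "keep this confidential")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (risk score, human-readable reasons) for one raw RFC 5322 message.

    Because a compromised partner account authenticates correctly, the signals
    are a Reply-To that redirects answers elsewhere, payment-change language,
    and pressure language; the trusted-partner status never lowers the score.
    """
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    score, reasons = 0, []
    if from_dom in PARTNER_DOMAINS:
        reasons.append(f"sender domain {from_dom!r} is a trusted partner; trust does not exempt review")
    if reply_dom != from_dom:
        score += 3
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    payment_hits = [p for p in PAYMENT_PHRASES if p in text]
    if payment_hits:
        score += 3
        reasons.append("payment-change language: " + ", ".join(payment_hits))
    urgency_hits = [p for p in URGENCY_PHRASES if p in text]
    if urgency_hits:
        score += len(urgency_hits)
        reasons.append("pressure language: " + ", ".join(urgency_hits))
    return score, reasons


def needs_review(raw: str, threshold: int = 4) -> bool:
    """True when the message should be held for out-of-band verification."""
    return score_message(raw)[0] >= threshold


# Constructed sample: an ordinary partner message.
BENIGN = """\
From: Dana <dana@partner-supplier.example>
To: ap@victim-corp.example
Subject: Q3 roadmap

Hi, attached is the roadmap we discussed. Thursday still works for me.
"""

# Constructed sample: same partner mailbox, but replies are diverted and the
# content asks for a bank-detail change under time pressure.
SUSPICIOUS = """\
From: Dana <dana@partner-supplier.example>
Reply-To: dana.finance@webmail-free.example
To: ap@victim-corp.example
Subject: URGENT: updated bank details for wire transfer

Please change our payment account immediately; keep this confidential until the audit closes.
"""

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} review={needs_review(raw)}")
        for reason in reasons:
            print("  -", reason)
```

The threshold is deliberately low: a single Reply-To redirect or a single payment-change phrase is enough to hold the message for a phone call to a known contact number, which is the control the training in the paragraph above is meant to instil.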
Penetration testing is important for good overall security hygiene. In this instance, you want your penetration testers to evaluate your network for insecure connections with any of your third-party partners, so that even if a partner’s network is compromised it won’t affect your company’s network. You should also coordinate with your third parties to ensure that penetration testing is being done on their networks, so that they are secure and at lower risk of being compromised. You can even include in your terms of service a requirement that vendors uphold certain security standards, including doing penetration testing. However, be careful that you only perform testing on your own systems or devices; otherwise you need written consent from your business partners to include their infrastructure in the testing.
The last tip we have for defending against island-hopping attacks is proper network segmentation. Network segmentation is an important part of your overall data loss prevention strategy: by ensuring that your network is properly isolated from your business partners, you eliminate the risk of a hacker moving laterally from their network into yours to steal company information or spread malware. If you do need to give a business partner some type of network access, give them access only to a portion of your network isolated in a demilitarized zone (DMZ). A DMZ is an area of your network that is isolated from the rest, so you can give outside users access to the resources in the DMZ without risking the compromise of your entire network.
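Both the penetration-testing tip (checking for insecure connections with third parties) and the segmentation tip (partners reach only the DMZ) reduce to one question a reviewer can ask of a firewall policy: does any allow rule let partner address space reach internal networks outside the DMZ? The following audit is an added example, not code from the article; the zone address ranges and the rule set are constructed assumptions standing in for an exported policy, and the audit treats each allow rule on its own without modelling first-match ordering.

```python
"""Audit firewall allow rules for partner-to-internal reach (added example, not from the article).

Assumptions (constructed for the example): the three zone ranges below and the
SAMPLE_RULES list, which stands in for a policy exported from a real firewall.
Rule order and shadowing are deliberately ignored; every allow rule is checked alone.
"""
import ipaddress
from dataclasses import dataclass

PARTNER_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed partner VPN range
DMZ_NETS = [ipaddress.ip_network("10.10.0.0/24")]        # assumed DMZ
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed internal space (DMZ is inside it)


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # port number or "any"


def to_net(cidr: str) -> ipaddress.IPv4Network:
    """Normalise 'any' and host addresses to an IPv4Network."""
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def overlaps_any(net: ipaddress.IPv4Network, nets) -> bool:
    return any(net.overlaps(n) for n in nets)


def audit_rules(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, finding) for allow rules that let partner space
    reach internal addresses that are not wholly inside the DMZ."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = to_net(rule.src), to_net(rule.dst)
        if not overlaps_any(src, PARTNER_NETS):
            continue  # partner space cannot match this rule
        if any(dst.subnet_of(dmz) for dmz in DMZ_NETS):
            continue  # destination is confined to the DMZ: this is the intended pattern
        if overlaps_any(dst, INTERNAL_NETS):
            findings.append((
                rule.name,
                f"partner source {rule.src} may reach internal destination {rule.dst} "
                f"on port {rule.dport}; confine the destination to the DMZ or remove the rule",
            ))
    return findings


# Constructed sample policy.
SAMPLE_RULES = [
    Rule("partner-to-dmz-portal", "allow", "203.0.113.0/24", "10.10.0.5/32", "443"),  # fine
    Rule("legacy-partner-db", "allow", "203.0.113.0/24", "10.0.5.0/24", "1433"),      # finding
    Rule("partner-any", "allow", "203.0.113.17/32", "any", "any"),                    # finding
    Rule("internet-web", "allow", "any", "10.10.0.5/32", "443"),                      # fine (DMZ only)
    Rule("deny-all", "deny", "any", "any", "any"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"[{name}] {finding}")
```

Run against a real export, the same check gives the penetration testers a concrete list of partner-facing paths to exercise, and gives the network team the rules to tighten before a partner compromise can turn into lateral movement.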
Island hopping is a type of cyberattack in which threat actors target an organization’s third-party partners and use them as an access point into the target organization’s network. This allows the threat actor to bypass many of the target’s security controls by abusing the trust relationship between the target and its partners. There are three primary types of island-hopping attacks: network-based island hopping, watering hole attacks and reverse business email compromise. To defend against this type of attack, focus on good network segmentation, regular and extensive penetration testing and good user management.