Has your corporate network been weaponised? Island hopping can compromise your brand and your country
By Rick McElroy – Security Strategist at Carbon Black
Since the dawn of the internet, geopolitical tension has been the harbinger of increased cyberattacks. Over the years we have witnessed many incidents of nation state-sponsored actors launching campaigns to infiltrate and disrupt critical national infrastructure targets, following some tried and tested tactics. However, recent research carried out by Carbon Black among incident response professionals uncovered concerning intelligence that attack vectors are changing. The evolution of cyberattacks and the growing frequency of island hopping mean that companies risk becoming unwitting recruits in the global theatre of cyberwarfare. Let’s take a look at what our intelligence analysts and researchers are observing and what it means for businesses.
Nation-state threat activity – the enemy in our backyard
As sanctions, diplomacy and government rhetoric flow back and forth, below the geopolitical surface nation states continue to conduct “politics by other means” in cyberspace. Whether they’re aiming to steal intellectual property, conducting economic espionage by hacking the systems of their biggest competitors, or more directly intent on disrupting infrastructure, their first step is to gain persistence in the networks and systems of their targets. They’re the enemy in our backyard who is set on proving their capabilities and establishing strategic outposts from which to launch attacks at will.
And where are those outposts? They’re in the networks of the businesses that supply services to the ultimate target organisations.
So now, when you are defending your business against the latest ransomware attack or phishing campaign, it’s important to realise that your company may not be the primary target. It might instead be a strategic stepping stone on the way to a bigger prize – that bank, transport department or hospital that you have contracts with. It’s uncomfortable to hear that your business has effectively become part of an attack vector against your country, but this tactic is growing in prevalence and organisations cannot afford to bury their heads in the sand where island hopping is concerned.
The new threat environment – smarter and more agile adversaries
Why are we talking about this now? Because we believe that the game has significantly changed. Our most recent research among incident response professionals noted concerning trends that indicate our adversaries are growing smarter and more strategic. The kill chain has morphed and adversaries are now prioritising achieving advanced states of persistence within their victims’ networks, living off the land to secure a platform for further malicious activity. Here are the red flags we discovered:
- 46% of incident response specialists had experienced counter incident response when mitigating attacks. The attacker changed tactics during the course of a campaign, demonstrating understanding of the expected response and acting to evade it. They are using basic psychology to sidestep incident response and continue the attack.
- 64% of IR professionals had experienced attackers launching secondary command and control after an initial attack was shut down.
- 60% of attacks involved attempts at lateral movement within the victim’s network.
- 36% of IR professionals have uncovered evidence of island hopping.
Taken together these figures are a canary in the coalmine. They point towards bids to establish persistence in networks through lateral movement and attempts to compromise the web of trust between companies. Adversaries are taking advantage of the hyperconnectivity of the supply chain to move not just from system to system, but from company to company. They’re establishing footholds in businesses that partner with target organisations and weaponising them as cover as they zero in on the true target.
So what does this mean for you as the defender of your network? It means that you need to ensure that you have visibility into your partner networks – everyone from marketing agencies to legal counsel – because your brand could be used to target the organisations that trust you. And you need to be conducting penetration testing in both directions, because the brands you trust could be used to target you.
Prediction: attacks will grow more destructive
Still more concerning is that the types of attacks we are seeing are becoming more destructive. We’re not just talking burglary here – the theft of privileged data – we are talking arson. Infiltrators are now seeking to get in, get what they want, and cause chaos when they leave by destroying networks. We predict that we’ll see more of this tactic going into 2019 and it’s not something that your brand wants on its conscience.
For me there are three key takeaways for organisations that want to guard against becoming part of an attack vector:
Agility: We need to accept that, in cybersecurity, we are talking about human vs human activity, not tech vs tech. We need to understand the attacker’s motivations and we need to learn as much as we can about their tools, techniques and procedures so we can sharpen up our own defence. Part of that means lowering the volume on our incident response and giving our opposition less intelligence on our defence strategy. Maybe we shouldn’t always immediately shut down an attack before we’ve had the opportunity to learn what the real intention was?
Visibility: We need oversight of that web of trust to make sure that we understand the potential attack paths via partner networks so we can harden them as much as possible. It’s the network endpoints that are the islands that will be hopped and, now that we’re facing an adversary that understands endpoint detection and response, we need to make sure that we can see and mitigate every anomaly in real time. Products such as CB Response offer that visibility into emerging attacks so you can see the kill chain in action.
Proactivity: Instead of sitting and waiting for attacks to happen, we need to start proactively threat hunting so that we can get a better understanding of the psychological profile of adversaries and put intelligent pressure on their primary tactics. And we need to be sharing what we learn among our own intelligence community.
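To make the visibility and proactivity points concrete, here is a small hunting script, added as an example for this article and not Carbon Black’s own code or a CB Response query, that looks for two of the red flags from the survey in endpoint telemetry: an account fanning out across many hosts in a short window (lateral movement) and a host that, once its first command-and-control destination is cut off, starts talking to a new external address it had never contacted before (secondary command and control after the initial attack is shut down). The log format, hostnames, addresses, thresholds and the cut-off time are all constructed for the example; a real deployment would read the same fields from whatever EDR or proxy telemetry the organisation already collects.

```python
"""Hunt for lateral-movement fan-out and secondary C2 in endpoint telemetry.

Hypothetical, constructed log format (one event per line):
    <ISO timestamp> <event_type> <src_host> <account> <dst>
event_type is "logon"   (remote logon from src_host to dst host) or
              "netconn" (outbound connection from src_host to dst ip:port).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real data. ws-07 fans out across the
# estate with one service account; after its first C2 destination is cut off
# at 10:30 it begins a regular cadence of connections to a second address.
SAMPLE_LOG = """\
2018-11-05T10:00:00 logon ws-07 svc-backup fs-01
2018-11-05T10:01:10 logon ws-07 svc-backup fs-02
2018-11-05T10:02:05 logon ws-07 svc-backup hr-db
2018-11-05T10:02:40 logon ws-07 svc-backup fin-app
2018-11-05T10:03:30 logon ws-07 svc-backup dc-01
2018-11-05T10:05:00 logon ws-12 alice fs-01
2018-11-05T10:10:00 netconn ws-07 svc-backup 203.0.113.10:443
2018-11-05T10:20:00 netconn ws-07 svc-backup 203.0.113.10:443
2018-11-05T10:31:00 netconn ws-07 svc-backup 198.51.100.7:8443
2018-11-05T10:36:00 netconn ws-07 svc-backup 198.51.100.7:8443
2018-11-05T10:41:00 netconn ws-07 svc-backup 198.51.100.7:8443
2018-11-05T10:45:00 netconn ws-12 alice 192.0.2.50:443
"""

# Assumed: the responder blocked this destination at this time (constructed).
BLOCKED_C2 = "203.0.113.10:443"
BLOCKED_AT = datetime(2018, 11, 5, 10, 30)


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, src, account, dst = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "type": etype,
                       "src": src, "account": account, "dst": dst})
    return events


def lateral_movement_fanout(events, threshold=4, window=timedelta(minutes=10)):
    """Accounts that log on to at least `threshold` distinct hosts within `window`.

    Returns {account: set_of_destination_hosts} for every flagged account.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["type"] == "logon":
            by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):          # slide a window over each start
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                flagged[account] = hosts
                break
    return flagged


def secondary_c2_candidates(events, blocked_dst, blocked_at,
                            window=timedelta(hours=1), min_conns=3):
    """Hosts that talked to `blocked_dst` and, within `window` after it was cut
    off, made at least `min_conns` connections to a destination they had never
    contacted before the block. Returns {src_host: {new_dst: connection_count}}.
    """
    hosts_on_c2 = {e["src"] for e in events
                   if e["type"] == "netconn" and e["dst"] == blocked_dst}
    seen_before = defaultdict(set)
    after = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["type"] != "netconn" or e["src"] not in hosts_on_c2:
            continue
        if e["ts"] < blocked_at:
            seen_before[e["src"]].add(e["dst"])
        elif e["ts"] <= blocked_at + window:
            after[e["src"]][e["dst"]] += 1
    result = {}
    for host, dsts in after.items():
        new = {d: n for d, n in dsts.items()
               if d not in seen_before[host] and n >= min_conns}
        if new:
            result[host] = new
    return result


def run_hunt(text=SAMPLE_LOG):
    """Run both hunts over a log and return their findings together."""
    events = parse_log(text)
    return {"fanout": lateral_movement_fanout(events),
            "secondary_c2": secondary_c2_candidates(events, BLOCKED_C2, BLOCKED_AT)}


if __name__ == "__main__":
    for name, finding in run_hunt().items():
        print(f"{name}: {finding}")
```

Both findings together are the pattern the survey describes: the fan-out shows where the adversary is establishing footholds, and the fresh outbound cadence right after a block is the signal that cutting off the first channel did not end the intrusion. The thresholds are deliberately low so the constructed data trips them; in production they should be tuned against a baseline of normal administrative activity so that legitimate backup and management accounts do not drown the hunt in noise.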
In the middle of all of this, it’s important that network defence and incident response are framed not just as “IT” but as “protecting the brand”. Preventing the business from becoming a weapon in the hands of malicious nation-state actors (or any other kind of cybercriminal) is strategically imperative to the organisation and should be a Board-level concern. Once directors understand the damage potential of this kind of attack, you can bet it will be at the top of their agenda.