Enterprises need to protect against the myriad of different ways an attacker can get into their network. One method involves attacking third parties that have access to the enterprise’s network. These island hopping attacks are an extension of pivot or network lateral movement attacks.
Island hopping attacks occur when an attacker gains access to a third party with trusted access to an enterprise’s network. This initial access is used to further attack the enterprise. Attacks using third parties may look like an internal attack. For this reason, they may not be detected by traditional border protections.
How an island hopping attack occurs
An attacker who specifically targets an enterprise might use an island hopping attack to gain an initial foothold in a network and, from there, reach other localized networks, intellectual property or sensitive data. Attackers may research service providers to identify vulnerable customers and then attack the provider as an avenue to their prime target.
Island hopping defense strategies
- Backups are critical to defense against island hopping attacks. Good backups will enable your enterprise to recover from ransomware and other cyberattacks.
- Perhaps equally important is an incident response plan that goes into effect once an attack is detected.
- Enable zero-trust-related security controls, like multifactor authentication or network segmentation. These controls can limit access to other areas or islands in a network.
How to create an island hopping incident response plan
There are several key aspects of an incident response plan for an island hopping attack. First, look at logs from the affected systems for visibility and to identify what access was gained. Once an attacker gains an initial foothold, that access can be used to eventually gain full access to the enterprise through watering hole attacks. This can be accomplished by passing hashes with Mimikatz or by executing other types of attacks.
With security tools, such as network and endpoint monitoring, in place to detect these types of attacks, enterprises can identify the scope of the attack and what access was gained. Monitoring new accounts or changes to systems helps identify when an account has been compromised and helps thwart island hopping attacks. To identify the full scope of an island hopping attack, this same visibility may need to be extended to the trusted third parties that have access to the enterprise network or to cloud services. Loop in the service provider so it can check its logs and systems, as customers typically do not have access to those files.
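As an added example (not code from the article), the detection logic below applies the monitoring described above to normalized authentication events: it flags account creation, and any logon by a third-party account to a host or from a source IP outside that vendor's contracted baseline. The event shape, the `vendor-` naming convention and the baseline data are assumptions constructed for the example.

```python
# Added example (not from the article): flag third-party account activity
# that deviates from its contracted baseline in normalized auth events.
# Assumed event shape: ts, user, event (4624 logon / 4720 account created),
# src (source IP), host. Vendor accounts are identified by VENDOR_PREFIX.

VENDOR_PREFIX = "vendor-"  # assumed naming convention for third-party accounts

# Constructed baseline: which hosts and source IPs each vendor is expected to use.
BASELINE = {
    "vendor-hvac": {"hosts": {"bms-01"}, "srcs": {"203.0.113.10"}},
    "vendor-backup": {"hosts": {"bak-01", "bak-02"}, "srcs": {"203.0.113.20"}},
}

# Constructed sample events, in time order.
SAMPLE_EVENTS = [
    {"ts": "09:00", "user": "vendor-hvac", "event": 4624, "src": "203.0.113.10", "host": "bms-01"},
    {"ts": "09:05", "user": "vendor-hvac", "event": 4624, "src": "203.0.113.10", "host": "fs-01"},
    {"ts": "09:06", "user": "vendor-hvac", "event": 4624, "src": "198.51.100.7", "host": "bms-01"},
    {"ts": "09:10", "user": "alice", "event": 4624, "src": "10.0.0.5", "host": "ws-22"},
    {"ts": "09:12", "user": "svc-sync", "event": 4720, "src": "203.0.113.10", "host": "dc-01"},
]


def detect(events, baseline=BASELINE):
    """Return (rule, ts, user, detail) tuples for:
    - any account creation (4720), which warrants review on its own;
    - a vendor logon to a host outside its contracted set;
    - a vendor logon from a source IP not in its baseline.
    A vendor account with no baseline entry has every logon flagged."""
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == 4720:
            alerts.append(("new_account", e["ts"], user, e["host"]))
            continue
        if e["event"] != 4624 or not user.startswith(VENDOR_PREFIX):
            continue  # ordinary internal logons are out of scope for this rule set
        profile = baseline.get(user, {"hosts": set(), "srcs": set()})
        if e["host"] not in profile["hosts"]:
            alerts.append(("host_outside_baseline", e["ts"], user, e["host"]))
        if e["src"] not in profile["srcs"]:
            alerts.append(("new_source_ip", e["ts"], user, e["src"]))
    return alerts


if __name__ == "__main__":
    for rule, ts, user, detail in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule:<22} {user:<14} {detail}")
```

Feeding the provider's own logs through the same baseline is how the visibility gets extended to the third party, as the text recommends.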