50% of cyber attacks now use island hopping


Island hopping is an increasingly popular cyber attack technique where cyber criminals infiltrate smaller companies, such as HR, marketing or healthcare firms, in order to access a larger target organisation.

It's a method that has seen a steep rise in usage over the past few years, with 50% of today's attacks using island hopping, according to Carbon Black's Quarterly Incident Threat Report.

The report revealed that the industries most affected by island hopping are financial (42%), manufacturing (32%) and retail (32%), although those numbers may well be higher, as it is sometimes difficult to trace the full path of an attempted cyber attack.

"At this point, [island hopping] has become part and parcel of a cybercrime conspiracy," said Tom Kellermann, Carbon Black's chief cybersecurity officer. "They're using their victim's brand against customers and partners of that company.

"They're not just, say, invading your house - they're setting up shop there, so they can invade your neighbours' houses too."

At present, there are three main forms that island hopping takes, although new forms may manifest themselves in the future:

Network-based island hopping is the most well-known variant, where an attacker leverages a victim's network to 'hop' onto an affiliate network. Recent hacks of managed service providers (MSPs) are an example of this, where cyber criminals have been exploiting weak account credentials to access systems installed by MSPs and launch ransomware attacks.

Websites converted into 'watering holes' are a growing island hopping method, seen by 17% of respondents. Hackers insert malware into a smaller target website often used by a large organisation, which then infects individuals who visit that site. Attackers are then able to use that foothold to get access to the target organisation.

Reverse business email compromise (BEC) is a new trend, which has been seen in the financial sector. Hackers take over the email server of the victim company and use it to send malware attacks to a target company from what appears to be a trusted sender.

Organisations are vulnerable to island hopping because it only takes one weak link in the chain of companies they depend on to open up systems to an attack.

There are challenges when it comes to responding to an attack as well; 44% of those surveyed said that a lack of visibility prevented them from being able to respond effectively.

In the meantime, ensuring that the security policies and procedures of both your own organisation and any partners you work with are up to date is a good place to start in making sure you don't fall victim to island hopping.

Similarly, ensuring you have a solid backup and disaster recovery plan in place will help your business recover quickly, should the worst happen.

Island hopping webinar

If you want to find out more about island hopping, including how security teams can guard against its use in attacks, watch IT Pro's counter-incident response webinar now. Presented in association with Carbon Black, the webinar also covers how hackers have begun using counter-incident response tactics to maintain their hold on target networks once they're discovered by security teams.

Adam Shepherd, our moderator, speaks to industry experts, including some of Carbon Black's top strategists, to find out what this means for your security model, and how you can learn from attackers' patterns to make your business safer.

Esther Kezia Thorpe
