"Island hopping", a century-old strategy that makes victims today

"Island hopping", a century-old strategy that makes victims today

"Island hopping" attacks have increased significantly in recent years, accounting for 50% of security events reported globally in 2019. According to the Global Incident Response drafted by Carbon Black, this year the most aimed at targets were: Financial banking institutions - 47%; Companies in the production area - 42%; Retail industry - 32%; Institutions in the health field - 21%; Professional service providers - 16%; Public institutions - 16%.

When hackers become strategists

According to specialists in the field of information security, "island hopping" is not as much an attack technique as a strategy, it is borrowed from the "weaponry" of the United States military.

"Island hopping" strategy (also known as "Leapfrogging") was created by the US Navy General Staff at the beginning of the last century as part of the battle plan by which the US was trying to control the growth of Japan's area influence on West Pacific ("War Plan Orange"). It was made public in 1920 by a British journalist whose works were also studied by Japanese imperial officers, who then used it successfully in the Southeast Asian offensive. Subsequently, "Island hopping" became the common strategy of the Allied troops fighting against Japan in the Pacific battles fought during World War II.

The principle of the US military strategy consisted essentially in the attack and gradual occupation of the small islands of the Pacific, with weaker defences, facilitating thus the taking over of the big ones, by isolating them and blocking the access routes.

Hackers have taken this approach and adapted it to their objectives, respectively, no longer focusing their efforts on penetrating and compromising the security systems of the target companies, but they do it by attacking the "weak links" in the ecosystem of suppliers and partners, gaining thus direct access to the IT infrastructure of the targeted organisations.

Don’t put so much trust in the ecosystem!

Increasing the frequency of attacks carried out by the "Island hopping" method is favoured by the fact that more and more large organisations are aggregating a vast ecosystem of partners and suppliers. The real problem, however, is that more than half of these organisations (56%) rely only on trust when it comes to assessing their partners’ level of security. According to the Accenture report Technology Vision 2019, only 29% of the executives of the companies have real information about the levels of compliance and security of the companies in the ecosystem.

The situation is encountered even in areas where security is a key element, strictly regulated, such as, for example, the financial-banking industry. According to the quoted analysts, 57% of financial institutions are mainly relying on trust when it comes to the protection measures of partners.

For this reason, Accenture estimates that "Island hopping" strategies are responsible for about a quarter of the total damage caused by computer attacks over the past five years.

Two „textbook” examples

In recent years there have been several cases where hackers have successfully used the "Island hopping" strategy.

The best known example is that of the American retailer Target, which in 2013 reported the compromising of data for over 40 million customers following a security breach that affected its POS system. However, the attack did not directly concern the victim company, but its partner - Fazio Mechanical Services, which provided Target with maintenance services for heating and cooling systems. Fazio Mechanical Services was compromised by a malware attack that allowed hackers to gain access to data in the retailer's computer network. The damage was about $ 300 million.

Another case of notoriety, more recent this time, is that of the Indian outsourcing service provider Wipro, which in April this year identified an abnormal activity in several accounts of some customer companies. Following the investigations, it was found that 12 of them were already the victims of an Advanced Persistent Phishing campaign carried out through the remote access screen sharing tools used by Wipro. Announcing the security breach has caused the Indian supplier's stock market value to drop drastically, in the order of millions of dollars.

Practical solutions to mitigate risks

In order to prevent this type of attacks, the holistic approach recommends an integrative strategy, namely the imposition and observance of common security policies, standards and strategies among all the partners in an ecosystem.

But this is an approach that few organizations can put into practice. One proof is the first global joint cybersecurity exercise in October 2018 - joined by companies such as JPMorgan Chase, American Express or Mastercard - which highlighted how singular the methods of response to attacks are and how different the very definition of a security breach is among the organisations.

Until such convergent strategies can be realised, ECKO specialists recommend a number of practical, efficient and affordable solutions, whereby one can control the risk of "Island hopping" attacks and improve one’s organization-wide security.

The first is to secure access to the company's resources by using multiple authentication solutions. Static login systems, with a single password, or - worse! - those left open to allow occasional users access (consultants, support providers, etc.) are safe victims of "Island hopping" attacks. The Time-based One-Time Password (TOTP) technology is a secure and validated method of access control, by introducing a second unique authentication factor, generated for a limited duration. For example, the FortiToken solution, provided by Fortinet and using the FortiGate platform, are accessible and provide a secure method of access, they also reduce the operational effort of IT departments.

Such a Two-Factor Authentification (2FA) solution is especially recommended for mobile employees working "on the road", from locations such as hotels, cafes, restaurants, airports. In most cases of this type, in order to access the WiFi network, the users must accept, in advance, a "certificate" issued by the owner / manager of the respective network, by which he assumes the right to decrypt, scan and re-encrypt the traffic (in order to control who and how they use the network). The problem arises, however, when the respective network is compromised - not at all rare as statistics show, with public hotspots being one of the most aimed at targets of computer attacks. If the hackers manage to get through the network protection systems, they have access to the user login data and can create serious damage following the classic "Man-in-the-middle" scenario. With a multiple authentication system, the risks are greatly reduced because, regardless of whether the static password is compromised or not, the second one is also required to complete the login, dynamically issued through TOTP technology.

Another recommended method, complementary to 2FA solutions, is to segment the network into multiple access levels. Thus, it is possible to control and restrict access to resources according to the defined categories of users, while preventing the lateral movement of attackers within the infrastructure if they still manage to penetrate it.

A third recommendation - useful and necessary not only for "Island hopping" attacks - is to implement a Backup and Disaster Recovery System, which will allow the fast restoration of compromised resources. You can read here: 10 reasons why Azure is the first choice in a Disaster Recovery strategy, more details on how Azure Site Recovery can help you with this.

All the solutions listed here are practical, accessible and easy to use. And - most importantly - they have high efficiency, especially if they are integrated. ECKO specialists can help you choose the technologies that are right for the business' needs and budget, and implement, configure and customize them to mitigate and control risks.

Therefore, if you want to make an informed choice, do not hesitate to contactat us!