Island Hopping: cybercriminals are exploiting trust in your ecosystem

‘Island Hopping’ exploits connections between a company and its partners’ networks.
30 April 2019

The technique is behind a growing number of breaches. Source: Shutterstock

It turns out trust doesn’t go a long way when it comes to your business’s cyber defenses.

Accenture’s Technology Vision 2019 report reveals that seven in 10 businesses could be particularly vulnerable to attacks via their ecosystems of partners.

The tactic in question, known as ‘Island Hopping’, in its most common form consists of indirect attacks via connected third-party networks.

Just 29 percent of business and IT executives globally know how diligently their partners are working regarding security, with more than half (56 percent) relying on trust alone.

According to Accenture, Island Hopping is steadily increasing, and attacks of its nature could account for nearly a quarter of the total value at risk from cybercrime over the next five years.

Earlier in the year, cybersecurity firm Carbon Black estimated that Island Hopping, which can take a number of different forms, could be leveraged in 50 percent of attacks.

As well as gaining access via a compromised third-party network, other forms include ‘watering hole’, where customers and partners are lured towards a compromised website.

Meanwhile, ‘Reverse business email compromise’ sees hackers take over email servers and dispense fileless malware, most commonly targeting financial enterprises.

While Accenture found that the US and Germany had the highest levels of insight into their partners’ cyber resilience, rates were still below a third, at 35 percent and 30 percent respectively.

The UK sat somewhere midway (29 percent), while China (11 percent) and Japan (14 percent) had some of the lowest levels of insight into third parties’ cybersecurity.

The disparities between markets, however, also demonstrate a cultural vulnerability among companies working with complex global supply chains. Accenture notes that Island Hopping can be used to exploit Fortune 500 companies, which can have thousands of partners across the globe at any given time.

“Business perimeters used to be like a castle, where security teams could create thick walls to guard against attacks,” said Nick Taylor, Accenture UK’s Cyber Security lead.

“Now, business structures resemble something more like the London Underground, with thousands of entry points.

“Threat actors are preying on the weaker links. Smaller businesses, in particular, are seen as a means of infiltrating larger organisations.”

The report found that even in heavily regulated industries, 57 percent of respondents said they simply place their trust in ecosystem partners.

“Organizations must learn to collaborate on security,” Taylor continued.

“This doesn’t just mean with other businesses, but also with governments. Some of the most devastating attacks we’ve seen in recent years have been state-sponsored, which will take a combined effort to combat.

“With this type of attack on the rise, organizations will surely start to get rid of their weakest links. For those who get it right, security could be a real competitive differentiator and a make or break in deals.”

The report recommends that organizations take several fundamental steps as starting points in combating Island Hopping attacks:

# 1 | Collaborate with the community

87 percent of executives recognize that they need to rethink their approach to security to defend not just themselves, but also their ecosystems. Netflix is among those leading the open-source security charge, sharing internally developed security tools with the world since 2014.

# 2 | Couple security with corporate strategy

Only 38 percent of businesses report including the chief information security officer when considering new business opportunities. GE, for example, has CISOs assigned to specific regions and business units to help inform decision-making at a more granular level.

# 3 | Think creatively about vulnerabilities

Businesses must learn to think like a hacker when threat modeling. A group of hackers made millions from insider information about publicly traded companies—not by attacking the companies themselves, but by targeting the newswire agencies that get early access to press releases from the world’s largest businesses.  

# 4 | It’s not just a spring clean

Large enterprises have hundreds, if not thousands, of third-party partners going through various stages of onboarding and offboarding. Each has varying levels of network access. Organizations must create a process that allows them to continuously reassess where their vulnerabilities are.