According to the world’s leading IR professionals, increasingly sophisticated attacks involving instances of ‘island hopping,’ counter incident response (IR), and lateral movement within a network are quickly becoming the new normal. Tom Kellermann, Carbon Black’s chief cyber security officer says the trend signals a cyber crimewave that’s continuing to evolve.
“Attackers are fighting back. They have no desire to leave the environment. And they don’t just want to rob you and those along your supply chain. In the parlance of the dark web, attackers these days want to ‘own’ your entire system,” Kellermann says.
While financial and healthcare organisations remain top targets, the manufacturing industry has seen a steep rise in incidents as cybercriminals aim to steal valuable IP. These motives and methods may reflect roiling geopolitical tensions — be it uneasy trade relations with China or what looks to be a new nuclear arms race with Russia — as nation states seek competitive advantage.
Carbon Black has one of the most robust IR partner communities in cybersecurity. These 100+ IR partners conducted more than 500 response engagements in 2018 and continue to use Carbon Black solutions in more than one engagement per day on average. Their insights chronicle experiences during these critical engagements.
#1 Half (50%) of today’s attacks leverage ‘island hopping.’ This means that attackers are after an organisation’s network plus its supply chain.
#2 More than half of survey respondents (56%) encountered instances of counter IR in the past 90 days. 87% have seen this take the form of destruction of logs, while 70% witnessed evasion tactics.
#3 70% of all attacks involve attempts at lateral movement, as attackers take advantage of new vulnerabilities and native operating system tools to move around a network.
#4 Nearly a third (31%) of targeted victims now experience destructive attacks — an alarming by-product of attackers gaining better and more prolonged access to targets’ environments.
#5 The financial and healthcare industries remain most vulnerable to these attacks, but the threat to manufacturing companies has grown significantly. In the past 90 days, nearly 70% of all respondents saw attacks on the financial industry, followed by healthcare (61%) and manufacturing (59%, up from 41% last quarter).
Island hopping growing more dangerous
With half of today’s attacks leveraging island hopping, attackers aren’t targeting just a single organisation; they also intend to access the networks of anyone else in that company’s supply chain.
“At this point, it’s become part and parcel of a cybercrime conspiracy,” said Kellermann. “They’re using a victim’s brand against customers and partners of that company. They’re not just invading your house — they’re setting up shop there, so they can invade your neighbours’ houses too.”
The most prevalent island hopping victims are in financial services (47%), manufacturing (42%), and retail (32%). Worrisome, too, because of their access to confidential client work and IP, are professional services firms (16%).
Geopolitical tensions are likely manifest in this growing threat, particularly when it comes to financial and manufacturing organisations. Amid worldwide trade negotiations, evolving economic sanctions and an ever-globalising marketplace, nation state actors are seeking any competitive advantage they can get.
“Going after manufacturing companies for IP purposes reduces R&D costs for designing everything from aircraft, to cell phones to high-grade weapons,” said Ryan Cason, director of partner solutions at Carbon Black. “It allows them to get to market quicker, at a cheaper price point, to the detriment of their victim.”
Intellectual property theft rising
Consequently, we saw a steep rise in intellectual property theft as an attacker’s end goal, with 22% of respondents reporting this (as opposed to 5% last quarter). Financial gain remains the most common end goal, at 61%.
Why are organisations so vulnerable to island hopping? It comes down to a lack of visibility, which respondents (44%, up 10% from last quarter) named the top barrier to incident response.
“More often than not, the adversary is going after the weakest link in the supply chain to get to their actual target,” said Thomas Brittain, who leads Carbon Black’s Global IR Partner Program. “Businesses need to be mindful of companies they’re working closely with and ensure those companies are doing due diligence around cybersecurity.” Kellermann added: “There’s an implicit trust placed on a partner’s communications.”
Counter-incident response more destructive
To outwit defenders, attackers are finding new ways to stay inside their victims’ networks. In the past 90 days, 56% of respondents encountered instances of attempted counter IR — up 5% from last quarter alone. Again, financial and manufacturing are top targets, with 36% of IR professionals seeing these instances within financial organisations and 27% in manufacturing.
A full 70% of respondents said counter IR took the form of evasion tactics. As Brittain described it, “An attacker is going to turn off antivirus, firewalls, anything that’s going to send a trigger upstairs, because the longer they have to achieve their goal — whether it’s lateral movement, island hopping further up the supply chain, or data collection — the better chance they’ll have for success.”
These tactics reflect the growing prominence of lateral movement in a network, which now occurs in 70% of incidents. Nearly 40% of respondents said lateral movement took place in 90% of attacks or more.
Even if an organisation kicks an attacker out of a system, the attacker will often have methods for lurking around and eventually getting back in undetected. For instance, 40% of respondents encountered instances of secondary C2 used on a sleep cycle. The increased use of steganography — essentially, hiding data in other content types like images, videos, and network traffic — means that these attackers may be hanging out in a network without IR teams knowing they’re there.
As with island hopping, visibility is key: “Having an endpoint detection and response (EDR) tool on your endpoints can help you detect when a scripting host is called and can also warn when an application injects itself into another one,” said Cason.
Five IR best practices
#1. Have a backup plan for setting up a new operating environment — and make sure it can be online in a few hours. As one IR professional said, “It’s really quick to set up a new Office 365 system, but you need to have a playbook in place to do so, plus established lines of communication between the IR team and their client.”
#2. Don’t turn on the lights right away. That is, don’t immediately terminate the command and control system, and don’t let the adversary know you’re watching them. To observe lateral movement and isolate targeted systems, being clandestine is key. Having EDR capabilities on all endpoints is also vital.
#3. Store data. You need to store 30 or more days of data from all endpoints to preserve the environment and combat the destruction of logs that has become so prevalent. Cordon off a protected, central source that only you can access.
#4. Bring down the noise. New technologies mean organisations and IR teams can collect (and monitor) more data than ever before. Alert fatigue, according to IR professionals, is real. So to detect attackers, it’s crucial that this data is contextualised. One IR professional suggests that, rather than working top-down with an overwhelming number of alerts, you need to build up rules manually.
This means cross-referencing alerts against a given organisation’s threat profile, as well as its specific environment and mission, and then aligning those contexts with various watchlists (e.g. the MITRE ATT&CK framework).
#5. Rebuild the environment from scratch and augment existing capabilities with EDR. So, as one IR professional said, “If you get reinfected, we’ll have the spotlight, the tapes, and the analysis of the root cause.”
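As an added illustration of the counter-IR behaviours described above (scripting-host launches, process injection, disabled defences, destroyed logs, secondary C2 on a sleep cycle) and of best practice #4 (hand-built watchlist rules tied to MITRE ATT&CK, with alerts contextualised per host), here is example code that is not from the report or from Carbon Black. The telemetry format, host names, destination addresses, rule predicates and thresholds are all assumptions; the events are constructed sample data.

```python
from statistics import mean, pstdev
# Constructed sample endpoint telemetry (not real data): (timestamp_s, host, event_type, detail)
EVENTS = [
    (0,    "ws-01", "process", "wscript.exe C:\\Users\\alice\\invoice.vbs"),
    (30,   "ws-01", "inject",  "wscript.exe -> explorer.exe"),
    (60,   "ws-01", "service", "Windows Defender service stopped"),
    (90,   "ws-01", "log",     "Security log cleared by alice"),
    (120,  "ws-01", "netconn", "203.0.113.7:443"),
    (720,  "ws-01", "netconn", "203.0.113.7:443"),
    (1320, "ws-01", "netconn", "203.0.113.7:443"),
    (1920, "ws-01", "netconn", "203.0.113.7:443"),
    (130,  "ws-02", "netconn", "198.51.100.9:443"),
    (400,  "ws-02", "netconn", "198.51.100.9:443"),
    (410,  "ws-02", "netconn", "198.51.100.9:443"),
    (2000, "ws-02", "netconn", "198.51.100.9:443"),
]

# Hand-built watchlist (assumed rules): name -> (event type, predicate on detail, ATT&CK technique id)
WATCHLIST = {
    "scripting_host":    ("process", lambda d: d.split()[0].lower() in
                          {"wscript.exe", "cscript.exe", "powershell.exe"}, "T1059"),
    "process_injection": ("inject",  lambda d: True, "T1055"),
    "defense_disabled":  ("service", lambda d: "stopped" in d.lower() and any(
                          t in d.lower() for t in ("defender", "firewall", "antivirus")), "T1562.001"),
    "log_cleared":       ("log",     lambda d: "cleared" in d.lower(), "T1070.001"),
}

def match_watchlist(events):
    """Return (timestamp, host, rule, technique) for every event that a rule matches."""
    return [(ts, host, name, tech)
            for ts, host, etype, detail in events
            for name, (rtype, pred, tech) in WATCHLIST.items()
            if etype == rtype and pred(detail)]

def hosts_by_distinct_techniques(hits):
    """Context step: rank hosts by distinct techniques seen, so a chain of behaviours outranks a lone alert."""
    techs = {}
    for _, host, _, tech in hits:
        techs.setdefault(host, set()).add(tech)
    return sorted(((h, len(t)) for h, t in techs.items()), key=lambda x: -x[1])

def is_sleep_cycle_beacon(events, host, dest, min_conns=4, max_cv=0.15):
    """True if host made >= min_conns connections to dest at near-uniform gaps (CV <= max_cv); None if too few."""
    times = sorted(ts for ts, h, et, d in events if h == host and et == "netconn" and d == dest)
    if len(times) < min_conns:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv
```

In the constructed data ws-01 trips all four rules and beacons every 600 seconds, while ws-02's irregular connections are not flagged; real deployments would tune the predicates and the interval threshold to the organisation's own environment.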
Dangerous new cyber crimewave
The growing prevalence of island hopping, counter IR, and lateral movement is ushering in a new wave of dangerous cybercrime — particularly in the financial, healthcare, and manufacturing sectors.
These methods aren’t only effective in financial theft, espionage and data collection. They abet attackers in being outright destructive. An alarming 30% of respondents have seen destructive or integrity attacks on targeted networks in the past 90 days.
Nation states in the grip of geopolitical conflict could be behind this new wave of attacks, but there are also terrorist groups, organised crime and others who have gained prominence with the help of shadow brokers selling tools and information on the dark web.
There are a growing number of bitcoin schemes in the financial sector that disguise a broader transfer of funds, a trend of reverse business email compromise attacks, and, as always, the spectre of cyberattacks manifesting themselves in the physical world — be it attacks on hospital systems or IP theft that contributes to what might be a new nuclear arms race with Russia.
Even as we become more adept defenders, attackers are doing everything they can to stay out front. They’re developing and sharing new techniques, exploiting new vulnerabilities, and finding new ways to remain invisible in a network to ‘own’ the entire system.
As our adversaries seek to wreak havoc, businesses and IR teams need to stay on the cutting edge to fight back successfully.