New Global Threat Report Identifies Lateral Movement, Island Hopping as Key Cyberattack Tactics
VMware Carbon Black’s semiannual Global Incident Response Threat Report (GIRTR) is out. And it appears attackers continue to evolve.
VMware Carbon Black has a vast incident response (IR) partner ecosystem, comprising more than 100 leading IR firms. These partners use Carbon Black technology in more than 1,000 response engagements per year.
Aggregated data from these top IR firms shows that cooperation among attackers is increasing. That makes it more important than ever for the good guys to fight back.
“Because geopolitical tension is playing out in cyberspace, targets must boost defenses,” says Tom Kellermann, VMware Carbon Black head cybersecurity strategist. “Beyond politics, financial motivation is a top driver. That means organizations with decentralized systems protecting high-value assets, including money, intellectual property, and state secrets, continue to be at high risk.”
Three Research Highlights
The GIRTR includes eight key research highlights. Three demonstrate significant increases since the last report:
- Financial gain was the primary motivation for 90 percent of attacks. This is a sharp increase from 61 percent in the first half of 2019. It’s also a shift from previous years, when intellectual property theft and stealing customer information topped the list.
- “Island hopping” continues to rise. Forty-one percent of total attacks came from this advanced method, where attackers target enterprises via partners and vendors.
- IR pros said they experienced destructive/integrity attacks in about 41 percent of attacks, a 10 percent increase on the past two quarters.
The majority of today’s cyberattacks now include tactics like lateral movement, island hopping and destructive attacks, according to the November 2019 report. Advanced hacking capabilities and services for sale on the dark web compound the issue, as does an unprecedented collaboration among nation-states, according to the report.
What’s Island Hopping?
Like lateral movement, island hopping is a significantly intrusive cyberattack.
Island hopping allows cybercriminals to creep into systems at their most vulnerable points. They then hop to higher security sections of the network, the threat report explains.
Kellermann is anxious for enterprises to take note. “The most dangerous part about island hopping is how it’s being used,” he says.
In island hopping, criminals use enterprise infrastructure to attack that enterprise’s constituency. In plain terms, your IT systems begin attacking your customers’ IT systems, and your customers see the attacks as coming from your business.
“We need to change the conversation, because this goes way deeper than preventing data theft,” Kellermann adds. “Brand value and customer loyalty is at stake.”
What Else Should Concern Enterprises?
This most recent GIRTR also highlights the rise in custom malware, which the report defines as “coded with a specific purpose in mind, a sign of more sophisticated and well-financed attacks, as opposed to commodity malware, which is widely available for purchase or for free on the dark web.”
Custom malware was used in 41 percent of attacks, up from 33 percent in Q1 of 2019, according to the report.
“This increase should also worry enterprises because of the pass-along effect. These attackers are like Johnny Appleseed,” says Kellermann.
Kellermann explains why in three steps:
1. People who build custom attack code sell it on the dark web.
2. Buyers use that purchased code to attack a company with it.
3. Once that happens, the custom code builder (#1 above) can now teleport into the attacked company’s environment because he or she has administrative access to that attack code.
As communities of attackers come together, so, too, must defenders. And that’s exactly what VMware Carbon Black and top IR professionals are doing. They’re “fighting back as a global community with actionable intelligence and holistic strategies to mitigate the ongoing cyber insurgency online.”