Stephen Finn -


How can companies prevent and respond to island hopping attacks?

Island hopping attacks create risk for an enterprise by compromising its business affiliates. Here's how to build an incident response plan that mitigates the risk from these indirect attacks.

Enterprises need to protect against the many ways an attacker can get into their network. One method involves attacking third parties that have access to the enterprise's network. These island hopping attacks are an extension of pivot or network lateral movement attacks.

Island hopping attacks occur when an attacker gains access to a third party with trusted access to an enterprise's network. This initial access is used to further attack the enterprise. Attacks using third parties may look like an internal attack. For this reason, they may not be detected by traditional border protections.

How an island hopping attack occurs

An attacker who specifically targets an enterprise might use an island hopping attack to gain an initial foothold in a network and from there reach other localized networks, intellectual property or sensitive data. Attackers may research service providers to identify vulnerable customers and then attack the provider as an avenue to their prime target.

Island hopping defense strategies

  • Backups are critical to defense against island hopping attacks. Good backups will enable your enterprise to recover from ransomware and other cyberattacks.
  • Perhaps equally as important is an incident response plan that goes into effect once an attack is detected.
  • Enable zero-trust-related security controls, like multifactor authentication or network segmentation. These controls can limit access to other areas or islands in a network.

How to create an island hopping incident response plan

There are several key aspects of an incident response plan for an island hopping attack. First, look at logs from the affected systems for visibility and to identify what access was gained. Once an attacker gains an initial foothold, that access can be used to eventually gain full access to the enterprise through watering hole attacks. This can be accomplished by passing hashes with Mimikatz or executing other types of attacks.

With security tools, such as network and endpoint monitoring, in place to detect these types of attacks, enterprises can identify the scope of the attack and what access was gained. Monitoring for new accounts or changes to systems helps identify when an account has been compromised and helps thwart island hopping attacks. To identify the full scope of an island hopping attack, this same visibility may need to be extended to the trusted third parties that have access to the enterprise network or to cloud services. Loop in the service provider so it can check its logs and systems, as customers typically do not have access to those logs.
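The two points above that lend themselves to code are the segmentation control from the defense strategies (a third party's account should only ever reach the island it was granted) and the monitoring step of the response plan (watch for new accounts and system changes tied to that access). The following is an added example, not code from the original article: it runs simple detection logic over a handful of constructed security events and flags a vendor account logging on outside its allowed segment, a vendor account creating a new user, and that new user being added to a privileged group. The event layout, the vendor account names, the segments and the event IDs used as labels are all assumptions made for the example.

```python
"""Added example: flag third-party (vendor) account activity that falls outside the
access a trusted partner was granted. Not from the original article; the event format,
account names and network segments below are constructed assumptions."""
import ipaddress

# Constructed allow-list: the network segment each third-party account may reach.
VENDOR_SCOPE = {
    "svc_hvacvendor": [ipaddress.ip_network("10.50.0.0/24")],  # building controls only
    "svc_payroll": [ipaddress.ip_network("10.20.0.0/24")],     # HR segment only
}

# Constructed, simplified security events, loosely modelled on Windows event IDs
# (4624 logon, 4720 user created, 4728 member added to a security group).
SAMPLE_EVENTS = [
    {"id": 4624, "user": "svc_hvacvendor", "src": "203.0.113.10", "dst": "10.50.0.15"},
    {"id": 4624, "user": "svc_hvacvendor", "src": "10.50.0.15", "dst": "10.10.0.5"},  # leaves its island
    {"id": 4720, "user": "svc_hvacvendor", "new_user": "helpdesk2"},  # vendor account mints a user
    {"id": 4728, "user": "helpdesk2", "group": "Domain Admins", "member": "helpdesk2"},
    {"id": 4624, "user": "svc_payroll", "src": "198.51.100.7", "dst": "10.20.0.8"},
]


def in_scope(user, dst, scope):
    """True if `dst` lies inside one of the segments the vendor account may reach."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in scope.get(user, []))


def segment_violations(events, scope=VENDOR_SCOPE):
    """Logons by a vendor account to a host outside its allowed segment."""
    return [
        (e["user"], e["dst"])
        for e in events
        if e["id"] == 4624 and e["user"] in scope and not in_scope(e["user"], e["dst"], scope)
    ]


def accounts_created_by_vendors(events, scope=VENDOR_SCOPE):
    """Account creations performed by a vendor identity; a partner rarely needs to create users."""
    return [(e["user"], e["new_user"]) for e in events if e["id"] == 4720 and e["user"] in scope]


def privileged_group_changes(events, groups=("Domain Admins", "Enterprise Admins")):
    """Additions to high-value groups, regardless of who performed them."""
    return [(e["member"], e["group"]) for e in events if e["id"] == 4728 and e["group"] in groups]


def chain_suspicious(events, scope=VENDOR_SCOPE):
    """Link the findings: a vendor-created account that later lands in a privileged group
    is the pivot point an island hop is built on, so it is reported separately."""
    created = {new for _, new in accounts_created_by_vendors(events, scope)}
    return [(m, g) for m, g in privileged_group_changes(events) if m in created]


def triage(events, scope=VENDOR_SCOPE):
    """One report an incident responder can read to scope what access was gained."""
    return {
        "segment_violations": segment_violations(events, scope),
        "vendor_created_accounts": accounts_created_by_vendors(events, scope),
        "privileged_escalations_from_vendor_accounts": chain_suspicious(events, scope),
    }


if __name__ == "__main__":
    for finding, hits in triage(SAMPLE_EVENTS).items():
        print(f"{finding}: {hits}")
```

The allow-list is the piece that ties detection back to the zero-trust control: if a partner's account can only legitimately reach one segment, any logon elsewhere is a high-confidence signal rather than noise, and the same list tells the provider which of its own systems to check when you loop it in.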

This was last published in September 2019
