Secondary targeting is where cyber adversaries attempt to gain access to networks of seemingly limited value that share connectivity with a higher-value target organisation. Companies that provide products or services through outsourcing arrangements are highly attractive targets for this reason.
As it has become more difficult for adversaries to directly compromise their targets, secondary targeting has increased and is now a significant threat for Australian businesses. The extent of the threat is largely dependent on the relationship between the outsourced provider and customer, in particular the extent of the provider’s accesses to client networks and databases.
The compromise of providers can enable cyber adversaries to target and exploit customer data and networks through a range of direct and indirect means, including:
- exploiting the direct connectivity that a provider has with customer data and networks
- modifying the provider's software or other products with malicious content, which is then installed on customer networks
- gaining access to credentials to allow seemingly legitimate access to the target network
- engineering sophisticated spear phishing emails to deliver malware and compromise a target network.
Protecting your network from secondary targeting
When you give other organisations access to your network, your network becomes exposed to their security posture. When you don’t know the risks associated with a connected network, it is much more difficult to mitigate them.
CERT Australia recommends building effective cyber security strategies, for example the Essential Eight, into outsourcing contracts to protect organisations. Key security controls should be applied to both the customer and provider networks, tailored to each environment. Secondary targeting should also be included in incident management planning, with the risk understood by both the provider and the client.
Other helpful information security strategies can be found on the Australian Signals Directorate website.
For any privacy complaints please contact the Office of the Australian Information Commissioner.