A recent study reported that most organizations partner with an average of ten third-party vendors to help them manage and grow their operations. Researchers also noted that a glaringly high 98% of organizations were found to have existing vendor relationships with at least one third-party that has experienced a breach in the last two years.
A breach in one vendor’s network can serve as a gateway to compromising the rest of the supply chain, but how can a business effectively manage risks coming from vendors over which they have no operational control? In this post, we explore how to build a third-party risk management program and offer guidance on best practices for responding to a breach in a vendor partner.
A Brief History of Software Supply Chain Attacks
Digital supply chain attacks represent a strategic shift for cybercriminals, offering a pathway to compromise multiple organizations through a single, often unsuspecting, point of entry. By infiltrating suppliers’ networks, adversaries can inject malicious code, compromise data integrity, and even manipulate physical processes in manufacturing and distribution. Attacks using this approach have risen in the last five or six years as evidenced by a number of high-profile incidents such as:
- NotPetya (2017) – malware entered systems through the compromised update process of Ukrainian accounting software, MeDoc. Initially disguised as ransomware, it was later revealed to be a destructive wiper malware, causing widespread disruption globally. Its impact was particularly severe due to its ability to spread rapidly across networks.
- BitPay/Copay (2018) – Attackers compromised the Copay wallet software supply chain, injecting malicious code that enabled them to steal cryptocurrency. The breach highlighted the vulnerability of cryptocurrency wallets, impacting users who unknowingly installed the compromised software.
- ShadowHammer (2019) – A sophisticated attack targeted the update process of ASUS Live Update Utility, compromising its distribution channel. Millions of users unknowingly downloaded a malicious version, allowing attackers to conduct targeted espionage. The attack was serious due to its widespread scope and the potential for espionage on a massive scale.
- SolarWinds (2020) – A highly sophisticated supply chain attack compromised the update mechanism of SolarWinds’ Orion software, impacting major organizations and government agencies. The attackers gained unauthorized access, posing a severe threat to national security by compromising critical systems and sensitive data.
- Kaseya (2021) – Exploiting a vulnerability in the Kaseya VSA software, REvil launched a ransomware attack that affected numerous managed service providers (MSPs) and their clients. This incident demonstrated the potential for cascading effects, impacting a large number of organizations through a single supply chain compromise.
- International Committee of the Red Cross (2022) – A cyber espionage group compromised the update mechanism of the ICRC’s software. The attack posed significant risks due to the sensitivity of the organization’s operations and the potential compromise of confidential humanitarian data.
- SmoothOperator (2023) – A supply chain attack attributed to North Korean-aligned threat actors on 3CX, a VoIP phone software supplier, involved the insertion of malicious code into software updates. The compromised updates affected numerous downstream clients. 3CX claims to have 600,000 customer companies across a broad range of industry verticals including automotive, hospitality, MSPs and Manufacturing.
Two main factors contribute to the increasing prevalence of digital supply chain attacks. Firstly, the growing complexity and interconnectivity of supply chains provide a broader attack surface for adversaries to exploit. Secondly, the reliance on digital technologies and the adoption of Industry 4.0 practices introduce new vulnerabilities. Smart manufacturing, IoT devices, and cloud-based systems, while enhancing operational efficiency, have all created new potential avenues for exploitation.
For small to medium-sized businesses (SMBs), the supply chain ecosystem often involves smaller vendors with limited cybersecurity resources, making them attractive targets for attackers seeking a foothold into larger enterprises. This interconnected web of dependencies, combined with the evolving sophistication of cyber threats, creates a perfect storm for the proliferation of supply chain attacks.
Storing Up Trouble for the Future | Data Breaches & Leaks
A major concern after a compromise of a third-party vendor is the potential misuse of data acquired from the breach. This ill-gotten information can become a potential tool for future malicious activities, ranging from identity theft and fraud to account abuse and external account takeover attacks. A third-party might be compromised while hosting a company’s data, or attackers may initially target the third party and then leverage that access to breach the target organization’s IT systems.
In the case of the 3CX attack, security researchers have found that stolen data from an older cyberattack on a different software firm was then used to launch the attack on 3CX. Given the intricate degree of connection between global vendors, it is likely that 3CX was not the only company compromised in the earlier-attack.
Building a Third-Party Risk Management (TPRM) Program
Based on the latest findings from the Ponemon Institute, third-party-based cyber attacks have increased from 44% to 49% year over year with key reasons including:
- Low rates of access governance and visibility control implementation at the organizational level via identity and access management tools
- Overprivileged vendor accounts and lack of zero-trust policies implemented at the network level
- Lack of continuous monitoring of third-party access to network resources and critical data
Establishing a robust Third-Party Risk Management (TPRM) Program is essential for business leaders to safeguard their organizations from potential introduced by their external partners.
The following questionnaire can be used as a guideline to get started:
Establish a Standard Vendor Assessment Process
- What base contractual obligations outlining security responsibilities are required for the industry and business?
- What due diligence practices, including the evaluation of the vendors’ cybersecurity measures, regulatory compliance, and overall risk posture, are in place
- What cybersecurity frameworks are required for the third-party vendor? Are they fully compliant with those regulations and been audited to ensure compliance with regulatory requirements?
- Does the vendor have a history of suffering data breaches?
- What laws are in place within the vendor’s country that require them to disclose data or other important information?
Get to Know Your Vendor’s Cybersecurity Strategies
- What is the level of sensitivity of the data or services the vendor expected to handle?
- Is the vendor able to provide the required industry standard security certifications?
- Does the vendor have cybersecurity insurance?
- Does the vendor’s tool stack and system support single-sign on (SSO)?
- What types of data will the vendor’s system or service be storing, processing, and/or accessing?
Establish All Contractual Security Expectations & Requirements
- What cybersecurity service level agreements (SLAs) are needed for the partnership?
- What current security risks does the vendor face, or foresee itself facing in the near future? What solutions or processes are in place to mitigate these risks?
- What security measures are currently in place to fulfill capabilities like continuous monitoring, breach alerts/notifications, endpoint/cloud/identity security, data access, etc.
What To Do If Your Third-Party Vendor Is Compromised
In the event that a third-party vendor is under active cyberattack or has found evidence of breach, business leaders and security teams can use the below checklist to act quickly and contain the potential fallout.
1 – Containment, Remediation & Documentation
Activate the incident response plan (IRP) immediately. This involves isolating the compromised systems, containing the breach, and assessing the extent of the damage. At the same time, establish secure communication lines with the affected vendor to collect any crucial insights or details into the nature of the attack, what potential data was compromised, and any details on pathways exploited by the cyber attackers. To do so, interview those who first discovered the breach and document the investigative process.
2 – Forensic Investigation & PR Communications
Forensic investigations play a critical role in uncovering the origins and methods of the cyberattack. Engaging cybersecurity experts to conduct a thorough analysis can help determine the extent of the compromise, identify the specific tactics used by the attackers, and provide valuable insights to fortify defenses against similar threats in the future.
Initiate any public relations and external communications strategy to provide transparent and timely communication with relevant authorities, customers, stakeholders, and the public to maintain trust and credibility. Craft clear and accurate messages that outline the incident, the steps taken to address it, and the measures implemented to prevent future occurrences.
3 – Thorough Reviews & Intel Sharing
Collaboration and transparency are crucial in this phase. All affected parties can mutually benefit from sharing threat intelligence and agreeing on next steps to remediate the vulnerabilities that led to the breach. Simultaneously, organizations should initiate a thorough review of their own systems to assess whether the breach has cascaded into their networks, and if so, take immediate steps to address and neutralize the threat.
4 – Lessons Learned, Audits & Continuous Improvement
Post-incident, a rigorous evaluation of the vendor’s cybersecurity practices can help prevent future attacks. This includes a reassessment of the vendor’s security protocols, risk management strategies, and overall cybersecurity hygiene. A thorough audit will help determine the effectiveness of the vendor’s response to the incident and ensure that appropriate measures are in place to prevent a recurrence.
As part of the ongoing cybersecurity strategy, organizations can prioritize continuous monitoring and assessment of their third-party vendors. This involves regularly scrutinizing the security posture of vendors, ensuring compliance with established security standards, and staying vigilant for emerging threats. Establishing a robust vendor risk management program that includes periodic security assessments, penetration testing, and vulnerability scanning help maintain a proactive posture going forward.
Ultimately, the key to navigating the aftermath of a third-party vendor cyber compromise lies in a combination of rapid response, open communication, collaborative remediation efforts, and a commitment to ongoing vigilance and risk management.
Given the amount of sensitive data and assets organizations share with their third-party vendors, any attacks they face can reverberate through the entire network and set off a chain reaction. Global reliance on third-party vendors in the business landscape comes with a set of inherent cyber risks that organizations across all industries must grapple with. These risks stem from the closely-connected nature of supply chains, where vendors often have access to sensitive data and systems.
To safeguard organizations from third-party related cyber risks, C-level executives and security leaders continue to rely on autonomous, AI-driven cybersecurity platforms like SentinelOne for all-around protection. Learn how SentielOne’s Singularity™ XDR defends across all possible attack surfaces by contacting us today or booking a demo.