Supply chain attacks are still plaguing enterprises – here's why


Supply chain attacks remain one of the most common ways through which threat actors can gain access to corporate environments, and recent incidents show businesses are continuing to struggle to get a handle on their third-party exposure.

Recent data breaches at Santander and Ticketmaster that exposed sensitive information of hundreds of millions of customers were linked to attackers infiltrating networks via a trusted third party.

In both cases, it appears the threat actors were able to gain initial access to Santander and Ticketmaster databases that were hosted by Snowflake.

Snowflake’s CISO, Brad Jones, pushed back on claims that the cyber criminals had exploited a vulnerability or misconfiguration in Snowflake’s platform, instead pointing the finger at customers failing to adequately secure their databases with multi-factor authentication (MFA).

Regardless of the specific initial access vector used by the attackers, the results have led to significant disruption, and weaknesses like this are rife in an increasingly interconnected and globalized business landscape.

Research from SecurityScorecard found that 29% of all breaches during Q4 2023 were attributable to a third-party attack vector, and 75% of external relationships that enabled third-party breaches involved software or other technology products or services.

Supply chain attacks are a major security blindspot

In a session at InfoSec Europe 2024 on identifying and mitigating supply chain risks, Haydn Brooks, CEO at Risk Ledger, outlined the major factors contributing to widespread concern around third-party vulnerabilities.

Brooks explained that a primary cause is that digitization has enabled organizations to outsource more, and over the years they have become more comfortable outsourcing broader parts of their business to suppliers.

Brooks also stressed that supply chains often extend far beyond third parties, and businesses fail to appreciate the extent to which they are exposed through organizations they were not aware of.

“It’s not just third parties, when you go to a supplier they will be outsourcing stuff to their own third parties, which become fourth parties,” he said.

Brooks asked if any of the security professionals in the audience had a list of the fourth parties that their third parties work with, which was met with resounding silence.

Speaking to ITPro, Tim Grieveson, SVP and global cyber risk advisor at Bitsight, said that supply chain threats have often been overlooked by executives in the past, adding that concerns around the lack of third-party visibility are frequently raised when talking with fellow security leaders.

“We started talking about third-party risk, supply chain management, people risks, and how does that come together to be a holistic view in security? Because if you don’t understand your assets, how can you possibly prioritize them and then mitigate them?”

Jon France, CISO at ISC2, told ITPro that third-party risk is causing security leaders serious headaches, as addressing these issues is often complicated by a lack of oversight over the cyber resilience of other organizations.

“Talking about stressors, supply chain management and understanding your supply chain is a big one. What’s in my direct control is relatively simple… but knowing your supply chain beyond one step and then actually making them change or do something you want to do is tough”.

Squeezed security budgets are amplifying supply chain risks

Limited security budgets are another factor fuelling the plague of cyber incidents involving compromised third-party assets, according to Brooks, who asserted that budget cuts push businesses into further outsourcing which further expands their attack surface.

“A lot of security budgets are being tightened, a lot of business budgets are being tightened and the way businesses tend to deal with that is by looking for suppliers to outsource things to, and that’s led to a massive increase in the attack surface in people’s supply chains,” he said.

Brooks explained that the same pressure applies to an organization's own suppliers, which only exacerbates the problem.

“If anyone in the audience is experiencing your security budget being squeezed, imagine your suppliers. Their budget was probably a lot smaller than yours to begin with and the pressure goes down the supply chain and gets bigger the further down the supply chain you go.”

As this mechanism continues, unraveling the complex web of dependencies becomes increasingly difficult, Brooks warned, noting this is why dealing with the fallout from such attacks is such a problem for organizations globally.

“You may be dealing with one supplier that actually has an incident that has a knock on effect to other suppliers of yours and it’s almost like a house of cards. If one of those cards gets knocked over then many others can be affected.”
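The fourth-party blind spot Brooks describes, and the "house of cards" knock-on effect he warns about, are both graph problems: which organisations are reachable from you through your suppliers' own outsourcing, and which of your suppliers fall over if one of those distant organisations has an incident. The following Python is an added example, not code from Risk Ledger, ITPro or anyone quoted in the article; the supplier names and outsourcing relationships are a constructed sample, and any real exercise would start from your own vendor inventory.

```python
from collections import deque

# Constructed sample graph (hypothetical organisations, not from the article).
# Each key outsources to the listed suppliers. "us" is the organisation
# whose exposure we are assessing.
SUPPLIER_GRAPH = {
    "us": ["payroll-saas", "cloud-warehouse", "mssp"],
    "payroll-saas": ["cloud-warehouse", "email-provider"],
    "cloud-warehouse": ["cdn-vendor"],
    "mssp": ["email-provider", "cdn-vendor"],
    "email-provider": [],
    "cdn-vendor": [],
}


def nth_party_exposure(graph, root):
    """Map every organisation reachable from `root` to its tier:
    tier 1 = third party (direct supplier), tier 2 = fourth party, and so on.
    The tier is the shortest outsourcing path, found by breadth-first search."""
    tiers = {}
    seen = {root}
    queue = deque([(root, 0)])
    while queue:
        node, depth = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                tiers[dep] = depth + 1
                queue.append((dep, depth + 1))
    return tiers


def direct_dependants(graph):
    """Invert the graph: supplier -> set of organisations that outsource to it."""
    reverse = {}
    for org, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, set()).add(org)
    return reverse


def blast_radius(graph, root, compromised):
    """Set of organisations in `root`'s supply chain (excluding `root` itself)
    that depend, directly or transitively, on `compromised`. This is the
    knock-on effect: the suppliers of ours that are hit when one distant
    organisation has an incident."""
    reverse = direct_dependants(graph)
    in_chain = set(nth_party_exposure(graph, root))
    affected = set()
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for parent in reverse.get(node, ()):
            if parent != root and parent not in affected:
                affected.add(parent)
                queue.append(parent)
    return affected & in_chain


def exposure_report(graph, root):
    """One line per organisation in the chain, sorted by tier, with the number
    of our direct suppliers that would be affected if it were compromised."""
    tiers = nth_party_exposure(graph, root)
    direct = set(graph.get(root, []))
    lines = []
    for org, tier in sorted(tiers.items(), key=lambda kv: (kv[1], kv[0])):
        hit = len(blast_radius(graph, root, org) & direct)
        lines.append(f"tier {tier}  {org:<16} direct suppliers affected if compromised: {hit}")
    return lines


if __name__ == "__main__":
    for line in exposure_report(SUPPLIER_GRAPH, "us"):
        print(line)
```

In the sample graph the fourth-party `cdn-vendor` sits two hops away yet, through `cloud-warehouse`, `mssp` and `payroll-saas`, an incident there would touch all three of our direct suppliers at once; that concentration is exactly what a list of third parties alone would not reveal.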

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.