Mitigating Supply Chain Risk with EASM

Every organization today depends on a third-party vendor for something or another. From products and services to intellectual property, businesses in every industry rely on third-party vendors. With this reliance, however, comes risk. Not all third-party vendors maintain a strong cybersecurity posture. Being associated with a vendor essentially means trusting the protection of not only that third-party vendor but also every other company in that vendor’s vendor list.

‍

A software-based supply chain attack occurs when a malicious actor, often backed by a nation-state, breaches a software vendor's systems and modifies the code to suit their objectives. The goal of the attacker is to gain access to the vendor's customers, typically by exploiting a backdoor.

Supply chain breaches not only simplify the work of cyber criminals but also increase their impact. Service providers usually have backend integrations with all their clients, which means that a single breach can provide hackers with access to valuable personal data across multiple high-profile businesses.

Common Risks Introduced by Third-Parties

In 2017, Equifax, one of the three largest credit reporting agencies in the US, suffered a massive data breach that exposed the personal information of over 147 million individuals. This breach was a result of a vulnerability in an open-source software framework used by Equifax's web applications, which was maintained by a third-party vendor.

Not all the risks listed below are relevant to every third-party relationship however, most business relationships with third-party vendors will likely introduce a combination of the following risks-

1. Operational risk: Third-party vendors can introduce operational risk by failing to meet service level agreements(SLAs). This includes not delivering products or services on time, or providing subpar services. In addition, if a third-party vendor experiences a disruption or outage, it can have a ripple effect on the operations of the company they are serving.
2. Reputational risk: If a third-party vendor is involved in a breach, it reflects poorly on the organizations they work with. Customers and stakeholders might lose trust in the organization’s ability to protect their sensitive information. This leads to a decline in business and damages the brand's reputation hence, causing long-term financial losses.
3. Financial risk: This includes direct financial losses, such as breach-related fines as well as indirect financial losses, such as lost business opportunities, decreased market value or increased insurance premiums.
4. Compliance risk: If a third-party vendor fails to comply with regulations or breaches legal agreements, it may have serious consequences on the organization that hired them. This can result in legal and financial penalties, loss of customer trust, and damage to the organization's reputation.
5. Security risk: Any security weaknesses in the third-party vendor’s systems or processes can be exploited by attackers to gain unauthorized access to sensitive data. Most third-party vendors do not make cybersecurity their priority and hence might inadvertently compromise security.

It is important to note that this list is not exhaustive and there are several other risks that might be specific to the type of third-party vendors.

Strategies for Reducing the Impact of Supply Chain Attacks

1.Deploy Honeytokens

Honeytokens are fake resources that organizations use to distract attackers from their real, valuable resources. When an attacker interacts with these decoy resources or assets, an alarm sets off and the organization is notified about the breach attempt. They also reveal details about the breach and the methods used for conducting it. With this information, security teams can quickly implement the organization's incident response plan and prevent any damage to the organization’s genuine assets.

2. Implement Network Segmentation

A network architecture without segmentation allows hackers to move laterally within the organization's network until they reach a valuable asset. Network segmentation is a technique that divides a private computer network into smaller, isolated network compartments. This way, even if an attacker gets into the network through a compromised third-party vendor, the impact of the attack will be minimized. However, this strategy alone is not sufficient to stop sophisticated threat actors who may find ways to bypass it by gaining higher levels of access privileges.

3. Impose Multi-Factor Authentication (MFA)

According to Microsoft, 99.99% of attacks against user accounts can be prevented using Multi-Factor Authentication. MFA adds an extra security layer that makes it difficult for attackers to gain access to sensitive data. MFA requires additional forms of authentication, such as a security token or biometric verification, which are difficult for attackers to obtain or replicate. Hence, even with access to a third-party user's login credentials attackers cannot access the organization’s assets.

4. Limit Vendor Access to Data

It is dangerous to assume that a vendor’s reputation accurately reflects their cybersecurity posture. In case a third-party vendor is compromised, the chances of the breach impacting the organization can be significantly minimized if the vendor doesn’t have direct access to sensitive customer data, such as phone numbers, credit card numbers, and social security numbers. To reduce the overall attack surface, it is recommended that organizations limit the number of privileged access roles.

5. Constantly track the Third-Party Attack Surface

Organizations that trust third-party vendors to maintain the best cybersecurity posture are inevitably putting their assets at risk. To ensure the utmost security, it is important for organizations to not only monitor their attack surface but also their vendor’s attack surface. Utilizing an attack surface monitoring solution can help an organization’s third-party vendors discover vulnerabilities in real-time and patch them before they can be exploited.

Along with these, it is recommended to conduct a thorough background check on all third-party vendors beforehand. OSINT tools can be utilized to gather publicly available information about potential vendors, their reputation and security posture. To learn more about OSINT and how it is used for corporate security, click here.

Supply Chain risk management and Compliance

In March 2022, The Prudential Regulation Authority (PRA) introduced new regulatory requirements related to third-party risk management and outsourcing. To strengthen the operational resilience component of the PRA rulebook, the Supervisory Statement SS2/21 specifies security requirements across two categories of third-party relationships material outsourcing and non-outsourcing third parties.

Firms have two options to manage third-party risk under Section 2.8 of the Supervisory Statement SS2/21:

1. To establish a comprehensive, all-encompassing third-party risk management policy that covers both outsourcing and non-outsourcing third-party arrangements. This policy should address all pertinent risks related to third-party relationships.
2. To develop separate policies for outsourcing and non-outsourcing third-party arrangements that are aligned, consistent, effective, and risk-based to ensure proper management of third-party risks.

Supply Chain Breaches Require a Unique Cybersecurity Strategy- EASM

Traditional methods for mitigating data breaches are not designed to address breaches involving third-party vendors. The methods used to carry out such attacks are unique to each incident. Supply chain attacks involve an attacker targeting the service providers of an organization and creating a pathway that eventually leads them to the target organization’s assets. Once attackers successfully breach a service provider's network, they can exploit vulnerabilities in vendor software or gain access to sensitive information. Thus, they can accelerate the first-party breach cycle by using privileged credentials to sign up for the vendor's services.

Although attacking the target organization directly yields the same results, attackers prefer using the third-party vendor route. They tend to exploit attack vectors that offer the least amount of resistance. Service providers are often targeted due to their poor cybersecurity reputation. The 2022 Cost of a Data Breach Report by IBM and the Ponemon Institute highlights this issue and indicates that vulnerabilities in third-party software are one of the most commonly exploited initial attack vectors in a data breach.

The current protection solutions for supply chain attacks focus on security products sold to software companies. These products analyze code and CI/CD scripts to identify known problems and vulnerabilities. However, they only protect against already known vulnerabilities, not zero-day vulnerabilities or attacks gained through supply chain attacks. Moreover, they don't protect customers from vulnerabilities and errors in products developed by their vendors.

Utilizing an External attack surface management(EASM) tool helps organizations not only monitor their attack surface but also their third-party vendor’s attack surface to ensure complete cyber resiliency. EASM can provide organizations with greater visibility and control over their external attack surface, enabling them to better manage third-party vendor risk and reduce their exposure to cyber threats.

To learn more about EASM *click here.*

How do EASM solutions help with Supply Chain Security?

External Attack Surface Management (EASM) can help with supply chain security vendor attacks by-

1. Conducting Vendor Risk Assessment- EASM tools conduct automated scans of third-party vendor systems to identify their security weaknesses. By identifying these risks, EASM can help organizations see a clear picture of their vendor’s cybersecurity posture.
2. Providing Continuous Monitoring: EASM can continuously monitor the external attack surface of third-party vendors to detect any anomalies. This allows organizations to quickly identify potential security breaches and implement their incident response plan.

Third-party vendors or acquired companies cannot be trusted to provide an accurate picture of their security. External Attack Surface Management (EASM) can help organizations manage supply chain risks by centralizing the oversight of their attack surface.

EASM can also perform security due diligence on acquired companies, ensuring that any risks associated with the new assets are identified and addressed before integration. It can identify internet-connected assets owned by third-party vendors or supply chain partners. Thereby, helping organizations understand their potential risks. Additionally, EASM can automate the routing of exposure notifications and remediation of unknown risks, making it easier to manage threats.

EASM can discover all unsanctioned, unmanaged cloud assets and services, while also securing unmanaged cloud assets. It also performs cybersecurity due diligence on ongoing and historical acquisitions to mitigate any known or unknown risks. This accelerates the integration of acquired assets and monitors the successful decommissioning of divested assets to reduce an organization's attack surface.

EASM provides an effective solution for reducing the attack surface. Utilizing an automated EASM tool like Horizon ensures that adding partners or acquiring a company will not increase security risks for the organization. By implementing EASM, companies can identify vulnerabilities, reduce risks, and improve their overall security posture against supply chain attacks.

‍