Cyber Threat Intelligence (CTI) for Supply Chain Monitoring


Executive summary

Companies face a growing range of risks across their supply chain, and cyber threats are among the fastest growing. Studies indicate that nearly every company has at least one supplier that has recently been breached, is currently breached, or will soon be breached, and many more suppliers will be compromised in the next year. Further research shows that in nearly every company that suffers a breach, precursor signals of the breach could have been found on the dark web had the company been looking for them. Resecurity’s research reveals that over 60% of all company breaches originate from a company within the victim’s supply chain, rising to over 90% when technology providers are included. Although some companies assess the risk of potential suppliers during the evaluation phase, very few have the resources or mandate to monitor all their suppliers continuously. An organized CTI effort gives companies an economical and straightforward way to monitor their suppliers and to determine each supplier’s risk profile and likelihood of breach. This paper draws many parallels to Resecurity’s previous paper, “Active Dark Web Intelligence for M&A.” CTI research can answer critical questions that help companies understand the risks associated with their supply chain, including:

  • Standard suppliers, by evaluating the precursors of a breach:
      • How does this supplier’s cybersecurity risk compare with that of its competitors and other suppliers?
      • If the supplier is a technology vendor and has released a new security patch, is the N-day it patched being actively exploited by threat actors, or will it be?
      • Has a data breach or loss been detected that could cause regulatory or privacy concerns, materially affect the supplier, or pose a risk to its customers?
      • If my customers monitor their supply chain, what are they observing about my company?
  • Critical suppliers, by identifying actual breaches:
      • Is the supplier experiencing a data breach, or has it experienced an undisclosed one in the past?
      • What is the likelihood of the supplier being targeted, and will this result in a material data breach?
      • How does this breach impact my company as their customer? Has the supplier leaked strategic IP that affects my company, employees, or customers?
      • Has the supplier been involved in an unknown or undeclared material breach, as defined by the recent SEC rule 7? Did my company inherit these identified issues?
      • Is the supplier at risk of an insider threat from disgruntled employees offering data or services on the dark web that could impact my company or customers?
      • If my competitors monitor the dark web for breaches of their competitors, what are they observing about my company?

In May 2023, a group of hackers known as CL0P (TA505) started exploiting a zero-day vulnerability in MOVEit, a file transfer product from Progress Software. The breach by the numbers:

  • More than 62 million individuals were impacted.
  • Over 2,000 organizations were breached.
  • Approximately 84% of breached organizations are US-based.
  • Approximately 30% of breached organizations are from the financial sector.
  • The financial impact of the attack is over $10 billion.

Organizations inherit the cybersecurity risks of their suppliers. Unfortunately, many companies do not conduct adequate cyber risk assessments to determine whether a supplier has been breached, or whether precursors of a breach are already available to threat actors who could use them to breach the supplier if they chose to. This lack of diligence increases the likelihood of inheriting those risks. Controlling cybersecurity risk grows ever more complex in a fast-paced business environment, while information security departments need more personnel and resources than they have to keep attackers at bay.

CTI can monitor for cyber risks in the company’s supply chain

Supply chain or third-party vendor disruptions can cause operational chaos. Specifically, unauthorized access at a supplier can lead to negligence claims, significant fines, contract disputes, lawsuits, loss of revenue, and reputational harm for the organization. Therefore, companies must protect their data with robust vendor agreements that address data security and spell out each party’s responsibilities in case of a breach. They should also monitor their suppliers for potential breaches that could impact their company or customers.

  • In January 2024, the US Department of Health and Human Services received reports of 24 healthcare data breaches, each affecting more than 10,000 records. Perry Johnson & Associates, Inc. (PJ&A), a transcription service provider, reported two of the breaches. In November 2023, a cyberattack affected almost 9 million individuals. Concentra Health Services and North Kansas City Hospital added to the total of over 13.45 million affected individuals.
  • In April 2023, Shopify suffered a data breach that affected over 100,000 merchants who used its online store services. The breach occurred due to a malicious code injection in a third-party app called Mailchimp. Attackers accessed customers’ names, email addresses, payment information, and order details. Shopify faced lawsuits, regulatory scrutiny, and potential fines.
  • In January 2023, Peloton announced that Strava’s third-party software caused a security flaw that exposed personal and health data of 3 million users. Names, emails, workout stats, and heart rate data were compromised. Peloton faced legal action and reputational damage as a result.
  • In 2021, T-Mobile disclosed a data breach that compromised the personal information of over 50 million customers. The breach was due to a compromised server rented from a third-party cloud provider, resulting in lawsuits, regulatory scrutiny, and potential fines.
  • In 2021, a ransomware attack on Colonial Pipeline caused operational disruption for several days. The cybercriminals exploited a leaked password from a third-party vendor, leading to gas shortages and price increases in the US. Despite paying $4.4 million in ransom, Colonial Pipeline suffered significant losses from the attack and recovery efforts.

It is common for companies to conduct CTI analysis to protect themselves. Some use internal resources and others use external ones to determine a supplier’s cybersecurity posture, including a perimeter scan of the supplier’s network, scans of low-end cybercrime data (TOR), and a review of the supplier’s source code. CTI can enhance this vetting by focusing on threats visible across the Surface Web, the Dark Web (TOR) / Deep Web, and vetted / invite-only cybercrime communities. This allows the following questions to be answered with high confidence:

Is the supplier breached, and if so, by whom? What is their motivation? What data has been leaked?

Are there precursors of a breach that a threat actor could use to breach the supplier if they elected to do so?

Resecurity’s analysis has determined that only relying on data from the surface web and TOR will miss over 75% of the precursors of a breach and actual breaches.

One size does not fit all

Companies and their CTI vendors must understand that a single solution does not meet every company’s needs. To address this, companies and their CTI vendors must collaborate to determine their needs and constraints. The CTI vendor must assist their customers in selecting the right combination of services to meet their requirements, including budget, timeframe, confidence, rules of engagement, and depth of insights.

Broad visibility across these sources is critical to providing accurate CTI. For example, Resecurity provides our customers insights based on:

  • Continuous monitoring of over 31k sources.
  • Tracking of over 38M threat actors.
  • Billions of compromised credentials in the possession of threat actors, collected and still being collected.
  • Botnet records for billions of malware-infected devices, collected and still being collected.
  • HUMINT researchers who can dig deeper to answer questions that cannot be answered by analyzing dark web data alone.
  • Managed threat detection, including 0-day and N-day discovery and analysis.
  • Industry-leading primary research, digital forensics, red teaming, identity protection, and more.

The type of information that is available

Through Resecurity’s and other analyses, a high correlation has been observed between the precursors of a security breach and an actual breach. Three common precursors, breach data, botnet data, and dark web data, are described below. This data is traded among threat actors, sold in bulk, or sold by initial access brokers. Where dark web data alone cannot answer a question, HUMINT researchers can dig deeper. In addition to these observable precursors, Resecurity HUNTERS provides intelligence about breaches that traditional methods have not detected. Companies can use this data to prevent threat actors from using it as a beachhead into their own or their suppliers’ networks.

Breach data

The trend of compromised accounts discovered on the dark web indicates when services used by the company and its employees were breached.

For example, consider an analysis of trends for a randomly chosen Fortune 500 company that supplies nearly every customer in the US. Areas of concern:

  • 6,273 compromised employee accounts were discovered on the dark web from 1/1/22 until 11/30/23, with a concerning trend of more employee accounts leaking into the dark web over time.
  • Seven concerning spikes in the data indicate that the company, or a significant company in its supply chain, was breached.

Botnet data

This trend tracks the number of PCs used by the company’s employees that were compromised with malware. When a PC is compromised with malware, the employee’s username, password, device fingerprint, and security tokens are compromised with it. Threat actors typically buy the rights to push their malware to these devices, after which they have complete control over the victim’s PC.

For example, an analysis of trends for the same random Fortune 500 company shows additional areas of concern:

  • 5,406 PCs used by their employees were infected with malware from 1/1/22 until 11/30/23.
  • A concerning trend of PCs being infected with malware since Q3 2022.
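Both trend analyses above, the compromised employee accounts and the malware-infected PCs, reduce to the same two questions over a monthly time series: which months are spikes that point to a breach, and is the background rate still rising once those spikes are set aside? The following Python is an added example, not Resecurity’s code or data; the monthly counts are constructed for illustration, and the six-month window and the threshold multiplier are assumptions a monitoring team would tune to its own data.

```python
"""Spike and trend analysis of monthly dark-web observations about a
supplier (compromised employee accounts, malware-infected employee PCs).
Added example: the monthly counts below are constructed for illustration
and are not Resecurity data."""

from statistics import median

# Constructed sample, not real data: (month, number of compromised
# employee accounts found on the dark web) for 2022-01 .. 2023-11.
COMPROMISED_ACCOUNTS = [
    ("2022-01", 150), ("2022-02", 152), ("2022-03", 155), ("2022-04", 158),
    ("2022-05", 160), ("2022-06", 162), ("2022-07", 165), ("2022-08", 700),
    ("2022-09", 168), ("2022-10", 170), ("2022-11", 172), ("2022-12", 175),
    ("2023-01", 178), ("2023-02", 180), ("2023-03", 820), ("2023-04", 185),
    ("2023-05", 188), ("2023-06", 190), ("2023-07", 192), ("2023-08", 195),
    ("2023-09", 198), ("2023-10", 200), ("2023-11", 950),
]


def detect_spikes(series, window=6, k=4.0):
    """Return [(month, count)] for months far above the trailing baseline.

    Baseline = median of the previous `window` months; scale = median
    absolute deviation (MAD) of those months, floored at 1.  A month is a
    spike when count > baseline + k * scale.  Median/MAD are used instead
    of mean/stdev so that an earlier spike still inside the window does not
    inflate the baseline and mask the next one.  The first `window` months
    have no baseline and are never flagged.
    """
    spikes = []
    for i in range(window, len(series)):
        prev = [count for _, count in series[i - window:i]]
        base = median(prev)
        mad = median([abs(c - base) for c in prev])
        month, count = series[i]
        if count > base + k * max(mad, 1.0):
            spikes.append((month, count))
    return spikes


def baseline_slope(series, spikes):
    """Least-squares slope (count per month) of the non-spike months.

    A positive slope means the background rate of leaked accounts is
    rising even with the breach spikes removed, which is the 'concerning
    trend' a report should state separately from the spikes themselves.
    """
    skip = {month for month, _ in spikes}
    points = [(i, c) for i, (m, c) in enumerate(series) if m not in skip]
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in points)
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    return sxy / sxx


def summarize(series, window=6, k=4.0):
    """Produce the figures a supplier-risk report would carry."""
    spikes = detect_spikes(series, window, k)
    return {
        "total": sum(c for _, c in series),
        "spikes": spikes,
        "baseline_slope": baseline_slope(series, spikes),
    }


if __name__ == "__main__":
    report = summarize(COMPROMISED_ACCOUNTS)
    print(f"{report['total']} compromised accounts in the period")
    for month, count in report["spikes"]:
        print(f"spike in {month}: {count} accounts (possible breach)")
    print(f"baseline rising by {report['baseline_slope']:.1f} accounts/month")
```

The same `summarize` call works unchanged on the botnet series (month, infected PCs); the only difference is what the spike means, a credential dump for one series and a malware campaign against employee devices for the other. Both the spike months and the baseline slope are what a monitoring program should surface to the supplier’s customer.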

Dark Web Data

Monitoring data from the dark web can reveal threat actors planning to breach a company or how to monetize a breached or soon-to-be breached company.

Key takeaways:

CTI services can aid companies in understanding and reducing risks originating from their suppliers.

One size does not fit all. The scope and scale of these options are scaled up or down to meet each customer’s and engagement’s needs and budget:

Common offering: Self-service evaluation of a potential supplier
  • Summary: Companies can use Risk to determine the cyber risks of a potential supplier.
  • Timing: Can be done in as little as 15 minutes.
  • Used for: Identifying the relative risks of one supplier compared to other potential suppliers or their current suppliers.

Common offering: Ongoing supplier portfolio monitoring
  • Summary: Ongoing monitoring of a portfolio of suppliers, with ongoing reporting of alerts for emerging threats.
  • Timing: Ongoing.
  • Used for: Identifying the relative risks of all their suppliers.

Conclusion

When companies vet their suppliers, they often use third-party services with limited visibility, such as a simple perimeter scan of the supplier’s network. Some companies delve deeper and rely on a CTI vendor for a more comprehensive scan. However, they usually depend on vendors who can only access TOR and the surface web, which gives their clients incomplete visibility and often misses the essential issues they are concerned about. As a result, such vendors usually miss more significant events than they discover.

About the Author

Shawn Loveland is the COO of Resecurity. He is an experienced professional in the technology and cybersecurity field with over 35 years of industry expertise. He has worked for both small and large companies and has received 15 US patents and numerous international patents in computer security and telephony.

As the COO of Resecurity, Shawn aids Resecurity in providing practical solutions to our clients against the current threat landscape. He conducts proactive threat research and helps clients assess their Cyber Threat Intelligence (CTI) programs. He also provides customized intelligence services tailored to meet their unique needs. Before joining Resecurity, Shawn was responsible for dark web intelligence at Microsoft.

Shawn can be reached online at (Shawn Loveland | LinkedIn) and at our company website, https://www.resecurity.com/


