It’s important for businesses of all sizes to not only view their suppliers’ attack surface as their own but also extend some of their security protections.
Empower Your Suppliers Against Attack
The average business shares data with a complex network of third parties, depending on their operational needs. In a survey of security and risk professionals, Forrester learned that the average business has 4,700 third-party partners with some access to corporate data.
Third-party relationships extend your attack surface in ways that are hard to monitor and control. Just 14 percent of the respondents to Forrester’s survey said they were confident they could effectively track all their third parties.
Among the most insidious and potentially damaging of these threats is account takeover (ATO), where cybercriminals obtain email and password combinations and use them to gain unauthorized access to corporate networks. This provides criminals a springboard for a variety of attack types. Data collected from the criminal underground suggests there is a constant risk of ATO to large enterprises. SpyCloud research into risk among Fortune 1000 companies showed a total of 23 million exposed corporate credentials with a high rate of password reuse.
It’s important for businesses of all sizes to not only view their suppliers’ attack surface as their own but also extend some of their security protections to them. Doing so empowers suppliers to remediate the risks that threaten partner organizations.
Here is a rundown of 3 attack types that pose a risk to your business via your third-party ecosystem:
Business Email Compromise
2019 saw significant growth in business email compromise (BEC) losses: the FBI Internet Crime Complaint Center measured a 100 percent increase in BEC losses between May 2018 and June 2019. There was also innovation in attack techniques, including, notably, a case in which a fake voice was the lynchpin in the con. 2019’s growth and innovation could signal increases in the frequency of BEC attacks launched at – or through – your third parties.
Traditionally a threat actor might take over an email account and send a message internally about making a wire transfer or deposit to some “new vendor.” As BEC became more popular over the last few years, criminals recognized they could add legitimacy to their phony calls-to-action by sending them from an actual vendor’s account, resulting in what’s being called Vendor Email Compromise. The first step is hijacking a corporate account; the second is re-routing funds from that organization’s customers into criminal-controlled accounts, under the guise of a transaction problem or account change.
Enterprises can empower suppliers to prevent this fraud and associated damages. Sharing account exposure data directly with suppliers through your vendor risk management solution is the most efficient way to convey a sense of urgency for remediating the issues that put you both at risk, and seeing their actual risk data points their security team in the right direction. Alternatively, security teams can regularly check recovered breach data for email addresses connected to their suppliers, and share that information manually with them, though this could quickly become quite cumbersome. But helping third parties remediate vulnerabilities quickly can foster goodwill and strengthen your own organization’s overall security posture.
It is also worthwhile to perform this type of check before entering a partnership with a new supplier. Don’t grant data access to partners who are already vulnerable to attack.
Apart from financial theft, account takeover can also help threat actors launch data exfiltration attacks. Suppliers and partners often have access to valuable corporate secrets such as customer data, intellectual property, and competitive intelligence, making them valuable targets.
With access to a supplier’s compromised credentials, it’s likely that attackers will try using that stolen information to log into corporate networks, remote file shares, collaboration software, and more in search of data about partners and customers.
For example, many enterprises outsource development to contractors. If a developer’s login credentials appear on the criminal underground, an attacker can easily use that information to take over their account and gain access to secret account keys, providing access to a wealth of sensitive data.
Again, regular, proactive searches for breached credentials can help prevent these exfil attacks before they begin.
Enterprises already keep tight control over privileged access to data. In today’s security landscape, trusting that access and identity management policies is trusting too much. Most people do not know when they’ve been exposed, so enterprises need to have tools to verify that partners with privileged access have not become compromised.
Threat actors may again lean on the legitimacy of trusted partners to spread malware infections. With access to email and CRM systems, they may drop malicious links into seemingly innocuous emails or use spoofed invoices or other documents to deliver malware to target networks.
Other types of privileged access can enable even more nefarious delivery mechanisms. Using a contract developer’s compromised credentials, attackers may be able to commit code. If a criminal uses that access to distribute a backdoor, anyone who installs your software provides an open door to the attacker.
Similarly, if a criminal gains access to an ad syndication network, all of the organizations that then link to those ads become delivery mechanisms.
Cybercriminal tactics, techniques, and procedures are always evolving, and as underground services have democratized access to crimeware, the supply chain is an ever-more attractive vector by which criminals can test an enterprise’s defenses over time. Twenty-one percent of data breaches in 2018 were caused by third parties, and we expect that number to rise when the final 2019 tally is in. It’s imperative that businesses begin thinking of their suppliers’ attack surface as their own, extending security tooling through the supply chain and empowering third parties against account takeovers and the follow-on attacks they enable.