Forrester data reveals that 55% of security pros reported their organization experienced an incident or breach involving supply chain or third-party providers in the past 12 months. At the same time, a recent Gartner survey found that 76% of supply chain executives say their company is facing more frequent disruptions than three years ago.
In light of the increasing number of digital supply chain attacks in the headlines, affecting even the most reputable organizations, how can organizations defend themselves?
What is a Digital Supply Chain?
A digital supply chain is the set of software services and solutions an organization relies on to function. Exploited vulnerabilities in some of these services and solutions threaten operations critical to the organization and demand remediation strategies; it is important to understand that critical risks from the digital supply chain need to be addressed differently from those that are not critical.
For example, an insurance company’s digital supply chain may include payment processing solutions and portals, customer relationship management (CRM) platforms, and multiple partners and outsourced contractors. The payment processor, which handles sensitive and personally identifiable information (PII) of the insurance company’s customers, poses a critical risk if it is breached, while a website analytics tool that doesn’t have access to customer data would pose a far lower threat.
In an era of increasingly connected software and services, it is important for organizations not only to identify which services and solutions are in their ecosystem, but also to understand the level of risk each one poses to the organization in the event of a security incident or breach.
Third-Party Breaches vs Digital Supply Chain Attacks
While both third-party breaches and digital supply chain attacks occur as a result of the exploitation of a vulnerability in an organization’s system or infrastructure, they differ in their scope, potential impact, target and attack vector. Both third-party breaches and digital supply chain attacks are becoming more frequent and, at the same time, harder to defend against and mitigate.
In a third-party breach, an organization’s data is stolen or exfiltrated from a third party such as a supplier, partner, service provider, agency or outsourced contractor. The recent T-Mobile breach, for example, exposed the data of 37 million customers, including personally identifiable information (PII) such as names, addresses, phone numbers and dates of birth. Attackers targeted T-Mobile specifically through the attack vector of a third-party API.
In contrast, a digital supply chain attack occurs when an attacker breaches one of your organization’s third-party services and continues to infiltrate through those third, fourth and fifth parties to its desired target. Since a digital supply chain attack targets many different organizations within a supply chain, it has the potential to inflict massive damage on hundreds of organizations. This is what happened in the SolarWinds attack: high-profile customers downloaded the compromised third-party Orion software, giving hackers unauthorized access to the data and networks of hundreds of organizations, including the Pentagon, the U.S. State Department, Microsoft and even FireEye, a top global cybersecurity firm.
3 Major Digital Supply Chain Attacks in 2023
This past year a number of notable digital supply chain attacks occurred. Advanced third-party security risk solutions such as Panorays can assist in managing and mitigating attacks and breaches similar to the ones below.
1. MOVEit
The MOVEit digital supply chain attack exploited a zero-day vulnerability in the MOVEit file transfer software to gain access to organizations’ networks, where the attackers could obtain administrative privileges, deploy ransomware and edit database information. The Clop ransomware gang responsible for the attack succeeded in affecting hundreds of organizations, including the BBC, Zellis, British Airways, Norton and the government of Nova Scotia. Many organizations were unaware they had been impacted because they did not know whether the software was part of their software ecosystem, or whether a third, fourth or fifth party using the software presented significant risk to them.
After detecting the MOVEit file transfer software on the external attack surface of its customers’ supply chains, an advanced third-party security management solution can alert organizations to the specific suppliers running the vulnerable MOVEit software. Using this information, organizations can build remediation plans and collaborate with suppliers to ensure that a patch is applied as soon as possible, mitigating damage. In addition, any breach that occurred in a customer’s digital supply chain as a result of the MOVEit software was quickly identified as originating from a third, fourth or n-th party, and the alerts, reports and impact were managed accordingly. Security questionnaires were automatically sent to the relevant suppliers to understand the level of risk the vulnerability posed to the customer and, if necessary, to provide a mitigation plan.
2. 3CX
3CX, a VoIP provider of chat, video and voice calls, had the Mac and Windows versions of its desktop application compromised and infected with malicious code. Wherever the application was installed, hackers had access, impacting organizations in a wide range of industries from healthcare to aerospace and hospitality. After deep investigation, however, the hackers were found to have compromised the Mac and Windows desktop applications through an employee’s VPN and an earlier manipulated version of X_TRADER, a software package provided by Trading Technologies. This made it a double digital supply chain attack: a digital supply chain attack that leads to another digital supply chain attack.
In this attack, early detection was crucial, mitigating widespread damage that could have impacted these organizations financially, legally, and in terms of their reputation, brand and ability to meet compliance.
3. Citrix NetScaler
The Citrix NetScaler digital supply chain attack was a series of attacks. First, hackers exploited CVE-2023-3519 in Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway servers, which allowed them to execute code remotely without authorization, collect and exfiltrate Active Directory data, and take control of the systems. As soon as the exploit was identified, Citrix worked to release a patch for the vulnerability.
Next, attackers exploited CVE-2023-4966, known as the Citrix Bleed vulnerability, impacting Citrix NetScaler ADC and NetScaler Gateway products. In total, over 2,000 NetScaler appliances were affected by the attack, leading to compromised systems at Boeing, Toyota, Comcast and the Industrial and Commercial Bank of China.
After adding Citrix NetScaler to its list of active attacks, an advanced third-party security risk management solution can detect where Citrix is a third or fourth party for its customers, and continue to monitor it through various cybersecurity news sources to enable alerts as the attack evolves.
What We Can Learn from Digital Supply Chain Attacks in 2023
As we look back on digital supply chain risk from last year, we can identify a few trends and draw several insights, including:
- It is crucial for organizations to be able to identify the level of risk criticality. As organizations increasingly rely on third-party services, suppliers, vendors and outsourced contractors, and as the risks to organizations scale accordingly, it is vital to identify risk along the extended supply chain and prioritize it according to the criticality of those vendors.
- Early detection is critical. Similar to the SolarWinds attack, in the 3CX attack damage was minimized because it was detected in weeks, not months. This highlights the need for greater visibility into the digital supply chain, extending not only to third parties but also to fourth, fifth and n-th party suppliers, services and outsourced vendors.
- Third parties often offer more vulnerabilities to exploit. Even if your organization has the budget and resources to put a strong cybersecurity policy in place, not every organization does. Vendors in your extended digital supply chain also may not adhere to the same privacy or compliance standards as your organization, giving attackers a better opportunity to find an attack vector they can exploit.
Digital Supply Chain Management and Third-Party Risk
Organizations often turn to third-party security risk platforms to help them increase the resilience of their digital supply chain.
Other strategies include:
- Reducing your attack surface. Minimize publicly-facing assets, implement a regular vulnerability patch process, apply the principle of least privilege (POLP) and limit endpoints. All of these steps help to make it harder for attackers to exploit entry points to gain unauthorized access to your data and systems.
- Conducting regular vendor assessments. As cybersecurity risks and threats evolve along with your attack surface, IT and infrastructure, it’s important to continually assess your vendors for their ability to set effective security controls and data security policies, and to meet regulatory compliance.
- Leveraging AI for third-party risk detection. AI models help facilitate quicker and more accurate threat intelligence, continuous vendor security assessments, and proactive strengthening of your organization’s digital supply chain.
How Panorays Helps You Manage Third-Party Risk
When organizations don’t have visibility into their extended digital supply chain, defending against cyberattacks is next to impossible. With proper digital supply chain management that includes a combination of AI-powered security questionnaires and external attack surface assessments, Panorays identifies the risks posed to your organization from the third, fourth, fifth and n-th parties in your digital supply chain. It then maps the different CVEs and KEVs existing within these different parties, ranking them according to the level of criticality they pose to your business. These suppliers, agencies, vendors and outsourced parties are then notified of the risk they present to your organization, allowing them to collaborate and remediate the risk effectively, helping to build a more resilient digital supply chain for the future.
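The mapping and ranking described above (and earlier, where a vulnerable product such as MOVEit or NetScaler is traced back to the third or fourth party running it) comes down to a small graph problem: walk the supplier relationships outward from the organization, record at what depth each party sits and through which direct supplier it is reached, then score each known vulnerability by the criticality of that path and by whether it is already known to be exploited. The script below is an added illustration of that logic, not Panorays code or any real platform's algorithm. The supplier graph, criticality tiers, product findings, CVE identifiers (placeholders of the form CVE-0000-000x) and the KEV-style list are all constructed sample data; the weighting (criticality doubled for known-exploited CVEs) is an assumption chosen for the example.

```python
"""Rank n-th party exposure to known vulnerabilities by path criticality.

Added example, not Panorays code. All names, tiers, findings and CVE ids
below are constructed; CVE-0000-000x are placeholders, not real CVEs.
"""
from collections import deque

# Constructed supplier graph: each key depends on the parties in its list.
# Depth 1 from the organization = third party, 2 = fourth party, and so on.
SUPPLIERS = {
    "acme-insurance": ["payments-co", "crm-vendor", "web-analytics-co"],
    "payments-co": ["file-transfer-host"],
    "crm-vendor": ["cloud-gateway-co"],
    "web-analytics-co": ["cloud-gateway-co"],
    "file-transfer-host": [],
    "cloud-gateway-co": [],
}

# Business criticality of each *direct* supplier (1 = low, 3 = critical),
# mirroring the article's payment processor vs. analytics tool contrast.
DIRECT_CRITICALITY = {
    "payments-co": 3,       # handles customer PII
    "crm-vendor": 2,
    "web-analytics-co": 1,  # no access to customer data
}

# Constructed findings: product seen on a party's external surface + its CVE.
FINDINGS = {
    "file-transfer-host": [("ExampleTransfer", "CVE-0000-0001")],
    "cloud-gateway-co": [("ExampleGateway", "CVE-0000-0002")],
    "crm-vendor": [("ExampleCRM", "CVE-0000-0003")],
}

# Constructed stand-in for a known-exploited-vulnerabilities (KEV) catalogue.
KEV = {"CVE-0000-0001", "CVE-0000-0002"}


def reach(graph, org):
    """Breadth-first walk from org.

    Returns {party: {"depth": shallowest depth, "via": set of direct
    suppliers through which the party is reached}}. Visited (party, via)
    pairs are tracked so cyclic supplier graphs terminate.
    """
    info = {}
    visited = set()
    queue = deque((direct, 1, direct) for direct in graph.get(org, []))
    while queue:
        party, depth, via = queue.popleft()
        if (party, via) in visited:
            continue
        visited.add((party, via))
        entry = info.setdefault(party, {"depth": depth, "via": set()})
        entry["depth"] = min(entry["depth"], depth)
        entry["via"].add(via)
        for downstream in graph.get(party, []):
            queue.append((downstream, depth + 1, via))
    return info


def party_label(depth):
    """Map graph depth to the article's third/fourth/fifth/n-th party wording."""
    names = {1: "third", 2: "fourth", 3: "fifth"}
    return f"{names.get(depth, f'{depth + 2}-th')} party"


def rank_exposure(graph, org, criticality, findings, kev):
    """Score each finding that lies in org's supply chain and sort by urgency.

    score = (highest criticality among the direct suppliers it is reached
    through) x (2 if the CVE is known-exploited, else 1). Assumed weighting.
    """
    info = reach(graph, org)
    rows = []
    for party, items in findings.items():
        if party not in info:
            continue  # finding is outside this organization's supply chain
        depth, via = info[party]["depth"], info[party]["via"]
        inherited = max(criticality.get(v, 1) for v in via)
        for product, cve in items:
            exploited = cve in kev
            rows.append({
                "supplier": party, "product": product, "cve": cve,
                "depth": depth, "via": sorted(via), "kev": exploited,
                "score": inherited * (2 if exploited else 1),
            })
    # Highest score first; ties broken by shallower depth, then name.
    rows.sort(key=lambda r: (-r["score"], r["depth"], r["supplier"]))
    return rows


if __name__ == "__main__":
    for r in rank_exposure(SUPPLIERS, "acme-insurance", DIRECT_CRITICALITY, FINDINGS, KEV):
        flag = "KEV" if r["kev"] else "   "
        print(f"score {r['score']}  {flag}  {r['cve']}  {r['product']:16} "
              f"at {r['supplier']} ({party_label(r['depth'])}, via {', '.join(r['via'])})")
```

Running it ranks the file-transfer host's known-exploited CVE first even though it is a fourth party, because it is reached through the critical payment processor; the gateway shared by the CRM and analytics vendors inherits the CRM vendor's higher tier; and the CRM vendor's own non-exploited CVE lands last despite being a direct third party. Each row also names the direct suppliers to contact, which is the input a questionnaire or remediation workflow needs.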
Want to learn more about how you can manage third-party risk across your extended digital supply chain? Sign up for a free demo today.
Digital supply chain risk is any critical risk posed to your organization by its third, fourth, fifth and n-th party services. These vendors along the digital supply chain can be suppliers, software services, partners, agencies or outsourced services: any vendor supplying a product or service to your organization. Organizations that depend on specific vendors in the digital supply chain for critical services are at increased risk of operational and service disruptions, in addition to financial and legal risks and failure to meet compliance.
Digital supply chain management is important because it gives you better planning, control and delivery of the products and goods in your digital supply chain. This impacts your organization’s operational efficiency, finances, visibility and ability to meet compliance and security requirements. A strong, resilient and well-managed digital supply chain, for example, can adapt quickly to changes in the supply chain, such as shifts in customer demand or data breaches at third, fourth or n-th parties.
Digital supply chain security is the process of ensuring that a third, fourth, fifth or n-th party is defending against unauthorized access to their data or systems to protect every other organization in the ecosystem. In other words, it involves extending greater visibility through tracking and identifying each party, which technologies they use and the critical risk they pose to your organization.