One of the most significant sources of cyber risk comes from the supply chain, a catch-all term for products and resources shared or used between organizations. These relationships increasingly are recognized and capitalized on by attackers, who analyze not only the attack surfaces of their direct targets, but also their targets’ partners, hoping that lax security on the part of one party may allow an incursion into the other.
Supply chain risks can manifest in a myriad of scenarios. They can come from the use of software made by other vendors, from two organizations that share network connections or software for business, or from contracting or outsourcing arrangements. This has increased the importance of evaluating the cybersecurity controls of potential partners and suppliers, with the aim of ensuring that weak controls within one organization do not translate into increased cyber risk for another. If a partner stores sensitive information, the security of that information relies on that partner’s information technology (IT) security practices, which lie outside the other organization’s direct control. The challenges around this are not trivial. How can an organization maintain an up-to-date picture of the risks posed by one of its partners?
The same methods that attackers use to investigate weaknesses of their targets also can be used in defense. An organization’s attack surface is the sum of its internet-facing entry points that a threat actor can use to gain unauthorized access. A threat actor may need only to compromise a single supplier or software vendor before they can move to target other organizations laterally. This scenario has played out again and again, particularly with cybercriminals, nation-state actors and ransomware groups in attacks including NotPetya, SolarWinds and most recently MOVEit.
Common Vulnerabilities in Third-Party Attack Surfaces
Threat actors perform extensive reconnaissance using open source data and internet-wide scanning tools to analyze an attack surface for vulnerabilities. Issues that attackers may seize upon include:
Failure to Patch
If third parties fail to patch services quickly, security gaps will be left unaddressed. Threat actors take advantage of slow patching time after time. While some threat actors exploit vulnerabilities quickly after disclosure to maximize the potential success of an attack, they also can have success months or even years later. In August 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a list of a dozen of the most routinely exploited vulnerabilities in 2022. Of those, seven were disclosed prior to that year, including one secure sockets layer-virtual private network (SSL-VPN) vulnerability from 2018. The lack of patching by some organizations means attackers save resources: they do not need to buy or research new vulnerabilities and then develop exploits for them. Attack surface monitoring of a partner or supplier potentially can highlight unpatched, internet-exposed software, allowing one party to inform the other before a breach occurs.
Security Misconfigurations
IT systems and IT security controls are prone to human error, and a significant percentage of breaches are rooted in such errors. For example, a developer working on an application programming interface (API) might mistakenly use production data rather than test data. Then, the API – which was supposed to run only on an isolated test network – is exposed to the internet by accident. Through scanning, attackers find the API endpoint and begin probing it to see what data it holds. Configuration mistakes extend to cloud services as well. Many cloud services operate under a shared responsibility model for cybersecurity, in which the customer is responsible for configuring its own resources; customer-generated misconfigurations in that infrastructure may permit unauthorized users access to third-party systems or data.
Forgotten Assets
Obsolete user accounts may be forgotten. When employees leave, it is best practice to disable their accounts and their access to applications. If this doesn’t happen, there is a chance that attackers may be able to obtain valid credentials for those accounts. Unused software applications may also remain on networks. If those applications are not maintained and patched, they create opportunities for actors to gain access to systems or inject malicious code.
Shadow IT
This is the term for applications, software and devices that employees provision and use without the explicit approval of the IT team. Since they are unknown to IT, these applications cannot be protected, allowing threat actors easier access to a third party’s systems. Shadow IT has become especially prevalent as organizations embrace cloud services and remote working.
Employee Information
Locating employees’ email addresses and social media accounts provides an entry point for attackers. Threat actors can target employees with phishing attacks, in which emails impersonating sources of authority are sent to trick them into clicking malicious links or divulging personal information that can be used to infiltrate a system.
Intel 471’s Attack Surface Discovery
Scanning a third party’s infrastructure can reveal avenues that could be used to mount supply chain attacks. Intel 471’s Attack Surface Discovery, which is part of the Attack Surface Protection suite, allows organizations to see their own digital footprint as well as those of other organizations in their supply chain. The digital footprint is an image of risk at a point in time and it draws on more than 200 open source intelligence (OSINT) sources as well as network scans that can reveal public-facing software and assets.
Scenario: Exposed Remote Desktop Protocol
Company A undertakes a scan of organization B’s external-facing IT assets to assess its third-party and supply chain risk. Company A discovers that organization B has two exposed remote desktop protocol (RDP) ports, which frequently are targeted by initial access brokers (IABs), ransomware actors and other cybercriminals trying to steal data. Upon investigation, organization B discovers that both RDP services were provisioned without permission and that the IT security section was unaware, a type of shadow IT deployment. After being notified, organization B takes the RDP ports offline.
This scanning can be undertaken regularly on a weekly or monthly basis, and alerts can be set to trigger on changing parameters between scans. Continuous monitoring of third parties can give an up-to-date view of evolving risk. Intel 471’s Attack Surface Management product, a component of Attack Surface Protection, allows for this regular scanning and alerting of, for example, those partners with which sensitive information is shared and exchanged.
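The two scenarios above (the discovery of unsanctioned RDP exposure, and alerts that trigger on changes between successive scans) come down to one mechanism: keep each scan's inventory of a partner's internet-facing services, diff it against the previous one, and raise an alert when something appears, disappears or changes. The following is an added example written for this article; it is not Intel 471 code and does not use the Attack Surface Management product's data format. The snapshot format, the high-risk port list and the two constructed snapshots (documentation-range addresses only) are assumptions made for the example.

```python
"""
Added example: diffing two external-scan snapshots of a partner's
internet-facing services and raising alerts on what changed between scans.
Not Intel 471 code; the line format and all data here are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Services whose unexpected exposure warrants immediate notification of the
# partner. This list is an assumption for the example, not a vendor-defined set.
HIGH_RISK_PORTS = {
    3389: "Remote Desktop Protocol (RDP)",
    445: "SMB",
    23: "Telnet",
    5900: "VNC",
}

@dataclass(frozen=True)
class Service:
    ip: str
    port: int
    proto: str
    banner: str

def parse_snapshot(text: str) -> set[Service]:
    """Parse a constructed 'ip port proto banner' listing into a set of services."""
    services = set()
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, port, proto, *banner = line.split(maxsplit=3)
        services.add(Service(ip, int(port), proto, banner[0] if banner else ""))
    return services

def diff_snapshots(previous: set[Service], current: set[Service]) -> dict[str, list[Service]]:
    """Return services that were added, removed, or whose banner changed.

    A service is identified by (ip, port, proto); the banner is compared
    separately so a version change on a known service is still reported.
    """
    prev = {(s.ip, s.port, s.proto): s for s in previous}
    cur = {(s.ip, s.port, s.proto): s for s in current}
    order = lambda s: (s.ip, s.port)
    added = sorted((cur[k] for k in cur.keys() - prev.keys()), key=order)
    removed = sorted((prev[k] for k in prev.keys() - cur.keys()), key=order)
    changed = sorted((cur[k] for k in cur.keys() & prev.keys()
                      if cur[k].banner != prev[k].banner), key=order)
    return {"added": added, "removed": removed, "changed": changed}

def build_alerts(diff: dict[str, list[Service]]) -> list[str]:
    """Turn a diff into alert lines; new high-risk exposures are flagged HIGH."""
    alerts = []
    for svc in diff["added"]:
        if svc.port in HIGH_RISK_PORTS:
            alerts.append(f"HIGH: new {HIGH_RISK_PORTS[svc.port]} exposure on {svc.ip}:{svc.port}")
        else:
            alerts.append(f"INFO: new service {svc.ip}:{svc.port}/{svc.proto} ({svc.banner})")
    for svc in diff["changed"]:
        alerts.append(f"INFO: banner changed on {svc.ip}:{svc.port}/{svc.proto} -> {svc.banner}")
    for svc in diff["removed"]:
        alerts.append(f"INFO: service no longer exposed {svc.ip}:{svc.port}/{svc.proto}")
    return alerts

# Constructed snapshots (RFC 5737 documentation addresses, not real assets).
LAST_WEEK = """
# ip port proto banner
203.0.113.10 443 tcp HTTPS web portal
203.0.113.10 22 tcp SSH
203.0.113.25 25 tcp SMTP
"""

THIS_WEEK = """
# ip port proto banner
203.0.113.10 443 tcp HTTPS web portal v2
203.0.113.10 22 tcp SSH
203.0.113.25 25 tcp SMTP
203.0.113.41 3389 tcp RDP
203.0.113.42 3389 tcp RDP
"""

def run_weekly_check(previous_text: str = LAST_WEEK, current_text: str = THIS_WEEK) -> list[str]:
    """Compare the two snapshots and return the alerts a monitoring job would send."""
    return build_alerts(diff_snapshots(parse_snapshot(previous_text), parse_snapshot(current_text)))

if __name__ == "__main__":
    for alert in run_weekly_check():
        print(alert)
```

Run as-is, the check reports the two new RDP exposures as HIGH and the changed web banner as INFO; comparing a snapshot with itself produces no alerts, which is the property a scheduled job needs so that only real changes reach the partner.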
Scenario: Unpatched Exchange Server
Company C has set up a regular scan of a partner’s network using Attack Surface Management, which includes checks for open ports, services and applications that a partner may be exposing. After the scan, company C gets an alert that the partner has exposed an Exchange Server that is vulnerable to CVE-2021-26857, which is a remote code execution (RCE) vulnerability. The partner is warned and the impacted server is taken offline until it can be patched.
Digital footprints regularly collected with Attack Surface Management become more valuable when paired with cyber threat intelligence (CTI) data from Attack Surface Intelligence, the third leg of Intel 471’s Attack Surface Protection suite. This intelligence is collected from cybercriminal forums, such as so-called dark or deep web sites, underground marketplaces, Telegram channels and directly from threat actors. This is the ground truth of threat actor activity. Attack surface research and CTI are complementary in the sense that both aim to detect weaknesses in advance and prevent malicious activity before it occurs. Below is an example of how knowledge of an organization’s digital footprint can be leveraged to deliver a proactive warning to a critical partner of the chance of an impending security incident.
Scenario: File Transfer Software Targeted
An insurance company is a partner of a health care organization, which uses managed file transfer (MFT) software to exchange voluminous files on a daily basis. Through regular scanning, the insurer knows the health care company runs a public-facing subdomain with a portal for MFT software. Using CTI, the insurance company learns that threat actors are discussing a possible zero-day vulnerability in the MFT software. Although the software that the vulnerability affects is not stated explicitly, discussions in the cyber underground give some clues as to which vendor may be affected. Before proof-of-concept (PoC) code for the vulnerability is developed, both companies are able to evaluate the risk, undertake mitigations and remove sensitive data from the MFT software.
Scenario: New Vulnerability in SSL-VPN Software
A new vulnerability has been disclosed in an SSL-VPN gateway. After company A undertakes a regular scan using Attack Surface Management, it discovers that its partner is running the vulnerable software. CTI collected by Intel 471 as part of Attack Surface Intelligence reveals that a threat actor has developed PoC code, and it is possible that exploit code will be available for sale soon, meaning that company A's partner should prioritize patching.
Scenario: CTI Indicates Malware on Server
As part of monitoring the attack surface of a partner, organization C conducts a search of the partner’s IP address range. The search reveals data collected by Intel 471’s Malware Intelligence module, which tracks the activity of the top 200 malware families, including botnets. The search uncovers that a server within the partner’s network appears to be acting as a command and control (C2) server for a type of malware. The partner can be warned of the infection and remediate the machine.
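The search in this scenario is, mechanically, a membership test: take the addresses that malware intelligence has observed acting as C2 infrastructure and check which of them fall inside the address ranges recorded for each monitored partner. The following is an added example written for this article, not Intel 471 code and not the Malware Intelligence module's data model. The partner ranges, the observation tuples and the placeholder malware family names are all constructed (documentation-range addresses only).

```python
"""
Added example: matching observed C2 addresses against monitored partner IP
ranges. Not Intel 471 code; all ranges, indicators and family names below are
constructed placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed partner ranges, as a monitoring team would record them.
PARTNER_RANGES = {
    "partner-b": ["203.0.113.0/24", "2001:db8:1::/48"],
    "partner-c": ["198.51.100.0/26"],
}

# Constructed C2 observations: (ip, malware family, first seen). Not real IoCs.
C2_OBSERVATIONS = [
    ("203.0.113.77", "placeholder-botnet-1", "2024-01-02"),
    ("192.0.2.5", "placeholder-loader", "2024-01-03"),        # in nobody's range
    ("198.51.100.20", "placeholder-botnet-2", "2024-01-05"),  # inside the /26
    ("198.51.100.200", "placeholder-botnet-2", "2024-01-05"), # outside the /26
    ("2001:db8:1::beef", "placeholder-rat", "2024-01-06"),    # IPv6 range hit
    ("not-an-ip", "malformed", "2024-01-07"),                 # feed noise
]

def compile_ranges(ranges: dict) -> dict:
    """Parse CIDR strings once; strict=False tolerates host bits set in the input."""
    return {
        partner: [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]
        for partner, cidrs in ranges.items()
    }

def find_c2_in_ranges(observations: list, ranges: dict) -> dict:
    """Return {partner: [(ip, family, first_seen, matched_cidr), ...]} for every
    observation that lies inside one of that partner's ranges.

    Malformed indicators are skipped rather than aborting the whole search, so
    one bad feed entry cannot suppress a real hit elsewhere.
    """
    compiled = compile_ranges(ranges)
    hits = defaultdict(list)
    for ip_text, family, first_seen in observations:
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # in production: log the bad entry for feed hygiene
        for partner, nets in compiled.items():
            for net in nets:
                # Membership is only meaningful within the same IP version.
                if ip.version == net.version and ip in net:
                    hits[partner].append((ip_text, family, first_seen, str(net)))
                    break
    return dict(hits)

def summarize(hits: dict) -> list[str]:
    """One notification line per partner with hits, ready to send to that partner."""
    lines = []
    for partner, matches in sorted(hits.items()):
        addrs = ", ".join(f"{ip} ({family}, {seen})" for ip, family, seen, _ in matches)
        lines.append(f"{partner}: {len(matches)} address(es) observed as C2: {addrs}")
    return lines

if __name__ == "__main__":
    for line in summarize(find_c2_in_ranges(C2_OBSERVATIONS, PARTNER_RANGES)):
        print(line)
```

The result for the constructed data is two hits for partner-b (one IPv4, one IPv6) and one for partner-c; the address just outside the /26 and the address in an unmonitored range are correctly ignored. A hit is a prompt to notify the partner, not proof of compromise on its own: the partner still needs to confirm the host is theirs and investigate.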
Third-party and supply chain attacks illustrate that the task of reducing risk doesn’t lie within the boundaries of a single organization. Supply chain attacks present the frustrating scenario where an organization can do everything mostly right – a well-honed patching program, strong identity management controls, quality controls to catch configuration errors – yet still be compromised because of the unfortunate circumstances of a partner or vendor. These risks never can be eliminated completely, but as outlined above, there are demonstrable steps that can be taken in advance that could prevent a breach. For more information on how the Attack Surface Protection suite can help, please contact Intel 471.