As organizations increasingly rely on third-party vendors and suppliers for their day-to-day operations, their digital ecosystem also grows more complex. They may need to open additional ports and create endpoints to communicate with vendor systems and activate third-party services. These and other third-party dependencies create potential entry points for attackers, expanding the organization’s attack surface.
Not only that, but the expansion is further amplified by the vulnerabilities in your vendor supply chain, and in their suppliers' supply chains, and so on. It is a rabbit hole full of blind spots that can lead to an explosion of supply chain attacks.
A recent report revealed that supply chain attacks accounted for nearly one-third of the total volume of data breaches in 2023. In addition, compromise stemming from the supply chain cost more and took longer to detect and mitigate than other types of data breaches.
What Drives Supply Chain Attacks?
Attackers know that targeting the supply chain can give them access to multiple organizations at once. When a vendor suffers an attack, it is likely not the only victim: threat actors are, so to speak, hitting far more than two birds with one stone.
In the case of the SolarWinds and Okta security breaches, for instance, threat actors were able to hit thousands of customers, many of whom experienced subsequent hijacking attacks.
Supply chain attacks are therefore very attractive to attackers. But aside from their lucrativeness, other factors may be at play, including limited visibility over third-party-connected assets and shadow IT.
Do You Have Visibility over Your Third-Party Dependencies?
Relying on third-party vendors and suppliers allows organizations to focus on their core services. However, the assets and dependencies created to enable these external services are bound to expand their attack surface.
For instance, companies using cloud-based customer relationship management (CRM) systems and third-party programming libraries across products and services must be able to determine the following:
- What root assets (e.g., domains and subdomains) are connected to the CRM?
- What dependencies are there? What IP addresses, ports, name servers, Secure Sockets Layer (SSL) certificates, and email addresses are connected to the root assets?
Third-party dependencies can get affected in the event of a supply chain attack, making them part of the attack path. Vulnerable libraries and widgets embedded into websites could fall prey to malicious exploits similar to Magecart.
As such, identifying and securing third-party assets is a crucial part of the overall external attack surface management (EASM) process.
Can You See What Your Employees Are Up to in the Cloud?
It may only take one employee using a company-managed device to access a personal account for a supply chain attack to ensue.
Using third-party services on corporate devices without IT approval contributes to the expansion of the attack surface. It is, therefore, no wonder that of the 77% of companies that experienced cyber incidents, 11% say they were caused by shadow IT use.
Knowing what applications employees use is necessary to identify and secure assets. That requires visibility into all technologies connected to the vendors, whether authorized or not. More than that, improving your employees’ cybersecurity awareness is also critical.
Is Your Supply Chain Picture Up-to-Date?
Shadow IT can easily become integrated into critical assets over time. What happens if it is forgotten or continuously overlooked? For example, marketing staff using an unapproved tracking pixel to monitor website traffic and conversions can expose connected assets, and worse, sensitive data, to vulnerabilities in the pixel.
Even approved services can pose risks if their connections to assets are not properly discontinued when they are no longer needed. These stale connections can create vulnerabilities that attackers can exploit.
Maintaining an up-to-date picture of all connected assets and third-party technologies is critical as it provides organizations with a complete view of their external attack surface.
What Can You Do?
CISOs and security leaders need all the help they can get to gain control of their expanding attack surfaces and mitigate supply chain risks. That involves proactive strategies that include:
- Obtaining enhanced visibility: Done through continuous monitoring of your external attack surface, identifying newly added assets, misconfigurations, and vulnerabilities related to third-party dependencies.
- Vetting third-party suppliers: Done through rigorous vendor risk assessment and due diligence. Keep in mind that you inherit your supply chain’s security posture. Weak vendor security practices can leave your organization exposed if their systems get compromised.
- Gaining cloud and shadow IT asset visibility: Done by scanning cloud services and other technologies for accounts and dependencies, such as IP addresses, ports, subdomains, and email addresses.
- Conducting regular security awareness training: Done to educate employees about the dangers of shadow IT and other security risks.
- Creating and implementing a detailed vendor termination plan: Involves outlining all assets and accounts that must be decommissioned when vendor relationships end.
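The questions above (which root assets point at which vendor, which of those connections are stale, and which were never vetted) can be answered mechanically from a DNS inventory and a vendor register. The following is an added illustration, not Attaxion's code: it classifies CNAME dependencies against a constructed vendor register, flagging records that still point at a terminated vendor and records that point at a vendor nobody vetted. All hostnames, vendor names, and contract statuses are constructed for the example.

```python
"""Classify third-party DNS dependencies as approved, stale, or unvetted."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data (hypothetical vendors and hosts, not a real inventory).
# Vendor register: DNS suffix that identifies the vendor -> contract status.
VENDOR_REGISTER: Dict[str, str] = {
    "crm-vendor.example": "active",
    "oldchat-vendor.example": "terminated",  # contract ended; should be decommissioned
    "cdn-vendor.example": "active",
}

# Root asset -> CNAME target, as a DNS inventory would report it.
DNS_INVENTORY: Dict[str, str] = {
    "www.company.example": "edge.cdn-vendor.example",
    "crm.company.example": "tenant-123.crm-vendor.example",
    "support.company.example": "widget.oldchat-vendor.example",  # stale vendor link
    "promo.company.example": "track.pixel-vendor.example",       # not in register
    "mail.company.example": "",                                  # first-party host
}

@dataclass
class Finding:
    host: str
    target: str
    vendor: str
    status: str  # "approved", "stale", "unvetted", or "first-party"

def vendor_for(target: str, register: Dict[str, str]) -> Optional[str]:
    """Match a CNAME target to a registered vendor by domain suffix."""
    for suffix in register:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None

def classify(inventory: Dict[str, str], register: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for host, target in inventory.items():
        if not target:
            findings.append(Finding(host, target, "", "first-party"))
            continue
        vendor = vendor_for(target, register)
        if vendor is None:
            status = "unvetted"    # dependency on a vendor nobody assessed (shadow IT)
        elif register[vendor] == "terminated":
            status = "stale"       # vendor relationship ended but DNS still points at it
        else:
            status = "approved"
        findings.append(Finding(host, target, vendor or "", status))
    return findings

def needs_action(findings: List[Finding]) -> List[Finding]:
    """Return the findings a termination plan or vendor review must handle."""
    return [f for f in findings if f.status in ("stale", "unvetted")]
```

Run over a real inventory, the "stale" set is the input to a vendor termination plan and the "unvetted" set is the shadow IT backlog for risk assessment.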
—
An organization’s supply chain undoubtedly expands its overall attack surface, giving threat actors more attack opportunities and entry points. Mitigating risks involves obtaining visibility over assets created from third-party relationships and shadow IT usage.
Find out how Attaxion can help uncover third-party dependencies and supply chain risks through comprehensive asset mapping capability. Start your free trial now.