Supply Chain Risk


In the context of cybersecurity, Supply Chain Risk is the potential for a security threat to an organization's systems or data that originates in its third-party relationships. It arises from weaknesses in the development, manufacturing, or distribution chain of a product or service, which an attacker can exploit to compromise the end user.

This risk is a significant concern because modern organizations rely on a complex ecosystem of suppliers, vendors, and partners for software, hardware, and services. A weakness in any one of these links can have a ripple effect, impacting every organization that uses that compromised product or service.

Key sources of supply chain risk include:

  • Vendor and Third-Party Vulnerabilities: A third-party vendor may have weak security controls, making them an easy target for attackers. If that vendor's systems are compromised, an attacker can use that access to pivot to the organizations that use the vendor's products.

  • Software and Hardware Compromise: A malicious actor can inject malware or a backdoor into a product during development or manufacturing. The tampered product is then distributed to every customer that purchases it, giving the attacker a foothold in each of their environments.

  • Data Exposure: An organization may share sensitive data with a third-party vendor, which, if compromised, can lead to a data breach.

The primary defenses against supply chain risk are a robust vendor management program, thorough security assessments of third-party vendors, and a zero-trust model in which no third-party relationship, connection, or component is trusted by default.

ThreatNG, an all-in-one solution for external attack surface management, digital risk protection, and security ratings, helps organizations manage Supply Chain Risk by providing an outside-in view of their third-party relationships. It identifies and assesses vulnerabilities that attackers could use to pivot from a third party to the organization.

ThreatNG's Role in Managing Supply Chain Risk

External Discovery

ThreatNG performs purely external, unauthenticated discovery to find and map an organization's third-party assets. This is crucial for managing supply chain risk, as it provides an inventory of all public-facing assets that have been added to the attack surface through third-party relationships. ThreatNG's discovery capabilities include:

  • Subdomain Intelligence: It analyzes subdomains and performs an "Enumeration of Vendor Technologies from DNS and Subdomains". This helps an organization identify third-party vendors and the technologies they use.

  • Technology Stack: ThreatNG identifies all technologies used by the organization under investigation. This can help to identify third-party vendors and their associated assets.

  • Cloud and SaaS Exposure: It evaluates cloud services and Software-as-a-Service (SaaS) solutions, discovering sanctioned, unsanctioned, and open-exposed cloud buckets on AWS, Microsoft Azure, and Google Cloud Platform. This is critical for identifying assets that third-party vendors may have deployed without central oversight.

  • Sentiment and Financials: ThreatNG's Sentiment and Financials module uncovers lawsuits, SEC filings, SEC Form 8-Ks, and negative news related to an organization. Attackers can use this information to craft a compelling social engineering attack.

  • Domain Intelligence: This module performs a comprehensive analysis of a website's subdomains, DNS records, and SSL certificate statuses. This can help to identify third-party vendors and their associated assets.

  • Online Sharing Exposure: It identifies organizational entities on platforms such as Pastebin and GitHub Gist. This can reveal a lack of control over what information is being shared externally.

Example of ThreatNG Helping: ThreatNG's Subdomain Intelligence discovers a new subdomain, vendor.example.com, that a third-party vendor operates on the organization's behalf. ThreatNG can then assess the security posture of this subdomain, which is a crucial part of managing supply chain risk.

External Assessment

ThreatNG assesses the risk of the newly discovered assets to provide context and prioritization. These assessments directly relate to the problems of supply chain risk.

  • Supply Chain & Third Party Exposure: This score is derived from Domain Intelligence (Enumeration of Vendor Technologies from DNS and Subdomains), Technology Stack, and Cloud and SaaS Exposure. It provides a direct measure of an organization's exposure to its third-party vendors.

    • Example: ThreatNG discovers a new subdomain for a third-party vendor that has an exposed sensitive port and a known vulnerability. This would lead to a high "Supply Chain & Third Party Exposure" score, indicating the severity of the supply chain risk.

  • Cyber Risk Exposure: This score considers the parameters covered by the Domain Intelligence module, including certificates, subdomain headers, vulnerabilities, and sensitive ports. It also factors in "Code Secret Exposure," which involves discovering code repositories, assessing their exposure levels, and investigating their contents for sensitive data.

  • Breach & Ransomware Susceptibility: This score is derived from external attack surface and digital risk intelligence, which includes domain intelligence (exposed sensitive ports, exposed private IPs, and known vulnerabilities), dark web presence (compromised credentials and ransomware events and gang activity), and sentiment and financials (SEC Form 8-Ks). This helps an organization understand if the new elements of its attack surface are susceptible to being breached.

Reporting

ThreatNG's reports, which include Executive, Technical, and Prioritized (High, Medium, Low, and Informational), are essential for communicating the state of the organization's supply chain risk. These reports would detail newly discovered assets, their associated risks, and the specific vulnerabilities found.

Example of ThreatNG Helping: An executive report from ThreatNG would show a low security rating due to significant "Supply Chain & Third Party Exposure". The corresponding technical report would list specific findings, such as an exposed API key with a "High" risk level, and provide actionable recommendations, allowing the organization to enforce accountability and improve oversight.

Continuous Monitoring

ThreatNG performs continuous monitoring of an organization's external attack surface, digital risk, and security ratings. This is crucial for managing supply chain risk, as it ensures that the organization's inventory of public-facing assets is always up-to-date. As new assets are added, ThreatNG automatically discovers and assesses them, preventing them from becoming blind spots.

Example of ThreatNG Helping: A third-party vendor launches a new application on a new server. ThreatNG's continuous monitoring would automatically detect this new server, scan its exposed ports, identify its technology stack, and assess any associated vulnerabilities. This lets the organization catch assets that were deployed without going through its required pre-deployment review, and hold the vendor to that policy.

Investigation Modules

ThreatNG's investigation modules allow for a deep dive into specific areas of the attack surface, which is vital for understanding new exposures.

  • Subdomain Intelligence: This module analyzes subdomains for various factors, including HTTP responses, header analysis, cloud hosting, and open ports, and checks for subdomain takeover susceptibility.

  • Cloud and SaaS Exposure: This module identifies sanctioned and unsanctioned cloud services, open exposed cloud buckets, and various SaaS implementations. This helps an organization find and secure assets that third-party vendors have deployed without central oversight.

  • Sensitive Code Exposure: This module discovers public code repositories and uncovers digital risks by investigating their contents for access credentials, security credentials, and configuration files. This is crucial for identifying credentials that a vendor or integration partner has accidentally published, which expand the attack surface without anyone's oversight.

  • Dark Web Presence: This module tracks organizational mentions and associated compromised credentials. It can identify credentials that have been compromised and are still active due to insufficient lifecycle management.

Example of ThreatNG Helping: An investigation using the Subdomain Intelligence module reveals that a third-party vendor's subdomain is vulnerable to a subdomain takeover. This allows the security team to notify the vendor and mitigate the risk before an attacker can exploit it.
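The two Subdomain Intelligence techniques named above, enumerating vendor technologies from CNAME targets and checking for subdomain takeover susceptibility, can be demonstrated together. The following Python is an added example and is not ThreatNG's code: the vendor fingerprint table, the hostnames, and the DNS answers are constructed for the demonstration, and a real run would replace the CONSTRUCTED_DNS lookup with a live resolver.

```python
"""Vendor enumeration from DNS plus dangling-CNAME (subdomain takeover) check.

Added example, not ThreatNG code. The fingerprint table, hostnames and DNS
answers are constructed; swap CONSTRUCTED_DNS for a real resolver to use it.
"""
from dataclasses import dataclass

# Assumed CNAME-suffix -> vendor fingerprints (a production table is far larger).
VENDOR_FINGERPRINTS = {
    "github.io": "GitHub Pages",
    "azurewebsites.net": "Azure App Service",
    "zendesk.com": "Zendesk",
}

# Constructed stand-in for live DNS: name -> (record type, targets).
# A name absent from the table models an NXDOMAIN answer.
CONSTRUCTED_DNS = {
    "www.example.com": ("A", ["203.0.113.10"]),
    "help.example.com": ("CNAME", ["example.zendesk.com"]),
    "example.zendesk.com": ("A", ["203.0.113.20"]),
    "docs.example.com": ("CNAME", ["example-docs.github.io"]),
    "example-docs.github.io": ("A", ["203.0.113.30"]),
    # The vendor deleted this app, so legacy-portal.azurewebsites.net no longer
    # exists: the CNAME dangles and the name could be claimed by an attacker.
    "portal.example.com": ("CNAME", ["legacy-portal.azurewebsites.net"]),
    "cdn.example.com": ("CNAME", ["example.cdn-partner.example"]),
    "example.cdn-partner.example": ("A", ["203.0.113.50"]),
}

# The organization's own subdomains, e.g. from certificate transparency (constructed).
ORG_SUBDOMAINS = ["www.example.com", "help.example.com", "docs.example.com",
                  "portal.example.com", "cdn.example.com"]


@dataclass(frozen=True)
class Finding:
    subdomain: str
    cname_target: str
    vendor: str      # matched vendor, or "unknown"
    dangling: bool   # CNAME target does not resolve


def fingerprint_vendor(target: str) -> str:
    """Match on a label boundary only, so github.io.evil.example is not GitHub."""
    for suffix, vendor in VENDOR_FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            return vendor
    return "unknown"


def resolves(name: str, dns=CONSTRUCTED_DNS, max_hops: int = 8) -> bool:
    """Follow a CNAME chain; False on NXDOMAIN, a loop, or an over-long chain."""
    seen = set()
    current = name
    for _ in range(max_hops):
        if current in seen:
            return False
        seen.add(current)
        record = dns.get(current)
        if record is None:
            return False
        rtype, targets = record
        if rtype != "CNAME":
            return True
        current = targets[0]
    return False


def enumerate_vendors(subdomains, dns=CONSTRUCTED_DNS):
    """One Finding per subdomain that is delegated to another party via CNAME."""
    findings = []
    for sub in subdomains:
        record = dns.get(sub)
        if record is None or record[0] != "CNAME":
            continue
        target = record[1][0]
        findings.append(Finding(sub, target, fingerprint_vendor(target),
                                not resolves(target, dns)))
    return findings


def vendor_inventory(findings):
    """Vendor -> the organization's subdomains that depend on it."""
    inventory = {}
    for f in findings:
        inventory.setdefault(f.vendor, []).append(f.subdomain)
    return inventory


def takeover_candidates(findings):
    return [f for f in findings if f.dangling]


if __name__ == "__main__":
    found = enumerate_vendors(ORG_SUBDOMAINS)
    print(vendor_inventory(found))
    for f in takeover_candidates(found):
        print("TAKEOVER CANDIDATE", f.subdomain, "->", f.cname_target, f.vendor)
```

NXDOMAIN on the CNAME target is only one takeover signal. Several providers answer DNS for any name under their domain and reveal an unclaimed resource only in the HTTP response, so a complete check also fetches the host and matches provider-specific "no such site" fingerprints, which this example leaves out. Whether the name can actually be claimed still depends on the provider's registration rules, so a dangling CNAME is a candidate to verify with the vendor, not a confirmed takeover.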

Intelligence Repositories

ThreatNG's intelligence repositories, known as DarCache, provide critical context for assessing the risks associated with supply chain risk.

  • Compromised Credentials (DarCache Rupture): This repository contains information on compromised credentials. If a third-party vendor's credentials are found in a list of compromised credentials, it is a direct indicator of increased supply chain risk.

  • Vulnerabilities (DarCache Vulnerability): This repository includes information from NVD, EPSS, and KEV, providing a holistic approach to managing external risks by understanding their real-world exploitability and potential impact.

  • Ransomware Groups and Activities (DarCache Ransomware): This repository tracks over 70 ransomware gangs. This information could be used to identify if a third-party vendor is being targeted by a ransomware gang that uses supply chain attacks as an initial entry vector.

Example of ThreatNG Helping: The DarCache Rupture repository identifies a set of compromised credentials, including a service account password for a critical third-party application. This provides a direct indicator of a threat to the organization's supply chain.
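The Vulnerabilities repository above combines NVD, EPSS, and KEV so that findings are ranked by real-world exploitability rather than by severity alone, and the Supply Chain & Third Party Exposure score rolls findings up to the vendor level. The following Python is an added example and is not ThreatNG's code; it shows how such a ranking and roll-up can be done. The assets, vendors, CVE identifiers, and scores are constructed placeholders, and the tier thresholds are assumptions.

```python
"""Rank vendor-asset vulnerabilities by real-world exploitability (KEV, EPSS)
rather than by CVSS alone, then roll the result up per vendor.

Added example, not ThreatNG code. Assets, vendors, CVE identifiers and scores
are constructed placeholders; the tier thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnFinding:
    asset: str     # externally observed vendor host
    vendor: str    # third party that operates it
    cve: str       # constructed placeholder, not a real CVE ID
    cvss: float    # CVSS base score, 0-10 (from NVD)
    epss: float    # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool   # present in CISA's Known Exploited Vulnerabilities catalog


CONSTRUCTED_FINDINGS = [
    VulnFinding("portal.vendor-a.example", "Vendor A", "CVE-0000-0001", 9.8, 0.02, False),
    VulnFinding("api.vendor-a.example", "Vendor A", "CVE-0000-0002", 7.5, 0.91, True),
    VulnFinding("mail.vendor-b.example", "Vendor B", "CVE-0000-0003", 5.3, 0.01, False),
    VulnFinding("www.vendor-c.example", "Vendor C", "CVE-0000-0004", 8.1, 0.12, False),
    VulnFinding("cdn.vendor-b.example", "Vendor B", "CVE-0000-0005", 6.5, 0.45, False),
]

TIER_ORDER = {"P1": 0, "P2": 1, "P3": 2, "P4": 3}


def tier(f: VulnFinding) -> str:
    """Assumed policy: anything in KEV is P1 because exploitation is confirmed;
    otherwise EPSS (likelihood) or CVSS (impact) can each raise the tier."""
    if f.in_kev:
        return "P1"
    if f.epss >= 0.30 or f.cvss >= 9.0:
        return "P2"
    if f.epss >= 0.05 or f.cvss >= 7.0:
        return "P3"
    return "P4"


def prioritise(findings):
    """Tier first, then most likely to be exploited, then highest impact."""
    return sorted(findings, key=lambda f: (TIER_ORDER[tier(f)], -f.epss, -f.cvss))


def vendor_rollup(findings):
    """Per vendor: worst tier and number of findings, the supply-chain view."""
    rollup = {}
    for f in findings:
        t = tier(f)
        entry = rollup.setdefault(f.vendor, {"worst_tier": t, "findings": 0})
        entry["findings"] += 1
        if TIER_ORDER[t] < TIER_ORDER[entry["worst_tier"]]:
            entry["worst_tier"] = t
    return rollup


if __name__ == "__main__":
    for f in prioritise(CONSTRUCTED_FINDINGS):
        print(tier(f), f.vendor, f.asset, f.cve, f"cvss={f.cvss} epss={f.epss}")
    for vendor, entry in sorted(vendor_rollup(CONSTRUCTED_FINDINGS).items()):
        print(vendor, entry)
```

The point of the constructed data is the ordering: a CVSS-only sort would put the 9.8 finding on portal.vendor-a.example first, while the KEV-listed 7.5 on api.vendor-a.example, which is being exploited in the wild, is the one to raise with the vendor today.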

Synergies with Complementary Solutions

Other security solutions can complement ThreatNG's external focus on supply chain risk.

  • Vendor Risk Management (VRM) Platforms: ThreatNG's external discovery and assessment of third-party vendors' attack surfaces can be fed into a VRM platform. This allows an organization to automate the monitoring of its vendors' security postures, providing a continuous, outside-in view of their risk.

  • Cloud Security Posture Management (CSPM): ThreatNG's external discovery of exposed cloud assets and services can be complemented by a CSPM. The CSPM would perform a deeper, internal scan of the cloud environment to ensure that the newly discovered assets adhere to internal security policies and do not have misconfigurations that could lead to further attack surface expansion.

  • Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) Platforms: ThreatNG's alerts on newly discovered assets or critical vulnerabilities can be ingested by a SIEM for consolidated logging. A SOAR platform can then use these alerts to automate response actions, such as restricting the organization's own connectivity to a newly discovered vulnerable vendor asset, or triggering a workflow to notify the team or vendor responsible for it.

  • Governance, Risk, and Compliance (GRC) Platforms: ThreatNG’s External GRC Assessment identifies exposed assets, vulnerabilities, and digital risks from an outside-in perspective and maps these findings directly to relevant GRC frameworks. This information can be fed into an internal GRC platform to automate the tracking and management of compliance gaps, helping to enforce stronger oversight and control.
