Using Dark Web Monitoring For Supply Chain Cybersecurity

The Threat to the supply chain

Supply chain cybersecurity is a persistent thorn in the side of organizations of all sizes. Threat actors have realized that compromising a supply chain company can act as a force-multiplier for them (why work hard to break into just one business when you can hack a supplier and gain access to many?) and have turned their attention to third party software as one of their favorite targets. 

This trend is illustrated by the fact that the supply chain was responsible for 62 percent of system intrusion incidents in the past year (according to the Verizon DBIR) and through attacks such as SolarWinds, one of the most infamous incidents of all time.

Getting to grips with supply chain cybersecurity

In spite of the known threat, security teams struggle to get to grips with managing their supply chain cybersecurity. In fact, concerning data released by the UK Government found that only 13 percent of businesses review the risks posed by their immediate suppliers. This isn’t apathy or laziness, it is the consequence of three intrinsic difficulties in applying cybersecurity to third parties:

1. Supply chains are large and complex – There is no getting around the fact that modern organizations are reliant on a complicated ecosystem of partners, suppliers, and vendors – which creates a tangled web of interconnected risk. It is difficult enough for organizations to get a hold on their own infrastructure’s security, let alone take responsibility for others.
2. Companies have limited access to their suppliers’ systems – Anything outside of an organization’s own infrastructure is difficult for security teams to gain visibility of. In many cases it is impractical (or, from a suppliers perspective, unreasonable) for a company to gain access to their supplier’s network or software in order to review its security.
3. Supply chain security relies on trust – An organization can write security requirements and compliance clauses into their contracts to their heart’s content, but it doesn’t change the fundamental fact that they then have to rely on their supplier to implement the correct security controls. Moreover, even if the supplier is sticking to the letter of the law, it doesn’t mean that cybercriminals won’t find a compromise that the Cyber Risk and Compliance team hadn’t thought of.

The inability to gain visibility or control of supply chain cybersecurity often means that organizations write it off as a futile task. However, there is an alternative source for monitoring threats against third parties that organizations can use to inform their supply chain threat management.

Monitoring the dark web for supply chain threats

Yesterday we officially launched the multi-tenancy capability of our dark web monitoring solution, DarkIQ, which allows our customers to add multiple company profiles to their account. One of the many benefits of multi-tenancy is that it gives enterprise security teams the ability to easily assess the clear, deep, and dark web exposure of their suppliers.

Continuously monitoring marketplaces, forums, and chats for their supplier’s key attributes – including employee credentials, IP addresses, company datasets, devices, and software – can alert the enterprise to suspicious activity that may indicate a potential attack against their supply chain. For example:

• Chatter about a supplier in a dark web forum – could indicate that the supplier has been identified by cybercriminals as a potential access point, so the organization should tighten its security around that particular third party.
• A supplier’s corporate credentials on a dark web leak site – might indicate that the company has already been breached and should prompt a closer view of the supplier’s security – especially if it hasn’t disclosed an attack. It will also alert the organization that the supplier is at further risk of being attacked again using employee logins.
• An exploit for a supplier’s software being sold on a dark web marketplace – would alert a company to the vulnerability, allowing them to patch before they are attacked.

We have seen these instances in the wild. Read our previous blog: Three Times Supply Chain Compromise Was Visible On the Dark Web for examples of how some of the biggest attacks via supply chain companies (including the likes of Kaseya and Kronos) began with cybercriminals discussing their plan of action and selling initial access on the dark web.

The benefits of monitoring the dark web exposure of multiple suppliers

As well as negating the limitations of applying cybersecurity to the supply chain by removing an organization’s reliance on access to their supplier’s infrastructure, dark web monitoring has the added benefits of also allowing organizations to:

• Identify attacks earlier in the Cyber Kill Chain – Monitoring the dark web allows organizations to spot cybercriminals while they are still in the early reconnaissance stages of their attack. This gives the security team valuable time to warn their supplier and take their own defensive actions if they identify suspicious behavior.
• Gather actionable threat intelligence – Knowledge of what vulnerabilities cybercriminals are developing, selling, or trying to compromise also helps organizations to prioritize their cybersecurity efforts and resources, armed with more knowledge on the most likely path of attack.
• Do their own risk assessments on their suppliers – Organizations can’t access their supplier’s infrastructure or run vulnerability scans on their software, but they can monitor the dark web to find out if they have been exposed without relying on the supplier at all.

NCSC Guidance

Dark web monitoring can also be mapped to many of the steps suggested by the UK’s National Cyber Security Centre (NCSC) in the supply chain cybersecurity guidance it released in October, including:

• Monitor supplier security performance – “Monitoring vulnerabilities in your supplier’s cyber resilience on a regular basis will help you to identify where there are shortfalls and to work with your suppliers to address them (before they are exploited and become an issue).”
• Maintain awareness of evolving threats and update practices accordingly – “it is important to recognize that the threat landscape, procurement and supply chains are continuously evolving […] Maintain awareness of emerging threats and use the knowledge acquired to update your supply chain cyber security accordingly.”
• Collaborate with your suppliers – “use your awareness of evolving threats and your suppliers’ cyber resilience to raise concerns regarding any identified vulnerabilities.”

The ability to assess the dark web exposure of their supply chain is a new way that organizations can gain the upper hand on cybercriminals, who rely on the lack of visibility into suppliers to execute their attacks.