The Third-party Attack Angle: Why It’s Increasing and 8 Tips to Bolster Defenses

Cybercrime has become a common headline news topic. But in recent years, there has been a notable spike in reports of hacks and breaches that reference third-party software or the “digital supply chain” In 2023, Bank of America, Home Depot, T-Mobile, Okta, and Citrix all saw such attacks. 

The alarming trend continues with the recent, targeted ransomware attack on a cloud-based software-as-a-service (SaaS) company. The attack has been extensive, impacting more than 15,000 of their clients across the U.S., and timed during the busy season for maximum disruption. The impact has been costly, with CBS reporting that the outage caused by the attack could result in over 100,000 fewer sales in June 2024. The attack will undoubtedly also deliver a blow to the company’s reputation within their industry.

The Third-party Vector Risk 

So why are attacks, such as the one on with this company, happening with greater frequency? From the hackers’ perspective, it’s easy to see the appeal of reaching targets indirectly through vendors and cloud providers. Cybercriminals know that big attractive targets like major financial services and healthcare organizations will have robust defenses around their own assets. But they also know that these organizations likely have relationships with dozens or even hundreds of SaaS applications and other IT providers. 

Starting there instead—with third-party software providers—provides access to a multitude of threat vectors that can yield significant results from one exploit. Once attackers gain access to that data and those networks, they can launch ransomware attacks of their own or simply sell access to others. 

Will all of these parties maintain comparable defenses? Maybe, maybe not. Just as important: Can the apps’ customers—the intended targets—monitor and police all their vendors to make sure they’re taking all of the appropriate security measures?

Minimizing the Risk Footprint

“There’s a tremendous amount of inheritance risk that you take on with supply chain software—and you don’t always have visibility within your supplier as to what they’re doing about security.” –Chief Risk Officer

Supply chain and vendor security are top of mind for CISOs, including those who took part in the recent Pure Storage CISO roundtable. They named it one of the biggest InfoSec challenges they face.

Here’s how CISOs at leading organizations are protecting themselves, reducing risk, and staying out of the headlines.

1. Engage with the reality of the new threat landscape 

CISOs and their teams clearly have plenty to do, but there’s an essential task to add to the list: instituting new policies and procedures around procurement, auditing, and monitoring of third-party providers. An ad hoc approach—or hoping vendors will protect you—is definitely not the best path forward.

2. Tame SaaS sprawl 

Every additional application is a potential attack vector. Many organizations have multiple integrations with SaaS providers. A thorough assessment might find ways to eliminate some unnecessary apps. Perhaps certain applications lack the benefits to justify newly emergent risks. Others could be made expendable by building applications in-house. Finally, the problem of engineers and staff setting up their own productivity enhancements with third-party providers—known as “shadow IT”—adds to SaaS sprawl. 

3. Put providers under a microscope 

Develop processes for assessing the security posture of the third parties connected to your networks. In-depth questionnaires and even independent audits might be appropriate, but the process should be thorough. To help, a new class of tools has appeared on the market: Third-party cybersecurity risk management (TPCRM) platforms can help manage both assessment and ongoing monitoring. 

4. Create custom compliance 

Audits can determine security posture and risk assessment, but often this information will simply conform to compliance using established standards like SOC 2 and ISO 27001. But these are baseline, one-size-fits-all guidelines. If your business’s risk profile is more complex, consider developing your own compliance regime, with specifics derived from actual business processes to screen prospective vendors and monitor ongoing relationships.  It’s important to understand, from my experience, that no one cares about your “stuff” (infrastructure, apps, security, etc) like you do.  You can’t just throw a service over the wall and expect good results. You get what you INspect, not what you EXpect…

5. Foster collaboration

Decisions to procure third-party solutions often involve numerous departments such as IT, purchasing, and InfoSec. With so many stakeholders, it’s essential to have processes that allow for input while providing a roadmap to a codified set of agreements with a limited number of hoops to jump through.

6. Employ a least-privilege model for data access 

Many cloud workflows lack access controls, giving users more access than needed for them to perform their jobs. This can be a boon to hackers, who can use one set of credentials to move laterally through data and increase their footprints. A least-privileged access model, one that restricts what users can access from their environment, could protect against this situation. 

7. Advocate for regulation 

This might seem like odd advice (who wants more regulations?), but in truth, the standards, benchmarks, and enforcement of regulation could help improve compliance, and more importantly, transparency around third-party vendor relationships. A model for regulation could be the EU’s Digital Operational Resilience Act (DORA), which strengthens and standardizes IT security and compliance for financial entities such as banks, insurance companies, and investment firms. 

8. Encourage development teams to “shift left, secure right”

In the spirit of accountability and ownership, focus on implementing “shift left” security testing earlier, and continuously, in the development lifecycle. In shift left security, security testing is integrated earlier into the beginning stages of development, compared to shift right security,

which focuses on testing in the production environment with monitoring. Shift left encourages teams to find vulnerabilities earlier and fix defects. Learn how to build an enterprise-grade secure platform in this DevSecOps technical blog series. 

Hear how CISOs are facing this and other challenges head-on with our exclusive CISO report.

Moving Forward

The recent attacks on industry leaders serve as a clear reminder of how advanced today’s cybercriminals have become—and how destructive ransomware attacks can be. While completely eliminating the risk of ransomware may not be possible, proactively putting into place the right mix of best practices and modern technologies can make all the difference. This includes having a data storage platform that enhances risk mitigation, ensures safe and secure data, and enables always-on protection.