While third-party products and services are crucial to everyday business operations for almost any company, they also present significant security concerns, as high-profile attacks including SolarWinds and MOVEit laid bare. Trustwave research shows the attacks vary by industry but also makes clear the best defense is the stringent application of the latest security measures, including penetration tests, vulnerability scans, and managed detection and response (MDR) services.
A series of recent reports by Trustwave’s SpiderLabs team examined the threat landscape in vertical industries, including financial services, hospitality, manufacturing, retail, and education. Trustwave SpiderLabs has hundreds of security professionals working worldwide, with deep experience in various security realms, including original threat research. Simply put, they are on top of the latest global threats.
A quick look at the third-party threats Trustwave SpiderLabs has observed in various vertical industries is enough to get a sense of the problem's scope.
Financial services: The report noted a sharp rise in successful attacks from third-party software and services, including high-profile, supplier-based attack vectors like SolarWinds, 3CX, and MOVEit. “These attacks can be considered a flanking maneuver because they target the ‘weak side’ of an organization,” the report said. “Through this approach, attackers can access the targeted company’s data and infrastructure even though the company itself may have a relatively high-security maturity.”
The ransomware group Clop has been "heavily associated" with the MOVEit file transfer software vulnerability, the report says: “We have seen hundreds of organizations impacted by this vulnerability, leading to successful breaches. Notable financial services organizations have already publicly reported being affected, including large, well-funded institutions like Deutsche Bank, ING Bank, Charles Schwab and TD Ameritrade, among others.”
Manufacturing: Supply chains, a fundamental component of the manufacturing industry, rely on interdependence. That means a disruption within any part of the chain can trigger substantial downtime across the entire production spectrum. For example, a 2022 ransomware attack against a major supplier led a large Japanese automaker to partially take down its manufacturing processes.
Calling it “one of the most significant supply chain attacks worldwide,” the Trustwave manufacturing report said the downtime caused the company a five percent drop in production.
Retail: The retail industry similarly relies on third-party vendors for services, including point-of-sale (POS) systems, payment processing, supply chain management, and customer relationship management. As the Trustwave Retail Sector Threat Landscape report states: “Point of Sale (POS) systems are a prime target for cybercriminals, as they contain sensitive customer data such as credit card numbers. If a POS system is compromised, criminals could steal and use this data to commit fraud.”
Payment processors are also a target. If compromised, “criminals could steal money from retail businesses or their customers,” the report said.
Most of these threats are not unique to a given vertical. The hospitality industry, for example, faces many of the same threats as retail because both rely on POS systems, payment processing, CRM, and more. The MOVEit vulnerability was a factor in numerous industries, including not just financial services but retail, hospitality, and education.
The SpiderLabs team offered specific measures to mitigate third-party risks for each vertical. Some that can apply to almost any vertical include:
While this is all sound advice, let’s add one more bullet point. Applying the “latest security measures” implies implementing security operations with 24/7 threat monitoring, event correlation, incident investigation, and response capabilities or, if resources are limited, enlisting a managed detection and response (MDR) service. Adopting the latest security measures also includes deploying endpoint detection and response (EDR), security information and event management (SIEM), and other tools. These solutions generate alerts when they detect anomalies that indicate a potential breach.
Such alerts are helpful, but only if you have the security expertise in-house to accurately assess them in a timely manner. That can be a tall order, given these systems tend to produce a deluge of alerts, the vast majority of which are false positives.
An MDR provider takes on the task of receiving and assessing those alerts. A mature MDR provider will also determine the root cause of the alerts and help with the response. In that regard, it's helpful if your MDR provider also offers related services, such as:
All this should be underpinned by a dedicated team of threat researchers that study the latest tactics, techniques, and procedures of international cyber threat groups, as Trustwave SpiderLabs does.
Third-party threats are all too real, as the Trustwave vertical industry threat report series makes clear. The reports offer sound advice on the issues CISOs and other security professionals need to be aware of to protect their organizations and the mitigation measures to consider. MDR certainly needs to be in that mix. To learn more, visit Trustwave’s MDR page.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.