For those looking to monitor risks from third parties, it’s been a stressful few months. Back in December, FireEye released research on the role of UNC2452 in the SolarWinds compromise. The most recent assessment estimated the SolarWinds breach impacted more than 100 organizations. More recently, on March 2nd, Microsoft released an advisory to discuss the detection of multiple zero-day exploits used to compromise on-premises versions of Microsoft Exchange Server. Brian Krebs estimates that this vulnerability has impacted 30,000 organizations. (You can view our MITRE ATT&CK mapping in our recent blog Mapping MITRE ATT&CK To The Microsoft Exchange Zero-Day Exploits)
The challenge for security professionals is ensuring that suppliers aren’t exposing their systems or data. This is even more challenging if the organization uses lots of suppliers. The number of suppliers can range from tens to thousands, and in some cases hundreds of thousands. Unsurprisingly, we’ve had a few questions about how we help our clients with such high-profile compromises. Here are the top four ways Digital Shadows helps monitor for risks coming from suppliers.
Keep Track of Incidents Affecting Suppliers
When any of these significant events occur, such as the SolarWinds compromise or the Microsoft Exchange Server vulnerability, we will declare a Major Incident.
Clients then receive a report from the Photon team, our in-house global team of security researchers, and additional monitoring to keep them in the loop. All of these Intelligence Updates are tied together by an “Event” profile. You can see an example of the SolarWinds event profile Updates in the timeline below.
Of course, suppliers being impacted by breaches and vulnerabilities happens all the time. SearchLight users can track a multitude of such incidents as they are announced and develop within the SearchLight portal. This includes organizations named on ransomware dump sites, where datasets referencing other organizations often become exposed.
Detecting Third-Party Data Exposure
Monitoring for data exposure is critical. On top of detecting data exposure by ransomware targets, our data leakage detection capability allows organizations to detect documents inadvertently exposed by third parties across many data sources. In a recent report from Photon Research, Too Much Information: The Sequel, it was identified that a small IT consulting company in the United Kingdom had over 212,000 files exposed by a third party. In this case, passwords were exposed in plain text, and in two instances the password lists included the passcode to an individual’s cell phone.
This is just one of many real-life examples. There have been many other instances of contractors and third parties exposing sensitive data via misconfigured devices and file-sharing services. Our research findings showed that there were 700,000 instances of payroll information, 65,000 tax return documents, 700 penetration tests, and 5,800 documents on security audits.
Monitor Credentials Associated with Third-Party Applications
Earlier research by the Photon Research Team highlighted that criminals are constantly on the hunt for your business emails (Business Email Compromise: When You Don’t Need to Phish). If credentials are obtained, say from a breach, this could result in an account takeover. Using SearchLight, organizations can continuously monitor for credentials in breaches to prevent account compromise. We’ve currently collected more than 20 billion credentials – a number that continues to grow.
Tailor your monitoring via Shadow Search
Using the ‘Saved search’ function in Shadow Search, you can easily monitor for mentions of third parties across our public intelligence library (as described above), but also any mentions across blog posts, dark web sources, and more.
The specific type of search varies by the kind of supplier. For software vendors, users often search for newly announced vulnerabilities, such as with the query below.
Supplier 1 AND (“vulnerability” OR “exploit” OR “zero day” OR “0Day” OR “malware” OR “ransomware” OR “breach”)
Alternatively, for non-software suppliers, users are interested in tracking ransomware attacks, breaches, or other types of attack:
Supplier 2 AND (malware OR ransomware OR breach* OR hack OR “Dump”)
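As an added example (not Digital Shadows’ code), the small Python evaluator below runs the two saved searches above over constructed sample mentions. The Shadow Search syntax is only assumed here from those two queries: AND/OR with parentheses, quoted phrases, and a trailing * wildcard; the supplier placeholder is quoted so a multi-word name is matched as one phrase. It also shows why the first query’s quoted “breach” would not match a headline saying “breaches”, while breach* in the second query would.

```python
import re

# Constructed sample mentions, as an alert feed might surface them; not from the page.
SAMPLE_MENTIONS = [
    "Supplier 1 patches critical vulnerability in its remote access product",
    "Supplier 1 opens new office in Manchester",
    "Supplier 2 confirms breaches of its customer database",
]
# The two saved searches from the post; supplier placeholder quoted as one phrase (assumed syntax).
SOFTWARE_VENDOR_QUERY = '"Supplier 1" AND ("vulnerability" OR "exploit" OR "zero day" OR "0Day" OR "malware" OR "ransomware" OR "breach")'
OTHER_SUPPLIER_QUERY = '"Supplier 2" AND (malware OR ransomware OR breach* OR hack OR "Dump")'
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()"]+')  # quoted phrase, parenthesis, or bare word (may end in *)

def term_matches(term, text):
    # Case-insensitive whole-word match; a trailing * accepts any continuation (assumed syntax).
    word = re.escape(term.strip('"').rstrip("*"))
    tail = r"\w*" if term.endswith("*") else r"\b"
    return re.search(r"\b" + word + tail, text, re.IGNORECASE) is not None

def evaluate(query, text):
    # Recursive-descent evaluation; AND binds tighter than OR, parentheses group.
    tokens = TOKEN_RE.findall(query)
    pos = 0
    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos].upper() == "OR":
            pos += 1
            result = parse_and() or result  # always evaluate the right side so pos advances
        return result
    def parse_and():
        nonlocal pos
        result = parse_atom()
        while pos < len(tokens) and tokens[pos].upper() == "AND":
            pos += 1
            result = parse_atom() and result
        return result
    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            inner = parse_or()
            pos += 1  # consume the closing ")"
            return inner
        return term_matches(tok, text)
    return parse_or()

def run_saved_search(query, mentions):
    return [m for m in mentions if evaluate(query, m)]  # the mentions a saved search would alert on
```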
See for Yourself in SearchLight
This combines with SearchLight’s data leakage monitoring capability to give you unprecedented visibility into the data exposed by third parties.