The Solarwinds supply chain attack highlights the the danger and reality of third-party breaches. Businesses globally are now realizing that their vendors may not be as secure as they originally thought.
The concerning truth about vendor relationships is that you can never be confident of a prospective vendor's cybersecurity. In fact, onboarding new third-party vendors increase your digital risk and the likelihood of becoming victim to a third-party breach.
Thankfully, there are solutions you can implement to strengthen your vendor's data security and a series of signs that could be evidence that your vendor has been compromised.
To reduce the likelihood of vendor-related cyber attacks, we have developed a list that should help you to identify suspicious behavior from your vendors.
15 Indicators Your Vendor Has Been Breached
1. Your Vendor Has Been Breached Before.
If your vendor has been breached in the past, they are more likely to be breached again, unless they have taken ownership of their attack surface.
This vicious cycle of breaches occurs when compromised vendors leave exploited vulnerabilities unpatched, and when backdoors from previous cyber attacks remain open.
How to Check If Your Vendor Has Been Breached in the Past
The best method is to reference databases that keep records of historical data breaches.
Here are three options:
Have I Been Pwned?
The website Have I Been Pwned? lists all of the data breaches linked to a specific email. If you're querying a vendor you're currently in partnership with, search the email address you used to sign up to see if the business has suffered a breach.
If you find that your email address has been linked to a data breach, you should immediately change all passwords associated with that address, especially passwords for internal logins.
Ideally, you should be scrutinizing a vendor's breach history BEFORE onboarding them, to avoid unpleasant surprises.
Biggest Data Breaches Post by UpGuard
UpGuard regularly updates a post of the biggest data breaches. Reference this post to see if your vendor is listed.
U.S Department of Health and Human Services
The U.S Department of Health and Human Services keeps an updated record of all cyber attacks within the health sector currently under investigation.
2. The Vendor is Not Transparent About Their Security Practices
If a vendor does not provide clear and substantial responses to risk assessments, they could be concealing gaping holes in their information security program.
Challenging potentially dubious responses requires more evidence than just a hunch. Security ratings offer more tangible evidence of untruthful claims because they offer an objective security posture standard vendors cannot easily challenge.
3. You Notice Suspicious Activity on Your Credit Card Statement or Bank Account
Noting additional charges outside of your agreed payment plan should spark serious concern. Before contacting the potentially compromised vendor, contact your bank to put a temporary hold on your card.
All vendors are obligated by law to instantly notify their users when they fall victim to a cyber attack. Vendors transacting in Europe, are bound by the General Data Protection Regulations (GDPR), which allows a very limited window to investigate and report data breaches.
Your vendor may not be aware that they've been compromised before you contact them. This is why it's important to secure all linked payment pathways before investigating such clearly suspicious incidents.
4. Your Organization Receives an Email from the Vendor Asking for Sensitive Information, Such as Passwords and Social Security Numbers
A phishing attack is commonly the second phrase of a cyber attack after a perimeter is penetrated. Threat actors do this to escalate their access privileges so that they can connect to highly sensitive resources.
A phishing attack may not necessarily be evidence that a perimeter has already been penetrated, it could by cybercriminals seeking credentials that could facilitate internal access.
These schemes are becoming increasingly convincing, which is why so many third-party data breaches are linked to staff falling for phishing attacks.
To disrupt this concerning trend, organizations should implement cyber risk awareness training to educated staff on the warning signs of attack attempts.
The following links open articles about common cyber attack methods that can be used for awareness training in the workplace.
5. You Receive a Notification that Your Password Needs to be Changed Because it's Been Compromised
These notifications may be legitimate emails from compromised vendors or a phishing attack that will steal your login information when you submit your old password. Always reset passwords directly through the software in question, and never via email links.
When querying such emails, be sure to compose a new email and never reply to suspicious emails. Even if the sender address seems legitimate, it could still be sent from a cybercriminal that has forged the sender address.
6. You Notice Unusual Behavior on the Website You Use with This Vendor (e.g., login issues)
If a vendor's website or mobile app is behaving suspiciously, a cyber attack could be taking place. Continued interaction could make you fall victim to a clickjacking attack.
7. Your Vendor is Not Responding to Your Requests
Vendors are obligated by law to report all data breaches to their customers. The natural extension of this requirement is the liberal provision of detail about possible data breach events.
If a vendor is unresponsive, you should assume a cyber attack is taking place and immediately follow your Incident Response Plan.
Silence is a defending response to security posture inquiries
8. You Notice a Spike in the Number of Failed Logins
If despite your certainly of submitting the correct credential, you still cannot log into a vendor's software, immediately change all passwords linked to that email address, and do not follow the password reset sequence on your vendor's website.
9. The Vendor's Website Has Been Defaced
This is a rare occurrence but it does happen. Not all cybercriminals compromise websites to steal sensitive information, some do it to cultivate their hacking acuity.
Here's an example of a website defacement attack.
10. The Vendor is Sending You Emails with Attachments
Unless it's linked to a specific conversation, it's very rare for vendors to send you emails with attachments. These attachments should not be opened as they may be infected with Malware.
11. You Receive a Call About Unusual Activity on Your Account
Such calls are rare and should be treated with the greatest suspicion. Scrutinize the caller by asking for specific details, If they provide little information, or deny any further details for 'security reasons, hang up immediately and change all passwords linked to the email used for the vendor's software.
12. Your Vendor's Website is Down
If your vendor's website loads unusually slowly, or you see a 503 server unavailable error, it could be evidence of a DDoS attack taking place.
13. Unusual Login Hours
If your tracking can monitor network activity between your internal resources and your vendors, establish a baseline for normal interaction and keep an eye out for login attempts outside of normal hours.
14. When You Load Your Vendor's Website, You're Redirected to a Malicious Website
This type of attack is known as DNS spoofing, where DNS queries return an incorrect response, redirecting users to a malicious website.
DNS spooring is very difficult to detect when you're a website visitor. The best way to predict the likelihood of a DNS hijacking attack is through a vendor risk management solution capable of detecting such vulnerabilities in your vendor network.
15. Unusually Large File Transfers
Vendors require access to internal resources for successful integration. This is why so many businesses fall victim to a data breach when a vendor is compromised in a supply chain attack.
To detect unauthorized access, honeytokens should be strategically deployed around all sensitive resources.
How to Respond When a Vendor is Hacked
After confirming that a vendor has been breached, there are steps you can take to minimize the impact on your organization and future occurrence. Speed is imperative as it can be the difference between securing an exposure and a devastating data breach.
Follow this process to accelerate your third-party breach response efforts.
1. Stop Additional Data loss
If the breach has progressed to the exfiltration of your sensitive data, you must disconnect all affected equipment immediately. Forensic experts will need to review all malicious activity to track down the malicious sources, so don't turn off any targeted machines until forensic experts arrive.
If you have the redundant-infected machines, replace your comprised machines with them, just make sure threat actors no longer have network access and all passwords are reset.
If your internal credentials have been comprised, your ecosystem will remain in danger of further attacks until they are changed.
2. Mobilize Incident Response Plan
To prevent further data loss and isolate any compromised systems, your breach response team needs to be mobilized immediately.
3. Remediate all Security Vulnerabilities
To prevent further compromise and future third-party breaches, you should remediate the vulnerabilities associated with the compromised service provider These security gaps can only be detected with a third-party risk management solution capable of high-dimensional attack surface scanning.
4. Detect and Remediate Data Leaks
Data leaks are involuntary exposures of sensitive and personal data. If they're discovered by cybercriminals, they could develop into a data breach. To prevent being impacted by third-party breaches, a date leak detection engine should be integrated into your security program.
However, most data leak detection solutions are only capable of addressing internal data leaks. UpGuard possesses one of the only data leak management solutions capable of resolving both internal and third-party data leaks.
Protect Your Business from Third-Party Breaches with UpGuard
UpGuard combines a proprietary vendor data leak detection engine, with the world's leading third-party attack surface monitoring solution to offer the most comprehensive protection against third-party breaches.
