Breaches resulting from a third party were up 68% last year, primarily due to software vulnerabilities exploited in ransomware and extortion attacks.

Supply chain breaches have been on the rise for some time now. According to Verizon’s latest Data Breach Investigations Report (DBIR), that rise has been especially steep over the past year. Some 15% of all breaches in 2023 involved a third party, a marked increase from 9% in 2022. Part of that jump, though, reflects a change in how Verizon counts supply chain breaches rather than a change in what attackers are doing.

In this year’s DBIR, Verizon Business expanded its definition of “supply chain breach” to include not just compromises through vendors (e.g., Target in 2013), data custodians (MOVEit), and software updates (SolarWinds), but also vulnerabilities in third-party software.

Exploited vulnerabilities were, in fact, the most common Vocabulary for Event Recording and Incident Sharing (VERIS) action tracked as part of DBIR’s supply chain metric, followed by backdoors/command-and-control (C2) and extortions. “Last year in the ransomware space, we saw — whether they’re researching them themselves, or buying them — [threat actors] got their hands on so many zero-day vulnerabilities,” says Alex Pinto, associate director of threat intelligence at Verizon Business and co-author of the DBIR.

But should attacks like these be considered a supply chain issue? Could organizations benefit from treating all of these different attack vectors as one category?

Treating CVEs as a Supply Chain Issue

Of third-party bugs, Pinto recalls, “As we looked into it, we thought this looked like it might be not just a vulnerability management problem, but a vendor management problem in some ways. That’s when we decided: ‘How about we try to look at this holistically?’”

To the DBIR team, addressing third-party bugs involves more than patching them as they appear. It is also about how organizations choose and engage with their vendors. No organization can prevent every potential vulnerability in the software it uses, but vendors do “leak” certain kinds of signals that indicate how trustworthy they are.

For example, Pinto says, “We’ve been getting more external signals recently when you think about the work that the SEC is doing. Now, when something really bad happens, [vendors] have to tell the SEC. So that gives us more signals about: Are they doing a good job or not?”

In its report, Verizon Business recommended that organizations start looking at ways of making better choices “so as to not reward the weakest links in the chain.” The consequences of making the wrong choices will inevitably be more vulnerabilities to deal with down the line.

“There are things we can control and things we cannot control in the vendor management process. So we have to take into account those kinds of external signals, and how we can use that to improve our posture and encourage our vendors to have better posture,” Pinto says.

Source: www.darkreading.com