Okay, so you’ve locked down every single one of your business’s devices. Nothing is exposed to the Internet that shouldn’t be, all traffic in and out is inspected, analysed and logged, and absolutely everything is kept as up-to-date as can be. Not only that, but you’ve invested in the best training money can buy for every single one of your employees, who are all primed to independently manage their own cyber security hygiene and to intelligently respond to any and all threats and attacks that come in. Nothing’s getting through—your company data, your clients’ data and your customers’ data are all safe.
Then, one day, you arrive at the office to find it in chaos. Somehow, despite all of your best efforts, you’ve been breached. You were so careful, so thorough—how could this have happened?
You are only as secure as the company you keep, and in the modern technological ecosystem the company a company keeps is increasingly becoming a crowd. Particularly in the retail industry, but by no means exclusive to them, companies ‘rely on armies of third-party services to boost engagement and optimize the customer experience on their websites’. Complex, international supply chains require the assistance of many smaller, local companies, operating under differing regulatory regimes and under differing levels of scrutiny.
What all this means is that an attacker interested in breaching your company will not necessarily attack your company. Why deal with evading all the security and intrusion detection that a well-prepared business might have in place when you could just find an upstream company that provides it with some service or tool—a company that might appear to its CISO as little more than a footnote—and perhaps operates less securely? Get into them, and you’ve not only got a route into your actual target, but your activity comes pre-disguised as expected, legitimate activity.
In many cases, targeting these upstream companies may even be the goal, with compromising you as a side-effect. With some services being used simultaneously by thousands or millions of different companies, they quickly become incredibly enticing targets for cybercriminals.
An example of this is the Magecart constellation of distinct cybercriminal groups, united by a common criminal methodology, as detailed by Trend Micro and in a joint report by RiskIQ and Flashpoint. At least two of these groups (Group 5 as identified in the joint report and Group 12 as identified in the Trend Micro article) operate by compromising a popular third-party e-commerce service and inserting credit card skimming code into the service itself; the tampered code is then automatically pushed to every e-commerce system that employs the third-party service, as happened in the case of the Adverline online advertisement service.
In addition, and as has been mentioned previously on this blog, the compromise of a third-party provider of accounting software is believed to have been the means by which the 2017 NotPetya malware attack was pulled off.
So that’s the threat. In the next post, we’ll provide some suggestions for how to mitigate it.