July 2024

null

The ability to identify common vulnerabilities within widely used software can help build a proactive defense against supply chain attacks, while also reducing their systemic potential, explains Johnty Mongan, Gallagher's global head of Cyber Risk Management.

Last year, a supply chain attack took place on 620 organizations through a vulnerability in the software known as the MOVEit Transfer Tool. The attack, which was linked to ransomware group Clop, saw thousands of people's private data stolen.

Such attacks are both common and on the rise. In 2020, the SolarWinds Orion Platform — which more than 30,000 public and private organizations use to monitor and manage IT infrastructure — suffered a similar attack. There, a group known as Nobelium used the Sunburst backdoor to gain access to the networks, systems and data of thousands of the firm's customers, including private companies and governmental bodies.

The costs of supply chain attacks are rising. By 2025, damages incurred by cybercrime are expected to total $10.5 trillion, with the average data breach costing organizations $1.3 million1.

Intrusions like the MOVEit attack have a wide footprint because they target commonly used software that thousands of firms rely upon.

More complex supply chains

If there's an issue within a particular piece of software, the same vulnerability may be present across thousands — or even millions — of machines, particularly where these issues are left unpatched. Moreover, information on where to find common vulnerabilities so they can be exploited is readily available to malicious actors operating on the dark web, as part of an ecosystem of cybercrime2.

And many firms now outsource their IT management, which has resulted in a loss of in-house expertise.

When an attack occurs, companies are often dependent on external companies for assistance. When a supply chain attack takes out multiple organizations, third-party breach response firms may themselves be overstretched and unable to respond as quickly.

Despite the growing threat, many companies are losing sight of their supply chains.

While 55% of large organizations review supply chain risks, reviews are relatively rare across the board, according to the UK National Cyber Security Centre (NCSC)3. It found that just one in 10 firms overall were assessing the risks posed by their immediate suppliers.

Identifying common vulnerabilities

There are things that organizations can do to build IT resilience. The first is to build good cyber hygiene so firms can avoid becoming the low-hanging fruit. This hygiene involves identifying and regularly updating software to ensure points of weakness are proactively addressed.

Luckily, cyber experts can find the vulnerable spots within widely used software and use them to anticipate big attacks through what are known as common vulnerabilities and exposures (CVE). A CVE is a standardized list of known weaknesses or flaws in software, hardware, networks or systems that attackers can exploit.

Companies can use CVE information to identify vulnerabilities, prioritize threats, mitigate impacts, improve threat detection, share information and improve spend visibility.

Information on where to find common vulnerabilities, so they can be exploited, is readily available to malicious actors operating on the dark web.
Johnty Mongan, global head of Cyber Risk Management, Gallagher Cyber Defence Centre

 

The number of CVEs reported is on the rise. Recent research from tech firm Qualys found a surge in the number of disclosed CVEs between 2022 and 2023, with the number increasing by 6% in that time to reach 26,447. Of those, 206 stood out, meaning that researchers thought they posed a significant threat due to their high likelihood of successful exploitation.

What would you do with an early warning system?

The Gallagher Cyber Defence Centre works with clients to aggregate CVE codes as a proactive approach to assess risk and recommend mitigation strategies. We typically find that six in 10 face common vulnerabilities as a result of purchasing or licensing the same technology.

This creates a situation where attackers have a higher chance of success if they target CVEs within popular off-the-shelf solutions.

We use our system to monitor vulnerabilities, conduct client-specific risk assessments, and communicate identified vulnerabilities to clients. The system also emphasizes the importance of industry-wide vulnerability patterns and the need for continuous monitoring and improvement. All this helps our clients mitigate cybersecurity risks by providing guidance on remediation strategies.

Building a robust defense

The growing complexity and interconnectivity of digital supply chains offers cybercriminals an ever-expanding attack surface to target. For criminal actors it is simply good business sense to exploit a supplier and gain multiple opportunities to that vendor's downstream customers.

The Cyber Defence Centre CVE monitoring system allows us to identify trends across a large client base, which helps us to spot patterns. Just as a weather forecast can help to track the path of a hurricane so that people can move out of harm's way, we are able to build a picture of which CVEs are ripe for exploitation to offer an early warning.

Taking such an approach is an essential way of building cyber resilience. It allows companies to pre-empt threats before they arise. Ultimately, proactively responding to the most widespread CVEs is one way of ensuring that supply chain attacks do not become systemic in nature.


Sources

1Morgan, Steve."Cybercrime to Cost the World $10.5 Trillion Annually by 2025," Cybercrime Magazine. 13 Nov 2020.

2Hill, Lindsay. "The Cybercriminal Ecosystem: Evolution and Extortion," ICAS, 2 Feb 2023.

3"Cyber Security Breaches Survey 2023," GOV.UK, 19 Apr 2023.