Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:00 AM
Patrick Sweeney, CEO & President, Area 1 Security
Patrick Sweeney, CEO & President, Area 1 Security
Sponsored Article

How to Combat the New 'Insider Threat': Compromised Partners

It's difficult to stop supply chain attacks if partner accounts are compromised. What can you do when these attacks are indistinguishable from insider threats?

The current rash of financial fraud and supply chain attacks exploit a seemingly unsolvable vulnerability in your security strategy. Attackers exploit the fact that you must communicate with outside partners and vendors to thrive as a company or an institution. As you interact with partners, the door to exploitation opens, specifically in the form of supply chain attacks. These attacks are tremendously hard to detect since malware and malicious links are not necessary for successful exfiltration, so the final "kill shot" has the most subtle of fingerprints. Yet efficacy is so high, in just the first few months of 2021, such attacks have succeeded in millions of dollars in currency theft and incalculable troves of stolen data.   

Compromised credentials are the key to the attacker's success. But here is what's disturbing. It is not your credentials that are the linchpin in stealing from you. The bad actor lurks while legitimate trust is built between you and a partner. No malware is delivered. No network penetration is involved. Yet the theft succeeds.

Often, the supply chain attack involves a business email compromise (BEC) exploiting invoice fraud. Detecting the final diversion of funds that comes from an established trusted vendor, involving a long legitimate email thread, and using a perfectly altered invoice is difficult to detect. What are the strategies to stop these attacks?

Strong security solutions extend the concept of "zero trust" beyond its original premise of micro-segmentation and incorporate that idea of reducing trust for your most trusted communications. While seemingly ironic, the point is, the more you trust a person, entity, or a communication, the more successful an attack that exploits it can be.

So, how do you apply the concept of zero trust to partner interactions and prevent supply chain-based attacks? Effective zero-trust application must start at the point where your own infrastructure and control begins: email.

To extend zero trust to email, consider the notion of a social graph:

Your graph extends to everyone you interact with, not just employees in your own organization. This means your risk surface area is much larger than it initially appears when interactions are considered across multiple parties and systems.

Think of each interaction as a microsegment in the zero-trust world that must be "authenticated." There should be no implied trust between parties, regardless of how often you have communicated, since you do not know if a partner's account has been compromised.

To apply the concepts of zero trust to detect supply chain phishing and compromised partners in email, consider the following three factors.

Campaign Source
An email-based attack can leave subtle clues about the attack or attacker. Beyond looking at the sender information for spoofed names or domains, inspecting the sending infrastructure and source of an email can help identify whether it's malicious.

For example, if there are links or nested links within the email, where are they being hosted? Is the sender domain a legitimate organization's domain or does it use a newly created webmail domain from Microsoft 365 or Gmail? In our Office 365 missed threats report, nearly half (48.9%) of missed threats were from recently created domains.

Attackers tend to reuse hosting infrastructure and spin up new domains. By tracking attacker infrastructure, phish can be linked to an attacker even if accounts and domains have no known reputation. Preemptive, in-the-wild crawling and indexing also allow you to discover new malicious infrastructure quicker.

Message Sentiment and Conversational Context
Some attacks like BEC don't contain malicious links or documents. Instead, they rely on social engineering to trick unsuspecting users into sending funds or disclosing sensitive information, often by spoofing a trusted party like an internal employee or executive. Specific types of BEC based on supply chain compromises are the most difficult to detect since the target victim organization typically doesn't know a supplier's account has been compromised.

Detecting these types of malware-less attacks requires detailed analysis of message sentiment and conversational context. You need to understand what is actually being expressed within a message, or its intent. Detecting variations within message threads is also important to surface attempted fraud. Since supply chain BEC attacks can take place over weeks and months, it is important to be able to consider variations in behavior and requests over extended periods of time.

Partner Social Graph
Just as each organization has a social graph of interactions, each supplier also has theirs. Evidence of vendor account takeovers can be surfaced by properly assessing each supply chain partner's reputation and their partners' reputation. This, along with taking into account message sentiment and conversation context mentioned before, can signal whether a known contact's account has been compromised.

Supply chain attacks complicate detections by making everyone an insider. By applying zero-trust principles to email, the source of most phishing and account takeover attempts, organizations stand a better chance of early detection and minimized damages.

To learn more, check out the following resources, and get an assessment of your current risk from partner-originated email attacks:

About the Author

Before joining Area 1 Security as CEO and president in 2020, Patrick Sweeney served as CEO of Talari Networks, where he reinvigorated the company's market leadership and completed the successful sale of the company to Oracle, Inc. Before Talari/Oracle, from 2001-2017, Patrick played key executive management roles in taking SonicWall private under Thoma Bravo; the acquisition of SonicWall by Dell Inc., and the divestiture of SonicWall to Francisco Partners. While at Dell Inc., Patrick served as vice president for the Dell Security Group and Dell Software Group. 

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
Vulnerability in OpenGrok (component: Web App). Versions that are affected are 1.6.7 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise OpenGrok. Successful attacks of this vulnerability can result in takeover of OpenGrok. CVSS 3.1 ...
PUBLISHED: 2021-06-23
A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted HTTP request, this can potentially lead to an internal sensitive data disclosure vulnerability.
PUBLISHED: 2021-06-23
A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.
PUBLISHED: 2021-06-23
Heap based buffer overflow in tsMuxer 2.6.16 allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file.