According to Verizon's newly released Data Breach Investigations Report, 62% of breach investigations involved using business partners as a vector. Last year that number was only 1%. Verizon pins the growth on a single event. And while the report does not mention the event by name, it does give two hints: (1) it came early on in data collection for the report, which began in late 2020, and (2) it "rhymes with PolarShins."
Supply chain threats are a growing part of the landscape. In a year that included Kaseya, Outlook and SolarWinds, that has never been more clear. But the extraordinarily rapid growth makes predicting future events a little more difficult. Is the spike a one-off based on a single massive event or a new normal?
The fact that SolarWinds was a historic event rather than a quiet breach may have skewed data a little, said Gabriel Bassett, senior information security data scientist on the Verizon Security Research Team.
"This one is partially high because so many of the victims are known publicly, but the fact that future supply chain breach victims may not be as widely known should cause even more concern," he said via email.
Bassett expects the huge spike in business partners as a potential vector to decline by next year's report. Supply chain hacking, he said, is largely manual and inefficient compared to phishing or credential stuffing. In the long run, however, that will likely change.
"I don't think it's the new normal yet, but I think it will be," he said.
The 'partner' designation in the DBIR covers only one aspect of the supply chain. Vulnerabilities in open source software, a la Log4j, are counted in the report elsewhere. But even so, a big jump in partner-based attacks over last year was no surprise to people within the security community.
Dray Agha, ThreatOps analyst for Huntress Labs, is more bullish on partner-based attacks even in the short term. "While we’re hearing less about these types of stories in the news, those of us who are in the weeds of cybersecurity on a daily basis are certainly seeing this type of activity as a growing trend."
Huntress was extremely active during the Kaseya supply chain breach, giving many security professionals their first notice of the issue through running posts on Reddit.
Said Agha: "These types of vendors are prime targets. Why spend the time and effort breaking into the infrastructures of multiple businesses when just one successful attack on one business can help you gain access to hundreds or even thousands of them?"