Content, Content

50 Multi-Party Cyber Incidents: Key Security Research Findings

You've heard about supply chain cyberattacks. But what are ripple events -- and what's the fallout from such cyberattacks?

Some answers and analysis surfaced in a new RiskRecon research report entitled IRIS Tsunami (Information Risk Insights Study). Before diving into the report, keep in mind the difference between supply chain cyberattacks and ripple events.

RiskRecon calls multi-party incidents “ripple events,” for how the aftereffects swell outward from the central victim to envelop others in their wake. Ripples may show up as hackers migrating from the first victim to other organizations. Or partners and customers may suffer operational or financial losses.

According to the report's authors:

"All supply chain attacks are ripple events, but not all ripple events are supply chain attacks. It is not necessary to compromise hardware or software components to generate downstream loss events. For example, if a data aggregator is breached, the owners/providers of that data may suffer losses even though their systems remain uncompromised."

In short, a multi-party incident can spark a cyber tidal wave that damages downstream organizations both close to and distant from those that engage with the targeted victim.

“If you take the time to decompose even the simplest of business transactions, you’ll find in the mix a surprising number of parties from technical components supporting the transaction to the completed delivery of products to the customer,” RiskRecon said. “But what happens to all these parties when something goes wrong?

In its report, RiskRecon identified 50 of the largest multi-party cyber incidents over the past several years to understand who was behind the incident, what happened, and how the event spread throughout the supply chain and caused financial losses for all parties involved.

Here are some of the findings:

  • The median cost of these 50 extreme multi-party events is $90 million. A typical incident costs roughly $200,000.
  • The median number of organizations impacted in these cyber tsunami events is 31, but there are some episodes that swelled to 800 secondary victims.
  • System intrusions were by far the most common type of incident, and they also impacted the largest number (57%) of downstream organizations.
  • Ransomware is a distant second in terms of frequency but ran up 44% of the recorded financial losses across the 50 tsunami events.
  • Cracked and stolen credentials were the most common (50% of incidents) and costly (68% of losses) initial access technique.
  • Of those incidents in the study, hacking credential attacks had total losses of $11.9 billion, malware backdoor $11.6 billion, abuse of legitimate admin tools $10.2 billion, hacking known vulnerabilities $9.2 billion and ransomware $7.8 billion.
  • Exploitation of public-facing applications led to more collateral victim organizations (63%) compared to any other initial access vector.
  • Aggregated data and shared systems were the most common ways in which cyber loss events propagated from primary to secondary victim organizations.
  • Supply chain compromises led to the biggest share of recorded financial losses ($7.4 billion) and the largest number of secondary victim firms.
  • Organized cyber criminal groups were ultimately responsible for 80% of all collateral damage to downstream firms.
  • State-affiliated actors were behind one out of five incidents and caused the majority of financial losses, with over $10 billion recorded on their tab!
  • Insiders and third parties contributed to 34 of the 50 extreme events, combined causing $17.3 billion or 99% of all recorded losses.
  • In a downstream, multi-party event, 25% of firms are involved within 32 days after the initial incident, 50% by 151 days and 75% by 379 days.

RiskRecon has some recommendations and suggestions for companies to avoid downstream losses:

  • By thinking beyond perimeter defenses and re-framing third parties as extended insiders, organizations can become more resilient against the vast range of ways ripples propagate.
  • Visibility is essential to foster collective security across your supply chain network and can help promote vital information sharing and collaboration to raise the security posture of everyone in the network.
  • Supply chain relationships require continuous monitoring and assessment as both the threat landscape and business relationships can evolve and change quickly. Staying on top of these changes is essential to stopping these ripple events and can inform a range of data strategies such as access controls, minimization, and storage.
  • Look for automated solutions that allow you to easily surface and navigate your extended supply chain.

“The scale of losses from tsunamis shouldn’t be minimized, but companies should be encouraged by the similarities among these and more run-of-the-mill incidents,” RiskRecon said. “An otherwise sound data protection strategy combined with a plan to uncover your company’s extended supply chain could be all it takes to keep from being swept away.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.