Sometimes, seemingly small, isolated events can trigger widespread consequences. Such is the case when the effects of one organization’s security incident spill over to impact third parties and the broader supply chain. We refer to these spillover effects from multi-party incidents as “ripple events,” and they’ve been a focus of our research for several years now.
In our most recent analysis, we examined almost 900 historical ripple events to uncover the dominant MITRE ATT&CK techniques employed. Our primary objective is to understand how these ripples emerge and spread, so that your organization can avoid being caught in their aftermath.
This study leverages Zywave Cyber Loss Data, containing over 130,000 cyber events collected from publicly verifiable sources.
From this, we identified 830 incidents that rippled outward, impacting an additional 5,820 downstream organizations. These multi-party events form the corpus of our current analysis.
There are three features that make this dataset uniquely suitable for this research:
- It has comprehensive coverage across a wide array of incidents
- It links organizations involved in or impacted by a common incident
- It tracks losses publicly disclosed in the wake of those events
Once again, we partnered with Cyentia Institute, which performs additional processing of Advisen's cyber loss data to enrich it with information such as incident patterns and ATT&CK techniques, using a combination of methods. Where possible, our team uses standard fields in the Zywave dataset to assign patterns and map them to their equivalents in ATT&CK. Beyond that, we use natural language processing on incident descriptions and malware behavioral analysis to support classification. Larger or high-profile loss events often trigger manual assignment of techniques by one of our analysts. In short, we do whatever we reasonably can to infer incident types and the techniques involved.
During our analysis we found many data points that help explain how multi-party cyber events are initiated and propagated, along with several key takeaways, including:
- Multi-party security incidents typically cost 7 times more than single-party events
- Exploiting public-facing applications results in the largest proportion of financial losses from multi-party security incidents
- Targeting valid user accounts and exploiting trusted third-party relationships are the most common initial access techniques leading to ripple events.
- Malicious code injection and obfuscation were associated with 100% of reported financial losses and 87% of third parties impacted by multi-party security incidents.
- System intrusions are the riskiest type of ripple events, surpassing all others in frequency, total financial losses, and the number of third parties impacted.
We invite you to download our new report to read the full study. We hope it helps you understand why it is critical for your organization to assess the risks associated with its digital supply chain.