In today’s technology-led business climate, organizations don’t just share information rampantly across company lines— they also share platforms and technology ecosystems. Due to this, multiple organizations end up boating in the same proverbial pond. And when an attacker compromises one organization within an ecosystem, it’s like a boulder hitting that pond’s surface. The effects from that initial impact cause an outward ripple that threatens to swamp everyone’s vessels—or at least get all the passengers wet.
As in the 2019 report, we refer to these ripple events interchangeably as multi-party incidents. For the sake of enumeration and statistical analysis, we define these multi-party incidents as:
Breaches where there are effects upon three or more firms (the initial victim and at least two others) and where there exists some kind of business-to-business (B2B) relationship between the firms involved.
The mentioned B2B relationship is not necessarily between the initial victim and those caught up in a ripple’s downstream loss events. However, the relationships that exist between various upstream and downstream organizations of multi-party incidents distinguish these ripple events from sweeping cybercriminal campaigns that may successfully hit numerous victims who have no other connection between them.
Multi-party impacts can be multifaceted, but there are two primary ways they push ripples across industries and organizations:
WIDESPREAD THIRD-PARTY BREACH: This is a breach impacting multiple downstream organizations that have a direct third-party relationship to the victim organization that generated the ripple event.
SUPPLY CHAIN BREACH: This refers to a breach exhibiting cascading impacts on the generator organization’s customers, such that the exposure at one or more third parties also exposes systems or data owned by Nth-party organizations with no direct relationship to the initial victim.
These two categories are not mutually exclusive, and what often happens with larger ripple events is that a breach first impacts the flow to multiple organizations with third-party relationships to the generator and then pushes downstream to affect many of those organizations’ customers and their customers’ customers. Thus, many ripple events start as a widespread third-party breach that kicks off multiple supply chain breaches all at once.
This is the kind of scenario we witnessed most recently with the 2021 Kaseya ransomware event, wherein an attacker leveraged management software commonly used by managed service providers to simultaneously attack the client base of multiple companies at once.