What is a Double Supply Chain Attack and how to minimize the associated risks with TPRM?

Nov 8, 2023 | Blog


A Double Supply Chain Attack is an attack in which an attacker compromises two organizations in a supply chain in sequence by intruding on only one vulnerable source. For example, if a software provider is compromised and your organization uses that software, the attackers can also infect your organization and, through it, attack your clients. In this scenario the company that developed the software fell victim to the attack, but by the time it was discovered all of the clients who used this software had also been breached.

A classic example of such an attack was seen in early 2023, when the VoIP provider 3CX fell victim to a software breach affecting both its Windows and macOS applications. The application was compromised, and the attackers could infiltrate the network and exfiltrate data. This was later followed by another attack targeting all clients of 3CX. It is reported that Mandiant performed the investigation and established the chronology of events.

Although such incidents are rare, they are definitely possible. A robust Third-Party Risk Management (TPRM) program is crucial and plays a major role in detecting and addressing such risks. Key points to consider when managing Third-Parties:

  • Up-to-date inventory (licensed and open-source tools) – enables an organization to understand its risk exposure and engage pro-actively with Third-Parties. Asking for a Software Bill of Materials (SBOM) gives an organization visibility of all Third-Party components (plug-ins and APIs) used in the software.
  • Due Diligence – performing a thorough security assessment from all angles, covering all possible scenarios, is essential to ensure that Third-Parties have implemented adequate security controls.
  • Seamless communication – establish redundant communication channels and engage Incident Response to liaise with Third-Parties, so that information arrives in time to respond immediately and reduce the impact.
  • Water-tight contracts – enforce incident notification and cyber insurance clauses via contracts, so that Third-Parties carry the liability and the risk is reduced, ensuring business continuity, especially where such Third-Parties provide critical services. A right to audit more than once annually should be enforced, giving the liberty to conduct periodic audits.
  • Continuous Monitoring – the Big Eye that oversees and monitors such risks enables TPRM teams to jump into action pro-actively and take viable steps to reduce the impact and likelihood of an incident or breach.
  • Legacy Third-Parties – risks arising from such Third-Parties are sometimes paramount. Outdated or less secure modes of providing services, a weak security posture and stagnated growth are a few reasons to worry. Such engagements should be revived and a risk assessment performed.

    Reviving conversations with very tenured Third-Parties is often complicated, especially where no TPRM program existed when the engagement began. Employees have left the organization and old contacts no longer exist. Procurement should keep a watch on such Third-Parties and engage with them regularly to ensure the right points of contact are available when needed.
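The inventory and SBOM point above is where a double supply chain exposure becomes visible: a component your software depends on is itself supplied by a vendor your TPRM team has flagged. The following is an added example (not code from the original post) that walks a constructed CycloneDX 1.5 SBOM and reports every dependency path to a flagged supplier, distinguishing direct (tier 1) from supplier-of-a-supplier (tier 2 and deeper) exposure. All product and vendor names in the sample SBOM and the watchlist are constructed placeholders.

```python
import json

# Constructed CycloneDX 1.5 SBOM for a hypothetical in-house application.
# Every product and vendor name below is sample data, not a real one.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "type": "application",
    "name": "helpdesk-portal", "version": "4.2.0"}},
  "components": [
    {"bom-ref": "sdk", "type": "library", "name": "softphone-sdk",
     "version": "18.1", "supplier": {"name": "VoIP Vendor A"}},
    {"bom-ref": "codec", "type": "library", "name": "media-codec",
     "version": "5.0", "supplier": {"name": "Codec Project"}},
    {"bom-ref": "log", "type": "library", "name": "logger",
     "version": "2.3", "supplier": {"name": "Logging Inc"}}
  ], "dependencies": [
    {"ref": "app", "dependsOn": ["sdk", "log"]},
    {"ref": "sdk", "dependsOn": ["codec"]}
  ]
}'''

def load_sbom(text):
    """Index components by bom-ref and build the dependency adjacency list."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    comps[root["bom-ref"]] = root
    deps = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], comps, deps

def exposure_paths(sbom_text, flagged_suppliers):
    """Every dependency path from the application to a component whose supplier
    is on the TPRM watchlist. Tier 1 = direct dependency; tier 2+ = supplier of a
    supplier, i.e. the double supply chain exposure."""
    root, comps, deps = load_sbom(sbom_text)
    flagged = {s.lower() for s in flagged_suppliers}
    hits = []
    def walk(ref, path):
        comp = comps.get(ref, {})
        supplier = comp.get("supplier", {}).get("name", "")
        if ref != root and supplier.lower() in flagged:
            hits.append({"supplier": supplier, "component": comp.get("name", ref),
                         "tier": len(path) - 1,
                         "path": [comps.get(r, {}).get("name", r) for r in path]})
        for child in deps.get(ref, []):
            if child not in path:  # guard against cyclic dependency records
                walk(child, path + [child])
    walk(root, [root])
    return hits
```

Flagging "Codec Project" reports a tier 2 exposure via softphone-sdk, which is exactly the case where the vendor you contract with is not the party that was breached.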
