Supply Chain & CTI

Why expanding third-party risk monitoring is no longer a luxury

In this blog, we’ll explore how cyber threat intelligence (CTI) must change to support a new approach to supply chain risk. Across the globe, new regulatory regimes such as DORA in the EU and CMMC in the US are driving the need to not just reactively engage with your supply chain, but to proactively collaborate with suppliers and monitor third-party infrastructure for signals of compromise. The underlying intention is that an ecosystem is more robust when its members work together. Similar requirements are likely to spread to other sectors, making this blog worthwhile reading for security teams of all sizes and industries.

Reactive supply chain management typically involves sending Supplier Assurance Questionnaires (SAQs) to suppliers after a confirmed breach has occurred, often by the time it makes the news.

Many large organizations have taken the initiative to leverage threat intelligence services that support checking for brand name keywords or domains appearing on ransomware data leak sites, cybercrime forum posts, or darkweb credential markets.

An even more proactive measure that could be taken to manage supply chain risks involves using passive scanning services to check for unpatched vulnerabilities in supply chain networks, as well as using NetFlow data to detect malicious command-and-control (C2) communications originating from supplier environments.

Key Findings

  • Technology leaders are issuing warnings to their supply chain to modernise their cybersecurity practices
  • Governments are introducing more legislation to protect digital services and critical sectors from supply chain risks
  • More organizations need to incorporate proactive threat intelligence to evaluate supply chain vendors
  • NetFlow data is a useful complementary method for organizations to validate the security posture of their supply chain ecosystems.

Supply Chain Management

Many organizations start by prioritising their supply chain vendors against criteria such as the impact on business operations if a vendor were attacked, or the sensitivity of the data the vendor processes or stores on their behalf. Other factors are whether a vendor has direct network access into the organization’s environment and, if so, into which environments.

One of the challenging aspects for CTI teams doing this type of work is establishing these facts for a large number of suppliers. Fortune 500 organizations often have upwards of 5,000 suppliers, in many cases spread around the world. Working out these factors for every supplier in order to rank and prioritise them is difficult on its own, and the information is often only available in contracts held by procurement or legal departments, where it may be vague and incomplete.

Getting a handle on which suppliers have direct network access to your organization’s environment is often made a priority due to the implications of a software supply chain attack or identity-based network intrusion. Without network-level visibility to know where cyber threats can arrive from, the chances of detecting an intrusion are severely diminished.

In other cases, knowing which suppliers handle the most sensitive information about your organization is also crucial to understanding your expanded attack surface that extends to third parties. Supply chain partners such as law firms will often hold highly sensitive information for their clients, making them ideal targets for persistent adversaries willing to put in the work to get in.

Defining Cyber Threat Intelligence Team Capabilities

Before we detail the sources of CTI, let’s explore the nuances that will enable you to align with your existing teams and capabilities.

First on the maturity ladder from a CTI perspective is supporting Incident Response operations, which can include Reactive Threat Hunting. At this stage, many CTI teams receive paid finished intelligence (FINTEL) reports from a handful of Vendor Intelligence Platforms (VIPs) and, due to budgets or team maturity, also rely heavily on open source intelligence (OSINT). This state leaves your organization behind what is currently happening in the wild: you are waiting for a tool, platform, or vendor to inform you about adversary activity and breaches after they have happened, and only if they detect it.

As your team matures and the business demands on you grow, the next step is to support Threat Detection through Proactive Threat Hunting. You are now actively searching your own environments for yet-to-be-discovered threats and unmitigated risks, and detecting them before an incident can turn into a breach.

The highest level that security teams aspire to reach is Threat Reconnaissance, otherwise known as External Threat Hunting. Elite teams are mature enough to be confident in monitoring and managing threats and risks within their own networks, so the focus shifts outwards, beyond their borders. Because of the volume and variety of data that must be ingested, processed, refined, and turned into intelligence, the budgets, experience, and sophistication required are far higher than on the lower rungs. But the investment pays off, as we’ll discuss later.

Current Approaches

The current standard methodologies of using CTI to manage supply chain risks involve primarily monitoring the cybercrime underground:

  • Data Leak Sites: These are Tor-hosted websites run by extortionists, such as DragonForce or Clop, that leak victim files if they fail to pay the ransom.
  • Cybercrime Forum Posts: These are forums, such as BreachForums or Xss[.]is, with members that compromise victim databases, credentials, or network access and offer it for sale or who dump it for free.
  • Darkweb Credential Markets: These are Tor-hosted websites that offer identity packages of credentials for sale that have been collected using infostealer malware or have been brute-forced in bulk.
  • Cybercrime Underground Messaging Channels: These are channels hosted on messaging apps, such as Telegram or Discord, whereby cybercriminals share stolen databases or advertise access to accounts for sale.
  • Code Repositories and Paste Sites: These are content sharing websites, such as GitHub or Pastebin, whereby users can share text files containing sensitive content publicly.

By monitoring these corners of the cybercrime underground, organizations try to keep track of which suppliers cybercriminals have already compromised and whose data or access is now being offered for sale post-breach.

Using CTI to monitor the supply chain this way is common, but it requires the resources either to perform first-party collection or to pay for third-party collection services that leverage their placement and access in the cybercriminal underground. Despite increasingly tight and specific legislation requiring this, CTI teams are still under-funded, leading CISOs to realign their budgets and resources.

Enhanced Supply Chain Monitoring Approach

Supply chain exposure management and monitoring involves checking whether your organization’s vendors are exposed: for example, large numbers of unprotected remote access ports open to the internet, edge devices with unpatched known exploited vulnerabilities (KEVs), or active network traffic to command-and-control (C2) infrastructure.

How Network Communications can help map Malicious IP Addresses

Using NetFlow communications, it is possible to see whether a supplier’s CIDRs or ASNs are communicating with known malicious infrastructure, and organizations of various sizes and resources can use this information in different ways. These communications are observable daily, and in some cases in near real time as with Pure Signal, and can be triaged and escalated to suppliers via established communication channels. This highly proactive approach is, however, resource intensive. Alternatively, the same information can be used to build a point-in-time baseline of a supplier’s network exposure, and those results can inform decisions about that particular supplier.

Some discoveries will be more significant than others. Large volumes of network communications between a supplier’s gateway IP addresses and IP addresses tagged as infrastructure for offensive security tools (OSTs) such as Cobalt Strike, or for malware families associated with ransomware precursor activity, indicate a more serious and immediate threat to business operations than generic IoT malware that targets CCTV cameras to build botnets.

Unprotected Remote Access Ports

Having visibility into whether a supplier has significant numbers of unprotected remote access ports open requires the ability to discover and view their assets, together with data about which open-port banners are visible.

Specific ports on which to focus searches of supplier perimeters include the following:

  • Port 22 - Secure Shell (SSH): While necessary for remote administration, an open SSH port facing the internet will rapidly become a target for brute-force attacks.
  • Port 3389 - Remote Desktop Protocol (RDP): Highly targeted for brute-force attacks. If exposed, it can give direct access to internal systems, potentially bypassing other security controls. Vulnerabilities in RDP itself have also been exploited (e.g., BlueKeep).
  • Ports 5985 and 5986 - Windows Remote Management (WinRM) HTTP/S: Regularly targeted for brute-force attacks. Access can be leveraged with publicly available tools such as Evil-WinRM on GitHub.
  • Ports 5900-5909 - Virtual Network Computing (VNC): Regularly left open without password authentication on sensitive services such as the human-machine interfaces (HMIs) of industrial control systems (ICS).

Being able to identify what type of system is exposed is also key to these investigations. The severity of an exposed port varies drastically depending on whether the internet-facing service belongs to a Domain Controller or a VMware ESXi hypervisor, or to a test instance used by IT to check internet connectivity.

Vulnerability Intelligence

Ensuring edge devices are patched and updated to the latest version across multinational environments is a challenge for organizations of any size. Because of this, whenever a critical vulnerability is published, many organizations send Supplier Assurance Questionnaires (SAQs) to their suppliers. SAQs are also what the UK Government prescribes as an example of gaining insight into suppliers before contracting with them.

The SAQs help establish whether a supplier runs the impacted software and, if so, which version, whether it is patched, whether it was already exploited, and what the supplier did about it. The problem is that these are reactive actions that depend on the supplier completing the work, ensuring it is accurate, and sharing the results in a timely manner.

Using asset discovery services to check the software versions of exposed systems is one method of identifying potentially exploitable attack vectors in supplier networks. By checking the software version, it is possible to uncover unpatched critical vulnerabilities or known exploited vulnerabilities (KEVs) that adversaries are targeting in the wild.
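As an added example (not code from the original post, Team Cymru, or Pure Signal), the following script combines the exposed-port triage described above under Unprotected Remote Access Ports with the banner version check just described into one scoring pass over passive asset-discovery records. The asset records, hostnames, banners, scoring weights and role heuristics are constructed for illustration, and the MIN_PATCHED table holds placeholder thresholds that an analyst would replace with values taken from vendor advisories and the CISA KEV catalog.

```python
"""Exposure triage for supplier perimeter services found by passive asset discovery.

Added example with constructed input. The asset records, hostnames, banners,
scoring weights and role heuristics are illustrative, and MIN_PATCHED holds
placeholder thresholds rather than real patch levels. Not Team Cymru code.
"""
import re

# Base severity for an internet-facing port, following the blog's port list.
PORT_BASE = {22: 4, 3389: 8, 5985: 6, 5986: 6}
PORT_BASE.update({p: 7 for p in range(5900, 5910)})   # VNC display ports
DEFAULT_BASE = 2                                        # any other exposed service

# Hypothetical hostname/banner heuristics for the role of the exposed system.
ROLE_HINTS = [
    (re.compile(r"VMware ESXi", re.I), "hypervisor", 5),
    (re.compile(r"\bdc\d*\b", re.I), "domain_controller", 4),
    (re.compile(r"\bhmi\b", re.I), "ics_hmi", 4),
    (re.compile(r"\b(test|lab|sandbox)\b", re.I), "test_instance", -3),
]

# Minimum acceptable version per product: placeholders, fill from advisories/KEV.
MIN_PATCHED = {"OpenSSH": "9.9", "VMware ESXi": "8.0.3"}

# Constructed discovery records (RFC 5737 documentation addresses).
SAMPLE_ASSETS = [
    {"ip": "198.51.100.20", "port": 3389, "hostname": "dc01.globex.example",
     "banner": "Microsoft Terminal Services", "auth_required": True},
    {"ip": "198.51.100.40", "port": 5900, "hostname": "hmi-line3.globex.example",
     "banner": "RFB 003.008", "auth_required": False},
    {"ip": "203.0.113.10", "port": 22, "hostname": "bastion.acme.example",
     "banner": "SSH-2.0-OpenSSH_7.4", "auth_required": True},
    {"ip": "203.0.113.200", "port": 5985, "hostname": "conn-test.acme.example",
     "banner": "Microsoft-HTTPAPI/2.0", "auth_required": True},
    {"ip": "203.0.113.50", "port": 443, "hostname": "esx01.acme.example",
     "banner": "VMware ESXi 7.0.3", "auth_required": True},
]


def _version_tuple(text):
    """'7.0.3' -> (7, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def detect_role(record):
    """Return (role, score_bonus) from hostname or banner, or ('unknown', 0)."""
    haystack = f"{record.get('hostname', '')} {record.get('banner', '')}"
    for pattern, role, bonus in ROLE_HINTS:
        if pattern.search(haystack):
            return role, bonus
    return "unknown", 0


def outdated_product(banner):
    """Return (product, version) when a banner advertises a version below MIN_PATCHED."""
    for product, minimum in MIN_PATCHED.items():
        match = re.search(re.escape(product) + r"[_/ ]v?(\d+(?:\.\d+)*)", banner)
        if match and _version_tuple(match.group(1)) < _version_tuple(minimum):
            return product, match.group(1)
    return None


def score_exposure(record):
    """Score one exposed service; a higher score means escalate to the supplier sooner."""
    port = record["port"]
    score = PORT_BASE.get(port, DEFAULT_BASE)
    reasons = [f"port {port} exposed"]
    role, bonus = detect_role(record)
    if role != "unknown":
        score += bonus
        reasons.append(f"role {role}")
    if record.get("auth_required") is False:      # e.g. VNC with security type None
        score += 3
        reasons.append("no authentication required")
    outdated = outdated_product(record.get("banner", ""))
    if outdated:
        score += 3
        reasons.append(f"{outdated[0]} {outdated[1]} below minimum {MIN_PATCHED[outdated[0]]}")
    return {"ip": record["ip"], "port": port, "role": role,
            "score": score, "reasons": reasons}


def triage_exposures(records):
    """Score every record and return the findings, most severe first."""
    return sorted((score_exposure(r) for r in records), key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in triage_exposures(SAMPLE_ASSETS):
        print(f"{finding['score']:>3} {finding['ip']}:{finding['port']} "
              f"{finding['role']} - {'; '.join(finding['reasons'])}")
```

The ordering this produces matches the blog's argument: the unauthenticated VNC on an HMI and the RDP service on a host that looks like a domain controller outrank the exposed SSH bastion, while the WinRM port on an obvious test box drops to the bottom even though WinRM itself carries a higher base weight. The role heuristics are deliberately simple and will misclassify hosts with unhelpful names, so treat the score as a queue order for analyst review rather than a verdict.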

Using NetFlow communications, it is then possible to check for signs of malicious and suspicious traffic to the ports of services on unpatched internet-facing systems, with the advantage that discovery and assessment are entirely passive, and therefore non-disruptive to the service you and your supplier rely on. Another benefit is that the traffic observed is on public internet infrastructure rather than collected from inside the supplier’s network, so assessments can begin without waiting on the supplier, giving security teams a timely and accurate picture and helping them make more informed decisions for stakeholders.

Discoveries such as continuous conversations between exposed systems on specific ports and known malicious IP addresses, or IP addresses in high-risk autonomous system numbers (ASNs), are notable indicators of compromise (IOCs) to hunt for in supplier networks.
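As an added example (not code from the original post, Team Cymru, or Pure Signal), the following script shows the two NetFlow checks discussed in this post side by side: supplier hosts talking out to tagged malicious infrastructure, weighted so that OST/C2 and ransomware-precursor traffic outranks IoT botnet noise as described under How Network Communications can help map Malicious IP Addresses, and inbound traffic to a supplier's remote access ports from many sources or from a high-risk ASN as described above. The flow record format, supplier CIDRs, tagged IPs, ASN map and severity weights are all constructed for illustration, using RFC 5737 documentation prefixes and RFC 5398 documentation ASNs; nothing here reflects the Pure Signal data format.

```python
"""NetFlow triage of supplier traffic against tagged infrastructure and exposed ports.

Added example with constructed input: the flow format, supplier CIDRs, tagged IPs,
ASN map and severity weights are illustrative (RFC 5737 documentation prefixes,
RFC 5398 documentation ASNs). Not Team Cymru code and not the Pure Signal format.
"""
import ipaddress
from collections import defaultdict

# Supplier inventory: CIDR -> supplier name (constructed).
SUPPLIER_CIDRS = {"203.0.113.0/24": "acme-law", "198.51.100.0/25": "globex-rmm"}

# Tagged destination infrastructure with a severity weight: OST/C2 and ransomware
# precursors outrank commodity IoT botnet sinks (constructed list).
THREAT_TAGS = {
    "192.0.2.10": ("cobalt_strike_c2", 90),
    "192.0.2.20": ("ransomware_precursor", 80),
    "192.0.2.200": ("iot_botnet", 20),
}

# Prefix -> ASN map and the ASNs the analyst treats as high risk (constructed).
ASN_MAP = {"192.0.2.0/24": 64496, "198.18.0.0/15": 64511}
HIGH_RISK_ASNS = {64511}

# The remote access ports from the blog's list.
REMOTE_ACCESS_PORTS = {22, 3389, 5985, 5986} | set(range(5900, 5910))

# Constructed flow records: timestamp,src,sport,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
2025-06-01T10:00:00Z,203.0.113.5,51000,192.0.2.10,443,tcp,48000
2025-06-01T10:05:00Z,203.0.113.5,51002,192.0.2.10,443,tcp,52000
2025-06-01T10:10:00Z,203.0.113.77,40000,192.0.2.200,23,tcp,300
2025-06-01T10:11:00Z,198.18.5.5,60001,198.51.100.20,3389,tcp,1200
2025-06-01T10:11:01Z,198.18.5.6,60002,198.51.100.20,3389,tcp,1200
2025-06-01T10:11:02Z,198.18.5.7,60003,198.51.100.20,3389,tcp,1200
2025-06-01T10:11:03Z,198.18.5.8,60004,198.51.100.20,3389,tcp,1200
2025-06-01T10:11:04Z,198.18.5.9,60005,198.51.100.20,3389,tcp,1200
2025-06-01T10:30:00Z,198.51.100.9,55000,192.0.2.20,8443,tcp,9000
2025-06-01T10:40:00Z,192.0.2.53,53,203.0.113.5,51003,udp,200
"""


def parse_flows(text):
    """Parse the CSV-like records above into dicts with typed ports and byte counts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def lookup_prefix(ip, table):
    """Return the value for the first prefix in table that contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for cidr, value in table.items():
        if addr in ipaddress.ip_network(cidr):
            return value
    return None


def supplier_for(ip):
    return lookup_prefix(ip, SUPPLIER_CIDRS)


def triage(flows, brute_force_sources=5):
    """Return findings sorted by severity, highest first.

    Egress rule: a supplier host talking to a tagged IP inherits that tag's weight.
    Ingress rule: a supplier remote-access port hit by many distinct sources, or by
    sources in a high-risk ASN, is flagged as brute force / suspicious access.
    """
    egress = defaultdict(lambda: {"flows": 0, "bytes": 0})
    ingress = defaultdict(lambda: {"flows": 0, "bytes": 0, "sources": set()})
    for f in flows:
        src_sup, dst_sup = supplier_for(f["src"]), supplier_for(f["dst"])
        if src_sup and f["dst"] in THREAT_TAGS:
            agg = egress[(src_sup, f["src"], f["dst"])]
            agg["flows"] += 1
            agg["bytes"] += f["bytes"]
        if dst_sup and f["dport"] in REMOTE_ACCESS_PORTS:
            agg = ingress[(dst_sup, f["dst"], f["dport"])]
            agg["flows"] += 1
            agg["bytes"] += f["bytes"]
            agg["sources"].add(f["src"])

    findings = []
    for (sup, host, peer), agg in egress.items():
        tag, severity = THREAT_TAGS[peer]
        findings.append({"supplier": sup, "host": host, "peer": peer, "kind": tag,
                         "severity": severity, "flows": agg["flows"], "bytes": agg["bytes"]})
    for (sup, host, port), agg in ingress.items():
        risky = [s for s in agg["sources"] if lookup_prefix(s, ASN_MAP) in HIGH_RISK_ASNS]
        if len(agg["sources"]) >= brute_force_sources:
            kind, severity = "remote_access_brute_force", 70 if risky else 60
        elif risky:
            kind, severity = "remote_access_from_high_risk_asn", 50
        else:
            continue   # ordinary inbound admin traffic is not a finding on its own
        findings.append({"supplier": sup, "host": host, "peer": f"port {port}", "kind": kind,
                         "severity": severity, "flows": agg["flows"], "bytes": agg["bytes"],
                         "sources": len(agg["sources"]), "high_risk_sources": len(risky)})
    findings.sort(key=lambda x: (-x["severity"], -x["bytes"]))
    return findings


def baseline(findings):
    """Point-in-time posture per supplier: the highest severity observed."""
    worst = {}
    for finding in findings:
        worst[finding["supplier"]] = max(worst.get(finding["supplier"], 0), finding["severity"])
    return worst


if __name__ == "__main__":
    results = triage(parse_flows(SAMPLE_FLOWS))
    for r in results:
        print(f"{r['severity']:>3} {r['supplier']:<10} {r['host']} -> {r['peer']} {r['kind']}")
    print("baseline:", baseline(results))
```

Run against the constructed flows, the Cobalt Strike beaconing from the law firm's gateway sorts to the top, the RMM vendor's RDP host hammered from a high-risk ASN sits above the IoT botnet chatter, and `baseline()` collapses the findings into the per-supplier "worst observed" figure the post describes for point-in-time decisions. In practice the prefix lookups would be backed by a proper longest-prefix-match structure and the tag list by a live feed, but the triage logic stays the same.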

Types of Suppliers to Monitor

Organizations in the Fortune 500 are likely to have thousands or tens of thousands of suppliers that their cybersecurity teams are tasked with monitoring for breaches. To prioritise which suppliers cybersecurity teams should be focusing on requires making an assessment of what level of impact to the main organization it would have if a certain supplier were breached.

Over the years, there have been several notable examples of software firms being victimised by advanced persistent threat (APT) groups and ransomware operators. These firms are targeted because of the one-to-many access they provide to downstream customers who are themselves valuable to adversaries. By compromising the vendor, adversaries can gain remote access through trusted software and update channels, which makes them difficult to detect.

These campaigns have been exemplified recently by APT groups specifically targeting the firms that develop remote monitoring and management (RMM) tools. Between early 2024 and mid-2025, multiple RMM vendors were breached, including AnyDesk, TeamViewer, BeyondTrust, and ConnectWise. In their public announcements, TeamViewer and ConnectWise each assessed that they were compromised by a “sophisticated nation state threat actor.” TeamViewer attributed its breach specifically to “APT29/Midnight Blizzard,” a threat group belonging to the Russian Foreign Intelligence Service (SVR). Further, during the BeyondTrust incident, the US Treasury stated that the related breach of its systems was consistent with the tactics of Chinese state-sponsored espionage groups.

Other notable instances of technology providers being targeted and downstream customers being victimised include

  • Network monitoring solution (NMS) vendors, such as SolarWinds, which was also breached by the Russian SVR
  • Accounting software, such as M.E.Doc, which was breached by Sandworm to launch the NotPetya wiper
  • Software utilities, such as CCleaner, whose breach has been attributed to Chinese state-linked actors
  • Single Sign-On (SSO) providers, such as Okta, which was breached during the HAR files incident
  • Authentication vendors, such as Twilio, which was breached during the SMS 2FA code theft incident

These targeted intrusion campaigns against software vendors highlight the importance of monitoring such suppliers.

For years, the concept of a "single pane of glass" has been lauded as the holy grail of IT management, promising streamlined operations and enhanced visibility. However, this centralized approach, while convenient, has inadvertently created a new and critical vulnerability that cybersecurity experts are increasingly concerned about.

Cyber Insurance

Cyber Insurers are already using the above mentioned current approaches to perform analysis of customers while deciding on policies and premiums.

Organizations should be thinking about their own networks and what exposure they have in NetFlow data as other organizations can see the ingress and egress traffic as well.

Communication with C2 infrastructure from company CIDRs and ASNs will likely raise red flags as a potential sign of already being compromised.

Conclusion

Organizations can no longer wait for supply chain breaches to appear in the news before acting. Regulations such as DORA and CMMC demand proactive threat intelligence and real-time oversight of third-party infrastructure. Transitioning from reactive compliance checks to continuous external threat reconnaissance, including passive vulnerability scanning and NetFlow analysis, significantly enhances early threat detection capabilities.

“The single pane of glass is quickly becoming a single pane of risk. Threat intelligence is often used by organizations to flag potential supply chain risks for follow-up once an incident at a supplier has been detected. More organizations, however, are shifting towards proactive management of supply chains, where real-time data is shaping which suppliers are permitted to access business critical systems and data.”
Ian Thornton-Trump, CISO at Inversion 6

By embedding proactive cyber threat intelligence into supply chain risk management practices, security leaders can protect sensitive information, limit business disruptions, and maintain critical trust across their interconnected networks. The shift to predictive rather than defensive measures is now essential—not optional—for managing third-party risks effectively and complying with increasingly rigorous regulatory demands.  One Team Cymru customer, who has the world’s largest supply chain, invested in building a team focused on Threat Reconnaissance, and reaped the benefits of over $9M in cost avoidance across three years.  Beyond just the raw financial savings, they were able to help their supply chain partners become more robust, recover faster when an incident happened, and work smarter together as a team.

To succeed in today’s regulatory and threat environment, security and CTI professionals must adopt a strategic, proactive stance, ensuring organizational resilience and business continuity.

Pure Signal Recommendations

Product: RADAR (Coming Soon)

Recommendation:

  • Perform passive asset discovery to identify supplier networks
  • Identify CVEs and KEVs affecting supplier IP addresses passively, without touching supplier systems
  • Immediately pivot into Scout for more details

Product: SCOUT

Recommendation:

  • Identify network traffic related to supplier networks
  • Identify internet-facing remote access ports in supplier systems being exploited or brute forced
  • Identify communications to C2 infrastructure emanating from supplier systems 

Further Reading

For security teams in Financial Services, and not just located in the EU, read our blog about DORA and understand the challenges CTI teams face and how to start overcoming them.

Specifically for US based Government CTI Teams, there are many forms of legislation that will affect your daily operations, familiarize yourself with our blog primer on the compliance landscape.
