top of page
tcblogposts

Threat Intelligence: A CISO ROI Guide - Elite Threat Hunters Prevent Supply Chain Breaches

Updated: Jul 20, 2023

Up the Ante Against Supply Chain Attacks and Still Have Time to Save the World


Introduction


In our first post we talked about how external threat hunting with Pure Signal Recon can have a direct financial savings in terms of reducing the cost of a data breach and minimizing risk. In our second blog post we talked about how most organizations need fewer cyber threat intelligence sources than they subscribe to, it’s a good place to realize some tactical yet meaningful budget savings. Based on feedback from our Fortune 10 client, we also explored how too many CTI sources can detract from your external threat hunting program if the curated data isn’t relevant or timely.


Let’s discuss the impact Pure Signal Recon had on this Fortune 10 security organization to help them better identify security gaps and confirmed threats originating from their supply chain. Additional visibility and leveraging the right CTI data reduced the cost of compromise, with use cases such as:


  • Early identification of compromised third parties

  • Shut down of threat actor Command & Control (C2) communications in real-time

  • Blocking 24 of 30 significant events with third parties.*

  • Notifying an additional 300 compromised organizations and provided enough information to prevent or minimize damage

  • Raising the cost to attack - Continually forced bad actors to retool their infrastructure

“In the beginning of 2020, we saw a major increase in ransomware hitting our third parties. If they are compromised in any way, shape, or form, then our IR and legal teams become actively involved. They make sure that no data related to us is leaked, that [the third party’s] network is secure, and that [the third party] won’t be used as a pivot to get into our networks. There’s a time-consuming process that comes with a compromise of our third parties.” Lead security analyst

In addition, their supply chain threat hunting and monitoring efforts earned a projected cost reduction of $1,3M of net present value savings over three years.


A Mile Long Supply Chain Requires Significant Expertise to Secure


This Fortune 10 multinational national retailer has a supply chain that is expansive as it varied. While there is no doubt their supply chain serves as a strategic advantage; it can also be used as another attack vector to compromise vulnerable core applications and security gaps in infrastructure.


This is no surprise considering 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years.1


Every compromised supply chain partner incident has a significant cost in terms of cybersecurity, legal and potentially PR expertise to respond to an event, depending how far reaching the breach, and how well recognized your brand. Time is crucial to ensuring a third-party breach can’t be used to pivot into core systems. The legal & PR teams get involved to minimize the possibility of negative press and customer notification mandates.

“With Recon, we map the infrastructure being used by some ransomware groups. We block them from entering our network, monitor their infrastructures as they evolve, and

monitor potential victims such as third-party entities. When [a third party is] compromised, we identify it with Recon, then tell [the third party] how [the threat actor] got in ... and what they need to do to stop them immediately.” Lead security analyst

The case study organization typically requires at least 15 FTE security analysts or legal professionals working three days each when a partner is compromised. Using Pure Signal Recon, they were able to block 24 of 30 significant events with a third party.


Using a simple formula of $75 per hour for each FTE multiplied by 3 days each, it is easy to see how the cost of responding to supply chain compromises adds up.


High-risk third-party threat events where threat hunting team prevented compromise 24


Time that security team and lawyers are involved per third-party

compromise (hours) 15 employees x 3 days each x 8 hours per day = 360


Average hourly cost of security and legal team members Assumption $75


Cost per event $27,000 x 24 events prevented = $648,000 x 3 years = $1.4M Risk Adjusted Net Present Value


Even by downward adjusting the figures by 15% to yield a three-year risk-adjusted total point value, it still equals a cost savings of $1,3M in terms of expert resources and time.


Threat Hunting for the Greater Good: Third Party Notification and Community Collaboration Reduces ROI for Attackers


A good payoff for proactive supply chain monitoring efforts is avoiding 3rd party compromises from happening in the first place. But when your external threat hunting capabilities can benefit the broader good while making it harder for attackers to succeed; it is a great payoff.


If your organization promotes Corporate Social Responsibility (CSR) in the public domain, then the following stats are incredibly valuable to your senior stakeholders in addition to your Marketing and PR Teams, and perhaps as CISO will work wonders for your personal profile in the public domain.


This security team fought back against attacker advancements and upped the ante by notifying more than 350 other victims of similar C2 communications. With Pure Signal Recon the security team were able to map infrastructure being used by ransomware gangs, watch it evolve in real-time and notify potential victims and provide advice to stop a compromise from happening. Real-time visibility into attacker infrastructure increases the cost for attackers as C2 communications are quickly identified and blocked with Pure Signal Recon forcing attackers to retool.


The other victims of this ransomware group included non-profits, school districts, universities and even some Government agencies.


This speaks to Team Cymru’s own mission: To Save and Improve Human Lives, and we’re proud to see how this influences our customers to join us in our mission.


This type of recognition of adding value to those who need it goes a long way toward bolstering the role of a CISO and how they, along with an elite group of threat hunters, can benefit the broader community.


.

CISO Tools:


Learn more about how you can get started on the path towards reducing data breaches and utilizing real-time threat intelligence, request a free copy of the full financial analysis of Threat Reconnaissance here.


Engage your analysts directly with our Security Architects and expert practitioners via our Sales Team, starting here.


bottom of page