TacitRed: A New Weapon In War On Software Supply Chain Attacks
Any compromised link in the software supply chain can ignite widespread security breaches
In 2013, retail giant Target was hit with a massive security breach; attackers stole roughly 40 million payment card records and the personal information of up to 70 million customers, with as many as 110 million people affected in total.
Remember how the threat actors got into Target's network? They came in through a third-party vendor, a small HVAC contractor to which Target had granted network access. That contractor's lax security practices gave the intruders an entry point into Target's corporate network, an analysis by the U.S. Senate concluded.
Another high-profile incident involved SolarWinds. Hackers aligned with the Russian government compromised SolarWinds' build process and planted a backdoor in signed updates to its Orion software, updates that were then downloaded by roughly 18,000 of SolarWinds' customers.
There have been countless other examples of software supply chain attacks—the Okta security breach and the MGM casino hack are two more recent incidents.
These attacks have become more frequent and more elaborate, and they can do irreparable damage to a business's finances and reputation.
Businesses are more digitally interconnected than ever with their third-party vendors, partners, and suppliers. Off-the-shelf code and prebuilt APIs are routinely integrated into a company's infrastructure, and each of them is a potential attack vector.
These components all make up a software supply chain. If any link in that chain is compromised, widespread security breaches can happen.
In fact, new research from BlackBerry released this month shows that "more than 75 percent of software supply chains have experienced cyberattacks in the last 12 months."
While 51 percent of organizations were able to recover from a supply chain attack within a week, 40 percent took a month to recover, according to the research.
'Knowing Who You Work With'
Cogility, a tech firm known for its flagship continuous intelligence platform Cogynt, announced its new service TacitRed which it describes as a "turnkey, Software-as-a-Service (SaaS) solution that automatically maps an organization's external attack surface and monitors connections and threat activity between its digital presence, cyber adversaries, and third-party entities."
"What we've done with TacitRed is we're continuously assessing 18 million companies," said Jeremy Turner, who heads cybersecurity and risk at Cogility.
With TacitRed, customers have insight into the security posture of those 18 million companies in the U.S. that the platform monitors.
Turner said the way TacitRed operates is best pictured as a Venn diagram.
"We're on the left side. We have all the infrastructure and assets that we have been able to identify that belong to one of those 18 million companies. On the right side we have also all the threat actor infrastructure that we've been able to identify and where those two things overlap," he said.
Within that overlap, TacitRed can analyze traffic, botnet logs and "other different technical sources," Turner said.
That insight provides data on risk at the companies TacitRed monitors and alerts "if we see a malware infection, or a threat actor that's connecting to a remote access technology like Citrix NetScaler," he said.
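The overlap Turner describes is, at its core, a correlation of two sets: an inventory of which external assets belong to which company, and a set of known adversary infrastructure, joined through traffic records and botnet logs. The script below is an added illustration of that correlation and is not TacitRed's code; the asset ranges, adversary indicators, flow records and botnet log lines are all constructed for the example, and the finding categories are this example's own.

```python
"""Correlate monitored assets (the left side of the Venn diagram) with known
adversary infrastructure (the right side) using flow records and botnet logs.
Added example; not TacitRed's implementation. Every data value is constructed."""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: (external range, owning company, exposed service).
ASSETS = [
    (ipaddress.ip_network("203.0.113.0/28"), "Acme Logistics", "web"),
    (ipaddress.ip_network("203.0.113.16/32"), "Acme Logistics", "citrix-netscaler"),
    (ipaddress.ip_network("198.51.100.0/24"), "Beta HVAC", "vpn"),
]

# Constructed adversary infrastructure: IP -> label of what it has been seen doing.
THREAT_INFRA = {
    "192.0.2.77": "c2-server",
    "192.0.2.99": "credential-stuffing-source",
}

# Services where an inbound connection from adversary infrastructure matters most.
REMOTE_ACCESS = {"citrix-netscaler", "vpn", "rdp"}

# Constructed flow records: (src_ip, dst_ip, dst_port).
NETFLOW = [
    ("203.0.113.5", "192.0.2.77", 443),   # Acme web host beaconing out to a C2
    ("192.0.2.99", "203.0.113.16", 443),  # adversary hitting Acme's NetScaler
    ("203.0.113.5", "8.8.8.8", 53),       # benign DNS lookup, no finding
    ("198.51.100.9", "192.0.2.1", 443),   # destination unknown to us, no finding
]

# Constructed sinkhole/botnet log lines: "<timestamp> <bot_ip> <malware_family>".
BOTNET_LOG = """\
2024-05-01T10:00:00Z 198.51.100.9 qakbot
2024-05-01T10:05:00Z 203.0.114.7 emotet
"""


def owner(ip):
    """Return (company, service) if ip falls in a monitored range, else None."""
    addr = ipaddress.ip_address(ip)
    for net, company, service in ASSETS:
        if addr in net:
            return company, service
    return None


def correlate(netflow=NETFLOW, botnet_log=BOTNET_LOG, threat_infra=THREAT_INFRA):
    """Return the findings that sit in the overlap of the two sets."""
    findings = []
    for src, dst, port in netflow:
        src_owner, dst_owner = owner(src), owner(dst)
        if src_owner and dst in threat_infra:
            # A monitored asset initiated a connection to adversary infrastructure.
            findings.append({"company": src_owner[0], "asset": src,
                             "type": "outbound-to-adversary",
                             "detail": f"{threat_infra[dst]} at {dst}:{port}"})
        elif dst_owner and src in threat_infra:
            # Adversary infrastructure connected in; flag remote-access services loudly.
            kind = ("adversary-to-remote-access" if dst_owner[1] in REMOTE_ACCESS
                    else "adversary-inbound")
            findings.append({"company": dst_owner[0], "asset": dst, "type": kind,
                             "detail": f"{threat_infra[src]} hit {dst_owner[1]} on {port}"})
    for line in botnet_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line; skip rather than crash the run
        ts, bot_ip, family = parts
        bot_owner = owner(bot_ip)
        if bot_owner:
            # A sinkhole saw a monitored address check in as a bot: an infection.
            findings.append({"company": bot_owner[0], "asset": bot_ip,
                             "type": "malware-infection",
                             "detail": f"{family} seen {ts}"})
    return findings


def risk_by_company(findings):
    """Roll findings up into per-company counts by finding type."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in findings:
        summary[f["company"]][f["type"]] += 1
    return {company: dict(types) for company, types in summary.items()}


if __name__ == "__main__":
    found = correlate()
    for f in found:
        print(f)
    print(risk_by_company(found))
```

Addresses that are in neither set (the DNS lookup, the flow to 192.0.2.1, the emotet bot outside any monitored range) produce no finding, which is the point of the intersection: only traffic that touches both a known asset and known adversary infrastructure becomes a risk signal for the company that owns the asset.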
Ross Warren, VP of Cyber at ATRI Insurance Services, has been using TacitRed for six months at his company for a very specific purpose. ATRI underwrites cyber insurance, and TacitRed gives its underwriters insight into an insurance applicant's cyber risk.
"When you look at how cyber insurance is accomplished at the macro level, I would say everyone is using some form of an attack surface management software to look at another company to understand the exposure," Warren told MES Computing.
TacitRed, he says, provides insight on a more granular level.
With similar software "you get so much overwhelming information," Warren said. "When we get a company in, we immediately put everyone through TacitRed." He said TacitRed gives them more direct information about a company's security posture, "without a lot of jargon."
"End of the day, I'm trying to figure out whether or not this company is going to get hacked," Warren added.
Warren said there is also value for businesses not in the insurance space to use TacitRed for vetting third-party vendors, potential partners or when contemplating acquisitions.
"Knowing who you are working with is inherently critical," he said.
Is TacitRed For The Midmarket?
The midmarket "is our sweet spot," Turner said. "With the larger companies, like the Fortune 500 – most of them have very large, dedicated not just security operation teams, but also threat intelligence teams and third-party risk teams."
With limitations on headcount and budgets, Turner said that TacitRed can "add value and fill in the gaps" that midmarket companies may have in their security strategy.
"Some of the data sources that we're bringing into [TacitRed] are hundreds of thousands of dollars a year," he said. "A lot of companies in the midmarket would probably never be able to justify spending money on some of those sources."
With TacitRed, "they're getting the data that relates to their third-party risk or their first-party risk without having to make the huge spend on the data source itself or on a dedicated analyst," he said.