How to Monitor Supply Chain Risks in the Dark Web?
In today’s interconnected world, supply chain networks have become increasingly vulnerable to various risks. From cyberattacks to counterfeit products, organizations must proactively monitor potential threats to safeguard their supply chains and their bottom line.
Supply chain attacks are not new. The famous Target breach that took place in late 2013 was a supply chain breach. The threat actors gained access to Target by using credentials stolen from its HVAC provider, Fazio Mechanical Services. Since then, we’ve seen a flow of hundreds of supply chain attacks targeting different industries, from pharma to energy, finance, and more.
Although incidents like SolarWinds have played a significant role in fueling this awareness, it is only in the past few years that we have all recognized the huge impact of these risks. According to SecurityWeek, supply chain attacks increased by 742% in the last 3 years.
While various solutions are used to detect and mitigate these attacks, one emerging solution has gained more attention: dark web monitoring tools. These tools enable companies to proactively identify and address supply chain risks originating from the deep web and darknets, where illicit activities often take place.
In this post, we will explore how dark web monitoring tools can enhance supply chain risk management and show how easy it is to monitor such risks on the dark web using Lunar, Webz.io’s new dark web monitoring tool.
How to monitor supply chain risks on the dark web?
The process of monitoring supply chain risks can be done by using two models:
Model #1: TTPs monitoring
The analyst should list the TTPs (common tactics, tools, and procedures) that match the target company's vendors, specifically those vendors that have integrations or shared resources with the target company. Once such a TTP vendor risk is found, like phishing, malware, or social engineering, it should be evaluated and reported with recommendations to mitigate any possible threat.
Model #2: Third-party monitoring
Third-Party Risk Management (TPRM) is the process of analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers. For example, searching for Office 365 and detecting a recent exploit mentioned on the dark web can immediately be associated with Microsoft as a supply chain risk and translated into a risk posed to the target company using it, including a mitigation plan.
Example: Third-party risk monitoring on the dark web
Let’s take a look at an example to illustrate how we can perform third-party risk monitoring (model #2) on the dark web.
The need: The cyber analyst needs to protect Ford Motors. One of the company’s vendors is Fortinet, which provides IT & cyber security services. The software it provides includes FortiGate firewalls, FortiEDR endpoint security software, and FortiSandbox sandboxing software. This means that the analyst will look for Fortinet software vulnerabilities on the dark web as they could pose a risk to Ford Motors as a result.
To illustrate the flow, we’ll use our new dark web monitoring tool, Lunar.
How can a cyber analyst monitor supply chain risks with Lunar?
Step #1: Run a general query
The starting point would be to run a very general query such as: (fortinet OR fortigate) on Lunar.
Lunar returned many mentions (27000+), which means we’ll need to narrow them down to a manageable number of relevant results.
Step #2: Filter to get the most relevant vulnerabilities
In order to trim the long list down to relevant results related to Fortinet, we can use several powerful filters, including:
- A Risk Score greater than 7, which indicates a significant risk level
- Site Domain
Even after using them, we get too many results, so we can narrow them down by using the timeline to select recent results, which narrows the list down to 1010 documents.
Step #3: Use the CVE filter to spot specific vulnerabilities
Since 1000+ results are still a big number to analyze, we can narrow it further down by using the CVE filter to find registered vulnerabilities.
This helps us shrink the list from 1010 results to only 15 documents where threat actors mentioned CVEs. The most mentioned one, CVE-2023-27997, appears at the top of the list.
CVE-2023-27997 is a heap-based buffer overflow vulnerability [CWE-122] in FortiOS that allows unauthenticated access to a Fortinet device (RCE). This means that the severity of this vulnerability is critical, and it must be reported, with a patch and a mitigation plan, for all relevant Fortinet products that Ford Motors is using.
Clicking the CVE dynamic filter and then choosing the specific value CVE-2023-27997 will narrow down the results to 8.
Step #4: Completing the risk picture
Looking back at the 8 documents we narrowed the results down to, 7 out of 8 are from Exploit, all from the last few days. The CVE was published on June 20, 3 weeks earlier.
We can then continue the TPRM process and refine the evaluation by:
- Assessing the site domain
- Profiling the threat actors involved
- Identifying additional CVEs mentioned in relation to Fortinet
After going through these different steps, you can compile actionable steps to mitigate these risks.
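The funnel from Steps 1 to 4, sketched as an added Python example (not Webz.io's or Lunar's code): it applies the keyword, Risk Score, timeline and CVE filters to constructed records, then ranks CVEs by document count and breaks one down by site domain. The record layout, the sample posts and the placeholder ID CVE-2099-0001 are assumptions made for this example.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample records (site, published, risk score, text).
# The field layout is an assumption for this example, not Lunar's schema;
# CVE-2099-0001 is a made-up placeholder ID.
POSTS = [
    ("forum-a.example", date(2023, 7, 10), 9, "FortiGate SSL-VPN cve-2023-27997 thread"),
    ("forum-a.example", date(2023, 7, 11), 8, "fortinet CVE-2023-27997, CVE-2023-27997 again"),
    ("market-b.example", date(2023, 7, 12), 8, "Fortigate patched for CVE_2023_27997?"),
    ("market-b.example", date(2023, 7, 9), 8, "fortigate box, see CVE-2099-0001"),
    ("forum-a.example", date(2023, 7, 8), 5, "fortinet CVE-2023-27997 low-score chatter"),
    ("paste-c.example", date(2023, 3, 1), 9, "fortigate CVE-2023-27997 old thread"),
    ("forum-a.example", date(2023, 7, 10), 9, "fortinet licence keys, nothing else"),
    ("market-b.example", date(2023, 7, 12), 10, "other vendor, CVE-2099-0001"),
]

# Case-insensitive, tolerant of "_" used in place of "-" by forum posters.
CVE_RE = re.compile(r"\bCVE[-_](\d{4})[-_](\d{4,})\b", re.I)

def extract_cves(text):
    """Normalized CVE IDs in text; a set, so each document votes once per CVE."""
    return {f"CVE-{year}-{num}" for year, num in CVE_RE.findall(text)}

def triage(posts, keywords, min_risk, since):
    """Steps 1-3: keyword query, risk score and timeline filters, CVE filter."""
    kept = []
    for site, published, risk, text in posts:
        if not any(k in text.lower() for k in keywords):
            continue
        if risk <= min_risk or published < since:
            continue
        cves = extract_cves(text)
        if cves:
            kept.append({"site": site, "published": published, "cves": cves})
    return kept

def rank_cves(kept):
    """Documents per CVE, most mentioned first."""
    return Counter(c for doc in kept for c in doc["cves"]).most_common()

def by_site(kept, cve):
    """Step 4: where one CVE is being discussed, per site domain."""
    return Counter(doc["site"] for doc in kept if cve in doc["cves"])

if __name__ == "__main__":
    docs = triage(POSTS, ("fortinet", "fortigate"), 7, date(2023, 7, 1))
    print(len(docs), rank_cves(docs), by_site(docs, "CVE-2023-27997"))
```

Counting each CVE once per document keeps a single post that repeats an ID from inflating the ranking.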
How do dark web monitoring tools help?
Dark web monitoring tools, like Lunar, can help monitor supply chain risks in a number of ways, including:
- Reducing the risk of data breaches – By monitoring the dark web for mentions of suppliers’ products, services, and employees, Lunar can help to identify and mitigate risks of data breaches to any company.
- Getting a full view of emerging supply chain risks – With a simple and quick interface, a company can gain a comprehensive view of new risks in their supply chain. This helps organizations make informed decisions about how to mitigate these risks.
- Bolstering compliance with regulations – Organizations will more easily comply with regulations such as the General Data Protection Regulation (GDPR) by monitoring compromised accounts in near real-time.
With supply chain risks continuously on the rise, dark web monitoring tools play a key role in protecting against emerging threats and mitigating ongoing risks. The job of a TPRM is hard and monitoring these hidden spaces on the web is an endless task that requires simple solutions. For that reason, we have worked with cyber analysts to develop a tool to help them monitor and investigate threats on the dark web with ease.