Following a recent meeting with the procurement team of an FTSE 100 company, where we explored the significance of digital risk, I received a call immediately afterwards inviting me to meet the CPO the following day to demo our solution.
The Darkbeam platform is designed to be straightforward and user-friendly. When a user enters a company’s domain name, Darkbeam retrieves information about the company in real time from the open web (the surface web and the dark web) that is otherwise difficult, if not impossible, for the everyday business user to harvest, organises it in a logical manner, and calculates a digital risk score reflecting the company’s cyber vulnerability.
As I started demoing the solution, the CPO stopped me and asked me to review one supplier after another. He realised why his team had come to him and asked him to see the platform in action: it became clear that once this functionality was integrated into his Spend Analytics and SIM systems, his team would be able to quickly reveal the most significant threats in his supply chain.
He requested a profile of a strategic supplier, which is shown below (redacted). The report was fairly average in a number of areas, but one result caught his eye: the number of subdomains, 423.
What is a Subdomain?
A subdomain is a variation of, or forwarding address derived from, your root domain name, such as help.yourdomainname.com. A supplier’s IT department (or, in the case of small suppliers, their webmaster) usually sets up subdomains for use with third-party services such as helpdesk applications, payment portals, calendar or mail apps, or website hosting.
When a subdomain is set up, its DNS record is configured to point to the third-party service or server. The problems start when such a service is no longer used, or when the subdomain is named in a way that gives too much information away. In most cases, website owners or webmasters fail to remove the DNS entries from the domain’s settings, or use weak naming conventions. This can lead to a simple yet serious subdomain takeover attack.
The Danger of Subdomain Attacks
So how does this work in a real-life scenario? Your supplier decides to start using a third-party service, such as an external customer support ticketing service. Their IT department or webmaster allocates a subdomain, let’s say support.domainname.com, to the ticketing service. Then, as business requirements change, the supplier decides to stop using the service and cancels it, but fails to remove the subdomain’s DNS record pointing to the ticketing service.
Attackers identify that the supplier’s subdomain is offline but still points to the ticketing service. From there it is easy to sign up for the same service and claim the subdomain as their own. Because the subdomain is already set up and was previously verified, no additional verification is required for the new account the attacker creates.
The attacker then clones the supplier’s website, creates login pages and redirects users to log in on the subdomain (in some cases by emailing the supplier’s user base directly), stealing their credentials. This method can produce a large-scale data breach very quickly and causes significant reputational damage to the supplier’s data handling and security practices.
What We Found Next
On drilling into this supplier’s 423 subdomains, the first page of the report featured 4 subdomains that included the CPO’s company’s name and the application hosted on it. Having so many subdomains is not necessarily bad, but the number needs to reflect the organisation’s risk appetite. It is therefore worthwhile requesting that the supplier assess each subdomain and confirm its function.
Subdomains that are no longer required should be removed promptly. Subdomains advertising a client’s name, a server role or installed software should be renamed using internal terminology that makes their purpose less obvious to an external attacker. Otherwise it is often straightforward for hackers to ‘take over’ such subdomains and quickly gain access to a firm’s corporate networks and sensitive data.
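The audit the two sections above call for (find forwards left pointing at a cancelled service, list every third-party forward for confirmation, and flag labels that reveal a client, role or product) can be done against your own DNS zone with a short script. The following is an added example, not Darkbeam code; the zone, the vendor hostnames and the resolver answers are constructed so it runs offline, and `live_resolves` shows where a real lookup would be substituted when auditing your own records.

```python
"""Subdomain hygiene audit: flag dangling CNAMEs, third-party delegations
that need confirmation, and labels that reveal clients, roles or software.

Added example; not Darkbeam code. The zone and resolver answers below are
constructed for illustration.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample zone: subdomain -> CNAME target, or None when the name
# has its own address record rather than a forward to a third party.
SAMPLE_ZONE: Dict[str, Optional[str]] = {
    "www.supplier.example": None,
    "support.supplier.example": "supplier.helpdesk-vendor.example",
    "pay.supplier.example": "supplier.payments-vendor.example",
    "clientname-sso.supplier.example": "sso-host.idp-vendor.example",
    "old-blog.supplier.example": "supplier.blog-host.example",
}

# Constructed resolver answers for the CNAME targets: True means the target
# still resolves, False stands for NXDOMAIN (the service was cancelled but
# the supplier's DNS record was left pointing at it).
FAKE_DNS: Dict[str, bool] = {
    "supplier.helpdesk-vendor.example": False,
    "supplier.payments-vendor.example": True,
    "sso-host.idp-vendor.example": True,
    "supplier.blog-host.example": False,
}


def fake_resolves(name: str) -> bool:
    """Offline stand-in for a DNS lookup, driven by FAKE_DNS."""
    return FAKE_DNS.get(name, False)


def live_resolves(name: str) -> bool:
    """Real lookup for use against your own zone (not used by the demo)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


# Label fragments that advertise a client, a server role or installed
# software; extend with your own clients' names and product list.
REVEALING_TERMS = ("clientname", "sso", "vpn", "jenkins", "jira", "staging", "admin")


@dataclass
class Finding:
    subdomain: str
    target: Optional[str]
    severity: str   # "high" | "review" | "low"
    issue: str


def audit_zone(zone: Dict[str, Optional[str]],
               resolves: Callable[[str], bool]) -> List[Finding]:
    """Return one Finding per problem, ordered by subdomain name."""
    findings: List[Finding] = []
    for sub, target in sorted(zone.items()):
        if target is not None:
            if not resolves(target):
                # The forward is still configured but the far end is gone:
                # exactly the state that lets someone else claim the name.
                findings.append(Finding(sub, target, "high",
                                        "dangling CNAME: target does not resolve"))
            else:
                # NXDOMAIN is only the simplest signal. A target that still
                # resolves may belong to a cancelled account, so every
                # third-party forward is listed for the owner to confirm.
                findings.append(Finding(sub, target, "review",
                                        "third-party CNAME: confirm the service is still in use"))
        label = sub.split(".")[0].lower()
        hits = [t for t in REVEALING_TERMS if t in label]
        if hits:
            findings.append(Finding(sub, target, "low",
                                    f"revealing label ({', '.join(hits)}): rename"))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for the report header."""
    counts: Dict[str, int] = {"high": 0, "review": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = audit_zone(SAMPLE_ZONE, fake_resolves)
    print(summarise(results))
    for f in results:
        print(f"[{f.severity:6}] {f.subdomain} -> {f.target or '(A record)'}: {f.issue}")
```

Run against the constructed zone, the script reports two dangling forwards (support and old-blog), two live third-party forwards to confirm, and one label that names a client and a role. Feed it your real zone export and swap in `live_resolves` to get the same list for your own domain.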
The client then requested their own digital risk assessment and found that 2 SSL (Secure Sockets Layer) certificates were invalid. SSL is essential for proper authentication of a website and enables an encrypted connection. Certificates create trust with users by verifying that the websites used to make online purchases or store sensitive details are secure and legitimate. Unfortunately, certificates frequently lapse accidentally as under-resourced IT teams focus on other security tasks.
Protecting Your Supply Chain From Digital Risk
As cyberattacks and data breaches continue to top the list of challenges for procurement professionals, digital risk protection is an increasingly important part of any enterprise’s supply chain resilience strategy.
At Darkbeam, we make it simple for procurement and supply chain teams to instantly assess and compare the cyber threats and risk that suppliers present to the wider business.
To help you stay one step ahead of cyberattackers, we’re currently offering a free trial for procurement professionals. If you’d like to instantly quantify and visualise the digital risk in your supply chain, contact us at firstname.lastname@example.org to find out more.