Supply Chain Breach, or a Lack of Due Diligence?

Recent incidents have highlighted a fundamental cybersecurity issue: suppliers can often become single points of failure.

Pierre Lamy
September 30, 2025

We often hear cybersecurity media personalities talk about "shifting left, powered by AI" as the solution to ransomware and destructive attacks. Journalists often portray AI as driving these threats and facilitating every aspect of attacks. Similarly, cybersecurity incident disclosures frequently mention "sophisticated attackers." While these points have some merit, recent security incidents have highlighted a more fundamental issue: suppliers can become single points of failure. This underscores the need for cybersecurity professionals to be involved in IT solution purchasing decisions. The traditional "checkbox" and compliance-focused approach has proven insufficient – and even detrimental – to effective risk management. In this post, we discuss steps CTI professionals can take to quickly assess a vendor's cybersecurity readiness.

The first step is to ensure the CTI team participates in the vendor selection process from the beginning. Early involvement allows the team ample time to conduct a thorough assessment. While the analysis itself shouldn't take more than a day, adequate lead time is crucial to accommodate existing workloads. Work with your CISO, CTO, and CIO to integrate a CTI vendor risk analysis into the existing assessment process.

Conducting a Vendor Risk Analysis

Document every step, including the tools and queries you’ll use in this repeatable process. The following tools can be helpful (though many others exist):

  • VirusTotal: For malware, IP, and domain associations.
  • Shodan: To identify exposed services and ports.
  • Google: Utilizing Google dorks for targeted searches.
  • Anomali ThreatStream: For CTI reporting and associations related to IPs and domains in threat reports or feeds.
  • LinkedIn: To examine job postings and current employee profiles for technical details and security staffing levels.
  • SEC Edgar Database: For searching filings (10-K, 10-Q, and 8-K) from large, public companies.

Using these tools, perform some basic investigative steps:

  • Collect all domain and network details for the vendor, either from the vendor directly or through CTI research.
  • Use VirusTotal or Anomali enrichments to pivot off indicators and identify related domains and networks.
  • Search Shodan using queries like net:1.2.3.0/24 and by company name and domain. Not all systems will be hosted on the organization’s networks. See this Medium post about Shodan usage.
  • Perform Google dork searches, such as site:company.com and "company name" + filetype:pptx (and other filetypes like .ppt, .pdf, .docx, .doc, .xls, .xlsx). See Imperva's guide to Google Dorking for more examples.
  • Use Anomali to find historical CTI reporting about the company, their networks, and their domains.
  • Leverage LinkedIn to identify underlying technology and assess the size of the information security team.
  • Review the vendor’s website for information about the leadership team and, for larger vendors, the Board composition to understand the level of cybersecurity expertise.
  • Search the SEC Edgar filings database for cybersecurity-related statements within company documents.

After the CTI team has completed this research (and incorporated any additional analysis and enrichment), consider the following:

  • Does the vendor expose unnecessary ports to the internet?
  • Does the vendor expose legacy protocols?
  • Does the vendor expose vulnerable services and systems?
  • Does the vendor utilize legacy technologies and vendors, or more modern and maintained solutions?
  • Does the vendor employ modern authentication methods, such as strong app-based MFA?
  • Does the vendor support Single Sign-On (SSO)?
  • Does the vendor properly leverage HTTPS with a non-expired certificate and a reasonable lifetime?
  • Does the vendor have a historical pattern of software compromises?
  • Does the vendor expose development, QA, or UAT environments to the internet?
  • Has the vendor ever been breached, as reported publicly?
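The collection steps and the checklist questions above can be turned into a repeatable, documented check. The script below is an added example, not part of the original post or any Anomali tooling: it takes host records in a simple shape that a collection script might produce (hostname, open ports, observed HTTPS certificate dates) and reports which checklist items each host trips. The port-to-protocol table, the non-production hostname labels, the 398-day certificate-lifetime ceiling and the sample host records are all assumptions or constructed data.

```python
from datetime import datetime, timezone

# Illustrative mapping of ports to legacy/cleartext protocols (assumption).
LEGACY_PORTS = {21: "ftp", 23: "telnet", 445: "smb", 3389: "rdp", 5900: "vnc"}
# DNS labels that suggest a dev/QA/UAT environment (assumption).
NON_PROD_LABELS = {"dev", "qa", "uat", "staging", "test"}
# Assumed ceiling for a "reasonable" certificate lifetime: 398 days is the
# maximum publicly trusted CAs have issued since September 2020.
MAX_CERT_DAYS = 398

def is_non_prod(hostname):
    """True if any DNS label, trailing digits stripped, is a non-prod marker."""
    return any(label.rstrip("0123456789") in NON_PROD_LABELS
               for label in hostname.lower().split("."))

def assess_host(host, now):
    """Return the checklist findings for one collected host record."""
    findings = [f"legacy protocol {LEGACY_PORTS[p]} exposed on port {p}"
                for p in sorted(host["ports"]) if p in LEGACY_PORTS]
    if is_non_prod(host["hostname"]):
        findings.append("non-production environment exposed to the internet")
    cert = host.get("cert")
    if cert:  # only evaluated where an HTTPS certificate was observed
        if cert["not_after"] < now:
            findings.append("HTTPS certificate expired")
        lifetime = (cert["not_after"] - cert["not_before"]).days
        if lifetime > MAX_CERT_DAYS:
            findings.append(f"certificate lifetime {lifetime} days exceeds {MAX_CERT_DAYS}")
    return findings

def assess_vendor(hosts, now):
    """Map each hostname that has at least one finding to its findings."""
    report = {h["hostname"]: assess_host(h, now) for h in hosts}
    return {name: f for name, f in report.items() if f}

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample records, not output from any real scan or vendor.
SAMPLE_HOSTS = [
    {"hostname": "www.vendor.example", "ports": [443],
     "cert": {"not_before": utc(2025, 1, 1), "not_after": utc(2026, 1, 1)}},
    {"hostname": "uat2.vendor.example", "ports": [22, 23, 443],
     "cert": {"not_before": utc(2022, 6, 1), "not_after": utc(2025, 6, 1)}},
    {"hostname": "mail.vendor.example", "ports": [25, 445], "cert": None},
]

if __name__ == "__main__":
    for name, findings in assess_vendor(SAMPLE_HOSTS, utc(2025, 9, 30)).items():
        print(name, *("\n  - " + f for f in findings))
```

Keep the script, its inputs and the assessment date alongside the written findings so the analysis can be re-run when the vendor reports remediation.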

Assessing the Findings

Several factors identified in the steps above contribute to the risk assessment. Key warning signs include:

  • A lack of cybersecurity expertise at the Board and Leadership level. Organizations with a dedicated CISO (rather than a Director of X, CIO, or CTO) generally pose a lower risk. [1]
  • The absence of a CTI team and/or an Incident Response team indicates a higher risk or potential for significant impact. [2]
  • Insufficient IT and IT Security staff can severely hinder the ability to respond effectively to incidents. [3]
  • Exposing unnecessary services, vulnerable systems, legacy protocols, and outdated technologies is a significant warning sign, suggesting either a lack of expertise or a lack of awareness regarding security flaws. Any vendor response that doesn't prioritize remediation should prompt consideration of alternative solutions. Data-driven signals should be trusted more than assurances about safety and security. You wouldn’t board an aircraft or a boat with holes – why would you entrust your clients’ data to a vendor that won’t patch or secure their systems? [4]

Final Thoughts

Implementing a process based on this methodology can help identify risky vendors and those requiring closer attention. Always prioritize the business risks and potential loss of client data when selecting a vendor or conducting an acquisition.

Sources

[1] Koen Machilsen, Edwin Haedens. 2024. Why cybersecurity should be a board priority. June 24. https://www.ey.com/en_be/insights/cybersecurity/why-cybersecurity-should-be-a-board-priority.

[2] SANS Institute. 2024. The Importance of Cyber Threat Intelligence: Insights from Recent Nobelium Attacks. June 28. https://www.sans.org/blog/the-importance-of-cyber-threat-intelligence-insights-from-recent-nobelium-attacks.

[3] National Institute of Standards and Technology. 2025. Computer Security Incident Handling Guide, Section 2.4.3. April 3. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf.

[4] Bronson Consulting Group. 2025. The Hidden Costs of Ignoring Legacy Data Systems in Government. August 12. https://bronson.ca/the-hidden-costs-of-legacy-systems/.

Pierre Lamy

With more than 20 years of experience, Pierre has built and led cyber threat intelligence, incident response, and security operations programs across financial services, global enterprises, and industry trust groups. Previously, he served as Global Head of Threat Intelligence at S&P Global, where he built and scaled an enterprise intelligence program and incident response capability. His earlier roles include leadership positions at Flashpoint and FS-ISAC, as well as securing global enterprises through his work at Check Point and Nokia. He has also contributed to industry standards, co-authoring ISAO’s framework on cybersecurity analysis.
