Supply Chain Breach, or a Lack of Due Diligence?

Recent incidents have highlighted a fundamental cybersecurity issue: suppliers can often become single points of failure.
Published on
September 30, 2025

We often hear cybersecurity media personalities talk about "shifting left, powered by AI" as the solution to ransomware and destructive attacks. Journalists often portray AI as driving these threats and facilitating every aspect of attacks. Similarly, cybersecurity incident disclosures frequently mention "sophisticated attackers." While these points have some merit, recent security incidents have highlighted a more fundamental issue: suppliers can become single points of failure. This underscores the need for cybersecurity professionals to be involved in IT solution purchasing decisions. The traditional "checkbox" and compliance-focused approach has proven insufficient – and even detrimental – to effective risk management. In this post, we discuss steps CTI professionals can take to quickly assess a vendor's cybersecurity readiness.

The first step is to ensure the CTI team participates in the vendor selection process from the beginning. Early involvement allows the team ample time to conduct a thorough assessment. While the analysis itself shouldn't take more than a day, adequate lead time is crucial to accommodate existing workloads. Work with your CISO, CTO, and CIO to integrate a CTI vendor risk analysis into the existing assessment process.

Conducting a Vendor Risk Analysis

Document every step, including the tools and queries you’ll use in this repeatable process. The following tools can be helpful (though many others exist):

  • VirusTotal: For malware, IP, and domain associations.
  • Shodan: To identify exposed services and ports.
  • Google: Utilizing Google dorks for targeted searches.
  • Anomali ThreatStream: For CTI reporting and associations related to IPs and domains in threat reports or feeds.
  • LinkedIn: To examine job postings and current employee profiles for technical details and security staffing levels.
  • SEC Edgar Database: For searching filings (10-K, 10-Q, and 8-K) from large, public companies.

Using these tools, perform some basic investigative steps:

  • Collect all domain and network details for the vendor or through CTI research.
  • Use VirusTotal or Anomali enrichments to pivot off indicators and identify related domains and networks.
  • Search Shodan using queries like net:1.2.3.0/24 and by company name and domain. Not all systems will be hosted on the organization’s networks. See this Medium post about Shodan usage.
  • Perform Google dork searches, such as site:company.com and "company name" + filetype:pptx (and other filetypes like .ppt, .pdf, .docx, .doc, .xls, .xlsx). See Imperva's guide to Google Dorking for more examples.
  • Use Anomali to find historical CTI reporting about the company, their networks, and their domains.
  • Leverage LinkedIn to identify underlying technology and assess the size of the information security team.
  • Review the vendor’s website for information about the leadership team and, for larger vendors, the Board composition to understand the level of cybersecurity expertise.
  • Search the SEC Edgar filings database for cybersecurity-related statements within company documents.

After the CTI team has completed this research (and incorporated any additional analysis and enrichment), consider the following:

  • Does the vendor expose unnecessary ports to the internet?
  • Does the vendor expose legacy protocols?
  • Does the vendor expose vulnerable services and systems?
  • Does the vendor utilize legacy technologies and vendors, or more modern and maintained solutions?
  • Does the vendor employ modern authentication methods, such as strong app-based MFA?
  • Does the vendor support Single Sign-On (SSO)?
  • Does the vendor properly leverage HTTPS with a non-expired certificate and a reasonable lifetime?
  • Does the vendor have a historical pattern of software compromises?
  • Does the vendor expose development, QA, or UAT environments to the internet?
  • Has the vendor ever been breached, as reported publicly?
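As an added example (not part of the original post or Anomali's tooling), the script below scores a vendor's collected external exposure against several of the checklist questions above: legacy or risky services, internet-facing dev/QA/UAT hosts, and expired HTTPS certificates. The host records are a constructed sample in a Shodan-like shape; the field names, port list and severity weights are assumptions for illustration.

```python
from datetime import datetime, timezone

# Assumed list of services that should rarely face the internet for a vendor.
LEGACY_OR_RISKY_PORTS = {
    21: "FTP (cleartext)", 23: "Telnet (cleartext)", 445: "SMB",
    3389: "RDP", 1433: "MSSQL", 3306: "MySQL", 5900: "VNC",
}
# Hostname labels that usually mark non-production environments (assumption).
NON_PROD_MARKERS = ("dev", "qa", "uat", "staging", "test")

# Constructed sample data: one record per host, as a CTI analyst might
# assemble it from Shodan/VirusTotal pivots. Not real hosts.
SAMPLE_HOSTS = [
    {"hostname": "www.vendor.example", "ports": [443],
     "cert_not_after": "2026-06-01T00:00:00Z"},
    {"hostname": "uat.vendor.example", "ports": [443, 3389],
     "cert_not_after": "2025-01-15T00:00:00Z"},
    {"hostname": "files.vendor.example", "ports": [21, 22]},
]

def assess_host(host, now):
    """Return a list of (severity, finding) tuples for one host record."""
    findings = []
    name = host.get("hostname", "")
    label = name.split(".")[0]
    # Checklist: development, QA or UAT environments exposed to the internet.
    if any(label == m or label.startswith(m + "-") for m in NON_PROD_MARKERS):
        findings.append(("medium", f"{name}: non-production host is internet-facing"))
    # Checklist: unnecessary ports, legacy protocols, remote-access services.
    for port in host.get("ports", []):
        if port in LEGACY_OR_RISKY_PORTS:
            findings.append(("high", f"{name}: {LEGACY_OR_RISKY_PORTS[port]} on port {port}"))
    # Checklist: HTTPS with a non-expired certificate.
    exp = host.get("cert_not_after")
    if 443 in host.get("ports", []) and exp:
        expires = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expires < now:
            findings.append(("high", f"{name}: TLS certificate expired on {exp}"))
    return findings

def assess_vendor(hosts, now=None):
    """Aggregate findings across hosts into a simple weighted exposure score."""
    now = now or datetime.now(timezone.utc)
    findings = [f for h in hosts for f in assess_host(h, now)]
    score = sum(3 if sev == "high" else 1 for sev, _ in findings)
    return {"score": score, "findings": findings}

if __name__ == "__main__":
    for sev, msg in assess_vendor(SAMPLE_HOSTS)["findings"]:
        print(f"[{sev}] {msg}")
```

The score is only a triage aid to rank vendors for closer review; the questions on authentication, SSO, staffing and breach history still need the analyst's judgement.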

Assessing the Findings

Several factors identified in the steps above can contribute to risk assessment. Key warning signs include:

  • A lack of cybersecurity expertise at the Board and Leadership level. Organizations with a dedicated CISO (rather than a Director of X, CIO, or CTO) generally pose a lower risk. [1]
  • The absence of a CTI team and/or an Incident Response team indicates a higher risk or potential for significant impact. [2]
  • Insufficient IT and IT Security staff can severely hinder the ability to respond effectively to incidents. [3]
  • Exposing unnecessary services, vulnerable systems, legacy protocols, and outdated technologies are significant warning signs, suggesting either a lack of expertise or a lack of awareness regarding security flaws. Any vendor response that doesn't prioritize remediation should prompt consideration of alternative solutions. Data-driven signals should be trusted more than assurances about safety and security. You wouldn’t board an aircraft or a boat with holes – why would you entrust your clients’ data to a vendor that won’t patch or secure their systems? [4]

Final Thoughts

Implementing a process based on this methodology can help identify risky vendors and those requiring closer attention. Always prioritize the business risks and potential loss of client data when selecting a vendor or conducting an acquisition.

Sources

[1] Koen Machilsen and Edwin Haedens. 2024. Why cybersecurity should be a board priority. June 24. https://www.ey.com/en_be/insights/cybersecurity/why-cybersecurity-should-be-a-board-priority.

[2] SANS Institute. 2024. The Importance of Cyber Threat Intelligence: Insights from Recent Nobelium Attacks. June 28. https://www.sans.org/blog/the-importance-of-cyber-threat-intelligence-insights-from-recent-nobelium-attacks.

[3] National Institute of Standards and Technology. 2025. Computer Security Incident Handling Guide, Section 2.4.3. April 3. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf.

[4] Bronson Consulting Group. 2025. The Hidden Costs of Ignoring Legacy Data Systems in Government. August 12. https://bronson.ca/the-hidden-costs-of-legacy-systems/.
