Ripples Across the ATT&CK Surface
Partner: RiskRecon by Mastercard
A modern organization’s security posture is no longer defined solely by its own perimeter; it is inextricably linked to the practices of its third-party partners and the broader supply chain. This third edition of the “Ripples” series analyzes multi-party security incidents—which we call “ripple events”—where a single breach propagates to impact dozens or hundreds of downstream firms. By investigating nearly 900 historical ripples, this study identifies the specific adversary techniques that drive these systemic cascades.
The data confirms that multi-party incidents are far more damaging than isolated ones, typically costing seven times more than a single-party event. System intrusions stand out as the most precarious threat pattern, associated with 90% of all financial losses in the ripple corpus. The report also exposes the “Symmetric Imbalance” of human risk: while insider malice gets the headlines, accidental disclosures are twice as common and 800 times more expensive.
The research utilizes the MITRE ATT&CK framework to map exactly how these ripples occur, from initial access to data exfiltration. It highlights the dominance of “Valid Accounts” as an entry vector, proving that once an attacker gains trusted credentials, they are on the fast track to spreading across the supply chain. This study provides the actuarial baseline needed for risk managers to build a truly resilient ecosystem.
Key Findings
- The 7X Cost Multiplier: Multi-party security incidents are typically seven times more costly than standard single-party events.
- 90% Loss Concentration: System intrusions are the dominant threat pattern, accounting for 90% of all recorded financial losses in multi-party events.
- Valid Account Dominance: Targeting valid user accounts is the most common initial access technique, appearing in 38% of all analyzed ripple events.
- The 800X Mistake Tax: Ripple events resulting from unintentional insider mistakes are 800 times costlier than those involving deliberate insider malice.
- Obfuscation and Loss Link: The use of malicious code injection and obfuscation was associated with 100% of reported financial losses in this study.
- The 7-to-1 Receiver Ratio: For every organization that generates a ripple event, an average of seven downstream firms suffer repercussions.

A collaborative research project between RiskRecon and Cyentia Institute. The analysis utilized the Zywave Cyber Loss dataset containing over 130,000 publicly verifiable cyber events, identifying 830 incidents that impacted 5,820 downstream organizations.