Transforming Third-Party Risk Management with Threat Intelligence
Traditionally, the primary mechanism for managing cyber supply chain risk has been preventative measures. Due diligence review of a new vendor or supplier requires the completion of a lengthy questionnaire, validation of the security controls declared within the questionnaire, evaluation of third-party attestations, and extensive back-and-forth communication with key stakeholders. These efforts often take a blanket approach, evaluating all vendors in the same way regardless of the context of the business services being provided. The process is cumbersome, lacks scalability, and is difficult to align and enforce across the entire vendor acquisition process.
The primary goal of this evaluation is to prevent engagement with any vendor or service provider that is likely to experience a cyber event of some kind, usually meaning a breach. Of course, the goal of avoidance is good and admirable. Cyber breaches, particularly for those vendors who are operationally critical or who process data, have the potential to create massive financial losses, legal implications, impacts to brand reputation, and, ultimately, losses in competitive advantage. Organizations can and should continue to attempt to avoid breach events as much as possible.
While prevention is good, the ultimate reality is that prevention has proven to be virtually impossible. By almost every cyber attack metric available, the frequency of third-party based cyber attacks has continued to rise at a meteoric rate. Recorded Future’s Insikt Group reported that the ransomware gang Cl0p likely made between $75 and $100 million as part of the MOVEit attack, indicating that these types of supply chain attacks will continue into 2024 and beyond. Many of the victims are organizations with best-in-breed cyber security programs that would have sailed through any evaluation as part of vendor onboarding. The incentives for threat actors to continue their efforts, financial or otherwise, ensure that they keep finding ways to compromise their targets.
Third-party and supply chain based cyber attacks become increasingly attractive because the compromise of one third party is a likely entry point to multiple end victims, MOVEit being a prime example of this dynamic. Additionally, as larger, more mature organizations have continued to harden their own defenses, third-party organizations and providers with less developed defenses and built-in organizational trust become increasingly viable as the starting point of a major compromise or attack.
A threat intelligence approach to third-party risk management increases scalability and overall resilience. This kind of approach accomplishes a few key outcomes.
Threat Intelligence informs more specific risks
A well-informed cyber risk identification and quantification framework requires that threats, vulnerabilities, and business context be identified in the risk assessment process. While it’s tempting to flag leaked or exposed credentials as a risk, they are more properly identified as a vulnerability. A threat intelligence-led approach escalates the threat of a leaked credential when the following criteria are met: the credential comes from stealerware logs, the compromise date falls within the password reset policy window, and either the credential has access to privileged systems or the vendor processes confidential information. In this framework, the risk is rightly identified as a potential compromise of data confidentiality. The insight into the specific password stealer ensures that remediation efforts and conversations with the vendor go immediately to action rather than quibbling over the validity of the finding.
In another scenario, a current approach might be to provide a vendor with a list of publicly exposed CVEs and the assets affected. While this can be helpful from a compliance perspective, a threat intelligence-led approach does not report on every vulnerability but rather on those that are known to have been exploited or are highly likely to be exploited in the future; this type of insight extends beyond looking at CVSS alone. In this example, the remediation of these findings can be coupled with a vendor’s patch management and network segmentation policies, with remediation focusing on the exploitability of the vulnerabilities and the criticality of the affected assets.
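The escalation criteria for leaked credentials above and the exploitation-led ordering of vulnerabilities can both be expressed as simple triage rules. The following is an added illustration, not Recorded Future's code or product logic; the record fields, vendor attributes and sample values (including the CVE placeholders) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed record shapes; field names are assumptions, not a product's schema.
@dataclass
class LeakedCredential:
    vendor: str
    source: str            # e.g. "stealer_log", "combolist", "paste"
    compromised_on: date
    privileged_access: bool

@dataclass
class Vendor:
    name: str
    password_reset_days: int          # the vendor's password reset policy window
    processes_confidential_data: bool

def escalate_credential(cred, vendor, today):
    """Apply the three criteria from the text. Returns (escalate, reasons)."""
    if cred.source != "stealer_log":
        return False, ["not from stealerware logs"]
    age = (today - cred.compromised_on).days
    if age > vendor.password_reset_days:
        # Older than the reset window: the password has likely been rotated already.
        return False, [f"compromise is {age}d old, outside {vendor.password_reset_days}d reset window"]
    reasons = []
    if cred.privileged_access:
        reasons.append("privileged system access")
    if vendor.processes_confidential_data:
        reasons.append("vendor processes confidential information")
    if not reasons:
        return False, ["no privileged access and no confidential data"]
    # Risk statement: potential compromise of data confidentiality.
    return True, reasons

@dataclass
class Vulnerability:
    cve: str               # placeholder ids in tests; not real CVE numbers
    cvss: float
    exploited_in_wild: bool
    asset_critical: bool

def prioritize_vulns(vulns):
    """Exploitation-led ordering: known-exploited first, then critical assets, then CVSS."""
    return sorted(vulns, key=lambda v: (not v.exploited_in_wild, not v.asset_critical, -v.cvss))
```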
Threat Intelligence detects early signs of compromise
This kind of approach accounts for the nature of the cyber crime ecosystem and the various motivations and tactics of threat actors, and creates alerting and notification schemes aligned with an organization’s risk appetite. A threat intelligence-led approach is able to capture not only reported cyber attacks and breaches, but also instances where initial access is likely to be obtained or sold. Visibility into these findings requires a significant level of network intelligence and coverage of command and control infrastructure, as well as linkages to the threat actors likely to take advantage of these compromises. Additionally, detection of database or access brokerage on underground forums or criminal marketplaces ensures that organizations are not dependent on their vendors being aware that a compromise has occurred, or on their reporting it promptly if it is known.
Threat Intelligence scales the ability of companies to respond
The average company or organization has well into the thousands of third-party vendors and suppliers. These third parties include technology providers, business services and staff augmentation, manufacturing, logistics, and, in many circumstances, joint venture partners and customers. The third-party attack surface is extensive and expanding; threat intelligence ensures that events affecting any of these third parties are identified and alerted on with detailed context, even if that vendor did not receive a full review prior to onboarding. Because threat intelligence works in the context of the business relationship, the key events that actually represent risk can be defined, monitored, and alerted on at scale, ensuring organizational resources are deployed efficiently and effectively.
Combined, these three outcomes have the potential to create an increased level of resilience across the supply chain. Organizations are then equipped to continue to realize the business benefit of enabling key vendors and partners without suffering an undue risk to operational or financial loss. To learn more about how organizations are enhancing their supply chain resilience through an intelligence-driven approach to cyber risk management, request a demo of Recorded Future’s Supply Chain solution today.