Are your Vendors & Partners Acting as Vulnerabilities in your Attack Surface?

Risk can be introduced to an environment in many ways. Defending against cybercriminals, malicious insiders, and simple mistakes is just one of the objectives of good security. And while most organizations understand the need to secure their own systems, practice proper cyber hygiene, craft and enforce strong processes, and apply advanced security technologies, many only apply that level of rigor within their own network perimeter. Unfortunately, that is only part of the equation.

Your attack surface extends far beyond your own facilities, and while these areas may not be directly in your sight, they require the same amount of cybersecurity attention. Ransomware operators can enter your environment through the open channels that your vendors provide:
  • 59% of data breaches today come through third-party vendors. (BusinessWire)
  • Only 16% of companies mitigate supply chain risk. (BusinessWire)

With the majority of data breaches today coming through third-party vendors (BusinessWire), CISOs need to keep these inherited risks squarely in their sights. The traditional approach to supply chain risk assessment takes the form of a vendor security questionnaire that CISOs ask their critical vendors to complete, usually before contracting their services and then again annually. But this approach leaves much unaccounted for. If security programs worldwide leverage intelligence to counter their direct adversaries, shouldn't a similar approach be adopted to counter indirect adversaries?

Related Reading - A Zero Trust Network Architecture (ZTNA) POV with Appgate


Treating Third-Parties as an Adversary

Every organization has third-party vendors with whom it must interact as part of day-to-day business operations. The nature of that vendor relationship determines the overall level of risk that might arise from a third-party security issue. Some vendor relationships require the sharing of sensitive data, while others require persistent connectivity and privileged accounts into the environment (e.g., a Managed Service Provider).

It is understood that these relationships are necessary for the business to operate. It must also be understood that they are risks that must be managed.

A security incident at a critical vendor can very quickly devastate an organization; therefore, intelligence-based techniques similar to other forms of threat detection are vital to making informed risk-based decisions.

In the case of the recent Kaseya ransomware attack, REvil leveraged the fact that Managed Service Providers nearly always have persistent access to their customers and highly privileged accounts within their customer environments. Targeting these organizations allowed REvil to compromise over 1,000 organizations through a single operation, yielding a highly profitable ransomware campaign.

That’s why it’s important to think of any third party that has a connection to your environment as a potential weakness in your attack surface that threat actors could use.


Shoring up your defenses against supply chain risk

Shoring up your defenses requires a strong cybersecurity strategy internally and collaboration with partners in your supply chain externally:
  • Assess each third party's risk before you begin work with them by gathering intelligence on their attack surface, and consider how it affects yours.

  • Define security standards your vendors must comply with, especially those with persistent connections into your environment.

  • Continuously monitor your vendors' attack surfaces and work with them to help improve their cybersecurity.

  • Require multi-factor authentication for vendor log-ins.

  • Put contractual terms in place that limit how your data may be used and who may have knowledge of it.

Maintaining a healthy and trusting relationship while implementing a Zero Trust Network Architecture

  • Treating partners and vendors as adversaries does not necessarily mean restricting your relationships.

  • Collaboration produces reciprocal best practices in your supply chain risk management and lowers the risk of attack for all your partners.

Assess and watch over your data by closing any points of entry within your supply chain

  • Manage Data Sharing - Require your supply chain to perform regular vulnerability scans, annual penetration tests, security assessments, and security accreditations.

  • Ensure Cloud Security - Cloud storage and file-sharing services become security issues when they are mismanaged or misunderstood. Run full scans of these cloud environments and ensure there are no openings for attack.

  • Secure IoT - IoT devices can be a security liability as well if not properly configured and secured. Attackers target these devices to gain visibility into an organization's internal operations and databases, or even to feed false information to the company.

  • API Security - Direct communications with "trusted" parties may not be configured with security in mind. Communications may not be encrypted, or may have inadequate mechanisms for authenticating the remote party.

Related Reading: Attack Surface Management Vs. Vulnerability Management


Gathering Vendor Intelligence to Find Out If Your Third-Party Partner Is a Target

Tip #1 - Gather threat intel and see your third-party vendor through the lens of a potential attacker.

Threat intelligence is a must-have in any modern threat detection and response organization. By applying intelligence-gathering techniques, we can capture perspectives on the actual risk within our vendor ecosystem and use those perspectives to manage supply chain risk.

Open Source Intelligence (OSINT) is intelligence gathered from publicly available sources. It can be viewed as the set of information that anyone in the world, including threat actors, can learn about a subject should they care to do so. The subject of OSINT could be a threat actor, an IP address, a person, an organization, and more. OSINT can reveal a vendor's attack surface, including potential weaknesses that a threat actor may leverage.

Sophisticated cybercriminals, ransomware operators, and nation-state actors all leverage OSINT to profile their targets. By applying OSINT ourselves, we begin seeing our vendor ecosystem through the eyes of an attacker. OSINT typically cannot see beyond a firewall into an organization's internal structure, but it does allow us to extrapolate from what we can see to form hypotheses about what we cannot.

So, what should you be looking for when gathering OSINT? For example, observing a Microsoft Remote Desktop port open to the Internet, or an outdated VPN server on a vendor's network edge (two of the favorite weaknesses of access brokers and ransomware operators), tells us that a particular area of the network is not adequately protected. From that insight, we can extrapolate that this organization likely also suffers from similar, or worse, internal hygiene weaknesses in areas that OSINT cannot see.


Tip #2 - Go beyond OSINT and public intelligence.

Continuous monitoring enables you to influence the cybersecurity hygiene practiced by your vendors, driving them to comply with your security standards and ultimately helping your vendors protect both themselves and your organization.

Taken one step further, blending Signals Intelligence (SIGINT) into our vendor intelligence program can produce highly actionable information that can help avert a disastrous incident. SIGINT is intelligence gathered from electronic signals and can take various forms, including intercepted communications, traffic analysis, and more.

While commonly used by military organizations worldwide, this form of intelligence gathering may be more difficult for the typical commercial organization, which lacks the required tools and expertise unless it works with a partner like Avertium who can enable this for them.


SIGINT

In this application of SIGINT, we utilize threat actor communications intercepted from botnets, underground forums, dark web sources, and others.

[Figure: a script running in PowerShell 2.x (native tools) reporting the "foobar" codified signal, which indicates that the firewall service is up and running. The script is also set to send the "woot" codified signal when the firewall service stops running.]

Blending OSINT and SIGINT allows you to take the information derived from OSINT (e.g., your vendor's IP space) and correlate it against threat actor communications. Any overlap between the two datasets should be treated as a high-fidelity alert that must be actioned, typically by providing the vendor with details of the observation and a recommendation for mitigating what could be an impending critical risk. If the risk is serious enough, action should be taken to restrict that vendor's access to your environment until the situation is resolved.
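The OSINT/SIGINT overlap described above, as an added example that is not from the original post or any Avertium tooling: vendor IP space learned from OSINT is intersected with IP indicators extracted from intercepted threat actor communications, and every hit is raised as a vendor-attributed alert. The vendor names, CIDR ranges and the pipe-delimited feed are constructed sample data (documentation address ranges), and the feed format is an assumption for the example.

```python
import ipaddress
from dataclasses import dataclass

# Vendor IP space as learned from OSINT (constructed sample values, not real vendors).
VENDOR_IP_SPACE = {
    "Vendor A (MSP)": ["203.0.113.0/24"],
    "Vendor B (SaaS)": ["198.51.100.0/25", "2001:db8:10::/48"],
}

# Indicators extracted from intercepted threat actor communications.
# Constructed sample lines in an assumed "source|indicator|context" format.
SIGINT_FEED = """\
forum-dump|203.0.113.45|host listed in an access-broker offering
botnet-c2|192.0.2.77|bot check-in from an unrelated host
forum-dump|198.51.100.12|vpn appliance named as an access target
botnet-c2|2001:db8:10::1f|beacon from an infected host
"""

@dataclass
class Alert:
    vendor: str
    indicator: str
    source: str
    context: str

def parse_feed(text):
    """Split the feed into (source, indicator, context) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, indicator, context = line.split("|", 2)
        rows.append((source.strip(), indicator.strip(), context.strip()))
    return rows

def correlate(vendor_space, feed_text):
    """Return one Alert per feed indicator that falls inside a vendor's IP space."""
    networks = {v: [ipaddress.ip_network(c) for c in cidrs] for v, cidrs in vendor_space.items()}
    alerts = []
    for source, indicator, context in parse_feed(feed_text):
        try:
            addr = ipaddress.ip_address(indicator)
        except ValueError:
            continue  # not an IP indicator (e.g. a domain); out of scope here
        for vendor, nets in networks.items():
            if any(addr in n for n in nets):
                alerts.append(Alert(vendor, indicator, source, context))
    return alerts

if __name__ == "__main__":
    for a in correlate(VENDOR_IP_SPACE, SIGINT_FEED):
        print(f"HIGH-FIDELITY: {a.vendor} <- {a.indicator} ({a.source}): {a.context}")
```

Each alert carries the vendor it maps to, so the notification step the post describes can be driven directly from the result.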


Use Case: Third-Party Risk within Healthcare Vendor Supply Chain

Cyber attacks on healthcare are at an all-time high. Hospitals and other healthcare organizations hold not only information on each of their patients but also the data they have accumulated from their expansive supply chains. In addition, many of these healthcare facilities have not placed an emphasis on cybersecurity, making them prime targets for threat actors. For these reasons, it has never been more important to ensure healthcare organizations are aware of their attack surface and know how to manage it.

Thousands of facilities could be attacked through one compromised Group Purchasing Organization (GPO). Assisting hospitals with goods procurement across the board, GPOs require unparalleled access to the systems of hundreds, if not thousands, of their partner facilities. As a result, the supply chain risks are extremely varied. For daily operations, hospitals also hire multitudes of contractors and vendors, which further complicates and expands the attack surface and third-party risk.

Healthcare leaders and their respective supply chain vendors must collaborate to strengthen defenses and prevent future breaches within the healthcare supply chain.


If your organization doesn't know where to start for supply chain risk management, then check our latest blog: Avertium and BlackKite Announce Strategic Partnership in New Approach to Attack Surface Monitoring