In my recent blog on the Top Four Threat Intelligence Tools Your Security Team Needs, I highlighted that Third-Party Intelligence was a top tool. Let’s drill down on this and explore the different forms of Third-Party Intelligence and how each can complement your threat intelligence strategy and help you mitigate and manage third-party risk.
The past years’ notable breaches originating from supply-chain compromises have become unintended household names: SolarWinds, Colonial Pipeline, JBS... the list goes on. The REvil ransomware attack against Kaseya’s remote monitoring solution alone impacted an estimated 800 to 1500 downstream businesses. According to ZeroFox’s Quarterly Threat Landscape Review Q2 2021, ransomware has risen 50% in the last quarter and even more throughout the pandemic. Ransomware attackers often target supply chain ecosystems to maximize attack surface and opportunity for payout. The SolarWinds Orion breach demonstrated how a carefully planned attack could compromise over 18,000 organizations both in the US and worldwide, providing all the proof we need. More recently, news of Russian hackers targeting an Iowa grain co-op created even further concern about large-scale supply chain attacks.
What is Third-Party Intelligence? How Does it Aid a Third-Party Risk Management (TPRM) Practice?
Third-party intelligence can consist of any or all of the following intelligence types:
- Periodic risk assessment of the digital exposures of providers in your supply chain ecosystem. A third-party risk assessment may turn up vulnerability intelligence within your vendor ecosystem that neither party (you or your supplier) was aware of. While not an exhaustive TPRM practice alone, an annual or semi-annual risk assessment can establish the baseline exposures and risks an organization must address within its cybersecurity program.
- Regular monitoring of emerging attack plans in criminal underground forums targeting you or your partners. Targeted phish kit development or advertisement is of particular interest here, as this intelligence affords an opportunity to intervene early in the kill chain (possibly by acquiring exploit kits and taking them off the market) and prevent the execution of a phishing campaign that can lead to compromise. Having visibility into the dark web is crucial to discovering threats early.
- Detection and continuous monitoring of supply chain digital footprint consisting of brands and supporting elements. In the past 12 months, ZeroFox has observed a 300% increase in ransomware attacks, which are often incurred by spoofed domains or phishing scams impersonating brands. Security teams that monitor their holistic attack surface for fraudulent domains that mimic trusted brand names and images are more equipped to tackle and neutralize threats that can lead to a major ransomware attack. The Forrester Wave: External Threat Intelligence Services, Q1 2021 advocates Brand Threat Intelligence as the tool that everyone needs because – ‘regardless of enterprise size, every organization has a brand and customers to protect.’
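The brand-monitoring step above boils down to triaging a feed of newly observed domains against a map of the brands you and your suppliers own. The following is an added illustration, not ZeroFox code or any part of the ZeroFox Platform: it folds common confusable characters (digit/letter swaps, a few Cyrillic look-alikes, punycode labels), then flags a domain when its registrable label equals a protected brand after folding, embeds a brand, or sits within a small edit distance of one. The brand list, owned-domain set, confusable table, edit-distance threshold and sample feed are all constructed placeholders; the registrable-label logic is simplified (no public suffix list).

```python
"""Lookalike-domain triage for a brand footprint map (added example, not ZeroFox code)."""
import unicodedata
from typing import Dict, List, Optional

# Constructed footprint map: brand names to protect and domains known to be legitimately owned.
# All values are hypothetical placeholders.
BRANDS = ["acmebank", "acme-corp", "northwind"]
OWNED_DOMAINS = {"acmebank.com", "acme-corp.com", "northwind.net"}

# Coarse confusable folding: ASCII substitutions plus a handful of Cyrillic letters that render
# identically to Latin ones. A production feed would use a full Unicode confusables table.
# The folding deliberately over-approximates (e.g. "rn" -> "m") to favour recall over precision.
ASCII_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "rn": "m", "vv": "w"}
CYRILLIC_CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
                        "\u0440": "p", "\u0441": "c", "\u0445": "x"}

TYPO_DISTANCE = 2  # assumed edit-distance threshold for calling a label a typosquat


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD, decoding punycode if present.

    Simplification: no public-suffix list, so "example.co.uk" yields "co"."""
    parts = domain.strip().lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw label rather than crash the scan
    return label


def fold_confusables(label: str) -> str:
    """Map visually confusable characters and digraphs onto their Latin ASCII targets."""
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    for src, dst in CYRILLIC_CONFUSABLES.items():
        label = label.replace(src, dst)
    for src, dst in ASCII_CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b)) with two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> Optional[Dict[str, object]]:
    """Return a finding for a suspicious domain, or None if it is owned or unrelated."""
    domain = domain.strip().lower().rstrip(".")
    if domain in OWNED_DOMAINS:
        return None
    raw = registrable_label(domain)
    folded = fold_confusables(raw)
    best: Optional[Dict[str, object]] = None
    best_d = TYPO_DISTANCE + 1
    for brand in BRANDS:
        if folded == brand:
            # Exact brand on a domain we do not own: either a TLD we never registered,
            # or a homoglyph/digit swap that folds back onto the brand.
            reason = "other-tld" if raw == brand else "homoglyph"
            return {"domain": domain, "brand": brand, "reason": reason, "distance": 0}
        if brand in folded:
            return {"domain": domain, "brand": brand, "reason": "embedded-brand", "distance": 0}
        d = levenshtein(folded, brand)
        if d <= TYPO_DISTANCE and d < best_d:
            best_d = d
            best = {"domain": domain, "brand": brand, "reason": "typosquat", "distance": d}
    return best


def scan(domains: List[str]) -> List[Dict[str, object]]:
    """Triage a feed of newly observed domains against the footprint map."""
    return [f for f in (classify_domain(d) for d in domains) if f is not None]


# Constructed sample feed (e.g. new registrations or certificate-transparency hits); not real data.
SAMPLE_FEED = [
    "acmebank.com",               # owned, ignored
    "acrnebank.com",              # "rn" renders like "m"
    "acmebanc.com",               # one-character typo
    "acmebank-secure-login.net",  # brand embedded in a longer label
    "\u0430cmebank.com",          # leading Cyrillic "a"
    "northwind.io",               # exact brand on a TLD the organisation does not own
    "example.org",                # unrelated
]

if __name__ == "__main__":
    for f in scan(SAMPLE_FEED):
        print(f"{f['domain']:<28} {f['reason']:<15} brand={f['brand']} d={f['distance']}")
```

Run stand-alone it prints five findings from the seven sample domains. In practice the feed would come from certificate transparency logs or new-registration data, the footprint map would include supplier brands as well as your own, and each finding would be routed to the takedown workflow described later in this post.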
- Breach evidence or data leakage indicating a security exposure. Again, Dark Web Intelligence is key to detect stolen credentials/PII, data leakage or credit card theft. This provides the ability to resolve exposures before the data can be weaponized or sold and harm your organization and its stakeholders. Having the ability to engage attackers directly (or access to an intermediary who can) provides better awareness, speeds negotiation and settlement to reacquire stolen assets, and helps maintain the confidentiality of any transactions.
- Disruption of attacker infrastructure, which requires a special kind of disruption intelligence and trusted relationships with hosting partners. In addition to providing evidence of terms of service (ToS) violations, many hosting and network providers require any applicable trademark agreements/registrations, evidence of offending content, authentication ID, description of security risk and malicious links, files or email addresses. Gathering this information is a time-consuming but prerequisite step to a successful takedown. ZeroFox has built a Global Disruption Network of infrastructure partners with whom we share such contextual intelligence to stop attacks, speed resolution times, and improve security for our customer communities. Removing offending content is good, but disabling attacker infrastructure is even more impactful and dissuasive.
Collectively, these measures can significantly enhance your third-party risk management practice. Your approach will be more comprehensive and more likely to find threats earlier, ideally within upstream supply chains, while there is still time to take action and avoid damage. You also can have a more lasting impact on improving your risk posture as well as that of your ecosystem partners. Many organizations are now requiring that their suppliers (or supply chain participants) agree to periodic assessments and regular brand/social exposure monitoring with the intent of raising the security standard within their entire business community.
We advocate that before partnering, and periodically thereafter, you conduct an assessment of the supplier’s posture focused on cyber, reputational and regulatory vulnerabilities and threats. Gather intelligence on any evidence of system compromise and dark web chatter, disclosures of sensitive data, and social media and brand hygiene, and pursue continuous vulnerability assessment of externally exposed systems. This latter area, often referred to as Attack Surface Management (ASM), has become a discipline in its own right (we will explore it in more depth in a future blog). Essentially, an effective ASM approach consists of these three elements:
- Build and maintain a digital footprint map of the entire supply chain / ecosystem
- Routinely monitor for vulnerabilities, impersonations, attacks and breach evidence
- Take corrective actions quickly and with lasting impact
ZeroFox can help you in these endeavors. The ZeroFox Platform provides a way to consolidate all elements of your TPRM program into one comprehensive system — unifying asset discovery, digital risk protection, threat intelligence sources, security policy and analysis, alert notification/workflow, adversary disruption and reporting. Learn about our full spectrum threat intelligence solution today.