This is the third in a three-part series on third-party risk management.
Whenever you purchase insurance against a natural disaster, the provider has likely performed a careful actuarial analysis of the risk of that event occurring in your area, covering both its likelihood and the expected damages. From this analysis they derive the premium, the deductible, and so on. Insurance companies have used these techniques to assess risk successfully for decades. But what if a comic-book villain came to your town and changed the weather on a whim? Clearly (in the absence of your favorite super-hero) this would ruin the insurance model's assessment, because there is now an unpredictable human causing events to occur. Cyber-attacks are caused by people who are driven by objectives they seek to achieve with the resources available to them (skill as well as technical equipment) in a certain amount of time. This forces us to model threats differently, in a manner more closely tied to the use of intelligence.
Earlier in this series, we introduced some initial concepts and briefly discussed how they are implemented in a preventative program. Now we consider a key component: the threat. Risk is the realized intersection of a weakness and the resources to exploit it, so understanding which risks each third party is exposed to becomes crucial, especially because you have limited or no direct influence on the cybersecurity posture of third-party vendors. Continuous monitoring is therefore an important component of managing third-party risk. Unlike the weather patterns in the example above, which are by and large predictable, we are dealing with an adaptive set of threats that changes over time and differs across your unique constellation of associated third parties.
Why Threat Intelligence?
Most current paradigms for third-party risk focus on the vendors themselves: checklist items such as surveys, contractual obligations, and audits. However, they do not take into account any of the following questions:
- Are employees of your third parties exposed on the darkweb?
- Would a DDoS-attack on a third party disrupt your business?
- Do hacktivists target your third parties?
- Can a breach at a third-party vendor lead to a breach at your company?
- Do third parties pose product-security risks?
- Has a third party exposed customer or other sensitive data in the past?
The reality is that third-party risk management focused solely on the vendor cannot fully answer any of these questions. In many cases the third party may not even be aware of an existing threat or exposure. A complete program for third-party risk management should include not only an assessment of the vendor, but also an understanding of its unique risk profile and how the threat evolves over time. The chart below shows how vendor-focused and threat-focused third-party risk management complement each other.
Example
Let’s consider a short example of threat-focused third-party risk management. As a new vendor is on-boarded, we can get a quick feel for the threat from the volume of threat-actor discussions over the past year and identify when it exceeded the norm. Below, we show an example of volume analysis of darkweb/deepweb discussions for a given third party.
Notice that in quarter 2 the number of discussions was 9 standard deviations above the 1-year moving average, so clearly something was occurring at this point. Volume analysis like this, done prior to on-boarding the third party, indicates when significant activity may have occurred. But it only tells part of the story; we must also examine what was being discussed. The key is to sift rapidly through the information. Keep in mind that not only may hundreds of darkweb discussions occur at any time, but dozens of vendors need to be considered, so techniques such as machine learning and big-data analytics can be fruitfully leveraged.
One way to drill down further is to visualize the topics discussed. The figure below is a “word cloud” that gives an intuition of what is being discussed. This particular word cloud covers hacker discussions concerning an IT-service provider. At a glance, we can see a keen interest in virtualization in this example.
(Figure: word cloud of hacker discussions concerning an IT-service provider. From CYR3CON analysis.)
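The volume analysis and the topic drill-down described above, as an added worked example (this is not CYR3CON's code, nor the analysis behind the figures): each month's discussion count is scored as a z-score against the trailing 12-month mean and standard deviation, months above a threshold are flagged, and the posts from the flagged period are reduced to their most frequent terms, which is the raw material a word cloud is drawn from. The monthly counts, the vendor name "ACME Hosting", the forum posts and the 3-sigma threshold are all constructed assumptions, not data from the article.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: monthly counts of darkweb/deepweb posts mentioning a
# hypothetical vendor, 24 months, oldest first. Year 1 is a quiet baseline;
# year 2 has a spike in Q2 (months 15-17, zero-based). Not real data.
MONTHLY_COUNTS = [
    12, 9, 14, 11, 10, 13, 12, 8, 11, 10, 12, 9,
    11, 10, 13, 58, 61, 49, 15, 12, 10, 11, 9, 12,
]

WINDOW = 12  # trailing 1-year moving average, as in the article


def zscores(counts, window=WINDOW):
    """Return (index, z) for every period after the first `window` periods.

    z = (count - trailing mean) / trailing std, both computed over the
    previous `window` periods only, so the current month cannot inflate
    its own baseline.
    """
    out = []
    for i in range(window, len(counts)):
        hist = counts[i - window:i]
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:
            z = 0.0 if counts[i] == mu else float("inf")
        else:
            z = (counts[i] - mu) / sigma
        out.append((i, round(z, 2)))
    return out


def flag_periods(counts, threshold=3.0, window=WINDOW):
    """Indices of periods whose z-score is at or above `threshold`."""
    return [i for i, z in zscores(counts, window) if z >= threshold]


# Minimal stop-word list so the term counts are not dominated by glue words.
STOPWORDS = {
    "the", "a", "an", "and", "of", "to", "in", "on", "for", "is", "it",
    "this", "that", "with", "at", "by", "from", "their", "they", "our",
    "are", "so", "same", "all", "one", "anyone", "runs",
}


def top_terms(posts, n=5):
    """Count terms across posts (lower-cased, stop words removed); the
    top-n list is what a word cloud visualises by font size."""
    counter = Counter()
    for post in posts:
        for tok in re.findall(r"[a-z][a-z0-9-]+", post.lower()):
            if tok not in STOPWORDS:
                counter[tok] += 1
    return counter.most_common(n)


# Constructed, fictional posts standing in for the flagged period's
# discussions about the hypothetical vendor "ACME Hosting".
SAMPLE_POSTS = [
    "Anyone looked at the virtualization setup ACME Hosting runs for their clients?",
    "ACME virtualization hosts are managed from one panel, interesting",
    "Their virtualization layer is the same across all customer tenants",
    "ACME clients share the hypervisor, so virtualization config matters",
]


def main():
    for i, z in zscores(MONTHLY_COUNTS):
        print(f"month {i:2d}: count={MONTHLY_COUNTS[i]:3d}  z={z:+.2f}")
    print("flagged months:", flag_periods(MONTHLY_COUNTS))
    print("top terms in flagged period:", top_terms(SAMPLE_POSTS))


if __name__ == "__main__":
    main()
```

Note the design choice in `zscores`: the baseline window excludes the current month. Once the spike itself enters the window it inflates the standard deviation, so the second spike month scores far lower than the first even though its raw count is higher; a practitioner triaging dozens of vendors should therefore look at the first flagged month as the onset, not at the peak.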
Digging deeper, a suitable follow-on analysis concentrates on some of the key topics noted in the distribution and “reads” the hacker discussion. Here, a high-performance big-data system that leverages tools such as Elasticsearch can greatly speed up keyword and threat research. Alternatively, a service that enables such searches on the go via an API, or that runs scheduled regular queries, can have the same effect (CYR3CON provides both). Having gained insight into the specific threat, the company should then choose from a variety of possible protective actions. Here are some examples:
- Implement controls for an at-risk third-party such as segmentation of or limited access to sensitive data (e.g. customer data),
- Create redundancy (if the third party’s IT systems are critical for business continuity),
- Inquire if the third-party has taken steps to mitigate a specific threat,
- If the third-party is providing threatened components, take actions to mitigate the risk and impact posed by those components in a worst-case scenario,
- If the third party has direct access to the corporate network, conduct threat-hunting operations, and
- Monitor darkweb, deepweb, social media, and filesharing sites for leaks of company information for an extended period of time.
Note that these are just the basics of threat research for third-party risk. There are many ways to tackle this problem, and several complementary tools on the market today provide insight into the risks third-party vendors are exposed to and the threats they face. In general, however, threat-based third-party risk management should have the following characteristics:
- Ability to handle any number of third parties,
- Ability to identify the most at-risk third parties,
- Ability to rapidly triage multiple pieces of threat intelligence for each third party,
- Ability to continuously and rapidly re-assess threats to third parties.
As a final thought, we should keep in mind that intelligence is not always evidence. Contractual relationships should not be affected by observations of threat actors alone, as the third party cannot be held responsible for the actions of malicious actors. The threat landscape changes continuously and adaptively, so cutting ties with a third-party vendor is unlikely to eliminate the risk. Far more realistic is to use such information to monitor and mitigate a risk that has now become a known variable.
Paulo Shakarian is CEO of CYR3CON, a cybersecurity company that specializes in identifying cyber-threats in their earliest stages, leveraging both human analysts and advanced machine learning capabilities. In 2017, CYR3CON was named a finalist in PwC’s Cybersecurity Day, the Arizona Technology Council’s “Startup of the Year”, and MD5 Starts Austin, in addition to winning a Defense Innovation Challenge award.