Your Third-Party Is Now Your Weakest Link. How To Guard It?

by rootsun
February 22, 2021

The news of last year's state-sponsored attacks on up to 18,000 SolarWinds customers keeps getting worse. The New York Times confirmed that the SolarWinds attacks infiltrated far more than the “few dozen” government and industry networks first thought: about 250 organizations were affected, and the attackers used several layers of the supply chain.[1]

According to the report, 97% of the world’s top 400 cybersecurity companies had data leaks or other security incidents exposed on the dark web – and 91 companies had exploitable website security vulnerabilities.

Today, third parties that provide and support businesses in the financial services sector are becoming ever more critical and essential. Many businesses depend entirely on third parties to provide basic resources to their clients and counterparts.

Third-party exploitation is one of the most significant risks to the security and financial well-being of your organization. The average organization exposes a large attack surface through third parties that have access to its network and process sensitive data on its behalf.

What is a third-party attack?

A supply chain attack, also called a value-chain or third-party attack, occurs when adversaries infiltrate your system through an outside partner or provider that has access to your systems and data.

What is third-party risk management (TPRM)?

Third-Party Risk Management (TPRM) is the process of identifying, assessing, and controlling risks of outsourcing to third-party vendors or service providers.

What are the best practices for third-party risk management (TPRM)?

  • Enable continuous monitoring for third-parties
  • Make an inventory
  • Delineate responsibilities
  • Establish cybersecurity policies
  • Limit access
  • Perform regular audits
  • Plan for third-party incident response

Figure 1 – Best-practice third-party risk management[2]

What is third-party monitoring?

Third-party monitoring (TPM) describes the practice of contracting third parties to collect and verify monitoring data. In insecure contexts, aid actors primarily use TPM to monitor the activities of partner organizations in places where their own staff faces access restrictions.

What are the biggest cyber challenges for third-party risks?

Cybercriminals are still seeking the easiest, safest, and cheapest route to the weakest link. Third-party providers are attractive targets because many small and medium-sized enterprises (SMEs) lack proper security resources, facilities, and secure protocols, yet SMEs also handle a great deal of time-sensitive and personal information. Targeting a small vendor is much more cost-effective than attacking a big organization with rigorous security protocols.

Spear phishing

Spear phishing is a type of phishing in which emails are sent to specific, well-researched targets while purporting to come from a reputable sender.

Business email compromise (BEC) is an attack in which an attacker gains access to a business email account and impersonates its owner in order to defraud the company, its employees, customers, and partners. In the case of email account compromise (EAC), the fraudster works to compromise email accounts and maintain persistence. The attacker may also create a fake email address based on the user's personal data (e.g. name, address, telephone number).

Fast phishing detection is very important for organizations to prevent fraud. CTI solutions can alert organizations to newly created phishing domains or subdomains within hours, allowing them to take the necessary precautions.

Distributed denial-of-service (DDoS) attacks

Today’s DDoS attacks aim to disrupt a range of services, including e-mail, internet, networks, and mobile systems.

CTI can provide preemptive protection against DDoS attacks by providing real-time monitoring of botnets and their activities.

Rogue applications

Mobile apps are now a significant component of the modern business model; often the application is the whole organization. Hackers exploit rogue applications for multiple reasons, such as diverting the rightful owner’s profits by making a clone, or stealing user information. Nearly all rogue applications unlawfully use the intellectual property of the rightful owner, whether through trademark breaches or patent infringements.

The threat of rogue applications to the organization is worse when workers use them by mistake. When employees feel they have not been supplied with the right IT resources to address their problem, they often resort to unsanctioned applications or devices. CTI can help you detect fake, infected, modified, or copied applications, as well as applications that engage in brand abuse. With CTI you can spot rogue applications that carry your organization’s name when they are uploaded to a marketplace, and mobile software released openly without your company’s permission.

Data breaches

Data breaches are one of the world’s biggest cybersecurity threats for organizations of all sizes. Much of the loss from a data breach occurs after the attack itself, and businesses frequently do not realize they were breached until months or even years later.

CTI platforms constantly monitor blogs, marketplaces, and chat rooms, looking for hints or mentions of data breaches, and inform organizations about relevant breaches after CTI analysts have investigated.

Ransomware attacks

Ransomware infects computer systems, restricts users' access to the infected systems, and makes them unavailable briefly or indefinitely until a payment or “ransom” is made within a specified time frame. It is reported that financial gain from ransomware attacks stood at $1 billion at the end of 2016.

CTI provides ransomware strategies that improve preparation and security to reduce this proliferating attack vector. CTI helps you anticipate and deter ransomware actors through proactive review, response, and remediation programs, guidance on device hardening, and threat hunting strategies.

Dark web sales

The dark web is where fraud and crime organizations are found, and it is the latest hotbed of business risk. Regular search engines such as Google or Bing do not index the dark web. A great deal of sensitive data can be found there for a price.

In the last two to three years, over 89% of companies witnessed a troubling cyber incident involving third parties, and the average company exchanges classified and critical information with 583 third parties. The dark web gives hackers valuable opportunities to sell sensitive information anonymously.

CTI uses advanced intelligence techniques to track the dark web proactively in order to detect lost or stolen employee, client, or third-party vendor information belonging to any company.

What are the recent examples of cybersecurity incidents involving third-parties?

Based on the Gartner report, a data breach is an average of $700,000 more expensive when a third party is involved.[3]

Amazon data breach

In 2020, a major data breach hit Amazon, eBay, Shopify, and PayPal: over eight million UK online shopping records were exposed on a third-party website. This was not the first time Amazon experienced an incident caused by third parties; in 2017, attackers compromised several of Amazon's third-party suppliers and published their passwords.

General Electric (GE) data breach

In 2020, GE confirmed a data breach at Canon Business Process Services, its service provider. A hacked e-mail account exposed the personal information of current and former GE clients and staff.

SolarWinds data breach

Following the SolarWinds breach, employees, administrators, and even boards of directors are likely to have a greater grasp of third-party hacking. Any such update on SolarWinds should definitely cover whether or not the company is one of the 300,000 customers of SolarWinds, and whether or not it used the specific, compromised version of Orion.

Instagram data breach

Social Captain, a third party that helps people and organizations raise their Instagram follower counts, leaked thousands of Instagram account passwords. A website flaw gave access to every Social Captain user profile without signing in, which meant that anyone could simply enter a specific user ID to obtain that user's Instagram login credentials. Instagram noted that by inappropriately storing user credentials, the service violated its terms of service.

Marriott data breach

Two years after its previous breach, Marriott suffered its second big data leak, this time through a compromised third-party app, which exposed personal data of 5.2 million guests. After obtaining the login credentials of two employees, attackers were able to access this information. The leaked data included names, emails, contact numbers, airline loyalty program details, and more. The unauthorized access possibly lasted about six weeks.

How to monitor third-parties via dark web?

Security threats emerge from the interwoven relationships between vendors and suppliers as data is exchanged across networks. The increasing need to control the cyber supply chain has driven forward-looking companies to add dark web monitoring to their vendor due diligence.

Dark web monitoring covers unindexed pages, chat rooms, and P2P networks, most of which are concealed behind an anonymizing browser such as Tor. It is not surprising that the dark web is a hotbed of criminal activity such as illegal drug trading, counterfeit products, and stolen data, including consumer credit cards and accounts, employee details, and company records ranging from contracts to confidential boardroom documents.

Three ways the Dark Web can compromise your company via the supply chain:

Stolen or counterfeit products

Selling stolen or counterfeit products is crucial to cybercriminal operations. If your distribution partners handle every aspect of your inventory management (production, storage, or transport) and are compromised, cybercriminals will know where your goods are, where they are going, and how.

Intellectual property (IP)

Much of the IP exchanged between an organization and its vendors is remarkably exposed. Sold to the highest bidder, it often poses the risk of revealing sensitive programs or commercial deals, and it is highly valuable. Hackers and cybercriminals trawl networks in search of IP by breaching the infrastructure, sometimes starting with nothing more than an e-mail address.

Stolen credentials

Hackers extract passwords, build schemes for piracy, and obtain access to confidential information, then offer it to the highest bidder while revealing only limited samples of the data. Although you cannot eliminate the risk entirely, you can control it better. Dark web monitoring tracks and controls material from your business that is trafficked on the uncharted Internet.

Data from vendor systems and from chat-room conversations about the supplier add considerable insight to continuous dark web monitoring, both during the vendor due diligence period and throughout the working partnership:

  1. It paints a fuller picture of a vendor’s system security that augments security surveys and testing.
  2. Because there is often a considerable time lag between the occurrence of a breach and its discovery, dark web monitoring can provide an invaluable early warning mechanism for breaches of vendor networks.
  3. It helps you develop insight into the extent to which the vendor and its systems are a subject of interest among bad actors and thus of potential future attacks.

The first step is to run scripts over the collected data to classify data that originated from a vendor and is now on the dark web, using IP addresses, e-mail addresses, keywords, and other company-specific information. Artificial intelligence algorithms then analyze these data to separate signal from noise, using contextual analysis and other tools.
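The classification step described above, as an added example that is not part of the original post or of any SOCRadar product: each collected record is attributed to the vendor whose company-specific indicators (e-mail domains, IP addresses, keywords) it matches, and records are ranked so that noise sorts last. The vendor names, domains, IPs and sample records are all constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed vendor inventory (placeholder names, RFC 5737 test IPs): the
# company-specific indicators used to attribute dark web findings to a vendor.
VENDORS = {
    "ExampleVendor": {"domains": {"examplevendor.test"},
                      "ips": {"203.0.113.10"}, "keywords": {"ev-portal"}},
    "OtherSupplier": {"domains": {"othersupplier.test"},
                      "ips": {"198.51.100.7"}, "keywords": {"os-vpn"}},
}
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    source: str
    text: str
    vendor: str = "unattributed"
    score: int = 0
    reasons: list = field(default_factory=list)


def classify(source: str, text: str) -> Finding:
    """Attribute one record to the vendor with the strongest indicator match
    (domain hit 3 points, IP hit 2, keyword hit 1)."""
    finding = Finding(source, text)
    domains = {d.lower() for d in EMAIL_RE.findall(text)}
    ips = set(IP_RE.findall(text))
    lower = text.lower()
    for name, prof in VENDORS.items():
        hit_domains = domains & prof["domains"]
        hit_ips = ips & prof["ips"]
        hit_kws = [k for k in prof["keywords"] if k in lower]
        score = 3 * len(hit_domains) + 2 * len(hit_ips) + len(hit_kws)
        if score > finding.score:
            finding.vendor, finding.score = name, score
            finding.reasons = ([f"domain {d}" for d in hit_domains]
                               + [f"ip {i}" for i in hit_ips]
                               + [f"keyword {k}" for k in hit_kws])
    return finding


def triage(records):
    """Classify (source, text) records; highest-scoring first, noise last."""
    return sorted((classify(*r) for r in records), key=lambda f: -f.score)


# Constructed sample records as a collector might emit them.
SAMPLE = [
    ("paste", "alice@examplevendor.test:Passw0rd! leaked from ev-portal"),
    ("forum", "access to 198.51.100.7 for sale, os-vpn creds included"),
    ("chat", "anyone got fresh combolists? looking for gaming accounts"),
]
```

Calling `triage(SAMPLE)` attributes the first record to ExampleVendor, the second to OtherSupplier, and leaves the third as unattributed noise for an analyst to discard.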

An analyst can then review and further refine the intelligence obtained from this automated process, adding information where possible, for instance from exchanges in private chat rooms where data is shared for illegal purposes. Engaging with adversaries online in real time offers additional insight into evolving threats and attack vectors. This monitoring provides actionable intelligence that can then be used to prioritize and build effective responses.

The result is a constant, real-time picture of possible criminal exposure that goes well beyond stolen emails and passwords; keyword matching alone would catch those, but not the real strategic risk posed by other kinds of exposure.

Because supply chain cyber risk is not simply a function of vendor size, dark web monitoring, which is conveniently unobtrusive from the vendor's viewpoint, should be part of the due diligence phase for all suppliers, whether big or small.

With worldwide connectivity between organizations, data protection due diligence on suppliers and other stakeholders will become more relevant than ever within an organization's overall cyber strategy. Incorporating dark web monitoring into this process gives a holistic view of third-party data and the ability to provide early, effective knowledge of security risks that would otherwise go unnoticed.

SOCRadar helps organizations defend against supply chain attacks by providing unified threat intelligence solutions

SOCRadar’s ThreatFusion provides actionable insights into future cybersecurity threats with a big data-powered threat investigation module to assist in searching deeper context, real-time threat investigation, and analysis.

SOCRadar’s RiskPrime builds on industry-leading instant phishing domain identification, credit card monitoring, customer PII protection, and compromised credential detection technologies by aggregating and correlating massive numbers of data points into actionable intelligence alerts.

SOCRadar’s AttackMapper provides insight and visibility into your Internet-facing assets, discovering and monitoring everything related to your organization on the Internet to bring the enormous scale of your attack surface into focus.

Discover SOCRadar® Community Edition for free

With SOCRadar® Community Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses are tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.


[1] As Understanding of Russian Hacking Grows, So Does Alarm. New York Times

[2] Best-practice Third-Party Risk Management, 3VRM

[3] How to Respond to a Supply Chain Attack, Gartner

Cover image by Pixabay from Pexels
