Why threat intelligence is the key to defending against Third party risks

By Karen Levy, Senior Director of Product and Client Marketing at Recorded Future

As the march of digitalization continues at an increasingly rapid pace, the business world has become steadily more complex and interconnected. Organizations now routinely rely on a widening web of suppliers and partners, often trusting them with sensitive data and mission-critical systems.

The advent of cloud-based services, in particular, has had a powerful effect on the way businesses operate, with an endless array of cloud-based service providers now available to meet practically any requirement. The adoption of IoT devices and mobile-centric working practices have likewise simultaneously created both more opportunity and more complexity.

While this new interconnected world has unlocked powerful new strategies and business models, it can also drastically increase an organization’s exposure to security risks. Cybercriminals often use third-party service providers as a stepping stone to attack larger companies, exploiting their connections to evade the ultimate target’s security measures.

The growing third-party risk

Marking the scale of the problem, leading analyst group Forrester reports that third parties were the cause of 21 percent of confirmed breaches in 2018, up from 17 percent the year before. This figure is only likely to increase as organizations continue their digital transformation journey and incorporate yet more third-party elements into their operations.

Some of the most notable security incidents of the last year were the result of third-party connections. The data breach reported by Ticketmaster in June, for example, was made possible by exploiting a flaw in JavaScript supplied by a third-party developer. Credit card details belonging to more than 40,000 customers were exposed as a result.

Organizations will also frequently inherit third-party risks through M&A activity, as seen with the data breach reported by Marriott International in November 2018. The incident is one of the largest in history, with the information of more than 500m customers being stolen. However, the breach originated with Starwood Hotels in 2014 and went unnoticed when the firm was acquired by Marriott in 2016.

Balancing risk and opportunity

While the increased reliance on digital third-party providers can quickly elevate a company’s exposure to risk, firms cannot afford to shun digitalization.  The flexibility and efficiency created by digital strategies are essential for retaining a competitive advantage and is all but impossible to achieve without the use of third-party providers for the cloud, IoT and mobile technology.

This means organizations must be able to balance the opportunities presented by third parties against the potential threats they may introduce. While companies are well-used to performing a similar analysis for calculating ROI and assessing financial risks, evaluating cyber risks is still a relatively new and unfamiliar school of thought.

Companies need to ensure that a thorough cyber risk assessment is completed for any new partner or service provider they take on as a matter of course. More than this, however, they also need to have real-time intelligence on the companies already in their ecosystem. The world of cyber threats moves so quickly that a previously secure partner could become a potential risk at any moment. Organizations need to spot potential threats against their connections before they can come to fruition and lead to an attack.

By analyzing real-time threat activity targeting third parties alongside third-party infrastructure and vulnerability data, organizations can achieve a more accurate and complete view of risk, enabling them to understand current weaknesses and evaluate potential impact against the organization.

Searching for risk indicators

To be truly accurate and reliable, threat intelligence must gather data from a number of different sources, both open and hidden.

One of the most obvious open risks is the use of vulnerable technology. Third parties that rely on web technology that is often exploited by attackers present an increased risk of compromise for their partners, particularly if they are failing to keep them patched and updated. Threat intelligence can also determine if real threat actors are actively targeting vulnerabilities present in a partner’s technology.

Another clear indicator of risk is the presence of IT infrastructure misuse or abuse. The use of an IP address hosting a command and control server would present a very clear threat to the firm and any of its connections.

Domain abuse presents an additional and powerful example that a company is being actively targeted by cybercriminals and is a potential threat. The existence of lookalike “typosquat” domains registered to impersonate an organization indicate that it is being involved in a phishing campaign or targeted attack.

Alongside more openly available sources of information, threat intelligence should also account for a third party’s hidden dark web footprint. By monitoring for the presence of corporate emails, credentials, and company mentions on dark web forums, it is possible to determine if a company is being actively targeted by criminal groups. The more frequently a firm is mentioned, the more likely it is to be the victim of an attack in the future. If stolen data is available on underground markets, the firm will present a greater risk of being exploited by attacks like credential stuffing, phishing, and account impersonation, which will, in turn, present a threat to any connections.

The elevated cyber risk presented by third parties is an inherent part of today’s interconnected,

Digitally-driven business world. Organizations which are able to identify potential dangers in their suppliers and partners in real time will be much better equipped to mitigate any risks and confidently pursue the full benefits of their digitalization journey.

About the Author

Karen Levy, Senior Director of Product and Client Marketing at Recorded Future.