Leveraging Threat Intelligence for Third Party Risk Management

Are Your Third Party Vendors a Ticking Time Bomb?

Are Your Third Party Vendors a Ticking Time Bomb? - Cybersecurity & Threat … · 2017-08-30 · CORRESPONDING ACTION TO MITIGATE THAT RISK. from the industry, the information does


© 2017 LookingGlass™ Cyber Solutions. All rights reserved.


INDEX


PART 1: THIRD PARTY RISK IS EVERYBODY’S RESPONSIBILITY

PART 2: BEYOND “CHECK THE BOX” SECURITY

PART 3: TOP CYBER THREATS TO ORGANIZATIONS

  • Why Threat Actors Target Third Parties
  • Internet Threat Actors + Third Party Actors
  • How Organizations are Breached
  • Major Third Party Data Breaches

PART 4: ROLE OF THREAT INTELLIGENCE IN YOUR VENDOR MANAGEMENT PROGRAM

  • Enterprise Uses of Threat Intelligence
  • What Threat Intelligence Protects
  • Fending off Cyber Threats with Threat Intelligence

PART 5: THE ROLE OF CONTINUOUS THIRD PARTY MONITORING IN YOUR SECURITY POSTURE

PART 1: THIRD PARTY RISK IS EVERYBODY’S RESPONSIBILITY

Outsourcing corporate data management to third party vendors is not new. We’ve all heard the saying, “it’s not if, it’s when” while discussing cyber attacks, and at some point your organization has likely been, or will be, targeted by a threat actor. Whether it’s through your own vulnerabilities or those of a third party vendor, the damages from even one attack could be catastrophic.

Until recently, organizations have focused primarily on their internal security posture, and often overlooked those of their third party vendors. However, with 63% of data breaches originating in the supply chain, organizations are seeking solutions to better anticipate threats, wherever they may occur.¹ The sensitivity to third party breaches is heightened as more organizations face media exposure as a result of a breach – Target in 2009, Home Depot in 2014 and Amazon in early 2017 are just a few high-profile breaches that come to mind.

In addition, third party risk management is now the driver for new regulations. New York recently published cyber regulations - that go into full effect in February 2018 - for the financial industry. Companies are being asked to take a more proactive approach to cybersecurity, with third party due diligence being a key part of the regulation. While these regulations are specific to Financial Services, they act as a preview of the future of cyber regulation for all industries.

Similar to New York’s Financial Services regulations, the American Institute of Certified Public Accountants (AICPA) recently announced a new structure for security assessments for audited companies. It is like a SOC 2, which focuses on a business’s non-financial disclosures, but this regulation highlights cybersecurity and is intended for a broad audience. These assessments are voluntary today but will likely be mandatory in the future.

As the threat landscape continues to evolve, it is more important than ever for organizations to invest in robust cyber threat intelligence and effective threat mitigation programs that emphasize real-time intelligence and comprehensive protection.

This e-book focuses on third party risks that are associated with information security versus physical security, and will explain:

• How third party vendors increase your cyber risk

• The importance of threat intelligence in your vendor management program

• Common challenges to implementing a cyber threat intelligence and management program

• Why you need a continuous monitoring service

1 http://go.soha.io/hubfs/Survey_Reports/Soha_Systems_Third_Party_Advisory_Group_2016_IT_Survey_Report.pdf

63% OF DATA BREACHES ORIGINATE IN THE SUPPLY CHAIN

PART 2: BEYOND “CHECK THE BOX” SECURITY

There are two ways to look at minimizing your organization’s risk:

1. The compliance and legal side.

2. The information security piece.

Many companies have only approached the issue from the compliance and legal standpoint by investing in scorecards with their vendors’ risk “grade.” However, these scorecards only provide a point-in-time snapshot of risk, which many consider “check box security.”

The problem with “check box security” is that it only provides awareness of risk, not the corresponding action to mitigate that risk. While a risk assessment is a critical first step to managing third party relationships, a grading scale only ensures compliance, and complying with regulations does not equal security.

Unless identified exploits are given context and correlated with observable incidents from the industry, the information does nothing to protect your organization and mitigate the threat.

The biggest concern when preventing third party cyber threats should be understanding where your third parties are already compromised, and how you can mitigate that threat in real-time. Although scorecards do provide useful information, what they report is only a snapshot in time of your vendors’ vulnerabilities.

If you want relevant, prioritized and specific mitigation that prevents third party, and general, risk, you need a partner with deep roots and expertise in threat intelligence.

Threat intelligence is the critical element that can go beyond just settings and knobs. It addresses an organization’s more systemic risk issues and indicates how those technical knobs and settings could be exploited.

PART 3: TOP CYBER THREATS TO ORGANIZATIONS

WHY THREAT ACTORS TARGET THIRD PARTIES

Every week, an average of 89 vendors access an organization’s network.² This is 89 additional entry points that a threat actor can manipulate.

Malicious actors are constantly looking for the easiest, fastest, and most inexpensive way to get what they want – the “weakest link” attack method. Third party vendors are attractive targets because they are often small and medium-sized businesses (SMBs) that lack adequate security staff, infrastructure, and protocols to protect against a breach. They can also have access to sensitive and confidential information from multiple companies. It’s much more cost-effective to target a small vendor than a large entity that has robust security precautions in place.

2 https://www.bomgar.com/assets/documents/Bomgar-Vendor-Vulnerability-Index-2016.pdf

So, how can larger enterprises with hundreds of vendors prioritize their efforts? One way is to prioritize vendors based on their access to sensitive data, such as employee personally identifiable information (PII), healthcare records, and customer information, to name a few.

The below chart shows the different categorization of threat actors, and the probability of them going after specific targets.

INTERNET THREAT ACTORS + THIRD PARTY ATTACKS

| Actor | Motives | Probability of Attacking | Targets |
|---|---|---|---|
| Cybercriminals | To profit financially | High Motivation, High Capability | Financial and personal data for identity theft, fraud, blackmail, and ransom |
| Cyberterrorists | To spread ideology and cause targeted or indiscriminate damage and destruction | High Motivation, High Capability | Critical infrastructure and individuals or organizations perceived to be enemies |
| Public Reprisal & Shaming | To express values/ideals, draw attention, embarrass others, or be funny | Modest Motivation, Modest Capability | Organizations that violate values and ideals – whether expressed or not, with forewarning/ultimatum or not |
| Novice (Script Kiddies) | To draw attention, gain credibility in the hacker community, feed ego, or be funny | Low Motivation, High Capability | Government/Military organizations and personnel, critical infrastructure, and media and commercial/industrial intellectual property - especially Defense, Energy, IT, and Telecommunications |

HOW ORGANIZATIONS ARE BREACHED

There are many ways for threat actors to target organizations. Below are a few of the most-used (and most effective) cyber attack tactics.

1. SPEAR PHISHING – Spear phishing tops the list because it’s widespread and highly effective. It relies on human error to be successful, targeting specific individuals with personalized messages to trick them into disbursing funds or sharing confidential information (e.g., account passwords, Social Security Numbers, etc.). Spear phishing is commonly used as the first step in a multi-step attack.

In a spear phishing campaign, attackers often use a technique called spoofing, which makes email messages and headers look like a legitimate note sent by someone the target trusts. From there, a target may download a malicious attachment or click a malicious link that redirects to a lookalike domain (registered by non-legitimate entities, often with fabricated DKIM and SPF records) that distributes malware. Threat actors are known to register domains with fake DKIM and SPF records in hopes of tricking users into believing fraudulent domains and emails are from legitimate sources.

2. RANSOMWARE – This type of malware infects computer systems, restricting users’ access to the infected systems and temporarily or permanently rendering them inaccessible unless a “ransom” is paid within a specific timeframe. Even if you do pay the ransom, be wary; attackers have been witnessed duplicating and decrypting the stolen data for potential resale.

Ransomware is delivered via botnets, exploit kits, and most commonly by spam and phishing emails (see: #1).

Ransomware has proven so successful – it’s estimated that at the end of 2016 revenue was at $1 billion – that many criminals now run operations that emulate legitimate software shops.³ They employ the software development life cycle to release versions, factor customer feedback into new features, and provide live chat support to help victims through the ransom payment process. Some have even devised ransomware-as-a-service (RaaS) offerings available to other cybercriminals – for a fee, of course.

3 http://www.csoonline.com/article/3154714/security/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html

3. DISTRIBUTED DENIAL-OF-SERVICE (DDoS) – A DDoS attack occurs when a threat actor directs high volumes of network traffic from disparate devices to a single server. The most common form of this attack is directed at web servers, which can temporarily take down a business’s website. Attackers carry out DDoS attacks by building botnets, which consist of compromised devices (i.e., zombies) that they can control remotely using command and control (C2) servers. Then, an attacker can direct all the zombies in its botnet to flood a single server with requests. The target server cannot handle the volume of incoming requests, causing it to crash and thereby making the resources it hosts (e.g., website) temporarily unavailable.

DDoS attacks require very little skill to execute, yet they can cause significant damage and public embarrassment to victims. For these reasons, DDoS attacks have been a longtime favorite of script kiddies, hacktivists, and other lower-skilled hackers.

Security researchers believe some DDoS attacks are a smokescreen used to distract the victim’s technical staff from other, more nefarious acts such as data breaches or malware payload delivery. The risk herein lies with the smaller vendor’s lack of in-house or expertly trained staff to appropriately monitor all network traffic, leaving available the opportunity for pivots into sensitive network segments which may host proprietary vendor or client data.

4. DATA BREACHES – Data breaches are one of the biggest cyber concerns for businesses of all sizes, worldwide. Most of the damage from a data breach occurs after the attack, and many times companies don’t know they’ve been breached until months, or even years, later. Sometimes the stolen information is made public to embarrass the victim, a practice hackers call doxing. Other times, the data are sold in underground criminal forums. Sometimes attackers do not steal data; they simply try to destroy everything.⁴

In 2016, data breaches compromised more than 4.2 billion records, and worldwide spend on security solutions is expected to reach $90 billion by 2018.⁵

Some of the biggest breaches in 2016, and in the past few years (see the table below), have been the result of poor third party security.

There are no indications that data breaches are slowing down, so organizations need to be aware of certain indicators that can determine their data breach risk. Examples include compromised account credentials and recurring malware infections.

5. ROGUE APPLICATIONS – Mobile applications are increasingly a key element of digital business strategy. Sometimes an app is the entire business, and other times the app supplements other channels (e.g., physical stores, e-commerce sites, etc.). In September 2016, Google Play removed 400 malicious apps from its marketplace.

Criminals use rogue apps for various purposes, such as pilfering revenue from legitimate owners by creating a clone or stealing user data. Almost all rogue apps illegally use the legitimate owner’s intellectual property, whether via copyright infringement or patent violations.

The most significant business risk from rogue apps occurs when customers blame the legitimate owner, rather than the criminals, and switch to a competitor who is perceived to be more trustworthy.

4 http://www.darkreading.com/attacks-breaches/inside-the-aftermath-of-the-saudi-aramco-breach/d/d-id/1321676

5 https://pages.riskbasedsecurity.com/hubfs/Reports/2016%20Year%20End%20Data%20Breach%20QuickView%20Report.pdf; https://www.bloomberg.com/news/articles/2017-01-19/data-breaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked

MAJOR THIRD PARTY DATA BREACHES

| Industry | Company | Year Disclosed* | Stolen |
|---|---|---|---|
| Entertainment | Evony Online | 2016 | 33 million accounts in 167 countries impacted by breach via website vulnerability |
| Healthcare | Unnamed/Multiple Healthcare Vendors | 2016 | 9.3 million individuals’ PII compromised when a threat actor bundled multiple breaches |
| Retail | Wendy’s | 2016 | Vendor password breach led to installation of malware on Wendy’s POS devices at 300 franchises |
| Banking & Financial Services | Mossack Fonseca | 2016 | Panama Papers |
| Government | Unnamed US Government Agency | 2016 | 154 million U.S. voter records leaked with PII |
| Government & Healthcare | U.S. Health and Human Services (HHS) | 2016 | 5 million identities compromised when a thief stole government hard drives from HHS |

*Year disclosed is not always the same as the year of the attack. There can be significant delays between attack and detection, and between detection and public disclosure.

PART 4: ROLE OF THREAT INTELLIGENCE IN YOUR VENDOR MANAGEMENT PROGRAM

When working with a third party vendor, there are many things out of your control. For example, do your vendors have the correct safeguards in place to protect your customers’ information? If they do, how can you efficiently and effectively evaluate or verify those security policies and programs? What about the vendors of your vendors (known as fourth party vendors)? Lack of visibility into third party security policies and capabilities is such a concern that Ponemon reports 58% of organizations do not think it is “possible to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach.”⁶

This is where threat intelligence can help. Threat intelligence is more than just accumulating data feeds. It provides a way for organizations to gain visibility into their vendors’ security posture, and eliminates the need for burdensome in-person vendor visits or reviews of cybersecurity self-assessments.

To truly operationalize threat intelligence, you need a comprehensive program that can identify and manage it, as well as use it to help mitigate your own risks. This will enable you to work cooperatively with your third party vendors to help them protect both of your organizations.

6 https://www.ponemon.org/local/upload/file/Data%20Risk%20in%20the%20Third%20Party%20Ecosystem_BuckleySandler%20LLP%20and%20Treliant%20Risk%20Advisors%20LLC%20Ponemon%20Research%202016%20-%20FINAL2.pdf

ENTERPRISE USES OF THREAT INTELLIGENCE

• Block users from visiting malicious Internet Protocol (IP) addresses and domains

• Prevent users from visiting legitimate websites that are compromised (e.g., distributing malware)

• Block malware inside an enterprise network from communicating with and receiving instructions from remote C2 infrastructure (e.g., botnets)

• Secure domain name server (DNS) assets against abuses, such as DDoS attacks

• Identify instances of enterprise brand and intellectual property abuse online

• Detect disruptive events and physical threats to resources and assets

• Identify policy & procedure questions to address with vendors to assure higher standards are met

• Verify and validate third party vendor exceptions

• Collaborate with up-and-downstream vendors to achieve more consistent threat anticipation and possible mitigation strategies

• Utilize data trends to develop internal policy/metrics to determine if vendors are paying enough attention to the evolving threat landscape

THREAT INTELLIGENCE PROVIDES VISIBILITY INTO YOUR VENDORS’ SECURITY POSTURE.

WHAT THREAT INTELLIGENCE PROTECTS

| Type | Examples |
|---|---|
| Employee Data | Social security numbers, personal information (street addresses, phone numbers etc.), salaries, emails, and user names/passwords |
| Customer Data | Personal information (address, phone number, etc.), user names/passwords, and financial data |
| Financial Data | Credit card numbers, personal identification numbers (PINs), and account numbers |
| Intellectual Property | Strategic plans, product roadmaps, blueprints, source code, prototypes, and market research |
| Brand | Logo, trademark, copyrighted materials, and apps |
| Physical Assets | Real estate, facilities, vehicles, and IT systems |

FENDING OFF CYBER THREATS WITH THREAT INTELLIGENCE

Let’s revisit the top cyber threats to businesses that were discussed in Part 3. Below are specific ways threat intelligence can help combat those threats:

1. SPEAR PHISHING – Spear phishing attacks often redirect victims to malicious websites created by attackers or to legitimate websites that are compromised. In both instances, attackers use these sites as platforms to distribute malware. Organizations can get ahead of spear phishing by utilizing machine-readable threat intelligence. These threat intelligence feeds provide a constantly updated list of malicious or compromised IP addresses and lookalike domain names for both your organization and that of your third party vendors. You can then block users from loading those pages, preventing end user devices from being compromised with malware.

2. RANSOMWARE – The first step in many ransomware attacks involves spear phishing. By blocking malicious and compromised websites with an automated threat mitigation appliance, attackers are denied an entry point into the enterprise network.

Many ransomware attacks depend on a C2 server infrastructure that allows attackers to remotely execute the script to decrypt files. Threat intelligence provides a list of known malicious C2 servers and automatically blocks these servers from communicating with malicious payloads already inside the enterprise network.

If a client, or vendor, hosts ransomware links without their knowledge, and an employee either upstream or downstream visits an infected website, it could lead to the infection and encryption of a business endpoint, server, etc. Such a situation could strain the business relationship or the continuity of business, given the costs and ramifications if the threat vector is discovered.

3. DDOS ATTACKS – Many organizations own and operate DNS infrastructure in whole or in part. DNS servers are used to resolve numerical IP addresses (e.g., 111.111.11.11) to their corresponding domain names (e.g., CNN.com). DNS infrastructure often includes what are known as open recursive servers, which must communicate with other servers outside of the organization to properly identify addresses, resolve requests, and route users to the proper destinations. These open recursive DNS servers can be used in certain types of DDoS attacks. Threat intelligence provides real-time data on such attacks and can help to prevent an organization’s DNS servers from being targeted or used in attacks against others.

4. DATA BREACHES – Threat intelligence identifies where stolen information is posted online, whether on widely available websites (e.g., Pastebin.com, a common repository for stolen data) or obscure underground criminal forums, such as the deep web and Darknet. Threat intelligence helps immediately identify when stolen data shows up on any part of the Internet, so organizations can minimize damage to employees, customers, brand, and reputation.

5. ROGUE APPS – Threat intelligence identifies rogue apps, whether in popular online marketplaces (e.g., Apple Store or Google Play) or on independent websites. As with breached data, the quicker the detection and takedown of a rogue app, the less damage to the business’s brand and reputation.
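The lookalike-domain matching described under spear phishing above, sketched as an added example (it is not LookingGlass code or part of the original e-book). The protected domains, the feed entries, the confusable-character map and the one-edit threshold are constructed assumptions, and the split assumes ASCII names with a one-label TLD.

```python
"""Added example: match a domain feed against own and vendor domains (all data constructed)."""

# Constructed inventory: our own domain plus third party vendor domains (hypothetical names).
PROTECTED = {
    "examplebank.com": "own",
    "acme-payroll.com": "vendor",
    "northwind-hvac.net": "vendor",
}

# Constructed sample of a machine-readable feed of newly observed domains.
FEED = [
    "examp1ebank.com",                    # digit 1 standing in for the letter l
    "acme-payrol.com",                    # one letter dropped
    "acmepayroll.com",                    # hyphen removed
    "northwind-hvac.com",                 # same name under another TLD
    "examplebank.com.login-verify.info",  # real name used as a subdomain label
    "mail.acme-payroll.com",              # genuine subdomain of a vendor
    "northwind-hvac.net",                 # the vendor's real domain
    "weather-report.org",                 # unrelated
]

MAX_EDITS = 1  # assumption: one edit catches typos without flooding analysts
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})


def skeleton(label):
    """Collapse common ASCII look-alike substitutions to one canonical form."""
    folded = label.lower().translate(CONFUSABLE)
    return folded.replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain):
    """Return (subdomain labels, registrable label); assumes a one-label TLD."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0]
    return labels[:-2], labels[-2]


def classify(candidate, protected=PROTECTED):
    """Return (protected domain, owner, reason) for a lookalike, else None."""
    cand = candidate.lower().rstrip(".")
    if any(cand == real or cand.endswith("." + real) for real in protected):
        return None  # the real domain or one of its own subdomains
    subs, label = split_domain(cand)
    for real, owner in protected.items():
        real_label = split_domain(real)[1]
        want, got = skeleton(real_label), skeleton(label)
        if label == real_label:
            reason = "tld-swap"
        elif got == want:
            reason = "confusable"
        elif osa_distance(got, want) <= MAX_EDITS:
            reason = "typo"
        elif any(want in skeleton(part) for part in subs + [label]):
            reason = "embedded"
        else:
            continue
        return real, owner, reason
    return None


def build_blocklist(feed, protected=PROTECTED):
    """Return (candidate, protected domain, owner, reason) rows for gateway blocking."""
    rows = []
    for candidate in feed:
        hit = classify(candidate, protected)
        if hit:
            rows.append((candidate,) + hit)
    return rows


if __name__ == "__main__":
    for row in build_blocklist(FEED):
        print("%-36s imitates %-20s (%s, %s)" % row)
```

Rows tagged "vendor" are the ones to raise with the third party as well as block locally; a "tld-swap" hit may be a defensive registration by the vendor and needs confirming before blocking.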

PART 5: THE ROLE OF CONTINUOUS THIRD PARTY MONITORING IN YOUR SECURITY POSTURE

To stay one step ahead of threat actors and proactively reduce and manage risk, organizations need continuous visibility into their key vendors’ attack surface. While an automated scorecard or self-service tool may work for organizations just looking to “check the box,” it won’t help organizations truly understand their vulnerabilities and operationalize threat intelligence to protect against threat actors, spear phishing, and data breaches.

When evaluating threat intelligence services, organizations should consider the following key questions:

• Do they provide information that extends beyond vulnerabilities and network issues? If not, they probably don’t provide actionable intelligence, such as blocking lookalike domains at web and mail gateways to prevent spear phishing.

• Do they provide true continuous monitoring (24x7x365) and incident notification at time of discovery?

• Do they augment purchased data feeds with their own proprietary threat data?

• Is their data fully vetted and reviewed by human analysts? This ensures that false positives and “noise” common to most automated scorecards are eliminated.

• What is the scope of their coverage? If they only monitor the deep web and Darknet, for instance, then they really only cover 5-10% of the entire Internet topology.

ORGANIZATIONS CAN LEVERAGE THE INVESTMENT LOOKINGGLASS HAS MADE IN ITS INFRASTRUCTURE, PEOPLE, & SYSTEMS AS WELL AS 20+ YEARS OF INDUSTRY EXPERIENCE.

With LookingGlass’ solution, organizations receive a 360-degree view into their vendors’ risk profile, which includes a baseline analysis of their vendors’ vulnerabilities, vendor breach notifications, and ongoing monitoring across four critical areas of cyber risk:

1. EVIDENCE OF SYSTEM COMPROMISE OR INFECTION: Identifies evidence of live or recent infection on your suppliers’ network from botnets, viruses, and malware. This includes any new indications of exposure, compromise, infection, or illicit use in:

• Malware Hosting/Distribution

• Virus/Botnet Infection

• Command and Control Activity

• Malicious/Scanning Behavior

• Spam, Darknet/Tor Traffic

• Phishing Activity

• Ransomware

2. COMPROMISED USER ACCOUNTS: Identifies account credentials stolen from your vendors among billions of breached records.

3. DOMAIN PORTFOLIO AND SPEAR PHISHING RISK: Analyzes registered domain names for fakes and lookalikes to identify likely vectors for spear phishing.

4. ONLINE INDICATIONS AND WARNINGS: Examines feeds, posts and online chatter from more than 6,000 known threat actors and groups, as well as hacker channels and the dark web.

Managing vendor risk is only one piece of the puzzle. Protecting your employees, customers, and brand is an ongoing process that requires organizations to adopt a holistic approach that identifies and manages intelligence, and uses that intelligence to mitigate risks, whether it is from internal or third party vulnerabilities.


ABOUT LOOKINGGLASS CYBER SOLUTIONS

LookingGlass Cyber Solutions delivers unified threat protection against sophisticated cyber attacks to global enterprises and government agencies by operationalizing threat intelligence across its end-to-end portfolio. Scalable threat intelligence platforms and network-based threat response products consume our machine-readable data feeds to provide comprehensive threat-driven security.

Augmenting the solutions portfolio is a worldwide team of security analysts who continuously enrich our data feeds and provide customers unprecedented understanding and response capability into cyber, physical and 3rd party risks. Prioritized, relevant and timely insights enable customers to take action on threat intelligence across the different stages of the attack life cycle. Learn more at https://www.lookingglasscyber.com/.

Know More. Risk Less.