Risk can be introduced to an environment in many ways. Eliminating cybercriminals, malicious insiders, and simple mistakes are just a few of the objectives of good security. And while most organizations understand the need to secure their own systems, practice proper cyber hygiene, craft and enforce strong processes, and apply advanced security technologies... many only apply that level of rigor within their network perimeter. Unfortunately, that’s only part of the equation.
Your attack surface ventures far beyond your own facilities, and while these areas may not be directly in your sight, they require the same amount of attention in regard to cybersecurity. Ransomware users can infiltrate your cybersphere through open channels that your vendors provide:With data breaches today coming through a majority of third-party vendors, (BusinessWire), CISOs need to keep these inherited risks squarely in their sights. The traditional approach to supply chain risk assessment takes the form of a vendor security questionnaire that CISOs ask their critical vendors to complete – usually before contracting their services and then again annually. But this approach leaves much to be unaccounted for. If security programs worldwide leverage intelligence to counter their direct adversaries, shouldn’t a similar approach be adopted to counter indirect adversaries?
Related Reading - A Zero Trust Network Architecture (ZTNA) POV with Appgate
Every organization has third-party vendors with whom they must interact as part of day-to-day business operations. The nature of that vendor relationship informs the overall level of risk that might arise from a third-party security issue. Some vendor relationships require the sharing of sensitive data, while others may require persistent connectivity and privileged accounts into the environment (e.g. a Managed Service Provider).
It is understood that these relationships are necessary for the business to operate. It must also be understood that these are risks that must be managed.
A security incident at a critical vendor can very quickly devastate an organization; therefore, intelligence-based techniques similar to other forms of threat detection are vital to making informed risk-based decisions.
In the case of the recent Kaseya ransomware attack, REvil leveraged the fact that Managed Service providers nearly always have persistent access to their customers and highly privileged accounts within their customer environments. Targeting these organizations allowed REvil to compromise over 1,000 organizations through a single operation, yielding a highly profitable ransomware campaign.
That’s why it’s important to think of any third party that has a connection to your environment as a potential weakness in your attack surface that threat actors could use.
Related Reading: Attack Surface Management Vs. Vulnerability Management
Tip #1 - Gather threat intel and see your third-party vendor through the lens of a potential attacker.
Threat intelligence is a must-have in any modern threat detection and response organization. By leveraging intelligence gathering techniques, we can capture perspectives on actual risk within our vendor ecosystems and apply those perspectives to the goal of managing supply chain risks.
Open Source Intelligence (OSINT) is intelligence gathered from publicly available sources. It can be viewed as the set of intelligence that anyone in the world – including threat actors – can learn about a subject, should they care to do so. The subject of OSINT could be a threat actor, an IP address, a person, an organization, and more. OSINT can reveal to us the vendor’s attack surface, including potential weaknesses that a threat actor may leverage.
Sophisticated cybercriminals, ransomware operators, and nation-state actors all leverage OSINT to profile their targets. By applying OSINT, we begin seeing our vendor ecosystem through the eyes of an attacker. OSINT can’t typically see beyond a firewall into an organization’s internal structure, but it does allow us to extrapolate the analysis of what we can see to establish hypotheses on what we cannot.
So, what should you be searching for when using a tool like OSINT? For example, observing a Microsoft Remote Desktop port open to the Internet, or an outdated VPN server on a vendor’s network edge (these are two of access brokers’ and ransomware operators’ favorite weaknesses), tells us that a particular area of the network is not adequately protected. Using that insight, we can extrapolate that this particular organization likely also suffers from similar – or worse - internal hygiene weaknesses in areas that tools like OSINT can’t see.
Tip # 2 - Go beyond OSINT & public intelligence.
Continuous monitoring enables you to influence the cybersecurity hygiene taken on by your vendors, driving them to comply with your security standards and ultimately, helping your vendors protect themselves and your organization.
Taken one step further, blending Signals Intelligence (SIGINT) into our vendor intelligence program can produce highly actionable information that can help avert a disastrous incident. SIGINT is intelligence gathered from electronic signals and can take various forms including intercepted communications, traffic analysis, and more.
While commonly used by military organizations worldwide, this form of intelligence gathering may be more difficult for the typical commercial organization lacking the required tools and expertise or a partner like Avertium who can enable this for them.
In this application of SIGINT, we utilize threat actor communications intercepted from botnets, underground forums, dark web sources, and others. The script running in PowerShell 2.x (native tools) is showing a status of the “foobar” codified signal sent saying the firewall service is up and running. It’s also set to send “woot” codified signal when the firewall service stops running.
Blending OSINT and SIGINT allows you to take the information derived from OSINT (e.g. your vendor’s IP space) and mash it against threat actor communications. Any overlap between the two datasets should be viewed as a high-fidelity alert that must be actioned, typically by providing the vendor information on the observation and a recommendation on mitigating what could be an impending critical risk. If the risk is serious enough, action should be taken to restrict that vendor from the environment until the situation is resolved.
Cyber attacks on healthcare are at an all-time high. Hospitals and other healthcare organizations carry the information for not only each of their patients but also the data that they have accumulated from their expansive supply chains. In addition, many of these healthcare facilities have not taken an emphasis on cyber security making them prime targets for threat actors. For these reasons, it has never been more important to ensure healthcare organizations are aware of their attack surface and how to manage it.
Thousands of facilities could be attacked by one compromised Group Purchasing Organization (GPO). Assisting hospitals with goods procurement across the board, GPO’s require unparalleled access to systems of hundreds if not thousands of their partner facilities. The supply chain risks might be extremely varied due to this. For daily operations, hospitals hire multitudes of contractors and vendors to further complicate/ expand the attack surface and third-party risk.
Healthcare leaders and their respective supply chain vendors must collaborate to strengthen defenses and prevent future breaches within the healthcare supply chain.
If your organization doesn't know where to start for supply chain risk management, then check our latest blog: Avertium and BlackKite Announce Strategic Partnership in New Approach to Attack Surface Monitoring