One Solution Does Not Fit All

One Solution Does Not Fit All Matching Your Solution to Third Party Risk.

© 2018 LookingGlass™ Cyber Solutions. All rights reserved.

INDEX

PART 1: ARE YOUR THIRD PARTY VENDORS A TICKING TIME BOMB? (page 4)

PART 2: HOW ARE YOU MANAGING YOUR THIRD PARTY RISK? (page 6)

PART 3: WHY THREAT ACTORS TARGET THIRD PARTIES (page 9)
  Internet Threat Actors + Third Party Attacks

PART 4: THREAT INTELLIGENCE IN YOUR VENDOR MANAGEMENT PROGRAM (page 11)
  Enterprise Uses of Threat Intelligence
  What Threat Intelligence Protects
  Fending off Cyber Threats with Threat Intelligence

PART 5: THE THIRD PARTY RISK CONTINUUM (page 17)

PAGE 3

PART 1: ARE YOUR THIRD PARTY VENDORS A TICKING TIME BOMB?

Outsourcing corporate data management to third party vendors is not new. We’ve all heard the saying, “it’s not if, it’s when” while discussing cyber attacks, and at some point your organization has likely been, or will be, targeted by a threat actor. Whether it’s through your own vulnerabilities or those of a third party vendor, the damages from even one attack could be catastrophic. Until recently, organizations have focused primarily on their internal security posture, and often overlooked those of their third party vendors. However, with 63% of data breaches originating in the supply chain,[1] organizations are seeking solutions to better anticipate threats, wherever they may occur. The sensitivity to third party breaches is heightened as more organizations face media exposure as a result of a breach – Target in 2009, Home Depot in 2014, and Amazon in early 2017 are just a few high-profile breaches that come to mind.

In addition, third party risk management is driving new regulations. New York recently published cyber regulations - that go into full effect in February 2018 - for the financial industry. Companies are being asked to take a more proactive approach to cybersecurity, with third party due diligence being a key part of the regulation. While these regulations are specific to Financial Services, they act as a preview of the future of cyber regulation for all industries.[2] Similarly, the American Institute of Certified Public Accountants (AICPA) recently announced a new structure for security assessments for audited companies. It is like a SOC 2, which focuses on business non-financial disclosure, but this regulation highlights cybersecurity and is intended for a broad audience. These assessments are voluntary today but will likely be mandatory in the future.[3]

As the threat landscape continues to evolve, it is more important than ever for organizations to invest in robust cyber threat intelligence and effective threat mitigation programs that emphasize real-time intelligence and comprehensive protection. This eBook focuses on third party risks that are associated with information security versus physical security, and will explain:

• How third party vendors increase your cyber risk
• The importance of threat intelligence in your vendor management program
• Challenges to implementing a cyber threat intelligence and management program
• Why you need a continuous monitoring service

1. http://go.soha.io/hubfs/Survey_Reports/Soha_Systems_Third_Party_Advisory_Group_2016_IT_Survey_Report.pdf
2. http://www.dfs.ny.gov/about/press/pr1708281.htm
3. https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/cybersecurityforcpas.html


PART 2: HOW ARE YOU MANAGING YOUR THIRD PARTY RISK?

Some of the biggest breaches in the past few years (see table on page 8) have been the result of poor third party security, and worldwide spend on security solutions is expected to reach $90 billion by the end of this year.[4] There is no indication that third party breaches - or risk - will decrease, and organizations are responding by re-evaluating their current third party risk management methods. Many companies approach mitigating third party risk from a legal or compliance standpoint, resulting in the purchase of scorecards to satisfy those requirements. While these do assist in the stratification of vendors by the amount of potential risk they pose to the organization, they do little to actually decrease the risk of cyber threats. Unfortunately, just using scorecards to address third party risk is a “check the box” approach that leaves many organizations vulnerable.



Unless identified exploits are given context and correlated with observable incidents from the industry, the information does nothing to protect your organization and mitigate the threat. The biggest concern when preventing third party cyber threats should be understanding where your third parties are already compromised, and how you can mitigate that threat in real-time. If you want relevant and specific mitigation that prevents third party - and general - risk, you need a partner with deep roots and expertise in threat intelligence. Threat intelligence is the critical element that can go beyond just settings and knobs. It addresses more systemic risk issues of an organization, as well as an indication of how those technical knobs and settings could be exploited.


4. https://www.bloomberg.com/news/articles/2017-01-19/data-breaches-hit-record-in-2016-as-dnc-wendy-s-co-hacked


MAJOR THIRD PARTY DATA BREACHES

| Organization | Industry | Breach | Year disclosed* |
|---|---|---|---|
| Evony Online | Entertainment | 33 million accounts stolen and 167 countries impacted by a breach via a website vulnerability | 2016 |
| Unnamed/multiple healthcare vendors | Healthcare | 9.3 million individuals’ PII compromised when a threat actor bundled multiple breaches | 2016 |
| Wendy’s | Retail | Vendor password breach led to installation of malware on Wendy’s POS devices at 300 franchises | 2016 |
| Mossack Fonseca | Banking & financial services | Panama Papers | 2016 |
| Unnamed government agency | Government | 154 million U.S. voter records with PII leaked | 2016 |
| U.S. Health and Human Services (HHS) | Government & healthcare | 5 million identities compromised when a thief stole government hard drives from HHS | 2016 |

*Year disclosed is not always the same as the year of the attack. There can be significant delays between attack and detection, and between detection and public disclosure.

PART 3: WHY THREAT ACTORS TARGET THIRD PARTIES?

Every week, an average of 89 vendors access an organization’s network.[5] This is 89 additional entry points that a threat actor can manipulate.

Malicious actors are constantly looking for the easiest, fastest, and most inexpensive way to get what they want – the “weakest link” attack method. Third party vendors are attractive targets because they are often small and medium-sized businesses (SMBs) that lack adequate security staff, infrastructure, and protocols to protect against a breach. They can also have access to sensitive and confidential information from multiple companies. It’s much more cost-effective to target a small vendor than a large entity that has robust security precautions in place.

So, how can larger enterprises with hundreds of vendors prioritize their efforts? One way is to evaluate vendors based on their access to sensitive data, such as employee personally identifiable information (PII), healthcare records, and customer information. The below chart shows the different categorization of threat actors, and the probability of them going after specific targets.

INTERNET THREAT ACTORS + THIRD PARTY ATTACKS

| Threat actor | Motives | Probability of attacking | Targets |
|---|---|---|---|
| Cybercriminals | To profit financially | High motivation, high capability | Financial and personal data for identity theft, fraud, blackmail, and ransom |
| Cyberterrorists | To spread ideology and cause targeted or indiscriminate damage and destruction | High motivation, high capability | Critical infrastructure and individuals or organizations perceived to be enemies |
| Public Reprisal & Shaming | To express values/ideals, draw attention, embarrass others, or be funny | Modest motivation, modest capability | Organizations that violate values and ideals – whether expressed or not, with forewarning/ultimatum or not |
| | | Low motivation, high capability | Government/Military organizations and personnel, critical infrastructure, and media and commercial/industrial intellectual property – especially Defense, Energy, IT, and Telecommunications |
| Novice (Script Kiddies) | To draw attention, gain credibility in the hacker community, feed ego, or be funny | | |

5. https://www.bomgar.com/assets/documents/Bomgar-Vendor-Vulnerability-Index-2016.pdf

PART 4: THREAT INTELLIGENCE IN YOUR VENDOR MANAGEMENT PROGRAM

When working with a third party vendor, there are many things out of your control. For example, do your vendors have the correct safeguards in place to protect your customers’ information? If they do, how can you efficiently and effectively evaluate or verify those security policies and programs? What about the vendors of your vendors (known as fourth party vendors)? Lack of visibility into third party security policies and capabilities is such a concern that Ponemon reports 58% of organizations do not think it is “possible to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach.”[6]

This is where threat intelligence can help. Threat intelligence is more than just accumulating data feeds. It provides a way for organizations to gain visibility into their vendors’ security posture, and eliminates the need for burdensome in-person vendor visits or reviews of cybersecurity self-assessments. To truly operationalize threat intelligence, you need a comprehensive program that can identify and manage it, as well as use it to help mitigate your own risks. This will enable you to work cooperatively with your third party vendors to help them protect both of your organizations.

ENTERPRISE USES OF THREAT INTELLIGENCE

• Block users from visiting malicious Internet Protocol (IP) addresses and domains
• Prevent users from visiting legitimate websites that are compromised (e.g., distributing malware)
• Block malware inside an enterprise network from communicating with and receiving instructions from remote C2 infrastructure (e.g., botnets)
• Secure Domain Name Server (DNS) assets against abuses, such as DDoS attacks
• Identify instances of enterprise brand and intellectual property abuse online
• Detect disruptive events and physical threats to resources and assets
• Identify policy & procedure questions to address with vendors to assure higher standards are met
• Verify and validate third party vendor exceptions
• Collaborate with up-and-downstream vendors to achieve more consistent threat anticipation and possible mitigation strategies
• Utilize data trends to develop internal policy/metrics to determine if vendors are paying enough attention to the evolving threat landscape

6. https://www.ponemon.org/local/upload/file/Data%20Risk%20in%20the%20Third%20Party%20Ecosystem_BuckleySandler%20LLP%20and%20Treliant%20Risk%20Advisors%20LLC%20Ponemon%20Research%202016%20-%20FINAL2.pdf

WHAT THREAT INTELLIGENCE PROTECTS

• Employee Data – Ex. Social Security Numbers, personal information (street addresses, phone numbers, etc.), salaries, emails, and user names/passwords
• Customer Data – Ex. Personal information (address, phone number, etc.), user names/passwords, and financial data
• Financial Data – Ex. Credit card numbers, Personal Identification Numbers (PINs), and account numbers
• Intellectual Property – Ex. Strategic plans, product roadmaps, blueprints, source code, prototypes, and market research
• Brand – Ex. Logo, trademark, copyrighted materials, and apps
• Physical Assets – Ex. Real estate, facilities, vehicles, and IT systems


FENDING OFF CYBER THREATS WITH THREAT INTELLIGENCE

There are many ways for threat actors to target organizations. Below are a few of the most-used (and most effective) cyber attack tactics, and how threat intelligence can help combat them.

1. SPEAR PHISHING

Spear phishing tops the list because it’s widespread and highly effective. It is commonly used as the first step in a multi-step attack. In a spear phishing campaign, attackers often use a technique called spoofing, which makes email messages and headers look like a legitimate note sent by someone the target trusts. From there, a target may download a malicious attachment or click a malicious link that redirects to a lookalike domain (registered by non-legitimate entities, often with fabricated DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records) that distributes malware. Threat actors are known to register domains with fake DKIM and SPF records in hopes of tricking users into believing fraudulent domains and emails are from legitimate sources.

Solution: Get ahead of spear phishing by utilizing machine-readable data feeds that provide a constantly updated list of malicious or compromised IP addresses and lookalike domain names for both your organization and that of your third party vendors. You can then block users from loading those pages, preventing end user devices from being compromised with malware.
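The lookalike-domain screening described in the solution above, as an added example that is not LookingGlass code: it checks newly observed domain names from a feed against a protected list covering your own domain and a vendor's, using homoglyph normalization, a distance-one edit check, and embedded-brand detection. The protected list, the observed names, and the homoglyph map are constructed assumptions.

```python
"""Flag lookalike domains for an organization's and its vendors' domains.

Added example, not LookingGlass code. Domain lists and the homoglyph map
are constructed assumptions; a real data feed would supply OBSERVED.
"""

# Domains to protect: our own plus key third party vendors (constructed).
PROTECTED = ["lookingglasscyber.com", "example-vendor.com"]

# Constructed sample of newly observed domains, as a data feed might deliver them.
OBSERVED = [
    "lookingglasscyber.com",     # legitimate, must not be flagged
    "lookinglasscyber.com",      # one letter dropped
    "lookingg1asscyber.com",     # digit 1 standing in for l
    "example-vendor-login.com",  # vendor brand with an appended token
    "examp1e-vend0r.com",        # several digit-for-letter swaps
    "unrelated-site.org",        # no resemblance
]

# Common digit/symbol-for-letter substitutions seen in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "@": "a", "$": "s"})


def registrable_label(domain):
    """Label left of the TLD; assumes a single-label TLD (simplification)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate, protected=PROTECTED):
    """Return (reason, protected_domain) for a lookalike, or None for a clean name."""
    cand = candidate.lower().strip(".")
    if cand in protected:
        return None
    label = registrable_label(cand)
    normalized = label.translate(HOMOGLYPHS)
    for p in protected:
        plabel = registrable_label(p)
        if normalized == plabel:
            return ("homoglyph", p)
        # Short brands would match too many names at distance 1; require length.
        if len(plabel) >= 6 and edit_distance(label, plabel) <= 1:
            return ("edit-distance", p)
        if plabel in normalized:
            return ("brand-embedded", p)
    return None


def build_blocklist(observed, protected=PROTECTED):
    """Sorted list of observed domains that should be blocked as lookalikes."""
    return sorted(d for d in observed if classify(d, protected) is not None)


if __name__ == "__main__":
    for d in OBSERVED:
        print(d, "->", classify(d))
    print("blocklist:", build_blocklist(OBSERVED))
```

Hits from `build_blocklist` are candidates for the web proxy or DNS blocklist; the edit-distance rule is deliberately restricted to longer brand labels because short names produce too many false positives at distance one.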

2. RANSOMWARE

This type of malware infects computer systems, restricting users’ access to the infected systems and temporarily or permanently rendering them inaccessible unless a “ransom” is paid within a specific time-frame. Even if you do pay the ransom, be wary; attackers have been witnessed duplicating and decrypting the stolen data for potential resale. Ransomware is delivered via botnets, exploit kits, and most commonly by spam and phishing emails (see: #1).

Ransomware has proven so successful – it’s estimated that at the end of 2016 revenue was at $1 billion – that many criminals now run operations that emulate legitimate software shops. They employ the software development life cycle to release versions, factor customer feedback into new features, and provide live chat support to help victims through the ransom payment process. Some have even devised Ransomware-as-a-Service (RaaS) offerings available to other cybercriminals – for a fee, of course.


Solution: The first step in many ransomware attacks involves spear phishing (see #1). If a client or vendor hosts ransomware links without their knowledge, and an employee either up- or downstream traverses an infected website, it could lead to the infection and encryption of a business endpoint, server, etc. Such a situation could strain the business relationship or business continuity, given the costs and ramifications once the threat vector is discovered. Use threat intelligence to block malicious and compromised websites to deny attackers an entry point into your network, or for a real-time list of known malicious Command-and-Control (C2) servers so you can automatically block them from communicating with malicious payloads already inside the enterprise network.
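The C2 matching described in the solution above, as an added example that is not LookingGlass code: it loads an indicator feed of C2 domains, addresses and networks and runs outbound proxy log lines against it, so a payload already inside the network beaconing to a listed server is surfaced. The feed format (kind,value,label), the log layout and every value in them are constructed assumptions.

```python
"""Match outbound connections against a C2 indicator feed.

Added example, not LookingGlass code. The feed format (kind,value,label)
and the proxy log layout are assumptions; all values are constructed.
"""
import ipaddress

# Constructed indicator feed: one indicator per line as kind,value,label.
FEED_TEXT = """\
# kind,value,label
domain,evil-c2.example,ransomware-c2
ip,203.0.113.7,botnet-c2
cidr,198.51.100.0/24,bulletproof-host
"""

# Constructed proxy log lines: timestamp src_ip dest_host dest_ip
LOG_LINES = """\
2018-01-15T10:00:01Z 10.0.0.12 updates.example-vendor.com 192.0.2.10
2018-01-15T10:00:05Z 10.0.0.12 beacon.evil-c2.example 203.0.113.7
2018-01-15T10:00:09Z 10.0.0.33 www.unrelated.example 198.51.100.42
2018-01-15T10:00:12Z 10.0.0.33 evil-c2.example.com 192.0.2.11
""".splitlines()


def parse_feed(text):
    """Return {"domains": {name: label}, "ips": {addr: label}, "nets": [(net, label)]}."""
    ind = {"domains": {}, "ips": {}, "nets": []}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        kind, value, label = (f.strip() for f in line.split(",", 2))
        if kind == "domain":
            ind["domains"][value.lower().rstrip(".")] = label
        elif kind == "ip":
            ind["ips"][ipaddress.ip_address(value)] = label
        elif kind == "cidr":
            ind["nets"].append((ipaddress.ip_network(value, strict=False), label))
    return ind


def match_domain(host, domains):
    """Label if host is an indicator domain or a subdomain of one, else None.

    Matching on label boundaries means evil-c2.example.com does not match
    the indicator evil-c2.example (a different registrable domain).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        label = domains.get(".".join(labels[i:]))
        if label:
            return label
    return None


def match_ip(ip_text, ind):
    """Label if the address is a listed IP or inside a listed network, else None."""
    ip = ipaddress.ip_address(ip_text)
    if ip in ind["ips"]:
        return ind["ips"][ip]
    for net, label in ind["nets"]:
        if ip in net:
            return label
    return None


def scan_log(lines, ind):
    """Return (timestamp, src, host, dst, [labels]) for each line that hits an indicator."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole batch
        ts, src, host, dst = parts
        hits = (match_domain(host, ind["domains"]), match_ip(dst, ind))
        labels = [lab for lab in hits if lab]
        if labels:
            alerts.append((ts, src, host, dst, labels))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(LOG_LINES, parse_feed(FEED_TEXT)):
        print(*alert)
```

Checking both the destination host and the resolved address catches a beacon whose domain is fronted by a listed hosting range even when the hostname itself is new.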

3. DDOS ATTACKS

A Distributed-Denial-of-Service (DDoS) attack occurs when a threat actor directs high volumes of network traffic from disparate devices to a single server. The most common form of this attack is directed at web servers, which can temporarily take down a business’s website. Attackers carry out DDoS attacks by building botnets, which consist of compromised devices (i.e., zombies) that they can control remotely using C2 servers. Then, an attacker can direct all the zombies in its botnet to flood a single server with requests. The target server cannot handle the volume of incoming requests, causing it to crash and thereby making the resources it hosts (e.g., website) temporarily unavailable. DDoS attacks require very little skill to execute, yet they can cause significant damage and public embarrassment to victims. For these reasons, DDoS attacks have been a longtime favorite of script kiddies, hacktivists, and other lower-skilled hackers.

Security researchers believe some DDoS attacks are a smokescreen used to distract the victim’s technical staff from other, more nefarious acts such as data breaches or malware payload delivery. The risk herein lies with the smaller vendor’s lack of in-house or expertly trained staff to appropriately monitor all network traffic, leaving available the opportunity for pivots into sensitive network segments which may host proprietary vendor or client data.


Solution: Many organizations own and operate DNS infrastructure in whole or in part. DNS servers are used to resolve numerical IP addresses (e.g., 111.111.11.11) to their corresponding domain names (e.g., LookingGlassCyber.com). DNS infrastructure often includes what are known as open recursive servers, which must communicate with other servers outside of the organization to properly identify addresses, resolve requests, and route users to the proper destinations. These open recursive DNS servers can be used in certain types of DDoS attacks. Threat intelligence provides real-time data on such attacks and can help to prevent an organization’s DNS servers from being targeted or used in attacks against others. 

4. DATA BREACHES

Most of the damage from a data breach occurs after the attack, and many times companies don’t know they’ve been breached until months, or even years, later. Sometimes the stolen information is made public to embarrass the victim, a practice hackers call doxing. Other times, the data are sold in underground criminal forums. Some attackers do not steal data; they simply try to destroy everything.

Solution: Threat intelligence identifies where stolen information is posted online, whether on widely available websites (e.g., Pastebin.com, a common repository for stolen data) or on obscure underground criminal forums, such as those on the Deep and Dark Web. Threat intelligence immediately identifies when stolen data shows up on any part of the Internet, so organizations can minimize damage to employees, customers, brand, and reputation.

5. ROGUE APPLICATIONS

Mobile applications are increasingly a key element of digital business strategy. Sometimes an app is the entire business, and other times the app supplements other channels (e.g., physical stores, e-commerce sites, etc.). Criminals use rogue apps for various purposes, such as pilfering revenue from legitimate owners by creating a clone or stealing user data. In September 2016, Google Play removed 400 malicious apps from its marketplace.[7] Almost all rogue apps illegally use the legitimate owner’s intellectual property, whether via copyright infringement or patent violations. The most significant business risk from rogue apps occurs when customers blame the legitimate owner, rather than the criminals, and switch to a competitor who is perceived to be more trustworthy.

Solution: Threat intelligence identifies rogue apps, whether in popular online marketplaces (e.g., Apple Store or Google Play) or on independent websites. As with breached data, the quicker the detection and mitigation of a rogue app, the less damage to the business’s brand and reputation.

7. https://arstechnica.com/information-technology/2016/09/more-than-400-malicious-apps-infiltrate-google-play/


PART 5: THE THIRD PARTY RISK CONTINUUM

Not all vendors are created equal when it comes to the threats they pose to an organization. Vendor risk exists across a continuum, and organizations need solutions to efficiently and effectively match that risk. Some questions to ask yourself when determining the potential risk of a third party include:

• WHAT SERVICE DOES YOUR VENDOR PROVIDE YOU?
• WHAT LEVEL OF ACCESS DOES YOUR VENDOR HAVE?
• HOW SENSITIVE IS THE INFORMATION THEY CAN ACCESS?
• WHAT KIND OF DAMAGE IS DONE IF THE INFORMATION OR SYSTEM IS EXPOSED?

Once you’ve identified each vendor’s risk, the next step is finding a robust threat intelligence service that can meet all of your third party risk needs. When evaluating providers, you should consider the following:

• Do they provide information that extends beyond vulnerabilities and network issues?
• Do they provide true continuous monitoring (24x7x365) and incident notification at time of discovery?
• Do they augment purchased data feeds with their own proprietary threat data?
• Are their incidents fully vetted and reviewed by human analysts? This ensures that false positives and “noise” common to most automated scorecards are eliminated.
• What is the scope of their coverage? If they only monitor the Deep and Dark Web, for instance, then they really only cover 5–10% of the entire Internet topology.

With LookingGlass’ Third Party Risk Management solution, organizations receive a 360-degree view into their vendors’ risk profile, which includes a baseline report, in-depth Cyber Attack Surface Analysis, and continuous third party risk monitoring.

[Figure: the third party risk continuum, plotting each vendor’s NETWORK ACCESS and DATA ACCESS against the RECOMMENDED ACTION]

Vendor 1: Questionnaire
Vendor 2: Snapshot Analysis
Vendor 3: Continuous Monitoring


1. THIRD PARTY RISK MONITORING SERVICE: For vendors with troublesome security postures, keep a watchful eye on their networks 24x7x365. Using the industry’s most comprehensive intelligence, this service provides visibility into the risk exposure and attack surface of your organization’s key vendors. Leveraging our 20+ years of experience, our analysts vet every finding to ensure that false positives are eliminated. This service provides real-time notifications as well as monthly vendor reports which include:

• System compromise
• Configuration and vulnerabilities
• Online indications and warnings

2. CYBER ATTACK SURFACE ANALYSIS: If a third party vendor’s security posture is raising alarms or if you are evaluating a firm prior to an M&A audit, it’s time to dive in and take a closer look. Each report is reviewed and analyzed by LookingGlass expert security analysts who provide actionable intelligence on critical areas of cyber risk:

• Where your vendors’ networks are already compromised by malware, viruses, etc.
• Likelihood of spear phishing, social engineering, and business email compromise from compromised domain names
• Indications of exposure to ransomware, phishing, spam, and C2 activity
• Stolen account credentials
• Coverage of more than 6,000 known threat actor groups

3. BASELINE ATTACK SURFACE REPORT: Baseline reports are an effective way to gain awareness of the potential risk any of your vendors might represent. These reports can also be useful in meeting compliance and/or regulatory requirements. They are a cost-effective first step to determining which of your vendors are most at-risk. From there, you can find additional tools to identify the efficacy of the risk and how to mitigate it.

Managing vendor risk is only one piece of the puzzle. Protecting your employees, customers, and brand is an ongoing process that requires organizations to adopt a holistic approach that identifies and manages threat intelligence, and uses that intelligence to mitigate risks, whether it is from internal or third party vulnerabilities.

THE POWER OF LOOKINGGLASS BEHIND YOU

ABOUT LOOKINGGLASS CYBER SOLUTIONS LookingGlass Cyber Solutions delivers unified threat protection against sophisticated cyber attacks to global enterprises and government agencies by operationalizing threat intelligence across its end-to-end portfolio. Scalable threat intelligence platforms and network-based threat response products consume our machine-readable data feeds to provide comprehensive threat-driven security.

Augmenting the solutions portfolio is a worldwide team of security analysts who continuously enrich our data feeds and provide customers unprecedented understanding and response capability into cyber, physical and 3rd party risks. Prioritized, relevant and timely insights enable customers to take action on threat intelligence across the different stages of the attack life cycle. Learn more at https://www.lookingglasscyber.com/.

Know More. Risk Less.
