
How Mitigating Third-Party Risk Can Prevent Cyberattacks

Expert Insights speaks to Dave Stapleton of CyberGRX to discover how organizations can manage their third-party cyber risk to prevent island hopping and supply chain attacks.


This summer, as countries tentatively re-open their borders following the COVID-19-induced closures, you might be considering booking a holiday to somewhere sunny, packing a bag and hopping on a plane. But you’re not the only one who may consider island hopping as we come out of the pandemic—it’s something cybercriminals enjoy doing, too. However, in cybersecurity, the term means something a little more sinister.

Island hopping is an attack in which a cybercriminal infiltrates an organization indirectly by targeting its more vulnerable partners. Also known as a “third-party” or “supply chain” attack, island hopping exploits the relationship between two organizations, using one as a foothold to gain access to the other’s assets. One of the most infamous island-hopping attacks took place in 2013, when attackers breached US retailer Target’s gateway server using credentials stolen from a third party. A more recent example is the 2020 SolarWinds hack, in which hackers were able to gain access to SolarWinds clients.

Third-party cyberattacks are becoming increasingly common, and it’s no longer enough to protect your organization against direct threats from external actors; you need to secure your data against attacks targeting your trusted partners, too.

To find out more about how organizations can protect themselves against third-party cyberattacks, we spoke to Dave Stapleton, Chief Information Security Officer at CyberGRX. Stapleton started his career in cyber working for the Food and Drug Administration, within the Department of Health and Human Services, focusing on risk and privacy compliance. There, Stapleton helped build multiple national security teams and programs, including FedRAMP—the US government’s exchange of cyber-relevant information about public cloud service providers that want to offer their services to the federal government. Before they can do so, service providers must undergo due diligence in the form of security assessments, which are tedious to carry out manually; to ensure all information shared is accurate, standardized, and easy to process, providers must follow the FedRAMP assessment process.

A similar process of information standardization is what drew Stapleton to CyberGRX in 2017.

Founded in 2015, CyberGRX is the provider of the world’s first and largest global cyber risk exchange, and a third-party cyber risk management platform. With CyberGRX, rather than having to send questionnaires out to their partners and manually log their responses, organizations can leverage a standardized, vetted database of up-to-date security information to conduct portfolio-wide analysis of the risks associated with their third parties.

Third Parties Offer Value And Vulnerabilities…

Many organizations have some sort of cybersecurity infrastructure in place—be that a single technician or a dedicated security team—to protect themselves against cyberattacks. But they’re often still vulnerable to third-party risks, and supply chain or vendor attacks. And, as the world becomes increasingly digitized, organizations globally are becoming ever more dependent on third-party services.

“Third parties offer a lot of value to us,” Stapleton says. “They have niche skill sets and capabilities that are difficult or expensive for us to develop on our own. They also offer economies of scale. So, third party use is on the rise.”

But while our relationships with third parties provide clear value, they can also make us vulnerable to indirect cyberattacks, Stapleton tells me.

“Typically, when we think about a third party, we think of them as a trusted party and we give them access to sensitive assets or data, or share this data with them. We depend on them for significant services that are critical to the mission of our organization.

“And that means that compromising a third party can provide a threat actor with privileged access that would otherwise require significant effort to gain if they were to go directly for their primary target.”

…And Security Vendors Aren’t Always Secure

Third parties are often seen as an “easy in” for cybercriminals targeting an organization with stronger security defenses: if they can tap into the third party’s systems, they can gain access to their “real” target by impersonating a trusted partner. Because of this, all third parties present some amount of risk. However, in recent months, we’ve seen an increase in attacks against one particular third party group: cybersecurity vendors.

Security vendors are third parties that we trust with a significant amount of sensitive or privileged access in order for them to provide their services, Stapleton tells me. This means that, if a threat actor were to breach a security vendor’s systems, they could potentially also gain high-tier access to the systems of any organization that vendor is providing a service to—as seen in the recent SolarWinds and Kaseya breaches.

“If a threat actor wants to spread malicious software, for example, it’s easier for them to target a security vendor that they know has deep-rooted access to the environments of their customers, particularly if that vendor has a lot of customers.

“It’s a great way to quickly promulgate the distribution of malicious payloads to any number of different targets, and sometimes it’s even indiscriminate. We’ve seen this with some of the recent attacks, which almost got out of control for the threat actors themselves because they’ve spread so wide due to the number of customers the third party has.”

Third-Party Risk Is A First Party Responsibility

There’s no doubt that leveraging third party services can make your organization more vulnerable to cyberattacks—but this doesn’t mean that you should stop using third parties. Rather, you need to accept managing third-party risk as being one part of your data security processes.

“Third-party risk is a first party responsibility,” Stapleton says. You need to perform due diligence on your third parties to ensure that their security posture and programs are at an acceptable level. Historically, he tells me, this due diligence has come in the form of spreadsheet questionnaires and emails, but this method presents a number of challenges.

“There are issues with this on both sides. Third-party organizations spend enormous amounts of time trying to respond to requests from different customers, and the response is always a bit different because every customer has their bespoke way of asking particular questions, or security domains that they care about the most.

“Conversely, the customers have to deal with the challenge of creating these questionnaires; knowing what to ask, identifying a point of contact for each third party, and following up with their third parties over the next months until they acquiesce and complete the questionnaire. Then they have to read the results and try to perform some kind of analysis of these freeform answers.”

To help solve these challenges, CyberGRX standardizes the information submitted by all third parties, making it much easier to analyze and compare their security postures.

“Say I want to understand how my third parties respond to ransomware attacks,” Stapleton explains, “and there is a certain set of controls that are likely indicators of whether or not a third party is able to effectively protect themselves against ransomware. I can identify those controls, then look across my whole portfolio at once to see where those hotspots are.”

From a risk management perspective, this standardized database enables businesses to compare third parties and choose to invest in those that meet their security standards, as well as encourage any existing partners who don’t to improve their processes.

But CyberGRX’s information exchange isn’t just useful for end customers; it also makes the process of sharing information with customers much more efficient for the third parties themselves.

“Once they’ve created a risk profile on our exchange, they can share that information with as many customers as they like,” Stapleton says. “There’s significant time-saving potential because they don’t have to respond to all these questionnaires, but they can also deliver a consistent message to their entire customer base.”

Mitigating Third-Party Risk With Zero Trust Principles

In order to tackle increasing numbers of sophisticated cyberattacks, organizations are increasingly adopting a “zero trust” or “assume breach” philosophy. The zero trust philosophy is founded on the principle that you should never automatically trust any identities with access to your data—whether internal or external, machine or human. One of the best ways of implementing this is by consistently verifying the identity of anyone or anything that wants to access your corporate data.

“One of the key things with zero trust is to never assume that an identity is authentic, until it’s been verified. And we want to verify it often,” says Stapleton. This is because an account or machine could be breached after the user has logged in initially—if, after one verification, an authenticated user is granted access to all assets and network segments, a threat actor could use that authenticated account to access critical data.

“So, we should re-authenticate identities as they access different assets,” Stapleton says, “using strong authentication mechanisms. We need to have multi-factor authentication everywhere possible, and even consider risk-based authentication.”

Multi-factor authentication (MFA) is a digital identity verification process that requires users to prove their identities in two or more ways before they’re allowed access to corporate assets, applications or systems. Risk-based MFA takes this a step further by analyzing the context of each login for suspicious behaviors, such as signing in from an unknown device. If a login is considered risky, further verification is required; if not, the user is granted access as normal, ensuring security without impacting on user experience.

Additionally, organizations should abide by the principle of least privilege, which means granting the minimum level of access permissions for the exact amount of time the user needs to do their job, and no longer. Implementing a privileged access management (PAM) solution is one way to do this without having to manually audit each user account.

Implementing these security processes for all identities can greatly reduce the risk of a third-party cyberattack, because bad actors won’t be able to reach your systems without verifying their identity, even if they’ve managed to disguise themselves as one of your partners.
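The three controls described above (risk-based step-up at login, re-verification as an identity moves between assets, and time-bound least-privilege grants) combined into one small access decision engine. This is an added illustration, not CyberGRX code; the enrolled-device table, the 15-minute re-verification window and the grant data are constructed assumptions.

```python
"""Toy zero-trust access decision engine (added illustration, not CyberGRX code)."""
from dataclasses import dataclass, field

# Constructed sample data: devices each user has enrolled, plus an assumed policy constant.
KNOWN_DEVICES = {"alice": {"laptop-a1"}}
REAUTH_SECONDS = 15 * 60   # assumption: a strong verification for one asset is valid for 15 min


@dataclass
class Grant:
    asset: str
    expires_at: int        # least privilege: access is time-bound (epoch seconds)


@dataclass
class Session:
    user: str
    device_id: str
    grants: list = field(default_factory=list)
    verified: dict = field(default_factory=dict)   # asset -> time of last MFA verification


def login_decision(user: str, device_id: str) -> str:
    """Risk-based login check: a device the user never enrolled is a risk signal,
    so the login proceeds only after an extra verification step ("step_up")."""
    return "allow" if device_id in KNOWN_DEVICES.get(user, set()) else "step_up"


def access_decision(session: Session, asset: str, now: int) -> str:
    """Per-asset decision. Order matters: no live grant -> deny (least privilege);
    asset not verified recently -> step_up (re-authenticate per asset); else allow."""
    grant = next((g for g in session.grants if g.asset == asset), None)
    if grant is None or grant.expires_at <= now:
        return "deny"                                  # no grant, or grant has expired
    last = session.verified.get(asset)
    if last is None or now - last > REAUTH_SECONDS:
        return "step_up"                               # verify again before this asset
    return "allow"


def record_verification(session: Session, asset: str, now: int) -> None:
    """Called after the user passes an MFA challenge for this specific asset."""
    session.verified[asset] = now


if __name__ == "__main__":
    s = Session("alice", "laptop-a1", grants=[Grant("crm", expires_at=2000)])
    print(login_decision("alice", "laptop-a1"), login_decision("alice", "cafe-pc"))
    print(access_decision(s, "crm", now=1000))        # step_up: crm not yet verified
    record_verification(s, "crm", now=1000)
    print(access_decision(s, "crm", now=1100))        # allow
    print(access_decision(s, "hr", now=1100))         # deny: no grant for hr
```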

Hybrid Work May Create A False Sense Of Security

As organizations around the world begin welcoming their employees back to the office, often in a hybrid-remote work format, we can expect the threat landscape to continue to evolve, says Stapleton.

“Organizations are still going to have employees accessing assets in their corporate environment from external sources. So, we can expect to continue to see attacks on user endpoints, because they can sometimes be a weaker target—again, a third-party way of getting into the main organization—and, if not properly protected, they can be fairly attractive targets.

“Users themselves will continue to be the target of attacks too,” he adds, “because they don’t have the benefit of any additional corporate or enterprise-level protections. I could potentially do everything right from a security perspective, but still have a user respond to a phishing email.”

Because of this, it’s important that organizations and security teams remain vigilant of the threats they’re facing, and continuously train their users on the risk of attack from a “trusted” source.

“I’m worried that some people will go back to that old school way of thinking, almost out of excitement of having their office back. But just because you have a firewall in place doesn’t mean that everybody, everything or every action inside your network is safe.”

Achieving Cybersecurity Requires Active Engagement

Finally, we asked Stapleton for his top tips on how organizations can mitigate third-party risks, such as extortionware.

“First off—and this won’t be a surprise to anyone—you’ve got to make it a priority to understand and respond to third-party risk,” he tells me. “That requires a holistic approach using as much data as you can get.

“As you can tell, I’m a big fan of the standardization of that data. It’s impossible to have enough people in your program to run this process manually, so you’ve got to find ways to leverage efficiencies and automation.” One way to do this, of course, is by partnering with a third-party risk management provider.

“The best time to start was 10 years ago, but the second-best time to start is now,” Stapleton says. “As I said before, recognizing third-party risk is a first party responsibility. We can’t assume that someone else is doing it; we have to actively engage, get that actionable intel, collaborate on the risk treatment and incorporate all of that data into our overall cybersecurity programs.”

Thank you to Dave Stapleton for taking part in this interview. You can find out more about CyberGRX and their third-party risk management platform at their website and via their LinkedIn profile.