In July 2021, the IT management vendor Kaseya, whose VSA remote monitoring and management tool is used by managed service providers (MSPs), suffered a massive ransomware attack delivered through that tool. The attack forced the Swedish supermarket chain Coop to close stores temporarily when its cash registers could no longer function, and it affected as many as 1,500 businesses worldwide that relied on the software, directly or through their MSP. As in the SolarWinds supply chain attack, in which a compromised Orion update reached many government agencies and multinational companies, the attackers targeted Kaseya because VSA gave them a path into the MSPs and, through them, hundreds of downstream customers and their data. To stay one step ahead of the cybercriminals behind these widespread and damaging supply chain attacks, organizations need to adopt effective cyber threat intelligence (CTI) practices.
What is Cyber Threat Intelligence?
Cyber threat intelligence (CTI) is the process of collecting, analyzing and disseminating information about potential threats and vulnerabilities so that an organization can make informed cybersecurity decisions. That information includes attackers' tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs), and it is gathered from external feeds and research as well as from threat intelligence tools that detect unusual behavior within an organization's systems and network.
Together with threat detection, cyber threat intelligence is a main line of defense that organizations use to anticipate, prevent and respond to cyber threats, and to act on emerging threats before they turn into attacks and breaches.
How to Leverage Cyber Threat Intelligence to Defend Against Third-Party Risk
Traditional cyber threat intelligence focuses on the actors that could attack your organization directly and on their motivations. That alone isn't sufficient for defending against third-party and supply chain attacks. For insight into third-, fourth- and n-th-party security, you'll need threat intelligence tools that deliver visibility beyond your own perimeter and integrate with your existing security stack, such as your security information and event management (SIEM) solution, web application firewall (WAF) and next-generation firewalls (NGFWs).
Here are a few best practices for integrating cyber threat intelligence to guard against third-party risk:
1. Map and Monitor Third Party and Supply Chain Dependencies
It's essential to gain a comprehensive understanding of your third parties (suppliers, service providers, external contractors and partners) and of their own suppliers, so you can see how a weakness or vulnerability in one part of your supply chain could affect your organization. A software bill of materials (SBOM) is one tool that helps organizations map software supply chain dependencies, including the fourth-party components that your vendors' software pulls in, for the purpose of managing third-party risk.
2. Conduct Regular Vendor Risk Assessments
Vendor risk assessments evaluate the residual risk a third party poses to your organization and the effectiveness of the security controls it has implemented. You'll also need to examine the vendor's attack surface, including its IT infrastructure and networks, its applications and the potential for human error. At this point, you can send out security questionnaires tailored to the context and to the level of risk the vendor poses to your organization. Because the third-party landscape changes constantly, it is critical to repeat vendor risk assessments at regular intervals to maintain a strong security posture.
3. Prioritize Risks
The challenge with large-scale threat detection is deciding which threats to prioritize and alerting the right security team members. Risks should be prioritized according to criteria such as the potential impact, whether a critical service or network could be affected, the access the third party has to sensitive data, and whether it must meet the same compliance obligations as your organization. Once you identify a third party as presenting a high or critical risk, you'll need to gather more information from that vendor. For example, you'll want to map known vulnerabilities (CVEs), and in particular those listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, across the entire digital supply chain, so that you can see which of them actually reach your organization and through which vendors, and prioritize accordingly.
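The two preceding practices, mapping supply chain dependencies with an SBOM (practice 1) and prioritizing vulnerabilities by whether they are known to be exploited and how directly they reach you (practice 3), can be combined in a small triage script. The following is an added example, not code from the original article or from Panorays' product. It parses a constructed CycloneDX-style JSON SBOM, walks the dependency graph from your own application to find which vulnerable components are actually reachable and through which direct (third-party) vendors, and ranks the findings: KEV-listed CVEs first, then by how many vendors expose the component, then by dependency depth. The SBOM contents, component names, CVE identifiers and the KEV entries are all constructed placeholders, not real advisories; in practice the CVE mapping would come from a scanner or vendor advisories and the KEV set from CISA's published catalog.

```python
"""Triage vulnerable supply chain components from an SBOM (added example).

Everything below (SBOM, CVE IDs, KEV entries) is constructed for illustration.
"""
import json
from collections import deque

# Constructed CycloneDX-style SBOM: our portal depends on two vendor packages,
# both of which pull in the same open-source logging library (a fourth party).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:app/our-portal@2.3.0", "name": "our-portal"}},
  "components": [
    {"bom-ref": "pkg:vendor/payments-sdk@4.1.0", "name": "payments-sdk", "version": "4.1.0"},
    {"bom-ref": "pkg:vendor/analytics-agent@7.0.0", "name": "analytics-agent", "version": "7.0.0"},
    {"bom-ref": "pkg:oss/loglib@1.2.0", "name": "loglib", "version": "1.2.0"},
    {"bom-ref": "pkg:oss/jsonparse@0.9.1", "name": "jsonparse", "version": "0.9.1"}
  ],
  "dependencies": [
    {"ref": "pkg:app/our-portal@2.3.0",
     "dependsOn": ["pkg:vendor/payments-sdk@4.1.0", "pkg:vendor/analytics-agent@7.0.0"]},
    {"ref": "pkg:vendor/payments-sdk@4.1.0",
     "dependsOn": ["pkg:oss/loglib@1.2.0", "pkg:oss/jsonparse@0.9.1"]},
    {"ref": "pkg:vendor/analytics-agent@7.0.0", "dependsOn": ["pkg:oss/loglib@1.2.0"]},
    {"ref": "pkg:oss/loglib@1.2.0", "dependsOn": []},
    {"ref": "pkg:oss/jsonparse@0.9.1", "dependsOn": []}
  ]
}
"""

# Constructed component -> CVE mapping (placeholder IDs, not real advisories).
# "pkg:oss/unused@0.1.0" is vulnerable but absent from the SBOM, so it must be skipped.
COMPONENT_CVES = {
    "pkg:oss/loglib@1.2.0": ["CVE-0000-1111"],
    "pkg:oss/jsonparse@0.9.1": ["CVE-0000-2222"],
    "pkg:vendor/payments-sdk@4.1.0": ["CVE-0000-3333"],
    "pkg:oss/unused@0.1.0": ["CVE-0000-4444"],
}

# Constructed KEV-style catalog: CVEs known to be exploited in the wild.
KEV_CATALOG = {"CVE-0000-1111"}


def load_graph(sbom_json):
    """Return (root bom-ref, adjacency dict) from a CycloneDX-style JSON SBOM."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    deps = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    deps.setdefault(root, [])
    return root, deps


def bfs_depths(start, deps):
    """Shortest dependency distance from start to every component reachable from it."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for child in deps.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def tier_name(depth):
    """Depth 1 from our own application is a third party, depth 2 a fourth party, and so on."""
    return {1: "third-party", 2: "fourth-party"}.get(depth, f"{depth + 2}th-party")


def prioritize(sbom_json, component_cves, kev_catalog):
    """Rank reachable vulnerable components: KEV first, then breadth of exposure, then depth."""
    root, deps = load_graph(sbom_json)
    depths = bfs_depths(root, deps)
    # For each direct (third-party) dependency, the set of components it pulls in.
    reach_via = {vendor: set(bfs_depths(vendor, deps)) for vendor in deps[root]}
    findings = []
    for comp, cves in component_cves.items():
        if comp not in depths:
            continue  # vulnerable package exists, but nothing in our tree uses it
        findings.append({
            "component": comp,
            "depth": depths[comp],
            "tier": tier_name(depths[comp]),
            "cves": sorted(cves),
            "kev": sorted(c for c in cves if c in kev_catalog),
            # Which vendors to follow up with (questionnaire, patch timeline).
            "exposed_via": sorted(v for v, reach in reach_via.items() if comp in reach),
        })
    findings.sort(key=lambda f: (not f["kev"], -len(f["exposed_via"]), f["depth"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(SBOM_JSON, COMPONENT_CVES, KEV_CATALOG):
        flag = "KEV " if f["kev"] else "    "
        print(f"{flag}{f['tier']:<13} {f['component']:<34} via {', '.join(f['exposed_via'])}")
```

The ordering encodes the prioritization criteria from the text: a KEV-listed vulnerability outranks everything else regardless of depth, a fourth-party component that two of your vendors both ship is a larger blast radius than one that only one vendor ships, and a vulnerability in a direct dependency outranks an equally rated one buried deeper. The `exposed_via` field tells you which vendors to send the follow-up questionnaire to, which is the information you need before you can act on a fourth-party finding at all.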
4. Implement Continuous Monitoring
Continuous monitoring is already central to cyber threat intelligence for identifying and responding to emerging threats inside your organization, but it often does not cover third-party threats. Continuous monitoring of third parties is harder because organizations frequently add, remove or replace suppliers, service providers, external contractors and partners, which keeps changing the digital ecosystem you need to watch.
5. Customize Threat Intelligence Feeds
Threat intelligence should draw on comprehensive data collection from the open, deep and dark web, and on internal data such as logs, network traffic and unusual user activity, but it usually does not include data about your third parties. Your organization's threat intelligence typically lacks access to that information and does not focus on the external operational, financial, compliance and legal risks these third parties pose. Threat intelligence feeds can be customized to include information relevant to your third parties and digital supply chain, such as industry trends, geographic risk or the IT infrastructure of a particular third party. Consider also joining threat intelligence sharing communities that focus on third-party and supply chain risk.
6. Ensure Alignment with Regulations and Standards
If your organization is subject to regulations such as HIPAA or GDPR, your third parties need to be compliant as well. Organizations can integrate threat intelligence into their cybersecurity strategy to identify third-party risks that could lead to non-compliance, and then take the steps necessary to mitigate those risks.
7. Have an Incident Response Plan in Place
In the event of a security incident or data breach, your organization needs to know how to respond specifically to a third-party incident. Prepare a detailed response plan that spells out the actions to be taken and the roles that execute them, both in your organization and at the third party. Review and update the plan regularly as the third-party risks facing your organization change.
8. Regularly Update and Refine Your CTI Strategy
What results is your CTI delivering right now? How is it helping you defend against third-party risks? Was the incident response to the most recent attack effective? These are the questions your IT and security teams should ask on a regular basis to ensure your cyber threat intelligence is effective at detecting and defending against third-party risks. With emerging threats and constant changes to your third parties and their attack surface, you'll have to continually assess and refine your CTI strategy to build a more comprehensive picture of your security posture.
How Panorays Proactively Defends Against Third-Party Risk
With attack surfaces expanding and supply chain attacks increasing, cyber threat intelligence is now a critical component of every organization's cybersecurity strategy. But most CTI tools fail to identify and mitigate third-party risk. Integrating with both your commercial threat intelligence and your other security tools, Panorays delivers a combination of external attack surface assessments and security questionnaires to evaluate your third-party risk, and it extends that view to fourth- and n-th-party risk. By staying updated on the latest data breaches and security incidents, you'll be better placed to comply with regulations such as the SEC's cybersecurity disclosure rules, which require public companies to report a material cybersecurity incident within four business days of determining that it is material. Built-in industry-standard questionnaires are also available, so organizations can quickly customize security questionnaires as necessary, receive responses faster and better manage third-party risk.
Cyber threat intelligence (CTI) is the process of collecting, analyzing and disseminating information about potential threats and vulnerabilities so that an organization can make informed cybersecurity decisions. The data comes from a wide range of sources and types and is gathered by threat intelligence tools that detect unusual behavior within an organization's systems and network at scale.
Cyber threat intelligence is important because it is a main line of defense that organizations use to anticipate, prevent and respond to cyber threats and to defend against emerging threats. It helps organizations understand the threat landscape and prioritize threats, and it is an essential requirement for compliance with many cybersecurity regulations.
The main types of cyber threat intelligence are:
1. Strategic. This type of intelligence communicates the risk and business impact of cyber threats to your organization's leadership.
2. Tactical. This type of intelligence covers the TTPs and IoCs attackers use and how to mitigate those types of attacks.
3. Operational. This includes information about the motivation and method of a specific attack, such as the attack vector used or the exact vulnerabilities exploited.
4. Technical. This includes information such as indicators of compromise (IoCs), IP addresses, domains and other data your SOC team needs to detect and mitigate an attack.