Mitigate Zero-Day Threats with Modern Third-Party Incident Response

Third-Party Incident Response

Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Bob Maley of Black Kite walks us through what it takes to mitigate threats with third-party incident response.

There was a time when phishing and business email compromise dominated the headlines, but today a larger threat faces companies: zero-day vulnerabilities. Because supply chains are now linked through shared software, the compromise of a single vendor can ripple out to hundreds of companies across the supply chain. Companies can no longer concern themselves only with the security of their own systems. They must monitor and mitigate vendor risk across hundreds, even thousands, of third, fourth, and Nth parties.

We don’t have to look far to see how third-party breaches cause catastrophic impact. The industry is still grappling with the fallout from the Change Healthcare incident. Just recently, American Express notified card members after a third-party merchant processor suffered unauthorized access, exposing customer card data even though American Express’s own systems were not breached. In late 2023, two vulnerabilities in Qlik Sense were exploited in a ransomware campaign by the Cactus group. The incident impacted 65 companies across the U.S. and Europe, concentrated in manufacturing and professional services. And Microsoft, still dealing with a late-2023 intrusion in which attackers accessed its source code repositories, disclosed 60 unique CVEs in its March 2024 update.

According to the Identity Theft Resource Center, zero-day attacks jumped significantly in 2023, fueling a 78 percent year-over-year increase in data compromises. The impact on the supply chain was staggering, with the number of organizations affected by supply chain attacks rising more than 2,600 percent since 2018. Meanwhile, phishing-related attacks were down slightly. Why? The answer is likely ROI. Phishing is resource-intensive and at best compromises a single company, especially now that organizations have invested heavily in making employees cyber-aware. A single zero-day, by contrast, can compromise tens, hundreds, or even thousands of victims. To put it simply: in the business of cyber exploits, there is more to gain.

Third-party Incident Response Challenges

When a new CVE is announced, the general incident response playbook is clear: determine the severity and exploitability of the vulnerability and prioritize it accordingly, identify and patch every instance of the affected software in use, and monitor for indicators of compromise. Determining the impact of the same vulnerability inside vendor organizations, however, is a far less concrete process.

Organizations typically have no visibility into vendor systems, so the only way to learn whether a vendor has been affected by a vulnerability is to ask, through manual outreach. And in today’s digitally connected ecosystem, response doesn’t stop there: a comprehensive approach must extend beyond direct vendors to their sub-vendors and partners. This is a slow process that cannot scale for large enterprises, which often have hundreds, if not thousands, of third- and fourth-party service providers to consider. That matters because the speed at which a company can identify vendors affected by a high-profile security event and then execute its response plan often determines the level of damage (financial, technical, reputational, and so on) it incurs.

Another problem with traditional incident response strategies is that they rely on assessments and questionnaires to determine whether a serious security incident has affected a vendor. Analyzing those responses can take weeks, by which point the information may be outdated, leaving organizations to respond late or not in time to mitigate threats in their vendor ecosystem. The alternative, a blanket response applied to every vendor, can cause unnecessary business disruption while still failing to contain or remove the threat.

Tips to Modernize and Streamline Third-Party Incident Response

Companies must modernize and streamline their security strategies to combat zero-day threats in their supply chains. There are several approaches companies can implement to improve third-party incident response.

  • Adopt vendor risk intelligence. Implementing vendor risk intelligence is the most effective addition companies can make to bolster third-party incident response. It involves gathering information on threats and threat actors from open-source intelligence (OSINT) and other data sources and combining it with contextual data on each vendor (location, industry, the data it accesses, and so on) to measure the potential impact a zero-day may have on an organization through its vendor network. Applied this way, vendor risk intelligence dramatically reduces the manual effort of third-party incident response: it quickly narrows the field to the vendors likely to be affected, which in turn shapes the company’s response. For example, an organization with 500 vendors may need weeks or even months to collect and analyze responses from all of them. If vendor risk intelligence shows that only 15 vendors are likely to be affected, the organization can limit its outreach to those high-risk vendors.
  • Create a dedicated third-party incident response team. Having a dedicated third-party incident response team is essential in capitalizing on vendor risk intelligence and responding effectively to supply chain incidents. Companies should identify and assign the roles in the response process, and clearly define the actions this team will take to quickly evaluate a vendor’s security status in the event of an incident and the incident’s level of severity. This team is responsible for collecting and analyzing OSINT data on vendors and the threat landscape. And because time is of the essence, this team should have a system in place that allows them to access this information quickly to determine which vendors may be affected in the event of an incident. This team should also build and execute playbooks on how to best contact vendors to assess the severity of the impact. Incidents may begin as times of crisis, but effective third-party incident response can actually be a significant relationship-building opportunity with vendors if both parties work in tandem to mitigate the issue.
  • Invest in continuous monitoring and automation. Traditional approaches rely on point-in-time data to assess a vendor’s security posture. This is problematic because it doesn’t reflect real-time changes to systems and software, and it is notably difficult to gain visibility into vendors’ activities in general. Continuous threat monitoring can ensure companies identify high-profile events quickly. Automation can expedite the collection and analysis of OSINT data, ensuring fast access to vendor risk intelligence third-party incident response teams need most. It can be used to vet vendors based on location or access to sensitive data. This information can be combined with threat monitoring information to provide critical visibility into vendor security postures and real-time information about the impact of a zero-day vulnerability.
  • Ensure robust vendor evaluations. Companies should evaluate their vendors for signs of compromise and confirm that they have implemented robust security controls. The analysis should cover a broad spectrum of risk factors, including ransomware susceptibility, vendor size, industry, and geographic location, so that the vendor population can be prioritized before an incident rather than during one.
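To make the "500 vendors down to 15" triage in the vendor risk intelligence and continuous monitoring points concrete, here is an added example, not code from the article or from Black Kite. It matches a constructed vendor inventory (products and versions assumed to have been observed via OSINT or vendor attestations) against a newly published advisory, treats a vendor whose version is unknown as possibly exposed rather than silently clearing it, and ranks the exposed vendors by an assumed scoring model based on vendor tier and the data the vendor handles. The product name, vendor names, CVE identifier, and weights are all placeholders.

```python
"""Triage a vendor inventory against a newly published advisory.

Added example for illustration only. All vendors, products, versions,
the CVE identifier and the scoring weights below are constructed
placeholders, not real data or a vendor's methodology.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vendor:
    name: str
    tier: str                                   # assumed labels: critical / important / low
    data_access: list[str]                      # categories of our data the vendor handles
    products: dict[str, Optional[str]] = field(default_factory=dict)  # product -> observed version (None = unknown)


@dataclass
class Advisory:
    cve: str
    product: str
    fixed_version: str                          # first version that is no longer vulnerable
    exploited: bool                             # known to be exploited in the wild?


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a < b. Pads with zeros so that "2.1" compares equal to "2.1.0"."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def exposure(vendor: Vendor, adv: Advisory) -> Optional[str]:
    """'confirmed' if an affected version was observed, 'possible' if the
    product is present but its version is unknown, None if not exposed."""
    if adv.product not in vendor.products:
        return None
    ver = vendor.products[adv.product]
    if ver is None:
        return "possible"          # conservative: unknown version still gets outreach
    return "confirmed" if version_lt(ver, adv.fixed_version) else None


# Assumed, simplified scoring model: business criticality plus data sensitivity,
# doubled when the advisory is already being exploited.
DATA_WEIGHT = {"credentials": 5, "phi": 4, "pci": 4, "pii": 3, "public": 0}
TIER_WEIGHT = {"critical": 3, "important": 2, "low": 1}


def priority(vendor: Vendor, adv: Advisory) -> int:
    score = TIER_WEIGHT[vendor.tier] + sum(DATA_WEIGHT.get(d, 1) for d in vendor.data_access)
    return score * 2 if adv.exploited else score


def triage(vendors: list[Vendor], adv: Advisory) -> list[tuple[str, str, int]]:
    """Return (vendor, exposure, priority) for exposed vendors, highest priority first."""
    rows = []
    for v in vendors:
        exp = exposure(v, adv)
        if exp is not None:
            rows.append((v.name, exp, priority(v, adv)))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


# Constructed sample inventory (placeholder names and versions).
VENDORS = [
    Vendor("PayrollCo", "critical", ["pii", "pci"], {"AcmeAnalytics": "2.0.2", "OtherTool": "1.2"}),
    Vendor("BIHost", "important", ["pii"], {"AcmeAnalytics": None}),
    Vendor("Printshop", "low", ["public"], {"AcmeAnalytics": "2.0.5"}),
    Vendor("Clinic", "critical", ["phi"], {"AcmeAnalytics": "1.9"}),
    Vendor("CDNVendor", "important", ["public"], {"OtherTool": "3.0"}),
]
ADVISORY = Advisory("CVE-0000-00000", "AcmeAnalytics", "2.0.3", exploited=True)

if __name__ == "__main__":
    for name, exp, score in triage(VENDORS, ADVISORY):
        print(f"{score:>3}  {exp:<9}  {name}")
```

Only three of the five vendors come back: the two running a version below the fix and the one whose version is unknown, ordered so that the outreach team starts with the vendor that handles the most sensitive data. Vendors on a fixed version or without the product drop out of the manual effort entirely, which is the reduction the bullets above describe.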

Solving Third-Party Incident Response

Zero-days are a clear and present danger to the supply chain. Incidents like the Qlik Sense exploitation, the Microsoft intrusion, and many others underscore the importance of robust third-party risk management in identifying and mitigating cyber threats. As digital ecosystems expand, companies must modernize and streamline their approach to third-party incident response and eliminate uninformed, manual processes. They need dedicated teams armed with data on vendor risk, a holistic view of the threat landscape, and automation that turns complex threat information into actionable intelligence. These strategies foster stronger vendor relationships, enable faster response, and reduce a company’s exposure when the next high-profile attack lands.
