Third-party breaches have become a common phenomenon in the modern cyber threat landscape. In 2021, the Ponemon Institute estimated that 51% of organizations were impacted by third-party breaches. The 2022 report found that data breach damage costs associated with third-party vulnerabilities rose from US$ 4.33 million in 2021 to US$ 4.55 million in 2022.
While third-party breach attempts are inevitable, you can reduce their projected financial impacts with some strategic security controls and third-party risk management initiatives.
Why Third-Party Breaches Require a Unique Cybersecurity Strategy
Conventional data breach mitigation strategies aren’t optimized for third-party breaches. This is because the cyberattack pathways for each incident are different.
The attack lifecycle for first-party data breaches is relatively linear. Cybercriminals penetrate a private network, escalate privileges to increase their access to sensitive data, then move laterally to discover and exfiltrate as much confidential information and customer data as possible.
The third-party breach attack pathway isn’t as simple to draw. Cybercriminals commence their attack further away from the victim’s IT boundary, targeting their service providers first.
Once a service provider’s network is compromised, cybercriminals can gain backend access to a target’s ecosystem through vendor software vulnerabilities or discover sensitive information that could compress a first-party breach lifecycle, such as privileged credentials used to sign up for the vendor’s services.
By adding a few more links to this attack chain, a fourth-party vendor (your vendor’s vendor) could be used as an initial attack vector. In such a scenario, a fourth-party software vulnerability could facilitate a pathway into a third-party vendor’s ecosystem, and that third party could in turn have a software vulnerability leading hackers to their final destination.
Given that both data breach pathways achieve the same outcome, the third-party breach pathway seems like an unnecessarily circuitous route. So why would cybercriminals prefer this attack pathway?
When deciding which attack vector to exploit, cyberattackers will choose the option offering the least amount of resistance. Service providers tend not to have a very good cybersecurity reputation, a characteristic highlighted in the 2022 Cost of a Data Breach Report by IBM and the Ponemon Institute. According to this report, vulnerabilities in third-party software are one of the most exploited initial attack vectors in a data breach.
In addition to making their work easier, third-party breaches also help cybercriminals maximize their impact. Because service providers tend to have backend integrations with each of their clients, a single breach could potentially give hackers access to a treasure trove of personal data across multiple high-profile businesses.
This is why so many businesses were impacted by the data breach of third-party file sharing solution Accellion. If the cybercriminal group responsible for this attack were to target each victim through conventional first-party breaching methods, they would need to contend with the security controls at each victim’s IT boundary. By instead targeting a service provider shared by all of these victims, only one IT boundary needed to be breached.
Data breaches occurring through compromised third parties are also known as supply chain attacks, and given the impressive ROI of these events, it’s no wonder they’re exploding in popularity.
Given the unique context of third-party breaches, these events cannot be effectively mitigated with traditional first-party breach controls. A Vendor Risk Management program designed explicitly for the third-party attack surface is required.
8 Strategies for Reducing the Impact of Third-Party Breaches
An effective vendor risk management program can be summarized in three primary objectives - to detect, address, and monitor the cybersecurity risks leading to third-party breaches.
The following eight strategies will help you evolve your information security efforts to map to each of these objectives.
1. Secure the Vendor Onboarding Process
When you onboard a vendor, you combine your attack surface with theirs, making their security risks your security risks.
Unfortunately, most businesses lack the tools required to identify each potential vendor’s security risks, instead relying on the assumption that a vendor’s impressive reputation must reflect their exemplary security posture.
But this is a false assumption. Many high-profile businesses are included in the list of biggest data breaches, with many of these events triggered by unsophisticated phishing campaigns.
The vendor onboarding process is best secured through a combination of security ratings and risk assessments (security questionnaires), broken down into two stages:
Security ratings offer a preliminary evaluation of a vendor’s security posture based on an attack surface scan of commonly exploited attack vectors. This tool can help you instantly shortlist vendors that seemingly exercise proper cybersecurity due diligence.
Shortlisted vendors can then progress to the risk assessment stage of the onboarding process.
Vendor risk assessments, especially customizable ones, offer a more detailed evaluation of a vendor’s internal data security practices. The results of these assessments will help you determine how each potential vendor’s risk profile sits within your defined risk appetite. An informed decision can then be made about which vendors are worth onboarding and which residual risks are worth absorbing for the sake of a desired vendor relationship.
2. Segment Your Network
Network segmentation is the practice of partitioning a private network into smaller isolated ecosystems to obfuscate pathways to sensitive resources in the event of unauthorized access.
Without a segmentation strategy, a network architecture is flat, so when an adversary gains unauthorized access, they just need to keep moving laterally until they locate your sensitive resources.
With a segmented network, sensitive resources cannot be directly accessed. So even if your network is penetrated through a compromised third-party, business impact will be minimized.
A network segmentation strategy alone isn't enough to mitigate the impact of third-party breaches. Sophisticated hackers could still bypass this control by escalating privileges. To increase security, network segmentation should be coupled with access management security controls.
Because phishing attack success rates are so high, an adversary is likely to eventually gain access to your network. As such, network segmentation should be a standard cybersecurity protocol for all businesses, including small businesses.
As evidence of the effectiveness of network segmentation in mitigating all forms of data breaches, an advisory by the FBI, CISA, and DOE strongly recommends critical infrastructure organizations implement network segmentation as a defense against Russian state-sponsored cyberattacks.
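The difference between a flat and a segmented network can be checked on paper before any intruder tests it for you. The following added example (not UpGuard's code, and not from the original post) models two hypothetical segment-to-segment allow policies for constructed segment names and runs a breadth-first search over them: it reports whether a foothold in a vendor-integration segment can reach the sensitive database segment directly, which segments it can reach at all, and which hops the transitive path goes through. The segmented policy deliberately still leaves an indirect path through the application tier, which is the point made above that segmentation alone is not enough and must be paired with access controls at those hops.

```python
from collections import deque

# Constructed, hypothetical segment names; these are not from any real network.
SEGMENTS = ["vendor-integration", "corp-workstations", "app-servers", "db-pci", "backup"]

# Flat network: every segment can reach every other segment.
FLAT_POLICY = {src: {dst for dst in SEGMENTS if dst != src} for src in SEGMENTS}

# Segmented network: only the flows the business actually needs are allowed
# (hypothetical allow rules, source segment -> set of destination segments).
SEGMENTED_POLICY = {
    "vendor-integration": {"app-servers"},
    "corp-workstations": {"app-servers"},
    "app-servers": {"db-pci"},
    "db-pci": {"backup"},
    "backup": set(),
}


def direct_access(policy, src, dst):
    """True if the policy allows src to talk to dst in a single hop."""
    return dst in policy.get(src, ())


def reachable_segments(policy, start):
    """All segments a foothold in `start` can eventually reach by chaining allowed flows."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for nxt in policy.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def path_to(policy, start, target):
    """Shortest chain of allowed hops from start to target, or None if target is unreachable.
    Each intermediate hop is a place where an additional access control would cut the chain."""
    parents = {start: None}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        if current == target:
            path = []
            while current is not None:
                path.append(current)
                current = parents[current]
            return path[::-1]
        for nxt in policy.get(current, ()):
            if nxt not in parents:
                parents[nxt] = current
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: direct vendor->db-pci = {direct_access(policy, 'vendor-integration', 'db-pci')}")
        print(f"{name}: reachable from vendor = {sorted(reachable_segments(policy, 'vendor-integration'))}")
        print(f"{name}: path vendor->db-pci = {path_to(policy, 'vendor-integration', 'db-pci')}")
```

Running the script shows the flat policy exposing the database in one hop from the vendor segment, while the segmented policy blocks direct access but still yields the path vendor-integration, app-servers, db-pci. That middle hop is where the access management controls the text calls for belong, and the same check can be re-run whenever a firewall rule changes.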
3. Deploy Honeytokens
Honeytokens add an additional layer of obfuscation to a network segmentation strategy. Honeytokens are fake sensitive resources that distract cybercriminals from your real sensitive resources.
When strategically combined with network segmentation, a well-placed honeytoken will guide cybercriminals away from your real sensitive resources and into a region that can be readily isolated, allowing security teams to deploy phase 3 of a cybersecurity incident response plan.
When a honeytoken is accessed, an alarm is triggered, notifying the cybersecurity team of the urgent need to activate the organization's incident response plan.
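The alarm described above is straightforward to build once each honeytoken is registered together with the place it was planted, because that placement tells responders which region to isolate. The following added example (my own illustration, not UpGuard's code or anything from the original post) keeps a small registry of constructed decoy values, scans constructed log lines for any of them, and emits a critical alert carrying the timestamp, the source address, and the segment to isolate. The log format, token values and segment names are all hypothetical.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    value: str       # decoy string that must never appear in legitimate traffic
    kind: str        # what the decoy imitates
    planted_in: str  # where it was placed, i.e. the segment to isolate on a hit


# Constructed honeytokens: the values are deliberately fake and map to nothing real.
HONEYTOKENS = [
    Honeytoken("DECOY-API-KEY-7731", "API key left in a config file", "app-servers"),
    Honeytoken("finance-admin-decoy", "dormant privileged account", "corp-workstations"),
    Honeytoken("s3://backups-archive-decoy", "bucket name in an old runbook", "backup"),
]

# Hypothetical log line shape: "<timestamp> <process>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>[\w-]+):\s+(?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log; two lines touch a decoy, two are ordinary traffic.
SAMPLE_LOG = """2024-03-02T10:15:01Z sshd: Accepted publickey for svc-backup from 10.20.0.15 port 44012
2024-03-02T10:16:44Z app: GET /api/v1/orders key=DECOY-API-KEY-7731 src=203.0.113.7
2024-03-02T10:17:02Z sshd: Failed password for finance-admin-decoy from 10.50.3.9 port 51022
2024-03-02T10:18:30Z app: GET /api/v1/health key=PROD-API-KEY-0042 src=10.20.0.15"""


def detect_honeytoken_hits(log_text, tokens=HONEYTOKENS):
    """Return one alert per log line that references a registered honeytoken."""
    alerts = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # unknown line shape; a real pipeline would count these separately
        msg = match.group("msg")
        for token in tokens:
            if token.value in msg:
                ips = IP_RE.findall(msg)
                alerts.append({
                    "timestamp": match.group("ts"),
                    "process": match.group("proc"),
                    "token": token.value,
                    "imitates": token.kind,
                    "isolate_segment": token.planted_in,
                    "source_ip": ips[-1] if ips else None,
                    "severity": "critical",  # any touch of a decoy is a confirmed intrusion signal
                })
    return alerts


def segments_to_isolate(alerts):
    """Distinct segments named by the alerts, in first-seen order, for the containment step."""
    ordered = []
    for alert in alerts:
        if alert["isolate_segment"] not in ordered:
            ordered.append(alert["isolate_segment"])
    return ordered


if __name__ == "__main__":
    hits = detect_honeytoken_hits(SAMPLE_LOG)
    for hit in hits:
        print(f"[{hit['severity']}] {hit['timestamp']} {hit['source_ip']} touched "
              f"{hit['imitates']} ({hit['token']}); isolate {hit['isolate_segment']}")
    print("segments to isolate:", segments_to_isolate(hits))
```

Because a decoy has no legitimate use, a single match is enough to page the incident response team; there is no threshold to tune. Wiring the output into a ticketing or SOAR tool is the only remaining step, and the isolate_segment field is what lets the containment action target the region the intruder is actually in.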
4. Confirm the Effectiveness of Obfuscation Efforts with Penetration Testing
You won’t really know the effectiveness of your network segmentation and honeytoken efforts until an adversary enters your ecosystem.
Luckily, you don’t need to wait for an actual ransomware attack to learn of any overlooked loopholes in your network obfuscation strategy. Penetration testers are trained to think like professional hackers. If there are any loopholes in your network security plan, penetration testers will likely find them. And instead of injecting malware, they’ll give you a document explaining all discovered vulnerabilities and any recommended remediation efforts.
5. Enforce MFA
Multi-Factor Authentication (MFA) is one of the simplest and most effective security controls for protecting user accounts. Microsoft estimates that MFA could prevent 99.99% of common attacks against user accounts.
If a threat actor gains access to your IT ecosystem through a compromised party, they will have great difficulty progressing to the privilege escalation stage of the cyberattack with MFA in place.
6. Continuously Monitor the Third-Party Attack Surface
Service providers should not be trusted to implement best cybersecurity practices. To significantly reduce the impact of third-party breaches, you need to assume control over your entire third-party attack surface.
A third-party attack surface monitoring solution will track emerging security risks in your vendor network in real time, helping you address them before they’re discovered by cybercriminals.
An attack surface monitoring solution that includes a data leak detection feature offers an additional layer of third-party breach protection. Data leaks are overlooked software exposures granting cybercriminals uninhibited access to sensitive credentials. When data leaks are discovered, they significantly increase the success potential of third-party breaches.
7. Minimize Vendor Access to Sensitive Data
If a vendor is compromised, the potential damage to your business will be minimized if that vendor doesn’t have direct access to sensitive customer data, such as phone numbers, credit card numbers, and social security numbers.
A Privileged Access Management (PAM) policy will ensure each vendor’s access to sensitive resources is the minimum level required to fulfill their contractual obligation.
Privileged Access Management is especially important for highly regulated industries, such as healthcare.
8. Implement a Vendor Risk Management Program
A vendor risk management program is the most comprehensive strategy for reducing the risk of third-party breaches. It addresses every stage of the third-party risk lifecycle, from initial detection to remediation and continuous monitoring.
There are three primary components of an effective Vendor Risk Management solution:
- Risk Detection - Emerging third-party security risks and data leaks are detected with an attack surface scanning engine, mapping to multiple critical attack vectors. Each detected risk is further scrutinized with customizable risk assessments.
- Remediation Planning - Efficient remediation efforts are planned based on the identification of critical third-party risks with the greatest potential negative impact on security postures.
- Ongoing Monitoring - The efficacy of remediation efforts is confirmed by measuring their impact on each vendor’s security posture.
Reduce the Impact of Third-Party Breaches with UpGuard
UpGuard's suite of features addresses the complete scope of Vendor Risk Management, from due diligence to continuous attack surface monitoring and even third-party data leak detection.