Here are six steps agencies can take to mitigate third-party compromises.
In 2019, threat actors began increasingly targeting third-party service providers—including trusted partners and links in supply chains relied on by government agencies—because they serve as a force multiplier in attacking organizations at scale.
While the promise of less stringent security protocols was once the main draw toward third-party access, the 2019 CrowdStrike Services Cyber Front Lines Report found that threat actors also use this strategy to embolden the reach and tenacity of attack.
CrowdStrike found supply chain and third-party risks are frequently cited by mature organizations as among their top cybersecurity concerns due to the challenges in preventing such attacks and the damage they can inflict. As a result, in 2020 federal agency IT leaders should consider the adoption of these six steps to effectively mitigate third-party compromises.
1. Follow basic cyber hygiene.
Dig into most data breaches and you will find a large number of events like failed authentication attempts that were never spotted by the organization prior to a successful attack. There is simply no substitute for diligent preventive maintenance on your agency’s critical systems to ensure they are not vulnerable. Patching systems within 30 days and monitoring critical event logs are essential tasks, even if (perhaps especially if) the system is outsourced to a third-party provider.
2. Establish a vendor risk management program.
These programs reduce the risk of breaches and minimize impacts should one occur. Lowering risks to your agency from third parties—including supply chain members—means collecting information about partners’ security protocols via questionnaires, using security risk rating services and requiring compliance with certain standards. Reducing the impact of a third-party breach includes restricting access to your environment (for instance, keeping third parties in a separate user group subjected to extra scrutiny); requiring prompt notification of a security incident, and applying the principle of least privilege.
3. Insist on using multifactor authentication for business to business access.
CrowdStrike saw in 2019 an increase in attacks that leveraged credentials harvested from third-party provider environments, which were then used to access a client network of the third party. If MFA with a rotating token code as the second access factor had been in place, stolen credentials would not have immediate value, and getting around MFA would be significantly harder for any attacker.
4. Understand vendors’ endpoint detection and prevention capabilities.
This step answers the simple question: If one of your third-party providers was breached, how would they know? Your agency needs a thorough understanding of the endpoint protection or system security protection and prevention mechanisms that are in place in vendors’ environments, including for their third parties. Obviously, the sooner a breach is detected, the quicker mitigation can be performed, with the ultimate goal being to achieve CrowdStrike’s recommended benchmark 1-10-60 rule: 1 minute to detect, 10 minutes to investigate, and 60 minutes to remediate.
5. Require a cybersecurity maturity assessment in evaluations.
Your agency should include a compromise assessment or a cybersecurity maturity assessment in the list of requirements you make of any prospective third-party provider, whether as part of the agency’s supply chain or in a trusted partnership. Such assessments can help your security team understand whether the third party’s environment was previously compromised, and provide valuable insight into their overall security posture.
6. Consider red team assessments in the evaluation.
The most proactive step your agency could take, especially valuable when considering entering into a new trusted partner relationship, is to require a red team assessment or adversary emulation exercise. This provides real-world insights into the third party’s security controls, critical vulnerabilities, and identifies areas for improvement, ultimately improving your agency’s cyber posture and ability to mitigate risk both quickly and effectively
Thomas Etheridge is vice president of services at CrowdStrike.