Do you automatically trust your external vendors? You might want to make them earn your trust. Adversaries are constantly seeking entry points into victim environments, and third-party providers can potentially provide access to more attractive targets. For example, organizations such as law firms, accountants, public relations advisors and others can hold sensitive information belonging to multiple clients, and these service providers often require network access from their customers.
In 2019, the CrowdStrike® Services team observed an uptick in attackers targeting popular remote administration software platforms — such as those leveraged by third-party providers to manage their customers' needs — in order to gain initial entry. The team also saw a rise in attacks against third-party providers that support specific vertical market segments. Similar to traditional watering hole attacks, compromising one vendor's legitimate network access can yield access to multiple victims in an attacker's target vertical. In short, adversaries can use third-party access as a force multiplier.
Targeted vs. Opportunistic Attacks
Targeted intrusions that originate with third-party providers typically follow one of two patterns: The adversary is either targeting a specific organization, or multiple organizations in a single sector or with a common interest. In either case, data theft is often the objective. While data theft via a third-party compromise can have severe business or operational consequences, it does not usually result in deliberate disruption or destruction, as is the case with opportunistic attacks. And because this type of attack yields continuing returns the longer the attacker persists, attackers are finding more creative and surreptitious ways to remain undetected in victim environments.
On the other hand, opportunistic attacks via third-party access can cause significant damage to the victim’s organization because the focus is mostly on ransomware delivery. Cybercriminals are looking to extract a hefty ransom by encrypting critical business resources, often on systems the victims are not aware have been exposed publicly.
What Can You Do?
You should take action to prevent or minimize threats that maliciously leverage third-party provider access. Before engaging in a contract with the third-party provider, you should understand what security controls are in place in the provider’s environment and how those controls may factor into your organization’s overall security posture. If a provider’s security posture is not strong and its ability to detect malicious or suspicious activity is ineffective, it can ultimately put your organization at risk.
Do the basics. Many breaches include a large number of suspicious events that were not reviewed by the victim, such as failed authentication attempts. It is vital to conduct preventive maintenance on your business’s critical technology systems to ensure they are not vulnerable to attacks. Patching systems in 30 days and monitoring critical event logs are practices that all organizations should be performing — and if the system is critical to your business, it needs to be on a preventive maintenance program.
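The unreviewed failed-authentication events mentioned above are exactly the kind of signal a small log check can surface. The following Python script is an added example, not part of the original post or of any CrowdStrike product: it parses constructed, syslog-style gateway log lines (sample data, not real events), flags a burst of failed logins for one account from one source that is followed by a success, and separately flags a vendor account logging in outside an agreed maintenance window. The log format, the account name `vendor-msp`, the thresholds and the allowed-hours window are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format, not taken from the post).
SAMPLE_LOG = """\
2019-11-04T02:14:01Z vpn-gw sshd: Failed password for vendor-msp from 203.0.113.45
2019-11-04T02:14:03Z vpn-gw sshd: Failed password for vendor-msp from 203.0.113.45
2019-11-04T02:14:05Z vpn-gw sshd: Failed password for vendor-msp from 203.0.113.45
2019-11-04T02:14:08Z vpn-gw sshd: Failed password for vendor-msp from 203.0.113.45
2019-11-04T02:14:10Z vpn-gw sshd: Failed password for vendor-msp from 203.0.113.45
2019-11-04T02:14:12Z vpn-gw sshd: Accepted password for vendor-msp from 203.0.113.45
2019-11-04T09:00:00Z vpn-gw sshd: Failed password for jsmith from 198.51.100.7
2019-11-04T09:00:30Z vpn-gw sshd: Accepted password for jsmith from 198.51.100.7
2019-11-04T23:55:00Z vpn-gw sshd: Accepted password for vendor-msp from 203.0.113.45
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, vendor_accounts, threshold=5, window=timedelta(minutes=5),
           allowed_hours=(8, 18)):
    """Return (rule, user, src, timestamp) alerts, in event order.

    Rules (all thresholds are assumptions for the example):
      FAILED_AUTH_BURST      - `threshold` failures for one user/source within `window`
      SUCCESS_AFTER_BURST    - a success for that user/source while the burst is recent
      VENDOR_LOGIN_OFF_HOURS - a vendor account succeeds outside allowed_hours (UTC)
    """
    alerts = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        # Keep only failures still inside the sliding window.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if not ev["ok"]:
            failures[key].append(ev["ts"])
            if len(failures[key]) == threshold:  # alert when the count reaches threshold
                alerts.append(("FAILED_AUTH_BURST", ev["user"], ev["src"], ev["ts"]))
            continue
        if len(failures[key]) >= threshold:
            alerts.append(("SUCCESS_AFTER_BURST", ev["user"], ev["src"], ev["ts"]))
        if ev["user"] in vendor_accounts and not (
            allowed_hours[0] <= ev["ts"].hour < allowed_hours[1]
        ):
            alerts.append(("VENDOR_LOGIN_OFF_HOURS", ev["user"], ev["src"], ev["ts"]))
    return alerts


def run_sample():
    """Run the detector over the constructed sample with one assumed vendor account."""
    return detect(parse(SAMPLE_LOG), vendor_accounts={"vendor-msp"})


if __name__ == "__main__":
    for rule, user, src, ts in run_sample():
        print(f"{ts.isoformat()} {rule:24} user={user} src={src}")
```

On the sample data the burst rule fires on the fifth failure, the success twelve seconds later fires the after-burst rule, and both vendor logins fall outside the 08:00–18:00 window. In practice the vendor-account list and allowed hours would come from the access terms agreed with each provider, which is where this check ties back to the vendor risk management program discussed next.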
Develop a vendor risk management program. These programs reduce the likelihood of a third-party compromise and also help minimize the impact if one does occur. Reducing risk requires collecting information about third-party partners and possibly requiring them to comply with certain standards or conduct more thorough assessments. Reducing the impact of a third-party breach may also mean restricting which third parties can access your environment and how that access occurs.
Multi-factor authentication (MFA) is a must for any business-to-business network access. In 2019, CrowdStrike observed an increase in attackers leveraging credentials harvested from a third-party provider and then using those credentials to access the networks of the third party’s other clients. If MFA with a rotating token code as the second access factor had been in place, simply reusing stolen credentials from a third-party provider would not have been effective, and circumventing MFA would have been much more difficult.
Understand the third-party provider’s endpoint detection and prevention capabilities. Organizations should take steps to understand what endpoint protection or system security detection and prevention mechanisms are in place in each third-party provider’s environment. In many cases, if the provider could detect an initial breach sooner — by following the 1-10-60 rule, for example — the scope and impact of the attack on the provider and the client would be significantly reduced.
Find out if the third-party provider has recently performed a proactive assessment of their environment. Prospective clients of third-party providers can ask if they have performed any recent proactive services, such as a compromise assessment or cybersecurity maturity assessment. Security teams can then use this data to make informed decisions on whether to engage with the third-party provider.
Download the complete report for more observations gained from the cyber front lines in 2019 and insights that matter for 2020: CrowdStrike Services Cyber Front Lines Report.
- Watch an on-demand webcast that takes a deep dive into the findings, key trends and themes from the report: CrowdStrike Cyber Front Lines Report CrowdCast.
- Read a report overview by CrowdStrike CSO and Services President Shawn Henry or download the full report.
- Learn more about the CrowdStrike Services team and how it can help your organization improve your cybersecurity readiness by visiting the webpage.
- Learn more about the powerful CrowdStrike Falcon platform by visiting the webpage.
- Test CrowdStrike next-gen AV for yourself. Start your free trial of Falcon Prevent™ today.