May 21, 2020//Tony Howlett
The average IT or security administrator has enough on their hands worrying about their company’s own users, much less their third-party vendors and business partner users of their resources. However, if you don’t spend time securing this commonly used attack vector, you may be in for a surprise. While many companies are getting on the bandwagon of third-party risk management and monitoring their vendors closely, over half of all breaches are still reported by someone outside the company such as a law enforcement agency or white hat security researcher.
Hackers are getting better at hiding their tracks and upping their game at staying invisible on your networks and in your systems while they do their dirty work. Still, there are some telltale signs that you can look for to get a heads up on a vendor who may have been compromised.
The best indicator of a future breach might be a past breach. Companies who have had a breach before are more likely to experience a breach again, either from backdoors left by past hacks or new intruders who come in through unpatched holes from the last breach. Prime examples are Yahoo who got hacked twice and lost over one billion of their users’ passwords and The Hard Rock Hotel and Casino who had their credit card payment system hacked three times.
It is easy to research your key vendors to see if they have a history of breaches. It doesn’t necessarily mean they will get hacked again, but it definitely will allow you to up the controls and reviews of their access just in case. Pro tip: do this BEFORE they become a vendor. Use Google and industry-specific sites such as the Health and Human Services, Office of Civil Rights (HHS/OCR) who maintain a database of reported breaches in the US healthcare industry.
As far as detecting an active breach, your best friend here is monitoring and auditing logs of the vendor activity. Ideally, you keep granular logs of their activity as simple logs will only show username, login time and source, and destination IPs. Granular logs will show more context about the activity (approver, ticket number, etc.) to indicate any problematic vendor behavior. Cutting-edge vendor management systems will even record keystrokes and video screen capture of each external user.
If you review these records on a regular basis, you can look for anomalous activity that might indicate a hacker at work. These could be things like:
If you think a vendor is doing unusual things, the first thing you should do is talk to the application owner as the activity may be entirely normal and authorized. Get the full story first, unless the flagged activity indicates an imminent threat. Even if the activity does not indicate a hack, perhaps it is a policy violation or dangerous activity, you will want to discuss it with the vendor and possibly put additional controls on that vendor going forward so that they don’t cause a future hack.
Multi-factor authentication, access on approval only, or the aforementioned PAM and VPAM systems are examples of protections you can use to put a vendor in a box so they can’t hurt you. Finally, if you have concerns about a vendor but can’t quite prove it, you might consider hiring a firm to do “threat hunting” focused on your vendors. This is an engagement where an outside company comes in and looks for indications that a system or network has been breached. They are usually more experienced in finding breach clues than your in-house staff and also look at things from an outside perspective so they avoid insider bias. They aren’t cheap but they are definitely less expensive than a breach caused by a vendor. In the age of outsourcing, it is very likely that you have dozens, or hundreds, of vendor reps inside your network on a regular basis, but it’s risky business assuming these companies are doing the right things and are as secure as your own company. Do your due diligence and keep a close eye out for these and other suspicious behaviors so you can stop a vendor breach before it happens.