What’s Missing in Third-Party Risk Assessments

23 June 2020

Assessments are important. You’d be hard-pressed to find any cybersecurity professional who would argue they aren’t needed, but the problem with third-party risk assessments is that they are far from comprehensive. Understanding the hygiene and potential vulnerabilities of an organization is incredibly important, but it doesn’t reveal the full picture.

A point-in-time assessment of an organization is not enough because it doesn’t offer an exhaustive understanding of the risks. There are dynamic, and often undetected, problems specific to malware delivered by extremely sophisticated and versatile threat actors. These actors not only have the ability to gain access into an organization, they also lurk undetected for extended periods of time. That’s the problem, and that’s the blind spot of a point-in-time risk assessment.

The Flaws of Third-Party Assessment

In order to figure out what malicious actors are doing once they get in, you need pattern analysis. Simply trying to identify the potential for exploitability doesn’t go far enough, which is why third-party risk can’t be treated like a pen-testing problem. What is needed is real-time visibility into the threats that are lurking in third-party ecosystems. That visibility isn’t possible with assessments and penetration testing. Why? There are a couple of reasons.

First, you have to point and train your crosshairs at a specific organization, but you may not even understand exactly what surface you are looking at. To really be effective, you need to know whether what you are seeing is only the tip of the iceberg or the whole picture. It’s possible what you’re looking at isn’t even the right organization. That sounds somewhat outlandish, but it actually happens a lot.

Let’s consider an alternative scenario: you know what you are looking at and you are able to give an all-clear. You might think, “They’ve done a great job with patching! The survey came back great. The CISO says they do everything for patch management to a T. They are in compliance. They are in good shape!”

Results of major contract manufacturer.

What you don’t see is the activity from six months ago when there was an infestation and a beaconing of malware coming from an IP range that belongs to the organization. Given the strong possibility that the malware got there through a phishing expedition, a risk assessment won’t reveal any exploitation of a vulnerability. But something is still there; it’s just been dormant for months.

How to Determine a Supplier Risk Score

Using only a vulnerability assessment and gauging the potential for exploitability misses an entire dimension of risk. If you are looking for the possibility of a web server being exploited because it’s running an old version of IIS or Apache, that’s bad. What’s worse, though, is that some threat actors have been able to infiltrate and lurk in ways that are very stealthy: quiet and outside the pattern of things that can be recognized by the organization’s security tools. All the while, the malware is successfully communicating with an adversary.
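The kind of pattern analysis the two preceding sections call for, and the beaconing activity a point-in-time assessment misses, can be illustrated with a small timing check over outbound connection records. The following is an added example, not code from the original post or from Prevailion; it assumes a simplified constructed log format (timestamp, source, destination, port) and uses constructed sample data in documentation IP ranges. It flags a source/destination pair whose connection intervals are nearly constant (low coefficient of variation), which is the signature a dormant implant leaves over weeks even when no vulnerability is currently exposed.

```python
"""Beacon-interval detection over a constructed outbound-connection log.

A vulnerability scan looks at exposure at one instant; this check looks
at the timeline of a host's outbound connections and reports pairs that
talk to the same external address at a near-fixed cadence.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample (not real traffic): 10.0.5.23 contacts 203.0.113.7
# roughly every 300 seconds; 198.51.100.40 is ordinary irregular browsing;
# 10.0.5.24 has too few connections to judge. Format is hypothetical:
# "<ISO-8601 UTC> <src> <dst> <dst_port>".
SAMPLE_LOG = """\
2020-06-22T08:00:00Z 10.0.5.23 203.0.113.7 443
2020-06-22T08:00:10Z 10.0.5.23 198.51.100.40 443
2020-06-22T08:00:12Z 10.0.5.23 198.51.100.40 443
2020-06-22T08:03:40Z 10.0.5.23 198.51.100.40 443
2020-06-22T08:05:02Z 10.0.5.23 203.0.113.7 443
2020-06-22T08:09:58Z 10.0.5.23 203.0.113.7 443
2020-06-22T08:11:05Z 10.0.5.23 198.51.100.40 443
2020-06-22T08:11:06Z 10.0.5.23 198.51.100.40 443
2020-06-22T08:15:01Z 10.0.5.23 203.0.113.7 443
2020-06-22T08:20:00Z 10.0.5.23 203.0.113.7 443
2020-06-22T08:24:59Z 10.0.5.23 203.0.113.7 443
2020-06-22T08:30:03Z 10.0.5.23 203.0.113.7 443
2020-06-22T08:35:00Z 10.0.5.23 203.0.113.7 443
2020-06-22T08:47:30Z 10.0.5.23 198.51.100.40 443
2020-06-22T09:00:00Z 10.0.5.24 203.0.113.7 443
2020-06-22T09:05:00Z 10.0.5.24 203.0.113.7 443
"""


def parse_log(text):
    """Group connection timestamps (epoch seconds) by (src, dst, port)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events[(src, dst, int(port))].append(when.timestamp())
    return events


def score_pair(times, min_count=6):
    """Return interval statistics for one pair, or None if too few samples.

    cv (stdev / mean of the gaps) near 0 means the connections are evenly
    spaced, which is what a timer-driven beacon produces; human-driven
    traffic has highly irregular gaps and a large cv.
    """
    times = sorted(times)
    if len(times) < min_count:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    return {"count": len(times), "mean_interval": avg, "cv": cv}


def find_beacons(text, min_count=6, max_cv=0.2):
    """List (pair, stats) for pairs whose cadence is regular enough to flag."""
    flagged = []
    for key, times in parse_log(text).items():
        stats = score_pair(times, min_count)
        if stats is not None and stats["cv"] <= max_cv:
            flagged.append((key, stats))
    return sorted(flagged, key=lambda item: item[1]["cv"])


if __name__ == "__main__":
    for (src, dst, port), stats in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port}  n={stats['count']}  "
              f"interval={stats['mean_interval']:.0f}s  cv={stats['cv']:.3f}")
```

The thresholds (`min_count`, `max_cv`) are assumptions to tune against the environment: a lower `max_cv` reduces false positives from scheduled legitimate jobs, and a longer observation window is what lets months-old, low-and-slow activity surface at all. Real deployments would feed this from firewall, proxy or flow records rather than the constructed format above.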

Current third-party risk assessments are founded on two main things. The first is asking the organization how they are doing. In this case, you have to take them at their word. The second founding principle is to say, “I can only take you at your word to a certain degree, so I’m going to do my own level of testing to assess the level of vulnerability here.”

Historically, third-party risk assessments have ended there. In order to assess the risk and be able to authentically apply an acceptable ‘score’ to your suppliers, vendors and partners, you need to have visibility into their Stages of Compromise.


Copyright 2021 Prevailion, Inc. All rights reserved.    
