Cybersecurity and Third-Party Risk. Gregory C. Rasner
happened in late 2020, as prime examples of how the threat actors have evolved both in their identity and tactics. Examples are also provided in a long list of companies who have lost their data due to a vendor that did not take due care with their data. Chapter 2 provides some basics on cybersecurity. This book does not require the reader to be a cybersecurity or third‐party risk expert, but it does require that a few concepts are defined and frameworks are covered for both topics to ensure all readers are at a set level. Chapter 3 delves into how the COVID‐19 pandemic affected the security landscape and how quickly the attackers adapted to new opportunities. What happens when the pandemic is over and how it will change behaviors and business in ways that will become the new normal will mean a continued increase in cybercriminal activity.
Chapter 4 is an in‐depth look at Third‐Party Risk Management (TPRM) and is included to provide a set level for the readers as well as to tie the cybersecurity and TPRM concepts together, as both domains are aimed at identifying and managing risk. Chapters 5 through 9 cover the vendor lifecycle of intake, ongoing security, and offboarding due diligence activities Chapter 5 reviews the activities and requirements for vetting and performing security assessments of new vendors or services from existing suppliers. Chapter 6 describes ongoing cybersecurity due diligence activities such as remote assessments. Chapter 7 is then devoted to the important complex topic of on‐site assessments, which are essential due diligence processes for the physical validation of security controls at a vendor site and the gold standard for assurance.
Chapter 8 covers the Continuous Monitoring (CM) program and how it is a crucial security control for vendors for the times in between the point‐in‐time assessments. Building a robust CM program means taking a set of tools and internal data to engage vendors on potential real threats that they may be unaware of and reducing risk collaboratively. Chapter 9, the last chapter on the vendor lifecycle, discusses offboarding. Many firms overlook this part of the lifecycle, so this chapter covers the critical steps and due diligence that must be done to ensure there's no risk to the data or connectivity from a vendor.
Section 2 begins with Chapter 10, which discusses the large topic of the cloud. The shared responsibility model is discussed and how it affects the security controls that your vendor is responsible for and what they have outsourced to the Cloud Service Provider (CSP). Cybersecurity, offshore vendors, cloud and privacy legal language and process is covered in Chapter 11; and then Chapter 12 details in depth the possible ways to test and perform due diligence on third‐party software. Connectivity to a vendor is a unique risk that opens a whole organization's network and data to an attacker traversing from the vendor or exploiting the hardware they use to connect, and is discussed in Chapter 13. Chapter 14 contains details on how to manage offshore vendor risk, while Chapter 15 wraps up with ways to take all the data collected with the due diligence and other cybersecurity activities to become more predictive for risks and produce reports.
Special Features
The notes found sprinkled throughout this book are designed to provide an example or expansion on topics that bring the topic (either in the chapter or the book as a whole) into a real‐world illustration or in‐depth analysis. Tips are added in the book to deliver information to the reader on how to improve a process or activity (or a common pitfall to avoid), while definitions help the reader to understand the concepts involved.
Chapter 1 What Is the Risk?
On December 10, 2020, ESET researchers announce they have found that a chat software called Able Desktop (Able)—part of a widely used business management suite in Mongolia including 430 Mongolian government agencies—was exploited to deliver the HyperBro backdoor, the Korplug RAT (remote access trojan), and another RAT named Tmanger. They also found and identified a connection with the ShadowPad backdoor, used by at least five threat actors in the exploit. Two installers were infected with the trojan and the compromised Able update system was installed with the malicious software. Evidence shows that the Able system had been compromised since June 2020, while the malware‐infected installers were delivered as far back as May 2018.
The post explains that HyperbBro is commonly attributed to the cybercriminal group named “LuckyMouse,” a Chinese‐speaking threat actor known for highly targeted cyberattacks. Primarily active in South East and Central Asia, many of their attacks have a political aim. Tmanger is attributed to TA428, also a Chinese Advanced Persistent Threat (APT) group. Because these two applications are used normally by different APTs and are now together in one attack, the ESET team theorizes that LuckyMouse and TA428 are sharing data and weapons; they are also likely the subgroup of a larger APT. Given the region and threat actors, it is considered to be a political attack that had been planned as early as May 2018, yet not carried out in earnest until two years later.
Advanced Persistent Threat (APT) is the term given to state actors (i.e., government run or authorized hackers) or large cybercriminal syndicates that have a lot of time and patience to perform very stealthy, large‐scale attacks aimed at political or economic goals.
The SolarWinds Supply‐Chain Attack
On December 13, 2020, FireEye, a global leader in cybersecurity, publishes on its website the first details about the SolarWinds Supply‐Chain Attack, a global intrusion campaign inserting a trojan into the SolarWinds Orion business software updates to distribute the malware. FireEye names the malware “Sunburst.” After the attackers successfully hacked into FireEye, their activity demonstrated lateral movement and data exfiltration. “The actors behind this campaign gained access to numerous public and private organizations around the world… . This campaign may have begun as early as Spring 2020 and is currently ongoing… . The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security,” as explained in the Summary from FireEye's website on December 13th.
The attackers added a .dll file (a configuration file) called SolarWinds.Orion.Core.BusinessLayer.dll to the Orion product, which had been digitally signed and enabled backdoor communications over HTTP (i.e., normal, unencrypted web traffic), to other servers. The Sunburst malware is suspected to have lain quietly for two weeks, while it performed some reconnaissance via executing commands that led to file transfers and to controlling the victim's servers (i.e., reboots, disabling services). Using a native product within Orion, the Orion Improvement Program (OIP), Sunburst blended in with the program's normal functions expertly. It even had the capability to sniff out the antivirus and cybersecurity forensic tools being used, likely to learn how to better go undetected.
“As much as anything, this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response,” according to Brad Smith, President of Microsoft (December 17, 2020) as posted on his blog about the SolarWinds attack.