Nick Ascoli

How to perform a third party risk assessment – for mostly free! Part 1 of 3

Part 1: Mindset, Risk Mapping, and Assessment Techniques.

With a meteoric rise in successful supply chain attacks, many organizations have been scrambling to find solutions. Now more than ever, it is critical for organizations to effectively assess and monitor the third parties that play an integral role in their digital supply chain, to bolster their capabilities against the techniques covered in the MITRE PRE-ATT&CK Matrix, and to maintain compliance with the Supply Chain Risk Management subcategories of the NIST Cybersecurity Framework (ID.SC and/or DE.CM-6, the latter requiring that ‘External service provider activity is monitored to detect potential cybersecurity events’) as well as with NIST SP 800-161.

A slew of solutions exist to solve parts of this problem, namely security ratings services and questionnaire delivery software. Both of these software suites can add considerable value to any maturing vendor risk assessment process, but both come at a price that may be out of reach for more budget-constrained security operations. In this series, Foretrace will review free, cheap, and open-source options for running one’s own vendor risk assessment and security rating process. This practical approach will enable any organization to start building its vendor risk assessment or third party monitoring program for next to nothing.

Approach Mindset

Perspective is important when approaching vendor risk assessments. An appropriate mindset to adopt when performing a vendor risk assessment is to view the organization being evaluated through the lens of an adversary. As with any adversary planning an attack, the first phase is reconnaissance and intelligence-gathering. Without the footprint of an organization to start with (accounts, hosts, software in use, IP blocks, etc.), there can be little for an attacker to operate from.

If an organization maintains a manicured digital footprint that gives attackers little in the way of internal indicators, the attacker’s job is monumentally more difficult. It also suggests the vendor is taking a proactive approach to cyber security, an invaluable quality to signal to partners and customers. If a vendor will handle any data originating from the organization performing the assessment, that vendor should be considered an extension of the assessing organization’s attack surface. When deciding whether an organization may introduce a security threat into one’s environment, it must be assessed from the perspective OF the security threat. To do this, we will approach a ‘vendor risk assessment’ as an intelligence-gathering and intelligence-analysis exercise. While this is unlikely to scale for a large organization, it is a simple, high-impact starting point for building an effective third-party risk program.

A great deal of this assessment can be performed passively from the internet, without touching the systems of the organization or formally contacting them in any way. Below, we introduce just a handful of tools and techniques to perform a basic hygiene assessment. The results found may serve as a broader reflection of the security maturity, policies, and capabilities within the organization being assessed.

Foretrace Formula: Basic Hygiene Scan

Validating Risk

The Basic Hygiene Scan techniques are a starting point for any organization to initiate its own affordable vendor risk assessment process. These tactics are designed to complement policy reviews and questionnaires by actually assessing how well the claims made in the documentation provided by the organization are enforced in practice. In effect, they force the vendor to put its money where its mouth is, for lack of a more business-like (and genuinely relevant) phrase.

If executing these techniques manually simply does not scale for your organization, we have built a comprehensive tool to automate the execution, analysis, and monitoring of these techniques and many more. If you would like to learn more about executing these techniques yourself, we will take a deep dive into the passive techniques listed in the above table in Part 2 of this series, and into the active techniques in Part 3.