How to perform a third party risk assessment – for mostly free! Part 1 of 3

March 17, 2021

Part 1: Mindset, Risk Mapping, and Assessment Techniques.

With a meteoric rise in successful supply chain attacks, many organizations have been scrambling to find solutions. Now more than ever, it is critical for organizations to effectively assess and monitor third parties with an integral role in their digital supply chain, to bolster their capabilities to address the techniques covered in the MITRE PRE-ATT&CK Matrix, and to maintain compliance with the NIST Cybersecurity Framework’s Supply Chain Risk Management category (ID.SC) and the DE.CM-6 subcategory (‘External service provider activity is monitored to detect potential cybersecurity events’), as well as with NIST SP 800-161.

A slew of solutions exist to solve parts of this problem; namely, security ratings services and questionnaire delivery software. Both of these software suites can add considerable value to any maturing vendor risk assessment process, but both come at a price which may not be accessible to more budget-constrained security operations. In this series, Foretrace will be reviewing free/cheap/open-source solutions for performing one’s own vendor risk assessment and security rating process. This practical approach will enable any organization to start building its vendor risk assessment or third party monitoring program for next to nothing.

Approach Mindset

Perspective is important when approaching vendor risk assessments. An appropriate mindset to adopt when performing a vendor risk assessment is to view the organization being evaluated through the lens of an adversary. As with any adversary planning an attack, the first phase is reconnaissance and intelligence-gathering. Without the footprint of an organization to start with (accounts, hosts, software in use, IP blocks, etc.), there can be little for an attacker to operate from.

If an organization maintains a manicured digital footprint which provides attackers with little in the way of internal indicators, the attacker’s job is monumentally more difficult. This also implies the vendor may be taking a proactive approach to cyber security, which is an invaluable virtue to signal to partners and customers. If this organization will be handling any of the data originating from the organization performing the assessment, they should be considered an extension of its attack surface. When assessing whether an organization may introduce a security threat to one’s environment, they must be assessed from the perspective OF the security threat. To do this, we will approach a ‘vendor risk assessment’ as an intelligence-gathering and intelligence analysis exercise. While this is unlikely to scale for a large organization, it is a simple and impactful place to start to build an effective third-party risk program.

A great deal of this assessment can be performed passively from the internet, without touching the systems of the organization or formally contacting them in any way. Below, we introduce just a handful of tools and techniques to perform a basic hygiene assessment. The results found may serve as a broader reflection of the security maturity, policies, and capabilities within the organization being assessed.

Foretrace Formula: Basic Hygiene Scan

| Risk category (NIST mapped) | Technique | What this may reflect | Nature of scan |
|---|---|---|---|
| Identify – Asset Management (ID.AM-1); Protect – Data Security (PR.DS-6) | Enumerate hosts facing the internet, and the vulnerabilities which may be exposed on them. | Vulnerability management capabilities and public asset security hygiene. | Passive |
| Protect – Awareness and Training (PR.AT-1, PR.AT-3); Protect – Identity Management, Authentication, and Access Control (PR.AC-1) | Analyze the footprint of their account exposure (presence on sites, in breaches, and in pastes). | Level of acceptable use policy enforcement, consistent use of insecure vendors, and potential misuse of corporate accounts for insecure personal services. | Passive |
| Identify – Risk Assessment (ID.RA-2); Respond – Analysis (RS.AN-5) | Confirm their domains have never been reported as malicious on malware URL lists. | Deployment of host-based security controls and logging/detection capabilities. | Passive |
| Protect – Data Security (PR.DS-5 & PR.DS-7) | Check their public GitHub profile for the presence of secrets. | Implementation of appropriate DevSecOps and CI/CD practices. | Passive |
| Detect – Security Continuous Monitoring (DE.CM-6); Identify – Risk Assessment (ID.RA-2) | Search for potential live phishing domains. | A proactive / reactive approach to digital footprint security. | Passive (optionally) |
| Identify – Risk Assessment (ID.RA-1); Protect – Information Protection Processes and Procedures (PR.IP-12); Detect – Security Continuous Monitoring (DE.CM-8) | Footprint their domains and subdomains for old/outdated software and active takeover vulnerabilities. | Maturity of asset management, change management, and patching processes and procedures. | Subdomain footprint – Passive; Web app analysis / takeover scan – Active |
| Protect – Data Security (PR.DS-6); Protect – Information Protection Processes and Procedures (PR.IP-1) | Check their sites’ HTTP headers for proper security controls. | Implementation of security controls on public facing websites and assets. | Active |
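The last row of the table (PR.DS-6 / PR.IP-1) is the easiest one to make concrete, so here is an added example of how such a header check can be scored. It is not Foretrace code and not part of the original post; the checklist of headers, the one-year HSTS threshold, the version-disclosure headers and the two sample header sets are all assumptions constructed for the example. `assess_headers` works offline on any header dictionary, and `fetch_headers` is the optional live step for the active scan.

```python
"""Score a website's HTTP response headers against a basic hygiene checklist.

Added example for the 'Check their sites' headers' row of the Basic Hygiene
Scan (PR.DS-6 / PR.IP-1); this is not Foretrace code. The checklist, the
one-year HSTS threshold and the sample header sets are assumptions.
"""
from http.client import HTTPSConnection

ONE_YEAR = 31536000  # seconds; common minimum for a meaningful HSTS max-age


def _hsts_ok(value: str) -> bool:
    """Accept HSTS only when max-age is at least one year."""
    for directive in value.split(";"):
        directive = directive.strip()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1]) >= ONE_YEAR
            except ValueError:
                return False
    return False  # no max-age directive at all


def _csp_ok(value: str) -> bool:
    """Require a default-src or script-src that does not allow inline scripts."""
    return ("default-src" in value or "script-src" in value) and "'unsafe-inline'" not in value


# Header name (lower-case) -> validator run on the lower-cased header value.
CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip() == "nosniff",
    "x-frame-options": lambda v: v.strip() in ("deny", "sameorigin"),
    "referrer-policy": lambda v: v.strip() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}

# Headers that leak server or framework versions; their presence is a finding.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def assess_headers(headers: dict) -> dict:
    """Classify each checklist header as passing, weak or missing.

    Returns a dict with the lists 'missing', 'weak' and 'disclosure', plus a
    'score' in [0, 1] giving the fraction of checklist headers that passed.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    missing, weak, disclosure = [], [], []
    for name, check in CHECKS.items():
        if name not in lowered:
            missing.append(name)
        elif not check(lowered[name].lower()):
            weak.append(name)
    for name in DISCLOSURE_HEADERS:
        if name in lowered:
            disclosure.append(f"{name}: {lowered[name]}")
    passed = len(CHECKS) - len(missing) - len(weak)
    return {"missing": missing, "weak": weak, "disclosure": disclosure,
            "score": round(passed / len(CHECKS), 2)}


def fetch_headers(host: str, path: str = "/") -> dict:
    """Fetch response headers over HTTPS for a live check (the active step).

    Uses GET rather than HEAD because some servers omit security headers
    on HEAD responses.
    """
    conn = HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "hygiene-check/0.1"})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample responses (not captured from any real site).
WEAK_SITE = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_SITE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        print(label, assess_headers(sample))
```

The split between "missing" and "weak" matters for the "what this may reflect" column: a header that is present but set to a useless value (a 300-second HSTS max-age, a CSP that allows inline scripts) suggests someone copied a setting without understanding it, which says something different about the vendor's configuration baseline than a header that was never considered at all.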

Validating Risk

The Basic Hygiene Scan techniques are a starting point for any organization to initiate its own affordable vendor risk assessment process. These techniques are designed to complement policy reviews and questionnaires by actually assessing how well the claims made in the documentation provided by the organization are enforced; essentially, for lack of a more business-y (and actually relevant) phrase, forcing them to put their money where their mouth is.

If executing these techniques manually simply does not scale for your organization, click here for a demo of the Foretrace platform, where we have built a comprehensive tool to automate the execution, analysis, and monitoring of these techniques and many more. If you would like to learn more about executing these techniques yourself, Part 2 of this series takes a deep dive into the passive techniques listed in the table above, and Part 3 covers the active techniques.