Think Like a Hacker for Successful Third-Party Risk Management (TPRM)
Written by: Candan Bolukbas, CTO and Founder
Contributor: Ferhat Dikbiyik, Chief Research and Intelligence Officer
As Sun Tzu said almost 3000 years ago, “To know your enemy, you must become your enemy.” While he was referring to military strategy, the same concept applies in the world of cyberattacks.
Shifting your mindset to start thinking how “the enemy” thinks can make all the difference in how you approach risk management. Looking at your tech ecosystem from the perspective of a malicious hacker can help you understand how to better protect yourself against cyber threats and proactively lower risk.
3 Ways to Look at Your Ecosystem from a Hacker’s Perspective
So, how do you get into the head of an attacker who might try to break into your systems? Since I have spent much of my career as an ethical hacker, I have deep experience testing security controls from the “outside” in.
Here are three common threads that I’ve seen throughout my work in offensive security:
1. Reconnaissance is an important early stage in a cyberattack.
When tasked with breaking into a system as an ethical hacker, my team always prioritized reconnaissance: quietly scoping out an organization’s existing controls and looking for gaps. Doing our research made the attacks go much more quickly and efficiently once we started executing them.
In some cases, we found direct weaknesses in the organization’s infrastructure. More commonly, we uncovered weak points in the organization’s surrounding ecosystem, including third-party vendors. Because so many companies entrust their critical data and aspects of their operations to third parties, a weakness in one of these vendors’ systems can quickly become an entry point into the company itself.
But can your team do anything to identify these types of cascading risks early on? Yes: it can be extremely valuable to perform the same kind of reconnaissance on your own ecosystem and then make decisions based on what you find.
Here are a few findings that might grab the attention of a bad actor:
- Unpatched vulnerabilities
- Company/brand secrets accidentally left open to the public
- Lack of code- or server-level security controls on an organization’s infrastructure
- Breached credentials of users / employees
Of course, there are many more, so make sure you think holistically and broadly about how and where a hacker might find a weakness in your systems, applications, vendors, employees, and beyond.
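One way to run this kind of self-reconnaissance for the second finding in the list above (secrets accidentally left open to the public) is to scan the files you publish for credential patterns before an attacker does. The script below is an added example for this post, not Black Kite's code or platform logic; the configuration file it scans is constructed, the key formats it looks for are a small illustrative subset (AWS access key IDs start with `AKIA` followed by 16 characters; classic GitHub tokens start with `ghp_` followed by 36), and the entropy threshold of 3.0 bits is an assumption chosen for the sample.

```python
import math
import re
from collections import Counter

# Constructed sample of a deployment file that might be pushed to a public
# repository by mistake. None of these values are real credentials.
SAMPLE = """\
# deploy settings (constructed example, not real credentials)
DB_HOST=db.internal.example
DB_USER=app
DB_PASSWORD=hunter2
AWS_ACCESS_KEY_ID=AKIAEXAMPLE0000ABCD1
GITHUB_TOKEN=ghp_EXAMPLEexampleEXAMPLEexampleEXAMPLE0
LOG_LEVEL=info
"""

# Well-known token formats: a match here is high confidence regardless of
# the variable name it is assigned to.
SPECIFIC = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic "something secret-looking is being assigned" pattern. No leading
# \b so that names such as DB_PASSWORD still match on the PASSWORD part.
GENERIC = re.compile(r"(?i)(password|passwd|secret|token|api_key)\s*[=:]\s*(\S+)")


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def redact(value: str) -> str:
    """Keep only a short prefix so findings can be triaged without re-leaking."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan(text: str, entropy_threshold: float = 3.0) -> list:
    """Return findings as (line_number, kind, redacted_value, entropy_bits)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched_specific = False
        for kind, pattern in SPECIFIC.items():
            for m in pattern.finditer(line):
                token = m.group(0)
                findings.append((lineno, kind, redact(token), round(shannon_entropy(token), 2)))
                matched_specific = True
        if matched_specific:
            continue  # already reported with a precise kind; skip the generic rule
        m = GENERIC.search(line)
        if m:
            value = m.group(2)
            bits = shannon_entropy(value)
            # Low entropy usually means a human-chosen password; high entropy
            # suggests a machine-generated key. Both are worth removing.
            kind = "credential_assignment_high_entropy" if bits >= entropy_threshold \
                else "credential_assignment"
            findings.append((lineno, kind, redact(value), round(bits, 2)))
    return findings


if __name__ == "__main__":
    for lineno, kind, shown, bits in scan(SAMPLE):
        print(f"line {lineno}: {kind} value={shown} entropy={bits} bits")
```

Run against the constructed sample it reports lines 4, 5 and 6 and nothing else; pointing `scan()` at real repository files before they are published is the defensive counterpart of the reconnaissance described above. Precise format rules should be preferred over the generic assignment rule wherever a token format is known, since the generic rule trades recall for false positives.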
2. Motivations for choosing targets are often complicated.
When you’re trying to get into the mindset of a malicious hacker, the first motivation that often comes to mind is financial gain. And this is often the driving factor behind attacks. However, some threat actors attack for entirely different reasons. For example, nation-state-sponsored hackers may want to gain unauthorized access to critical infrastructure/government systems to spread political/social messages or otherwise damage political/social targets. During my time working for the Presidency in Turkey, we primarily focused on defending against these types of attacks.
With all these factors in play, predicting exactly which organizations will be targeted when and by whom is nearly impossible. But when you have the right intel and adopt the mindset of an attacker, it’s very possible to predict whether or not a given organization would be eye-catching to certain types of attackers.
For instance, active mentions of an organization’s name and/or assets in hacker forums could show that it is more likely to become a target. As another example, ransomware groups tend to look at specific factors such as a company’s size, revenue, location, and industry when they choose a target. Understanding these factors can help you predict whether you or one of your vendors is likely to experience a ransomware attack and proactively set up defenses.
3. Compliance doesn’t matter to threat actors.
While compliance likely comes up a lot in security team meetings, most threat actors have probably never said the word “compliance” aloud in their lives. Malicious hackers will target a business that will further their causes, regardless of whether or not the business is compliant with certain regulations.
Although it’s important for legitimate businesses to meet compliance requirements to stay on the right side of the law, compliance does not equal security, and hackers know this. If you want to effectively defend your business against attackers, don’t rely on compliance certifications to prove your systems and defenses are airtight. Instead, pay attention to indicators that something in your ecosystem could be an intriguing target for attackers (e.g., a high level of exploitability, mentions on hacker forums, highly valuable information, etc.).
Leverage Black Kite’s Hacker Perspective for Better Third-Party Risk Management
So, how do you practically incorporate this “hacker mindset” into your risk management initiatives? Sun Tzu’s strategy can also help us here, as he said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
In other words, it helps to know “yourself” — in this case, your entire ecosystem. Black Kite helps organizations better understand and mitigate third-party risk with actionable insights generated from a hacker’s perspective.
For instance, we use hackers’ reconnaissance techniques to uncover vulnerabilities, weaknesses, misconfigurations, and other security issues within a tech ecosystem. We collect these data points using 298 controls recommended by the MITRE ATT&CK® matrix. Then, we combine the findings into 20 risk categories that organizations can use to better understand their risks and take proactive steps to mitigate them.
We also leverage open-source intelligence, such as internet-wide scanners, hacker forums, the deep/dark web, etc., to calculate a comprehensive Ransomware Susceptibility Index® rating. This score indicates the likelihood that your organization will experience a ransomware attack.
To learn more about how Black Kite tackles TPRM from a hacker’s perspective, sign up for a free demo.