Using Third-Party Risk Intelligence in Incident Response Strategy

According to recent research, only 32% of organizations have an incident response plan for supply chain attacks, and less than 30% have a plan for advanced persistent threats.  

When mitigating risk, developing an incident response plan isn’t enough. Without considering third-party risk and incident response, your organization is still vulnerable to vendor security events and their negative effects — including sensitive data theft, business disruption, and revenue loss. Moving forward, companies must add quality third-party risk intelligence to their incident response plans to identify and mitigate risk across their ecosystems.  

Let’s take a deeper look at the role of risk intelligence in incident response and how Black Kite can help.

The Importance of Speed in Third-Party Incident Response

General incident response addresses security incidents that occur directly in your organization. Third-party incident response, however, tackles vendor security events that can negatively impact your company. This is where speed comes into play; it’s usually easier for organizations to address incidents directly impacting their organization versus those that impact their vendor network. 

How quickly you can identify vendors impacted by a high-profile security event and implement a response plan often determines the level of damage (financial, reputation, etc.) you may incur. Right now, it takes an average of 204 days for organizations to contain data breaches. This stat doesn’t even speak specifically to third-party data breaches, which may take longer to identify and contain.

What Slows Third-Party Incident Response Strategy?

The current problem with third-party incident management is that it relies on assessments and questionnaires to determine whether or not a serious security incident has impacted a vendor. For clients with small vendor networks, this may be manageable. But often, companies have hundreds of third-party vendors and an even wider network of fourth- and fifth-party vendors. 

Sending assessments out to large networks is time-consuming. Not only does your organization need to wait for and collect the replies of all of their vendors, but they also have to analyze those vendor responses to determine if the security incident impacted them.  

The current third-party incident response identification process can take weeks and often requires more effort than most organizations can afford to devote to the process. As a result, many organizations fail to respond quickly to threats in their vendor ecosystem. Or, when an incident occurs, companies enact a blanket response for all of their vendors. Blanket responses can cause unnecessary business disruption or fail to properly contain or remove the threat.

The Importance of Third-Party Risk Intelligence in Incident Response

Adding vendor risk intelligence to your incident response strategy can help solve many of the shortcomings associated with third-party incident response plans. 

Risk intelligence gathers information on threats and threat actors from OSINT sources and combines it with contextual information and data to measure the potential impact on an organization. In third-party risk intel, contextual information often includes consideration of a vendor’s location and your organization’s industry. 

Instead of organizations learning about a security incident and sending questionnaires to all of their vendors, they can leverage risk intelligence to determine whether a vendor is likely to be impacted by the incident. Then, they would only send the questionnaires to those vendors.

For example, an organization that ordinarily sends questionnaires to 2,000 vendors during a security breach could leverage risk intelligence to identify the 20 vendors in their network likely to have been impacted by the breach and only send the questionnaire to them.  

Not only does this decrease the time spent collecting and analyzing questionnaire responses, but it enables organizations to act faster in implementing their incident response plan and prevent or mitigate the potential effects of a third-party breach, saving them from financial loss or business interruption.

How Can Companies Begin Leveraging Risk Intelligence in Third-Party Incident Response?

Before leveraging risk intelligence in your third-party incident response strategy, you must create an incident response team and designate roles in the response process. This step includes deciding what actions your team will need to take to quickly evaluate a vendor’s security status in the event of an incident. Often, the incident’s severity level determines the actions you’ll take. Options include: 

• Contacting the vendor directly. 
• Sending a questionnaire to all impacted vendors. 
• Conducting on-site vendor visits. 

Once you have a team in place and a set of actions that your organization can take in the event of an incident, you can begin collecting and analyzing OSINT on your vendors and the threat landscape. There are two key actions to implement here: 

• Create a continuous monitoring system: Traditional incident response relies on point-in-time data to assess a vendor’s security posture but doesn’t usually reflect real-time changes. Creating alerts for your vendors to flag security threats and successful attacks can help you accurately identify impacted vendors. 

Ensure fast access to risk intel: Time is of the essence when responding to incidents. In the event of an incident, your team should quickly access your collected and analyzed OSINT data to determine which of your vendors has been affected and how best to contact them to assess the severity of the impact.

How Black Kite’s Focus Tags™ Can Help With Third-Party Incident Response

Often, organizations struggle with gaining visibility into their vendors’ activities. They can’t quickly gather and process the amount of OSINT needed to identify affected vendors when a major cybersecurity incident occurs. They also have trouble tracking major incidents. Here’s where Black Kite’s Focus Tags™ can help. 

Focus Tags™ is an OSINT tool that allows companies to track high-profile cyber events and quickly identify which vendors have been affected. Events that trigger Focus Tags™ include: 

• Ransomware attacks. 
• Data breaches. 
• Zero-day vulnerabilities. 
• Known and exploited critical vulnerabilities. 

In addition to tracking high-profile events, an organization can customize Focus Tags™ to filter their vendor ecosystem. For example, users can add a custom tag to identify vendors who hold large amounts of their personal identifiable information (PII) or have access to their internal systems. These filters allow users to quickly identify high-risk vendors and take the necessary action to reduce risk to their organization.  

FocusTags™ also offers continuous monitoring. In addition to automating OSINT collection and analysis, the tool processes the data from a user’s vendor network and combines it with continuous threat monitoring. This combination offers unparalleled visibility into the security postures of an organization’s vendor network and real-time information on whether a security event has impacted them. 

Returning to our earlier example, the organization with 2,000 vendors could use Focus Tags™ to quickly identify the 20 vendors impacted by a major security event. They’d also be able to filter those vendors to identify the ones they share considerable PII with and those with access to their internal systems. Leveraging this information, the organization can send targeted questionnaires to the 20 vendors, helping them gather better data to respond faster and more effectively to the incident.