Third-Party Breach Response: 6 Immediate Actions to Take

Use these 6 tips to improve your third-party breach response procedures.
By: Dave Shackleford, Owner & Principal Consultant, Voodoo Security
September 17, 2024

In an era where data breaches are often a matter not of if but when, understanding how to respond effectively to a third-party security incident is more crucial than ever. How would your company respond if one of your critical vendors experienced a breach? The first 24 hours after discovering a third-party incident are critical for setting the tone of your response efforts.

This post discusses the challenges of third-party breach response and provides six steps to take in the immediate aftermath of a successful cyberattack.

Challenges in Third-Party Breach Response

Preparing for “what-if” scenarios and worst-case incidents can be a complex task for any company that works with numerous third parties. Managing hundreds or thousands of vendor relationships adds layers of difficulty, making it hard to maintain a rigorous incident response process. The key challenges include:

  • Lack of visibility into the vendor ecosystem: Different departments managing vendors with disparate tools often result in a lack of a centralized vendor database. This makes it hard to assess and manage vendor-related risks effectively.
  • Time-consuming manual processes: Relying on manual methods, such as spreadsheets and surveys, to track security controls across third-party ecosystems is inefficient, error-prone, and difficult to scale.
  • Inadequate risk assessment questionnaires: Many questionnaires fail to capture specific vendor risks and overlook evaluating a vendor’s ability to respond quickly to incidents. This limits the organization’s ability to assess cybersecurity posture accurately.
  • Difficulty tracking, scoring, and managing risks: Without a structured process for reassessing risks, organizations often struggle to understand the implications of identified risks and determine how to prioritize and address them.
  • Lack of prescriptive remediation guidance: Without clear, actionable advice, identified vulnerabilities may remain unaddressed, leaving the organization exposed to potential threats.
  • Inadequate reporting on progress and mitigations: Poor reporting on risk mitigation efforts hinders accountability and transparency, making it challenging to communicate progress to senior leadership or board members, particularly in high-profile cases.

These challenges increase the time and cost of detecting and mitigating breaches. On average, third-party breaches cost 11.8% more and take 12.8% longer to resolve, with a breach lifecycle extending to 307 days. Faster detection and response times are crucial to reducing damage, as longer delays give attackers more time to exploit systems. Therefore, third-party risk management programs, like internal security programs, must be optimized for rapid response to emerging threats.


Six Steps to Take in the First 24 Hours After a Breach

The following steps are a quick list of actions to take should your organization be affected by a third-party breach. The type or the scale of a breach will impact the specific measures you take during each step.

Please note: These steps should not be considered comprehensive incident management guidance. Be sure to engage with your security operations center (SOC) team, auditors, and other internal parties.

1. Communicate

As soon as an incident is detected, immediately establish communication with the third party involved. It's crucial to have a pre-established communication plan as part of your overall incident response program. Begin by understanding the scope and impact of the attack, especially if it involves personal or sensitive data governed by regulatory standards. Discuss any Service Level Agreements (SLAs) or contractual obligations, and focus on maintaining calm, constructive dialogue.

Key Consideration: Incorporate a communication decision tree into your incident response plan, outlining what information should be communicated based on your current knowledge and the timing of your discoveries, including specific timeframes for deliverables.

2. Gather Information

Once contact is made and the breach scope is understood, gather detailed information about the incident. Treat this stage like a post-breach mini-assessment. Ask questions to clarify what happened, what data was accessed, potential exposures, and their recovery plans. Understanding their recovery timeline is essential, especially if the breach caused an outage.

When a third-party breach occurs, asking the right questions will help you to understand and mitigate the impact on your organization efficiently.

Recommended Questions (to be tailored based on the specifics of the incident):

  • Has a breach impacted the vendor, or has the vendor used a product/service affected by a breach? (Yes/No)
  • What is the nature of the impact on the vendor? (High/Med/Low impact on systems, applications, and/or data)
  • Does the incident affect critical services delivered to your organization? (Yes/No)
  • Has the vendor taken the following remediation steps? (List recommended steps, such as patching or updating affected systems)
  • Has the vendor amended existing controls or implemented new controls to resolve and mitigate the impact of the breach? (Identified and already implemented; identified and in process of implementation; not identified and/or not able to be implemented)
  • If controls cannot be implemented, what compensating controls or workaround methods are being implemented?
  • Who is the point of contact for additional inquiries?

3. Isolate

Containment strategies will vary based on the type of breach and the vendor’s level of access. For instance, if the vendor has access to your data but not your infrastructure, you may be able to stop using the service or platform until more is known. However, if the vendor has any level of access to your IT environment, quarantine and isolate access immediately.

Where possible, isolate affected systems and access points to prevent further unauthorized access. Implement local host restrictions, network access controls, privilege restrictions, and account removals or locks as necessary. A pre-established isolation playbook for vendors, service providers, and software will streamline this process. Without a comprehensive incident response plan, your team may struggle to respond quickly, increasing the risk of further damage.

4. Remediate

Remediation efforts must be swift and effective. The approach will vary depending on where the breach occurred. If internal systems are compromised, you must patch or mitigate the vulnerabilities to control the "blast radius" as quickly as possible. If the breach is confined to the third party, focus on understanding the affected data, initiating breach notifications, and ensuring compliance with relevant regulations.

5. Monitor Behavior

Monitoring is essential for detecting and understanding the breach's impact and preventing further unauthorized access. Keep an eye on internal behaviors from affected platforms or software. Unusual activities, such as unexpected network connections, should raise alarms. Monitor remote access activities between your organization and the third party to help detect anomalies. Try to stay informed about potential threats or vulnerabilities affecting similar organizations or technologies.
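As an added illustration of this monitoring step (example code, not from the original post), the script below reviews constructed remote-access log lines for a vendor service account against a hypothetical vendor access profile and flags connections from unexpected source addresses, to hosts outside the contracted scope, or occurring after the point at which the vendor's access was isolated in step 3. The log format, account name, addresses, and profile fields are all assumptions.

```python
from datetime import datetime

# Constructed sample remote-access log lines for a vendor service account (not real data).
SAMPLE_LOG = """\
2024-09-17T08:02:11Z user=svc-vendorx src=203.0.113.10 dst=10.20.1.15 action=login result=success
2024-09-17T08:05:43Z user=svc-vendorx src=203.0.113.10 dst=10.20.1.15 action=rdp result=success
2024-09-17T09:41:07Z user=svc-vendorx src=198.51.100.77 dst=10.20.1.15 action=login result=success
2024-09-17T09:42:30Z user=svc-vendorx src=198.51.100.77 dst=10.50.9.8 action=smb result=success
2024-09-17T10:15:00Z user=jdoe src=10.0.0.5 dst=10.20.1.15 action=login result=success
2024-09-17T13:30:12Z user=svc-vendorx src=203.0.113.10 dst=10.20.1.15 action=login result=success
"""
# Hypothetical vendor profile: accounts used, addresses connected from, hosts contracted to reach.
VENDOR_PROFILE = {"accounts": {"svc-vendorx"}, "allowed_src": {"203.0.113.10"},
                  "allowed_dst": {"10.20.1.15"}}


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict; None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 2 or not all("=" in p for p in parts[1:]):
        return None
    event = dict(p.split("=", 1) for p in parts[1:])
    event["ts"] = _ts(parts[0])
    return event


def review_vendor_access(log_text, profile, isolated_at=None):
    """Flag vendor-account events outside the agreed profile. isolated_at is the
    ISO-8601 time access was cut in step 3; vendor activity after it is a finding."""
    cutoff = _ts(isolated_at) if isolated_at else None
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("user") not in profile["accounts"]:
            continue  # only the vendor's own accounts are in scope here
        reasons = []
        if ev.get("src") not in profile["allowed_src"]:
            reasons.append("source not in vendor's known egress addresses")
        if ev.get("dst") not in profile["allowed_dst"]:
            reasons.append("destination outside contracted scope")
        if cutoff and ev["ts"] >= cutoff:
            reasons.append("activity after vendor access was isolated")
        for reason in reasons:
            findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                             "src": ev.get("src"), "dst": ev.get("dst"), "reason": reason})
    return findings
```

Run against the sample with `isolated_at="2024-09-17T12:00:00Z"`, it returns four findings: two for the unknown source address, one for the out-of-scope destination, and one for the login that occurred after access was supposedly cut.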

6. Check Threat Intelligence

Leverage threat intelligence to better understand and mitigate the breach’s impact. Organizations using threat intelligence can detect breaches approximately 28 days faster than those that do not. Identify internal indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). Assess the type of potentially exposed data to inform how you formulate a targeted response and notify affected parties appropriately. Additionally, monitor for reputational impacts and track public information about the third party involved to gain insight into the breach's broader implications.

A third-party incident can severely impact your organization. Immediate, informed, and decisive actions are essential to mitigate these impacts. These six steps help mitigate the damage and lay the groundwork for a thorough recovery process.


Next Steps to Prepare for Third-Party Breaches

It’s clear that third-party breaches and incidents can have significant downstream implications on your organization’s operations. Be prepared by accounting for third-party risk in your incident response playbook. Know who you will contact, what SLAs are involved, which questions you will ask, and how you will proceed, given the answers. Since incident response programs are reactive by nature, implementing proactive measures as part of your overall third-party risk management program can help stave off threats before they impact your organization.

For more information, watch my on-demand webinar discussing third-party cybersecurity incidents and contact Prevalent for a demonstration of its third-party incident response capabilities today.

Dave Shackleford
Owner & Principal Consultant, Voodoo Security

Dave Shackleford is the owner and principal consultant of Voodoo Security and faculty at IANS Research. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. Dave is a SANS Analyst, serves on the Board of Directors at the SANS Technology Institute, and helps lead the Atlanta chapter of the Cloud Security Alliance.
