In an era where data breaches are often a matter not of if but when, understanding how to respond effectively to a third-party security incident is more crucial than ever. How would your company respond if one of your critical vendors experienced a breach? The first 24 hours after discovering a third-party incident are critical for setting the tone of your response efforts.
This post discusses the challenges of third-party breach response and provides six steps to take in the immediate aftermath of a successful cyberattack.
Preparing for “what-if” scenarios and worst-case incidents can be a complex task for any company that works with numerous third parties. Managing hundreds or thousands of vendor relationships adds layers of difficulty, making it hard to maintain a rigorous incident response process. The key challenges include:
These challenges increase the time and cost of detecting and mitigating breaches. On average, third-party breaches cost 11.8% more and take 12.8% longer to resolve, with a breach lifecycle extending to 307 days. Faster detection and response times are crucial to reducing damage, as longer delays give attackers more time to exploit systems. Therefore, third-party risk management programs, like internal security programs, must be optimized for rapid response to emerging threats.
Third-Party Cybersecurity: Emerging Trends and What to Do in 2024
In this webinar, Dave Shackleford, CEO at Voodoo Security and SANS Senior Instructor, shares his insights on the most important steps to prepare your third-party cybersecurity program in 2024.
The following steps are a quick list of actions to take should your organization be affected by a third-party breach. The type and scale of the breach will determine the specific measures you take during each step.
Please note: These steps should not be considered comprehensive incident management guidance. Be sure to engage with your security operations center (SOC) team, auditors, and other internal parties.
As soon as an incident is detected, immediately establish communication with the third party involved. It's crucial to have a pre-established communication plan as part of your overall incident response program. Begin by understanding the scope and impact of the attack, especially if it involves personal or sensitive data governed by regulatory standards. Discuss any Service Level Agreements (SLAs) or contractual obligations, and focus on maintaining calm, constructive dialogue.
Key Consideration: Incorporate a communication decision tree into your incident response plan, outlining what information should be communicated based on your current knowledge and the timing of your discoveries, including specific timeframes for deliverables.
Once contact is made and the breach scope is understood, gather detailed information about the incident. Treat this stage like a post-breach mini-assessment. Ask questions to clarify what happened, what data was accessed, potential exposures, and their recovery plans. Understanding their recovery timeline is essential, especially if the breach caused an outage.
When a third-party breach occurs, asking the right questions will help you to understand and mitigate the impact on your organization efficiently.
Recommended Questions (to be tailored based on the specifics of the incident):
Containment strategies will vary based on the type of breach and the vendor’s level of access. For instance, if the vendor has access to your data but not your infrastructure, you may be able to stop using the service or platform until more is known. However, if the vendor has any level of access to your IT environment, quarantine and isolate access immediately.
Where possible, isolate affected systems and access points to prevent further unauthorized access. Implement local host restrictions, network access controls, privilege restrictions, and account removals or locks as necessary. A pre-established isolation playbook for vendors, service providers, and software will streamline this process. Without a comprehensive incident response plan, your team may struggle to respond quickly, increasing the risk of further damage.
Remediation efforts must be swift and effective. The approach will vary depending on where the breach occurred. If internal systems are compromised, you must patch or mitigate the vulnerabilities to control the "blast radius" as quickly as possible. If the breach is confined to the third party, focus on understanding the affected data, initiating breach notifications, and ensuring compliance with relevant regulations.
Monitoring is essential for detecting and understanding the breach's impact and preventing further unauthorized access. Watch the internal behavior of affected platforms or software: unusual activity, such as unexpected network connections, should raise alarms. Monitor remote access activity between your organization and the third party to detect anomalies, and stay informed about threats or vulnerabilities affecting similar organizations or technologies.
Leverage threat intelligence to better understand and mitigate the breach’s impact. Organizations using threat intelligence can detect breaches approximately 28 days faster than those that do not. Identify internal indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). Assess the type of potentially exposed data to inform how you formulate a targeted response and notify affected parties appropriately. Additionally, monitor for reputational impacts and track public information about the third party involved to gain insight into the breach's broader implications.
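The monitoring and threat-intelligence steps above come down to two checks: does vendor remote access still look like the access you agreed to, and does any of it touch indicators the vendor (or your intel feed) has shared? The script below is an added example, not code from the original post or from Prevalent. It assumes a hypothetical vendor "acme-msp" with a constructed access baseline (named accounts, allowed source CIDR, allowed target hosts, a maintenance window), a constructed IOC list, and constructed JSON log lines from a VPN or bastion host; all of those are illustrative, not real data. It flags each event that breaks the baseline or matches an IOC, and derives the account and source-IP lists that a containment playbook (step 3) would act on.

```python
"""Flag anomalous vendor remote access and IOC hits in connection logs.

Added example, not from the original post. The vendor baseline, IOC list and
log lines below are all constructed for illustration.
"""
import ipaddress
import json
from datetime import datetime

# Constructed baseline for a hypothetical vendor: what its remote access is
# supposed to look like per the access agreement / TPRM inventory.
VENDOR_BASELINE = {
    "vendor": "acme-msp",
    "accounts": {"svc_acme_backup", "acme-support"},
    "allowed_sources": ["203.0.113.0/24"],   # documentation range, placeholder
    "allowed_targets": {"backup01.corp.example", "backup02.corp.example"},
    "maintenance_window_utc": (22, 4),       # 22:00 to 04:00 UTC, wraps midnight
}

# Constructed IOCs, as might arrive in the vendor's breach notification.
IOCS = {
    "ips": {"198.51.100.77"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Constructed log lines (one JSON object per line) from a VPN/bastion host.
SAMPLE_LOG = """\
{"ts":"2024-09-20T23:05:11Z","user":"svc_acme_backup","src":"203.0.113.14","dst":"backup01.corp.example","event":"login","sha256":null}
{"ts":"2024-09-21T03:10:45Z","user":"acme-support","src":"203.0.113.27","dst":"backup02.corp.example","event":"login","sha256":null}
{"ts":"2024-09-21T13:42:09Z","user":"svc_acme_backup","src":"203.0.113.14","dst":"fileserver01.corp.example","event":"login","sha256":null}
{"ts":"2024-09-21T14:02:30Z","user":"acme-support","src":"198.51.100.77","dst":"backup01.corp.example","event":"login","sha256":null}
{"ts":"2024-09-21T14:05:02Z","user":"acme-support","src":"198.51.100.77","dst":"backup01.corp.example","event":"upload","sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
{"ts":"2024-09-21T14:20:00Z","user":"jsmith","src":"10.0.5.22","dst":"backup01.corp.example","event":"login","sha256":null}
"""


def in_window(ts: datetime, window: tuple[int, int]) -> bool:
    """True if ts (UTC) falls in [start, end) hours; handles windows that wrap midnight."""
    start, end = window
    hour = ts.hour
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end


def analyze(log_text: str, baseline: dict = VENDOR_BASELINE, iocs: dict = IOCS) -> list[dict]:
    """Return one finding per event that matches an IOC or breaks the vendor baseline.

    IOC checks apply to every event; baseline checks only to the vendor's accounts,
    so an internal user on an internal IP produces no finding.
    """
    allowed_nets = [ipaddress.ip_network(c) for c in baseline["allowed_sources"]]
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        src = ipaddress.ip_address(ev["src"])
        reasons = []
        if ev["src"] in iocs["ips"]:
            reasons.append("ioc_ip")
        if ev.get("sha256") in iocs["sha256"]:
            reasons.append("ioc_hash")
        if ev["user"] in baseline["accounts"]:
            if not any(src in net for net in allowed_nets):
                reasons.append("source_outside_allowed_cidr")
            if ev["dst"] not in baseline["allowed_targets"]:
                reasons.append("unexpected_target")
            if not in_window(ts, baseline["maintenance_window_utc"]):
                reasons.append("outside_maintenance_window")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"],
                             "dst": ev["dst"], "event": ev["event"], "reasons": reasons})
    return findings


def containment_inputs(findings: list[dict], baseline: dict = VENDOR_BASELINE) -> dict:
    """Derive what an isolation playbook would act on: vendor accounts seen in any
    finding get locked, and any source address outside the allowed CIDRs gets blocked."""
    allowed_nets = [ipaddress.ip_network(c) for c in baseline["allowed_sources"]]
    lock = {f["user"] for f in findings if f["user"] in baseline["accounts"]}
    block = {f["src"] for f in findings
             if not any(ipaddress.ip_address(f["src"]) in net for net in allowed_nets)}
    return {"lock_accounts": sorted(lock), "block_sources": sorted(block)}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["user"], f["src"], "->", f["dst"], ", ".join(f["reasons"]))
    print(containment_inputs(found))
```

Of the six constructed events, the first two are in-window logins from the allowed range and pass; the third is a vendor account reaching a host outside its agreed targets during the day; the fourth and fifth come from an IOC address outside the allowed range, with the fifth also uploading a file whose hash is on the IOC list. The internal user on the last line is not evaluated against the vendor baseline at all. Feeding real logs in means matching your own field names and keeping the baseline in the vendor inventory rather than in code.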
A third-party incident can severely impact your organization. Immediate, informed, and decisive actions are essential to mitigate these impacts. These six steps help mitigate the damage and lay the groundwork for a thorough recovery process.
9 Steps to a Third-Party Incident Response Plan
When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.
It’s clear that third-party breaches and incidents can have significant downstream implications on your organization’s operations. Be prepared by accounting for third-party risk in your incident response playbook. Know who you will contact, what SLAs are involved, which questions you will ask, and how you will proceed, given the answers. Since incident response programs are reactive by nature, implementing proactive measures as part of your overall third-party risk management program can help stave off threats before they impact your organization.
For more information, watch my on-demand webinar discussing third-party cybersecurity incidents and contact Prevalent for a demonstration of its third-party incident response capabilities today.
Effectively manage third-party cybersecurity incidents with a well-defined incident response plan.
09/24/2024