Third-Party Breach Response: 5 Immediate Actions to Take

Third-party breaches are occurring with increasing frequency. One recent example is the security breach at identity service provider Okta, where a malicious actor leveraged stolen credentials to access the company’s support management system. Okta acts as a broker and intermediary for vast amounts of authentication and authorization sessions for applications used by thousands of customers. Therefore, the number of companies that could be impacted – directly or indirectly – is significant.

How would your company respond if one of your critical vendors experienced a breach?

This post offers suggestions for readying your third-party incident response program and shares five actions to take when one of your vendors is affected by a breach.

Tips for Readying Your Third-Party Incident Response Program

Maintain Awareness of Vendor Risks

First, it’s essential to continually monitor critical third parties for new and emerging cyber threats (as well as for potential operational, financial and reputational risks). While this may seem obvious, is can be a monumental task for organizations with a large vendor ecosystems. Instead of trying to manually stay on top of security news and community postings, look for threat intelligence providers that can automate and scale the monitoring process for you.

Review Basic Security Controls

Do any of your third-party vendors have access to your infrastructure, users and/or data? If so, then be sure to implement behavioral analysis tools to detect any anomalous activity. Also, stay on top of any software that’s being used, ensuring that it is current and patched to address any vulnerabilities. Microsegmentation and privileged user management tools can also help here.

Have a Communications Plan

Communications after a third-party breach or suspected incident are different from in-house incident management communications. Make sure you have vendor contact information readily available, and implement protocols for information gathering and escalation paths for when incidents occur. If the third party is a software or services vendor (see the 2020 SolarWinds breach), then there may be a “waterfall” effect that necessitates communications with customers and other stakeholders.

Consider Containment Strategies

How much access does the vendor have? This is a critical question when considering containment strategies. For instance, if the vendor has access to your data but not to your infrastructure, then you may be able to simply stop using the service or platform until more is known. However, if the vendor has any level of access to your IT environment, then you should have a plan to immediately quarantine and isolate that access.

Ask the Right Questions

When a third-party breach occurs, asking the right questions will help you to efficiently understand and mitigate the impact on your organization. Here are a few recommendations with guidelines for possible responses (to be tailored based on the specifics of the incident):

• Has the vendor been impacted by a breach or utilize a product/service impacted by breach? (Yes/No)
• What is the nature of the impact on the vendor? (High/Med/Low impact to systems, applications and/or data)
• Does the incident affect critical services delivered to your organization? (Yes/No)
• Has the vendor taken the following remediation steps? (List recommended steps, such as patching or updating affected systems)
• Has the vendor amended existing controls or implemented new controls to resolve and mitigate the impact of the breach? (Identified and already implemented; identified and in process of implementation; not identified and/or not able to be implemented)
• If controls are unable to be implemented, then what compensating controls or workaround methods are being implemented?
• Who is the point of contact for additional inquiries?