From Direct to Distant: The Challenge of Third and Fourth-Party Digital Risk Management
On July 31, The Information published an article titled “In an Unusual Move, Nvidia Wants to Know Its Customers’ Customers.” It occurred to me that Chief Information Security Officers (CISOs) would like to know their vendors’ vendors. Why? To help prevent or minimize legal or compliance failures. Our increasingly interconnected ecosystem of technology and security suppliers leaves defenders with little visibility into where risk actually sits. One vendor’s exposure or compromise can cascade quickly, so visibility that stops at the third party may no longer suffice, even for the steadily evolving compliance frameworks. As Ocean’s Thirteen pointed out - the casino heist partly began with dice manufacturing in Mexico - targets are best compromised through their trusted relationships.
Let’s walk through a few recent examples. The security industry uses “third-party risk” as a catch-all for potential harm that originates with a neighbor. In practice, that harm usually arrives through a third party’s cyber exposure or breach.
Example 1: Rage against the (slot) machine
Our first example is courtesy of the brilliant folks at Insikt Group. On May 5, they published a Recorded Future research lead, “Rage Against the (Slot) Machine,” detailing how three suspected Chinese state-sponsored threat activity groups (TAG-67, TAG-78, and TAG-79) rummaged through and eavesdropped on foreign commercial networks in the Philippines and Taiwan - specifically, the networks of software suppliers that support online gambling in China. Online gambling is illegal in mainland China, so a reasonable motive is that China was gathering intelligence by infiltrating the software supply chains of online gambling operators.
Suppose you happen to be part of the Philippine Offshore Gambling Operators (POGOs) coterie (which, allegedly, links to money laundering and tax evasion). In that case, the ongoing compromise of your software supply chains may present a concern, maybe even a risk. It’s a third-party risk because of the direct software vendor relationship.
Example 2: Code signing certificates
Another example of digital supply chain risk (staying in the gaming industry) also originates from the prodigious Insikt Group. On August 1, they published a research lead detailing TAG-80’s (another suspected China-nexus group) theft of a Taiwanese gaming company’s code signing certificate, used to sign a malicious implant (Brute Ratel C4, for the technically inclined) placed inside multiple Vietnamese government networks. A signature made with a legitimately issued certificate validates just as well when an attacker holds the key, so the signed implant passes the checks that endpoint and application controls apply to code. While these government organizations had no relationship with the Taiwanese gaming company, they, like most organizations, relied on that broader ecosystem of technical checks to establish code authenticity and legitimacy.
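The point above is worth seeing in code: a stock signature verifier asks only whether the signature chains to a trusted root with the code-signing usage, and a stolen certificate answers that question correctly. The Go program below is an added example, not code from the original article or from Recorded Future. It builds a constructed CA and a constructed game-vendor certificate (the names "Example Code Signing CA", "Example Game Co" and "Example VPN Inc" are placeholders, as are the signed payloads), signs one legitimate artifact and one unrelated "VPN client update" with the same vendor key, and then runs both through chain validation and a second, organisation-owned policy layer (publisher pinning per product, plus a revocation list keyed on certificate serial) that the chain cannot provide on its own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedArtifact is the minimum a code-signing verifier sees: the bytes,
// a signature over their SHA-256 digest, and the signer's certificate.
type SignedArtifact struct {
	Payload []byte
	Sig     []byte
	Cert    *x509.Certificate
}

// Policy is the organisation's own layer on top of chain validation: which
// publisher is expected to sign which product, and which certificates have
// been reported stolen or revoked. Both maps are hypothetical inputs here.
type Policy struct {
	ExpectedPublisher map[string]string // product -> signer CommonName
	RevokedSerials    map[string]bool   // serial (decimal string) -> revoked
}

// newCert issues a code-signing certificate; with isCA it is a self-signed root.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// sign produces an artifact exactly as any holder of the key would, legitimate or not.
func sign(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) (SignedArtifact, error) {
	d := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	return SignedArtifact{Payload: payload, Sig: sig, Cert: cert}, err
}

// ChainValid is what a stock verifier does: chain the signer to a trusted root
// with the code-signing usage, then check the signature over the payload.
// A stolen but validly issued certificate passes this check.
func ChainValid(a SignedArtifact, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := a.Cert.Verify(opts); err != nil {
		return err
	}
	d := sha256.Sum256(a.Payload)
	pub, ok := a.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, d[:], a.Sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// PolicyValid adds the checks the chain cannot make for you: is this signer
// revoked, and is it the publisher you expect for this particular product?
func PolicyValid(a SignedArtifact, product string, p Policy) error {
	if p.RevokedSerials[a.Cert.SerialNumber.String()] {
		return fmt.Errorf("signer certificate serial %s is revoked", a.Cert.SerialNumber)
	}
	want, ok := p.ExpectedPublisher[product]
	if !ok {
		return fmt.Errorf("no approved publisher recorded for %q", product)
	}
	if got := a.Cert.Subject.CommonName; got != want {
		return fmt.Errorf("%q is signed by %q, expected %q", product, got, want)
	}
	return nil
}

// ScenarioResult holds the outcome (nil means accepted) of each check below.
type ScenarioResult struct {
	LegitChain, LegitPolicy, StolenChain, StolenPolicy, StolenAfterRevoke error
}

// RunScenario signs a legitimate game update with the vendor key, then uses the
// same key (as an attacker holding the stolen certificate would) to sign an
// unrelated "VPN client update" shipped to a different organisation.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	ca, caKey, err := newCert("Example Code Signing CA", 1, true, nil, nil) // constructed
	if err != nil {
		return r, err
	}
	vendor, vendorKey, err := newCert("Example Game Co", 2, false, ca, caKey) // constructed
	if err != nil {
		return r, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	policy := Policy{
		ExpectedPublisher: map[string]string{"game-client": "Example Game Co", "vpn-client": "Example VPN Inc"},
		RevokedSerials:    map[string]bool{},
	}
	legit, err := sign([]byte("game client v1.2 (constructed payload)"), vendor, vendorKey)
	if err != nil {
		return r, err
	}
	stolen, err := sign([]byte("vpn client update (constructed implant payload)"), vendor, vendorKey)
	if err != nil {
		return r, err
	}
	r.LegitChain, r.LegitPolicy = ChainValid(legit, roots), PolicyValid(legit, "game-client", policy)
	r.StolenChain, r.StolenPolicy = ChainValid(stolen, roots), PolicyValid(stolen, "vpn-client", policy)
	policy.RevokedSerials[vendor.SerialNumber.String()] = true // vendor reports the theft
	r.StolenAfterRevoke = PolicyValid(stolen, "game-client", policy)
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate: chain=%v policy=%v\n", r.LegitChain, r.LegitPolicy)
	fmt.Printf("stolen cert: chain=%v policy=%v after-revocation=%v\n", r.StolenChain, r.StolenPolicy, r.StolenAfterRevoke)
}
```

Run as written, the legitimate artifact passes both layers, the stolen-certificate artifact passes ChainValid and is rejected only by PolicyValid, first because the signer is not the approved publisher for that product and, after the serial is revoked, regardless of product. The practical lesson is the second layer: publisher pinning per product and a revocation feed the organisation actually consumes are what separate "validly signed" from "legitimately signed".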
Example 3: Mimicking investment firms
A different type of third-party risk involves shared information. On March 23, Insikt Group detailed domain typosquatting campaigns (lookalike domains impersonating the targeted firms) executed by TAG-71 (a North Korean state-sponsored group) against financial services companies in Japan, Vietnam, and the United States. Suppose the DPRK were able to establish and maintain unauthorized access inside venture capital or private equity organizations. In that case, confidential portfolio information could be used to select future targets for digital thievery.
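Because the lookalike domains in a campaign like this are registered before they are used, a firm can watch for them. The Go program below is an added example, not code from the original article or from Recorded Future: it enumerates the common typosquat variants of a monitored brand domain (character omission, repetition, transposition, hyphenation, digit-for-letter homoglyphs, and TLD swaps), scans a constructed feed of newly registered domains against them, and falls back to edit distance on the registrable label so variants the generator did not think of are still surfaced. The brand "examplecapital.com", the TLD list, the homoglyph table and the feed entries are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Hit records a registered domain that resembles the monitored brand domain.
type Hit struct {
	Domain    string
	Technique string
}

// homoglyphs maps a letter to substitutes commonly used in typosquats (constructed table).
var homoglyphs = map[rune][]string{
	'o': {"0"}, 'l': {"1", "i"}, 'i': {"1", "l"}, 'a': {"4"},
	'e': {"3"}, 's': {"5"}, 'm': {"rn"}, 'w': {"vv"},
}

// altTLDs are the TLD swaps to enumerate; extend it to the markets you operate in.
var altTLDs = []string{"com", "net", "co", "org", "info", "jp", "vn", "us"}

// splitDomain separates "label.tld" into its registrable label and TLD.
func splitDomain(domain string) (label, tld string) {
	i := strings.LastIndex(domain, ".")
	return domain[:i], domain[i+1:]
}

// Lookalikes enumerates typosquat candidates for a brand domain, keyed by
// candidate with the generating technique as value. The brand itself is excluded
// and the first technique to produce a candidate is the one recorded.
func Lookalikes(domain string) map[string]string {
	domain = strings.ToLower(domain)
	label, tld := splitDomain(domain)
	out := map[string]string{}
	add := func(l, t, why string) {
		if c := l + "." + t; c != domain {
			if _, seen := out[c]; !seen {
				out[c] = why
			}
		}
	}
	r := []rune(label)
	for i := range r {
		add(string(r[:i])+string(r[i+1:]), tld, "omission")
		add(string(r[:i+1])+string(r[i:]), tld, "repetition")
		if i+1 < len(r) {
			s := append([]rune{}, r...)
			s[i], s[i+1] = s[i+1], s[i]
			add(string(s), tld, "transposition")
			add(string(r[:i+1])+"-"+string(r[i+1:]), tld, "hyphenation")
		}
		for _, g := range homoglyphs[r[i]] {
			add(string(r[:i])+g+string(r[i+1:]), tld, "homoglyph")
		}
	}
	for _, t := range altTLDs {
		add(label, t, "tld-swap")
	}
	return out
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the edit distance between two strings (insert, delete, substitute).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

// Scan checks a feed of newly registered domains against the enumerated
// candidates, then falls back to edit distance <= 1 on the label. Hits are
// returned sorted by domain so output is stable.
func Scan(brand string, feed []string) []Hit {
	brand = strings.ToLower(brand)
	cands := Lookalikes(brand)
	blabel, _ := splitDomain(brand)
	var hits []Hit
	for _, d := range feed {
		d = strings.ToLower(d)
		if d == brand {
			continue
		}
		if why, ok := cands[d]; ok {
			hits = append(hits, Hit{d, why})
			continue
		}
		if l, _ := splitDomain(d); levenshtein(l, blabel) <= 1 {
			hits = append(hits, Hit{d, "edit-distance"})
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Domain < hits[j].Domain })
	return hits
}

// ConstructedFeed stands in for a newly-registered-domain feed; every entry is made up.
func ConstructedFeed() []string {
	return []string{
		"examplecapital.com",    // the brand itself: never a hit
		"examp1ecapital.com",    // homoglyph l -> 1
		"exmaplecapital.com",    // transposition
		"example-capital.com",   // hyphenation
		"examplecapital.vn",     // TLD swap
		"examplecapitalz.net",   // not enumerated; caught by edit distance on the label
		"unrelatedventures.com", // no resemblance
	}
}

func main() {
	for _, h := range Scan("examplecapital.com", ConstructedFeed()) {
		fmt.Printf("%-24s %s\n", h.Domain, h.Technique)
	}
}
```

In production the feed would come from certificate transparency logs or a newly-registered-domain source, and each hit would be enriched (registrar, nameservers, MX records, whether the site proxies the real login page) before anyone acts on it; the generator above is only the first filter, and the edit-distance fallback is what keeps it honest when an adversary picks a variant you did not enumerate.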
The fourth-party conundrum
Now enters the vendor’s supplier and the potential for fourth-party breaches and exposures. The risk analysis for a CISO is a twist on Inception - layers upon convoluted layers of digital relationships to manage. Which way is up or out?
The Record recently reported that Missouri-held PHI (protected health information) was compromised via the MOVEit file transfer software. The catch is that IBM Consulting was a relational intermediary. “The department uses IBM Consulting for a range of technology-focused services. An IBM spokesperson told Recorded Future News that the MOVEit file transfer software is ‘used in a small number of consulting engagements, with less than a handful having any personal data impacted.’
‘IBM systems were not impacted by the breach. The Missouri Department of Social Services (DSS) used MOVEit Transfer, a non-IBM product, provided by a third-party supplier under an engagement with IBM Consulting to transfer files wherever they needed to go, not to IBM,’ the spokesperson said.” These relationships between consultants, clients, and third-party software providers are common, and for Missouri DSS, this could be a case of fourth-party risk.
A similar situation occurred more recently with the Ivanti Endpoint Manager Mobile (EPMM) tool. For organizations running affected versions of EPMM, the issue is one of third-party visibility; where a consulting organization sits between the technology provider and the client, it becomes a fourth-party issue.
Facing the legalities
Understanding risk in these relationships matters because the potential for a legal or compliance failure is increasing, particularly for publicly traded companies, due to the SEC’s new rules on incident disclosure (taking effect in December 2023). Legal commentators are opining on the crux of the new regulations - specifically, what “material” means in this context - but CISOs should already be mapping the third and fourth parties that could contribute to a material adverse cyber event.
Additionally, U.S. Homeland Security just announced an audit of cloud security that will likely result in new rules, at a minimum for government agencies. The complexity of cloud environments and the interwoven SaaS spaghetti across approved and shadow IT means that CISOs have plenty to consider in developing future strategies.