Founder and CEO, HighCastle Cybersecurity
Third-party, nth-party, and supply chain risk has been responsible for several of the most devastating attacks in information security over the past several years. Security experts continue to collaborate on bringing a platform to market that represents a disruptive solution to this pervasive problem.
To do this, we must first understand the magnitude of third-party, nth-party, and supply chain (we'll call them "organizational ecosystem partners") information security risk, understand why trust-based models are an ideal method for addressing this vulnerability, and understand how artificial intelligence can be trained to think like a threat actor when designing an attack that leverages third-party networks as an entry point to a target.
A major vulnerability
In 2017, the number of breaches attributable to these organizational ecosystem partners accounted for roughly 25 percent of all data breaches. As of June 2019, this number has jumped to 52 percent.
The access that organizational ecosystem partners have to company networks is typically privileged and mostly unmonitored, and red flags can go undetected for hundreds of days. We believe many of these attacks are misclassified, because the true identity of the "patient zero" target typically remains unknown.
For example, consider the attack on Hilton Hotels. Threat actors installed malware on point-of-sale (POS) terminals inside franchised locations at Hilton properties in order to obtain cardholder data. This is interesting because it disguises who the actual target was. Presumably the franchisees' POS terminals were more vulnerable than Hilton's or the credit card issuers' systems, and likely they were easier to penetrate.
Does this attack meet the definition of an ecosystem partner attack? We believe so, though it was not classified as one. Hilton was reported as the direct target. Five different credit card issuer banks concurred that the breaches had one feature in common — they were all sourced from franchisees’ POS machines on Hilton properties.
A potential solution
If there was a platform that formed an ecosystem between the Hilton franchisees, Hilton properties, and credit card issuers, perhaps this attack could have been prevented. The concept of using a trusted and verified relationship to solve this problem is a compelling possibility.
Artificial intelligence is particularly well-suited as part of the solution because it can be trained to make decisions by synthesizing evidence. We can position AI to determine whether an organizational ecosystem partner's network is actively being breached, or is at high risk of such an attack, by:
- Using data collected over time on organizational ecosystem breach indicators, along with the “evidence” (i.e., in-place security controls)
- Training the elements of AI to assess, infer, and predict decisions about the probability of breach risk using the principles of ethical hacking, combined with the Penetration Testing Execution Standard (PTES).
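As an added illustration (not from the white paper or HighCastle's platform), the following Python sketch shows one way evidence can be synthesized into a breach-risk estimate for each ecosystem partner: observed breach indicators raise the odds of a breach, in-place security controls lower them, and the two are combined as Bayesian likelihood ratios. All indicator names, control names, ratio values and partner data are constructed assumptions for the example.

```python
# Constructed likelihood ratios (hypothetical values, not from the white paper):
# each is P(observation | partner breached) / P(observation | partner not breached).
# Indicators are > 1 (evidence for a breach); in-place controls are < 1
# (evidence against one).
INDICATOR_LR = {
    "pos_outbound_to_unknown_host": 8.0,
    "new_admin_account_after_hours": 5.0,
    "av_disabled_on_pos": 6.0,
}
CONTROL_LR = {
    "pos_network_segmented": 0.4,
    "egress_filtering": 0.5,
    "mfa_for_partner_vpn": 0.6,
}


def breach_probability(prior, indicators, controls):
    """Bayesian update: prior odds x product of likelihood ratios -> posterior."""
    if not 0.0 < prior < 1.0:
        raise ValueError("prior must be strictly between 0 and 1")
    odds = prior / (1.0 - prior)
    for name in indicators:
        # Unknown observations carry no evidence (ratio 1.0) rather than erroring.
        odds *= INDICATOR_LR.get(name, 1.0)
    for name in controls:
        odds *= CONTROL_LR.get(name, 1.0)
    return odds / (1.0 + odds)


def rank_partners(partners, prior=0.05):
    """Return (partner, probability) pairs, highest estimated breach risk first."""
    scored = [
        (name, breach_probability(prior, obs["indicators"], obs["controls"]))
        for name, obs in partners.items()
    ]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed sample evidence for two hypothetical franchisee partners.
SAMPLE_PARTNERS = {
    "franchisee_a": {
        "indicators": ["pos_outbound_to_unknown_host", "av_disabled_on_pos"],
        "controls": [],
    },
    "franchisee_b": {
        "indicators": [],
        "controls": ["pos_network_segmented", "egress_filtering", "mfa_for_partner_vpn"],
    },
}
```

With a 5 percent prior, franchisee_a's two indicators push its estimate above 70 percent while franchisee_b's controls pull it below 1 percent, so the ranking tells the ecosystem where to look first.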
This will provide AI with the framework that contextualizes data to make assessments, draw inferences, and ultimately make decisions about the origination and targets of attacks, and the best way to proceed.
For more information and a copy of the complete white paper, visit www.reconaissis.tech/research, and follow us on Twitter and LinkedIn.
Meghan Gorman, Founder and CEO, HighCastle Cybersecurity