Citrix NetScaler Zero-Day: How to Mitigate Risk from Impacted Vendors
About the NetScaler Zero-Day Vulnerability
Citrix Systems has announced that a zero-day remote code execution (RCE) vulnerability leaves approximately 15,000 NetScaler ADC and Gateway servers exposed to cyber-attacks. An appliance is only affected when it is configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server.
Threat actors began advertising the Citrix ADC zero-day flaw on a hacker forum in the first week of July. Citrix released security updates to address this RCE vulnerability on July 18, 2023, urging customers to install the patches as soon as possible. Since the announcement, several organizations, including the U.S. Cybersecurity & Infrastructure Security Agency (CISA), have recommended that companies take immediate steps to remediate this vulnerability.
In this post, we recommend five questions to ask your third-party vendors to determine their usage of NetScaler and understand their response to any related security incidents. We also share three best practices to better automate your organization’s third-party incident response.
3 Best Practices for Third-Party Vendor Security Incident Mitigation
Although it is not possible to eliminate all risk from every vendor relationship, your third-party risk management program can deliver the visibility and automation necessary to proactively find and mitigate the risks that can disrupt your business. Start with these three steps:
1. Identify vendors that could be using the impacted technology
Knowing which vendors use an impacted technology requires knowing who your vendors are in the first place – and that means building a centralized vendor inventory. You can’t accomplish this by using spreadsheets, or by delegating vendor management to line-of-business teams. It has to be done centrally in a system accessible by everyone involved in your vendor management initiatives. Your central system of record should allow imports of vendor profile data from any existing spreadsheets or via an API connection to your current procurement solution.
Once you have centralized all your vendors, use vendor questionnaires supported by passive scanning capabilities to help you identify fourth-party technology relationships. In this particular case, this exercise would reveal which vendors use NetScaler. Collecting information about fourth-party technologies deployed in your vendor ecosystem helps to identify organizations using the impacted technology, so you can prioritize which of your vendors require further assessments.
2. Issue event-specific risk assessments
Once you have identified vendors with the impacted technology deployed in their environments, engage them with simple, targeted assessments that align with known security standards and best practices such as NIST 800-161 and ISO 27036. Results from these assessments will help you target the remediations necessary to close potential security gaps. Good assessment solutions provide built-in recommendations to speed remediation and quickly close those gaps.
Start your event-specific assessment based on the five questions* we identified in the section above, weighting answers according to your organization’s risk tolerance:
* These are basic questions meant to expose some initial information. Your organization may choose to ask different or additional questions.
3. Continuously monitor impacted vendors
It’s important to remain continuously vigilant, not only for risks stemming from the NetScaler zero-day, but also for those coming from the next attack. Start by monitoring the Internet and dark web with continuous cyber monitoring to reveal listings of stolen credentials for sale and other signals of an impending security incident.
Your monitoring efforts should cover criminal forums, onion pages, dark web special-access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, vulnerability and hack/breach databases, and negative news. Dark web monitoring is what revealed this particular vulnerability on a hacker forum.
You can monitor multiple individual sources yourself, or you can use a solution that unifies insights from multiple sources, centralizes all risk data, and makes it visible to key stakeholders. The latter approach lets you correlate the results of continuous monitoring with risk assessment answers to validate whether vendors actually have controls in place.
Next Steps: Activate Your Third-Party Incident Response Program
If a cybersecurity incident occurred in your vendor ecosystem, would you be able to quickly understand its implications and activate an incident response plan? Time is of the essence in incident response, so being proactive with a defined incident response plan shortens the time needed to discover and mitigate potential vendor problems. A programmatic third-party incident response plan should include:
- A centrally managed database of vendors and the technologies they rely on
- Pre-built business resilience, continuity and security assessments to gauge the likelihood and impact of an incident
- Scoring and weighting to help focus on the most important risks
- Built-in recommendations to remediate potential vulnerabilities
- Stakeholder-specific reporting to answer the inevitable board request
For more on how Prevalent can help your organization accelerate its discovery and mitigation of third-party risks, request a demo today.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.