Ukraine Conflict: How to Prepare for Russian Cyber Attacks Against Third-Party Vendors
Russia’s invasion of Ukraine has elicited a unified response by NATO and its allies, with member nations imposing severe sanctions on Russia as punishment. Considering that some of the most severe third-party cyber-attacks – such as SolarWinds, Colonial Pipeline and JBS Foods – have been traced to Russia, the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have warned businesses and governments to be vigilant against potential ransomware attacks originating from Russia in retaliation for imposing these sanctions.
How should third-party risk management professionals respond?
Five Actions to Prepare for Supply Chain Attacks
1. Inventory All Suppliers
Begin by ensuring that you have centralized visibility into all suppliers since unmanaged, rogue vendors can present hidden risks to the organization. Third-party risk management platforms offer capabilities to automate vendor onboarding, reducing the time and effort required to manage vendors. Then, during the onboarding process, inherent risk scoring can help you determine how to assess your suppliers on an ongoing basis according to the risks they pose to your business.
2. Build a Comprehensive Profile for Every Supplier
As part of the inventorying process, build a comprehensive profile for every vendor that includes industry and business insights, demographics, 4th-party technology relationships, Corruption Perception Index (CPI) scores, and other important information. This will help you zero in on vendors with potential geopolitical exposure. Instead of relying on multiple non-integrated tools to gather this information, look for centralized monitoring solutions that can automatically build that database for you.
3. Identify Technology Concentration Risk
One of the enduring lessons from the SolarWinds breach was that organizations should have known which of their suppliers or vendors were using the technology to better understand their own third-party attack surfaces. As part of the profiling process in Step 2 above, leverage the collection of 4th-party technologies deployed in your supplier ecosystem to determine which would potentially be exposed to a targeted breach. Identifying relationships between your organization and third parties based on technology usage will help you discover dependencies and visualize attack paths into your enterprise.
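The concentration analysis described in Step 3 can be sketched as an inverted index over the supplier profiles. This is an added example, not Prevalent's code: the vendor names, product names, tier values and tier weights are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical vendors and products).
# "tier" is the inherent risk tier assigned at onboarding; 1 = most critical.
VENDORS = [
    {"name": "Acme Payroll", "tier": 1, "technologies": ["NetMonitorX", "CloudDB"]},
    {"name": "Borealis Logistics", "tier": 2, "technologies": ["NetMonitorX", "FileXfer"]},
    {"name": "Cobalt Analytics", "tier": 1, "technologies": ["CloudDB", "netmonitorx "]},
    {"name": "Delta Print", "tier": 3, "technologies": ["FileXfer"]},
    {"name": "Echo Catering", "tier": 3, "technologies": []},
]
TIER_WEIGHT = {1: 3, 2: 2, 3: 1}  # assumed weighting, tune to your own scoring


def technology_index(vendors):
    """Invert the inventory: normalized technology -> sorted vendor names."""
    index = defaultdict(set)
    for vendor in vendors:
        for tech in vendor["technologies"]:
            # Normalize so "NetMonitorX" and "netmonitorx " count as one product.
            index[tech.strip().lower()].add(vendor["name"])
    return {tech: sorted(names) for tech, names in index.items()}


def concentration_report(vendors):
    """Rank 4th-party technologies by tier-weighted exposure, highest first."""
    tiers = {v["name"]: v["tier"] for v in vendors}
    rows = []
    for tech, names in technology_index(vendors).items():
        rows.append({
            "technology": tech,
            "vendors": names,
            "share": round(len(names) / len(vendors), 2),
            "weighted_exposure": sum(TIER_WEIGHT[tiers[n]] for n in names),
        })
    rows.sort(key=lambda r: (-r["weighted_exposure"], r["technology"]))
    return rows


def exposed_vendors(vendors, technology):
    """Vendors to contact when `technology` is reported breached, critical first."""
    tiers = {v["name"]: v["tier"] for v in vendors}
    names = technology_index(vendors).get(technology.strip().lower(), [])
    return sorted(names, key=lambda n: (tiers[n], n))


if __name__ == "__main__":
    for row in concentration_report(VENDORS):
        print(row)
    print(exposed_vendors(VENDORS, "NetMonitorX"))
```

The report surfaces which shared product would touch the most critical suppliers at once, and `exposed_vendors` gives the outreach order when a breach of that product is announced.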
4. Proactively Assess Suppliers for Business Resilience and Continuity Plans
Don’t wait for a cyber-attack to determine your suppliers’ business resilience plans. Instead, proactively engage vendors now with simple, targeted assessments that align with known industry supply chain security standards such as NIST 800-161 and ISO 27036. Results from these assessments will help you target needed remediations to close potential security gaps, for example in software development lifecycle management – a common weakness cited in software supply chain breaches. Good solutions will provide built-in recommendations to speed the remediation process and close those gaps quicker.
Questions to ask your third parties now include:
- Is the organization located in Ukraine or countries bordering Ukraine?
- Does the organization use vendors that are located in Ukraine or surrounding areas?
- Has the organization conducted a risk assessment to determine the level of impact caused to its employees, stakeholders, services and systems?
- What is the level of impact caused to the organization and its employees, stakeholders, systems and services?
- Does the organization have a documented continuity or recovery plan in place?
- Has the organization been required to activate its continuity or recovery plans?
- Has the organization updated its continuity or recovery plans to identify and address geopolitical risks and events?
- Has a Business Impact Assessment been conducted to identify recovery efforts?
Prevalent has compiled these questions into a multiple-choice Ukraine Conflict Geo-Political Third-Party Impact Assessment, which you can use to determine the business continuity implications of having suppliers in the Ukraine region. If you have suppliers potentially impacted by this event, this assessment is a good starting point to determine your exposure. It is also available to our customers as part of the Prevalent platform’s questionnaire library.
5. Continuously Monitor for Potential Cyber-Attacks
Centrally managing vendors, understanding concentration risk, and being more proactive about assessing vendor business resilience plans is a great start. However, you have to be continuously vigilant for the next attack. That’s why you should look for signals of an impending security incident by monitoring the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.
Typical sources of third-party intelligence include:
- Cyber: Criminal forums, onion pages, dark web special access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, and vulnerability and hack/breach databases.
- Business: M&A activity, business news, negative news, regulatory and legal information, operational updates.
- Financial: Turnover, profit and loss, shareholder funds.
- Global Sanctions Lists: OFAC, EU, UN, BOE, FBI, BIS, FDA, US HHS, UK FSA, SEC, etc.
- State-Owned Enterprise Screening
- Politically Exposed Persons Lists
As in Step 2, you can monitor these sources separately, or you can look for solutions that unify all the insights into a single solution, so all risks are centralized and visible to the enterprise.
Test Your Incident Response Plan Before the Next Third-Party Cyber-Attack
Many organizations struggle to get timely information about security incidents impacting their supply chains. Delays between a vendor incident and your own risk identification, analysis and mitigation will leave your organization exposed to operational disruptions. Prevalent can help.
The Prevalent Third-Party Incident Response Service enables you to rapidly identify and mitigate the impact of supply chain incidents by centrally managing vendors, conducting proactive event assessments, scoring identified risks, and accessing remediation guidance. Don’t get caught flat-footed by a third-party cyber-attack you know is coming. Contact us today to learn more or schedule a demo.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management, Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.