Recorded Future Adds Third-Party Risk to Threat Intelligence Platform

Over the last few years, the supply chain has emerged as a primary attack vector for both criminal gangs and nation-state groups. Attackers are compromising often smaller and less well-defended suppliers in order to gain access to larger primary targets. This problem is getting worse with the increasing digital transformation of business around the world -- more companies are dealing electronically with each other than ever before.

Recorded Future has now released an extension to its threat intelligence platform: a Third-Party Risk module.

"We believe that digital transformation is increasing risk for organizations on two fronts," explains Levi Gundert, VP of intelligence and risk: "firstly, the number of connected partners organizations have; and secondly, the attack surface for each one of those partners. This illustrates a clear need for more dynamic and transparent risk analysis, so security teams are better informed about their threat landscapes."

The Third-Party Risk module is, suggests Recorded Future, a natural extension of its primary threat intelligence service -- providing its customers with a risk posture score for their existing and potential third-party suppliers. The company already has risk analytics for around 100,000 companies. This number is growing daily. About 70% are public companies, and 30% private companies.

In an associated blog post today, Matt Kodama (VP of product) gives further details. The service comprises tens of thousands of company intelligence cards, providing a single source to intelligence-generated supplier risk scores. These risk scores are dynamically generated from real-time data with transparent sourcing and risk rules. Access to the risk data is from within the Recorded Future threat intelligence platform, allowing security teams to rapidly see and respond to new threats in their third-party suppliers.

"Recorded Future uses open, closed, technical, and proprietary internet data to create analytics mapped to a company's infrastructure and corresponding exposures," Gundert told SecurityWeek. "Specific data points considered in a risk score could include alleged company credentials discovered in criminal forums, number of typosquat domains, malware traffic from a company's network to a known Command and Control (C2) server, and/or a count of internet facing systems with known vulnerabilities."

"By analyzing real-time threat activity targeting third parties, in addition to third-party infrastructure and vulnerability data, we're providing a more complete view of risk. This comprehensive outlook allows our clients to understand current weaknesses and better evaluate the potential impact of emerging threats to their organization," added Matt Kodama.

The dark web footprint analyzes incidents of a company's name within the criminal forums -- the more frequently it is found, the higher the risk of abuse or attack. Leaked data from a potential third-party client would be particularly concerning. It could indicate that the company has already been compromised, and that criminals might have access to important credentials. "A spearphishing attack that seems to come from a trusted business partner," warns Recorded Future, "is far more compelling than one from a stranger."

Domain abuse finds and reports on typosquat domains. Their existence could indicate an ongoing or future phishing attack against the third party. If that attack succeeds, a 'stepping stone' attack against Recorded Future's customer could be launched.

Third parties that use web technologies are particularly at risk -- especially if those technologies are unpatched. The risk severity can be determined by the potential impact of an attack, and any indication that a vulnerability is being actively exploited.

The IT policy violation risk indicator examines an infrastructure for indications of misuse or abuse. For example, an IP address hosting a command and control server indicates that the company is more susceptible to attack and may pose a risk to companies it does business with.

"For a long time, we described threat intelligence as 'going beyond the wall' -- providing a view of all threats developing outside the confines of an organization. But that's really just the first half of the story -- and it's not enough to protect a diverse ecosystem," explains Christopher Ahlberg, CEO and co-founder of Recorded Future. "We know that digital transformation is increasing cyber risk. We also know the only way to counteract this growing threat is to better understand how partner organizations impact our own threat landscapes. By offering Third-Party Risk as part of the Recorded Future Platform, we're helping organizations strengthen their own defenses and build healthy bonds between partners."

Boston, Mass.-based Recorded Future raised $25 million in a Series E funding round led by Insight Venture Partners in October 2017. This brought the total sum raised by the firm to $57.9 million.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.