Author Archives: Mikayla Townsend

Spooking the C-Suite: The Ephemeral Specter of Third-Party Cyber-Risk


Halloween movies are the perfect metaphor for breaking down today’s scariest supplier breach tropes.

If data breaches were a film genre, third-party cyber-risk would be the talk of producers and casting agents; it’s where the money is. Like a relentless killer who cannot seem to be destroyed, third-party breach scenarios dominate the headlines. The scares are all different — compromised health records, weapons designs, or automakers’ trade secrets — but the plot is the same: files leaked and stolen via compromised contractors, supply chains, or business partners.

From my vantage point counseling senior executives on cyber-risk management, it is easy to see why the ephemeral specter of third-party cyber-risk haunts the C-suite. When you’re operating in your company’s own familiar environment, you often miss the warning signs of danger lurking — until something hits you. Leaders complain they can spend untold sums and time tightening their company’s internal security measures only to see their data and reputation suffer the consequences of errors and carelessness at other companies, seemingly out of their control.

Let’s break down a few third-party breach tropes and how to confront them:

The Partner You Don’t Know


Photo Credit: “Creature from the Black Lagoon”, Public Domain, from the Florida Memory Project hosted at the State Archive of Florida.

Just as the Creature from the Black Lagoon terrified boaters who stumbled onto his turf, many companies don’t learn of a third party’s privileged access until a breach flops onto the deck and begins costly disruptions. Given how constantly technology and business forces evolve, it is very easy to overlook business partners that have accumulated through decentralized and delegated sourcing, M&A, and other shifts.

The best way to avoid a terrifying Halloween surprise (or any other time of year, for that matter) is to create cross-functional vendor management teams including sales, development, and marketing. These overseers can interface with both the chief information security officer’s (CISO) organization and other stakeholders, like the CFO. This will maintain an updated, central radar screen of third-party relationships to ensure that security, financial, and other controls are all evenly applied.

The Trusted Partner Who Proves to Be Risky

Dr. Jekyll probably aced his security interviews and contract negotiations. After all, he’s a scientist! But what oversight mechanism kicks in when a company you trust one minute becomes the equivalent of Mr. Hyde the next?

The solution requires more than annual audits, one-time compliance checks, or the threat of litigation. It’s better for companies to configure alerts that fire when the names of their IP and business partners turn up on the Dark Web, paste sites, or the wider cybercrime underground. Often, the first occurrence of breached data offers telltale indicators of whether the material was targeted directly or spilled out of a larger third-party breach. Early-warning measures like these minimize needless exposure by helping find and remedy vulnerable systems.
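One way to implement the kind of early-warning alerting described above is a watchlist matcher run over scraped feed records. The script below is an added example written for this page, not code from the original post or from LookingGlass; the organisation name, partner names, netblocks and feed records are all constructed values. It flags records that mention a watched entity by name or by an address inside a known netblock, and applies the post's heuristic: data naming only our own organisation reads as direct targeting, while our data appearing inside a partner's dump reads as third-party spill.

```python
"""Watchlist alerting over a constructed feed of paste-site and forum records.

Added example: the organisation name, partner names, netblocks and feed
records below are all constructed (hypothetical) values.
"""
import ipaddress
import re

# Constructed watchlist: our own organisation ("self") plus business partners,
# each with the netblocks we would expect to see alongside their name.
WATCHLIST = {
    "ExampleCorp":       {"role": "self",    "nets": ["203.0.113.0/24"]},
    "Acme Logistics":    {"role": "partner", "nets": ["198.51.100.0/25"]},
    "Northwind Payroll": {"role": "partner", "nets": []},
}

# Constructed feed records standing in for paste-site / underground scrapes.
FEED = [
    {"id": "p1", "source": "pastesite",
     "text": "ExampleCorp internal creds dump admin@examplecorp.example:hunter2"},
    {"id": "p2", "source": "forum",
     "text": "Selling Acme Logistics client db, host 198.51.100.7, includes ExampleCorp shipments"},
    {"id": "p3", "source": "pastesite",
     "text": "random game server list 192.0.2.9"},
    {"id": "p4", "source": "forum",
     "text": "northwind payroll portal login list"},
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _compiled(watchlist):
    """Pre-compile the name patterns and parse the netblocks once per call."""
    out = []
    for name, info in watchlist.items():
        pattern = re.compile(re.escape(name), re.IGNORECASE)
        nets = [ipaddress.ip_network(n) for n in info["nets"]]
        out.append((name, pattern, info["role"], nets))
    return out


def match_record(record, watchlist=WATCHLIST):
    """Return the watchlist entities mentioned in one record and how each
    matched: "name" for a name mention, "ip" for an address in a known netblock."""
    ips = []
    for token in IPV4_RE.findall(record["text"]):
        try:
            ips.append(ipaddress.ip_address(token))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
    hits = []
    for name, pattern, role, nets in _compiled(watchlist):
        via = []
        if pattern.search(record["text"]):
            via.append("name")
        if any(ip in net for ip in ips for net in nets):
            via.append("ip")
        if via:
            hits.append({"entity": name, "role": role, "via": via})
    return hits


def classify(hits):
    """Heuristic from the post: data naming only us looks like direct targeting;
    our data inside a partner's dump looks like third-party spill."""
    roles = {h["role"] for h in hits}
    if roles == {"self"}:
        return "direct"
    if roles == {"self", "partner"}:
        return "third_party_spill"
    if roles == {"partner"}:
        return "partner_only"
    return None


def triage(feed, watchlist=WATCHLIST):
    """Map record id -> classification for every record that hits the watchlist."""
    result = {}
    for record in feed:
        label = classify(match_record(record, watchlist))
        if label:
            result[record["id"]] = label
    return result


if __name__ == "__main__":
    for rid, label in triage(FEED).items():
        print(f"{rid}: {label}")
```

The classification is only a first-pass label for the analyst queue; a "partner_only" hit still deserves a look, because it tells you a partner's exposure is already being traded before anyone has told you about it.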

The Promise and Peril of New Technology Frontiers

Dr. Frankenstein thought he could make death obsolete. In Event Horizon and Ex Machina, brilliant minds create new technologies that are awe-inspiring at first — but soon reveal terrifying, unintended consequences. Protagonists begin these films coolly and seemingly in control of technology that pushes boundaries but end up with more than they bargained for, and a total loss of control.

Today’s ubiquitous third-party data breaches fortunately do not cause loss of life or the rise of sentient machines. However, many a company has rushed to embed a hot new service provider’s remarkable technology without necessarily realizing or weighing the inherent risk being shouldered in the process. For example, companies that turned to a popular online chat tool, including Best Buy, Sears, and Delta Airlines, were affected when the high-profile, category-defining vendor behind the chat platform was hit with malware.

In fairness, any outsourced technology can be breached — not only those of hot, emerging startups. But this underscores the point that companies need to follow the trail to see where their data goes and “who” has access to “what.” While it’s unrealistic to expect a customer service leader to know her or his company’s entire risk appetite, it underscores the need to have cross-functional team-based approaches to sourcing and major investments in any new technology partner — particularly those running code on your site or in your product.

The Cliffhanger

THE END… or is it? When the 3:00 a.m. phone calls, harried email threads, tired spokespeople, and empty takeout containers subside after an exhausting data breach response, employees feel partially relieved. Yet they are also wary of “What else is out there?” This is akin to how our heroes feel after they finally destroy the last alien or zombie — right before the camera pans to an egg or one more infected person right before the credits roll. Hollywood and merchandisers love to set things up for a sequel, but executives and CISOs would be doomed to failure if they find themselves trapped in a reboot of the same breach screenplay six months later.

After every third-party breach affecting their business or a peer company, security leaders need to take stock of what happened, and study precursor activities or preconditions that allowed excessive risk to go unchecked. In some cases, attackers might have been remarkably lucky, or the root cause could be the result of unimaginable oversights in vendor behavior and decision-making.

It is true no organization can find everything that might be lurking in the night to do them harm. But taking a deeper look at these telling patterns can equip security professionals to speak up when they start hearing familiar assumptions and clichés from scripts they have seen too many times before.

Originally posted on Dark Reading: …threats/spooking-the-c-suite-the-ephemeral-specter-of-third-party-cyber-risk/a/d-id/1333145

The post Spooking the C-Suite: The Ephemeral Specter of Third-Party Cyber-Risk appeared first on LookingGlass Cyber Solutions Inc.

Symantec, IBM, FireEye Named Among Threat Intelligence Leaders


Threat intelligence presents a massive growth opportunity for the channel as the global market is expected to more than double, reaching nearly $13 billion by 2023.

That’s according to a new report by MarketsandMarkets, which expects a compound annual growth rate of almost 20 percent. The market’s value is $5.3 billion today.

Major threat-intelligence providers include such companies as Symantec, IBM, FireEye, Check Point Software Technologies, Trend Micro, Dell Technologies, McAfee, LogRhythm, LookingGlass Cyber Solutions and Proofpoint.

The key factors driving the market include the rise in interconnectivity due to IoT and bring your own device (BYOD), an increasing number of targeted attacks and pervasive advanced persistent threats (APTs), the need for organizations to deploy next-generation cybersecurity, and stringent directives for data protection.

With the increasing instances of cyberattacks, IoT and connected device vulnerabilities, and growing pressure from cybersecurity regulations, the security information and event management (SIEM) segment is expected to garner the most revenue during the forecast period.

Cloud-based threat intelligence is gaining traction among small and medium enterprises, as they are cost-efficient and don’t require purchasing, installing and maintaining hardware or software. Scalability, easier operations and attractive pricing are boosting the adoption of cloud-based services.

The banking, financial services and insurance (BFSI) vertical is expected to maintain the leading position in terms of revenue generation through 2023. The industry is a major target for cybercriminals, as it holds sensitive information of employees, customers, assets, offices, branches and operations. Also, with stricter regulations, and increasing instances of fraud and cyberattacks, the need for real-time detection and protection from advanced threats is driving growth in this segment.

North America is expected to maintain the largest share of the overall market through 2023. The presence of many threat-intelligence vendors, as well as widespread awareness about the services they offer, will continue to account for the region’s dominance.




LookingGlass Cyber Solutions Software Platform Proactively Manages Third Party Cyber Risks to Business Data and Operations


ScoutPrime™ Capability Delivers Continuous Monitoring and Real-Time Discovery of Elevated Breach Risks, Helping Decision-Makers Take Action and Manage Their Expanded Cyber Attack Surface


RESTON, VA – October 30, 2018 – LookingGlass™ Cyber Solutions, a leader in threat intelligence-driven security, today announced the general availability of its advanced Third Party Risk Monitoring offering. Built on the powerful ScoutPrime platform, the LookingGlass subscription service offering leverages the industry’s most comprehensive threat data along with a team of expert security and intelligence analysts to mitigate risks, provide continuous visibility into potential vendor exposure, and significantly reduce time to action with negligible false positives.

Beyond the digitized walls of every company is a world of vendors, suppliers, providers, and subsidiaries, all connected to a company’s network or data and each with potential access that could publicly expose customer information, intellectual property, or heavily regulated data. Without continuous insight into these broader networks and data relationships, businesses risk leaving an enormous portion of their attack surface unmonitored and unchecked, undermining their ability to pinpoint or remediate third party security weaknesses and avoid costly data breaches. And while more than 60 percent of companies admit they know where third party risks are most likely to arise, they acknowledge they struggle to detect them.[1]

The LookingGlass Third Party Risk Monitoring service delivers more than static scorecards or access to infrequently updated databases. Using LookingGlass’ unique global Internet topology, the service quickly identifies third party network elements and assets to deliver 24x7x365 real-time notifications of compromises, vulnerabilities, and network breaches. LookingGlass’ experienced security analysts then review identified cyber threats for relevance, minimizing the likelihood of false positives. Designed for flexibility and scale, the service lets customers monitor up to 5,000 third parties across over a dozen unique categories of cyber risk, obtaining a comprehensive view into vulnerabilities, breaches, open ports, misconfigured certificates and other evidence of a potential system risk or compromise. Users can also add, delete, or query any vendor at any time and, with built-in reporting, can collect and report metrics to company leaders to promote security visibility across the organization, all at an effective price point.

“When it comes to risk, companies have more than just their own perimeters to consider. Every new or existing vendor increases the possibility for exposure that could lead to a breach and impact revenue, brand, and reputation,” said Eric Olson, senior vice president of product at LookingGlass Cyber Solutions. “Changing regulations that require organizations to demonstrate effective identification and management of third party relationships and associated cyber risk add even more layers of complexity to the already time-consuming task of keeping networks secure from a constant barrage of evolving inbound threats. Our Third Party Risk Monitoring service empowers security teams to effectively manage their company’s security posture by delivering the efficient, reliable analysis essential to making strategic, proactive risk management decisions.”

The LookingGlass Third Party Risk Monitoring service can be delivered as a shared or hosted service via LookingGlass or select partners in the company’s worldwide Cyber Guardian Network™. It includes round-the-clock support along with on-boarding and provisioning. In addition to continuous monitoring of third parties, it also performs perpetual scanning of the surface, social, deep, and dark web for both structured and unstructured data, including phishing activity, compromised account credentials, and vulnerabilities in vendor products.

For more information on the LookingGlass Third Party Risk Monitoring Managed Service or to schedule a demo, please visit:


About LookingGlass

LookingGlass Cyber Solutions delivers unified threat protection against sophisticated cyber attacks to global enterprises and government agencies by operationalizing threat intelligence across its end-to-end portfolio. Scalable threat intelligence platforms and network-based threat response products consume our machine-readable data feeds to provide comprehensive threat-driven security. Augmenting the solutions portfolio is a worldwide team of security analysts who continuously enrich our data feeds and provide customers unprecedented understanding and response capability into cyber, physical and 3rd party risks. Prioritized, relevant and timely insights enable customers to take action on threat intelligence across the different stages of the attack life cycle. Learn more at



Christy Pittman
W2 Communications for LookingGlass

[1] Third Party Risk: Exposing the Gaps. Thomson Reuters, 2016,


Keeping Our Nation’s Lights On… Cyber Threat Intelligence to Safeguard our Infrastructure


Imagine if our national electrical grid were to stop functioning with no immediate hope of re-establishment. The likelihood of such an event might not seem high but the impact on every home, business, and person in the nation would be significant.

The widespread ramifications of such an attack are the very reason why our nation’s critical infrastructure – electric grids, power plants, etc. – is a prime target for terrorists and others intending to cause significant harm to our nation, or at the minimum to propagate fear and mass hysteria.

Having worked in the cybersecurity industry for more than three decades, and as LookingGlass’ CTO, there is nothing more important to me or our company than to use every available asset and capability to provide our critical infrastructure providers with enhanced security against these types of attacks.

So, with the stakes set high, let me introduce what LookingGlass views as key ways to fortify critical infrastructure providers’ security posture.


Insight #1: Know the adversary and the target(s)

The first step is always to know the who, what, why, and how of an adversary’s attack. The mitigation response for one risk or actor group may not apply to another group. Some actors may be interested in fraud (via system data manipulation), whereas others may be motivated to sabotage or cause harm with intent to disrupt operational systems, rendering them useless. Depending on the target and outcome, the actors may use similar tactics, techniques, and procedures (TTPs) or potentially different TTPs. All of this reinforces the importance of quality intelligence so you can better profile and understand potential adversaries and their objectives.

Consider developing a matrix similar to the one below that identifies high-level motives and use that matrix to develop strategies on threat response across each identified motive.

Figure: High-Level Adversary Categories and Objectives




Actor Example: NullCrew

  • Founded in 2012 to support Wikileaks founder Julian Assange
  • Responsible for multiple high-profile cyberattacks
  • Preferred targets: cable companies and ISPs
    • Also targeted financial services companies, universities, the Department of Defense, and technology companies such as Sony and ASUS
  • Members of NullCrew include Zer0Pwn, rootcrysis, nopnc, and Siph0n
  • On February 1st, 2014, NullCrew claimed to have hacked Bell Canada and compromised its database server
  • Prior to the claim, the group published a list of leaked Bell Canada client information containing usernames, email addresses, plain-text passwords, and some credit card data


Insight #2: Understand the attack surface

Mapping the attack surface shows you where your organization is vulnerable, and thus open to attack, as well as the potential attack methods. This is especially significant when considering risk introduced by third parties.

Three aspects to scoping the attack surface are shown below.

Figure: Understanding the Intelligence Driven Attack Surface


Internet Intelligence

  • Collect the organization’s Internet points of presence and those of all related organizations. This should also include how those networks are connected and how traffic is routed to them.
  • Consider monitoring Border Gateway Protocol (BGP) for route changes as well as CIDR ownership announcements, to detect either malicious reconfiguration or hijacking attempts.
  • Depending on the size of the critical infrastructure being protected, monitoring all changes and other relevant metadata (e.g. ownership/containment) for these networks could be a significant undertaking. Therefore, we recommend either planning for large-capacity data storage and processing or using methods that focus only on specific networks and systems.

Figure: Example of CIKR Internet POPs
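To make the BGP monitoring point concrete, here is an added example (written for this page, not code from the original post or from LookingGlass) of the two checks a route monitor would run against a baseline of monitored prefixes: a change in the origin AS for a monitored prefix, and a more-specific announcement that would draw traffic away from it. The prefixes, AS numbers and announcements are constructed from documentation ranges and private-use ASNs; in practice the announcements would come from a route collector or a BGP monitoring service.

```python
"""BGP origin and more-specific prefix checks over constructed announcements.

Added example: the prefixes, AS numbers and announcements are constructed
(documentation ranges and private-use ASNs), not data from the original post.
"""
import ipaddress

# Constructed baseline: monitored prefixes (our own and a third party's) with
# the origin AS expected to announce each one.
BASELINE = {
    "203.0.113.0/24": 64500,   # our own point of presence (hypothetical)
    "198.51.100.0/23": 64501,  # a vendor's netblock we also watch (hypothetical)
}

# Constructed announcements standing in for a route-collector feed.
ANNOUNCEMENTS = [
    {"prefix": "203.0.113.0/24",   "origin_as": 64500, "as_path": [64510, 64500]},  # as expected
    {"prefix": "203.0.113.128/25", "origin_as": 64666, "as_path": [64510, 64666]},  # more-specific, foreign origin
    {"prefix": "198.51.100.0/23",  "origin_as": 64667, "as_path": [64510, 64667]},  # origin AS changed
    {"prefix": "203.0.113.0/25",   "origin_as": 64500, "as_path": [64510, 64500]},  # de-aggregation by the legitimate origin
    {"prefix": "192.0.2.0/24",     "origin_as": 64502, "as_path": [64510, 64502]},  # not monitored
]

SEVERITY = {
    "origin_change": "high",
    "more_specific_foreign_origin": "high",
    "more_specific_same_origin": "low",  # often traffic engineering; worth a look, not a page-out
}


def parse_baseline(baseline):
    """Turn the prefix-string baseline into (network, expected_origin_as) pairs."""
    return [(ipaddress.ip_network(p), asn) for p, asn in baseline.items()]


def check_announcement(ann, baseline):
    """Compare one announcement against every monitored prefix; return findings."""
    pfx = ipaddress.ip_network(ann["prefix"])
    findings = []
    for monitored, expected_as in baseline:
        if pfx.version != monitored.version:
            continue
        if pfx == monitored:
            # Exact match: only the origin AS can be wrong.
            if ann["origin_as"] != expected_as:
                findings.append(_finding("origin_change", ann, monitored, expected_as))
        elif pfx.subnet_of(monitored):
            # A more-specific route wins in the routing table regardless of origin,
            # so it matters even when the legitimate origin announced it.
            kind = ("more_specific_foreign_origin"
                    if ann["origin_as"] != expected_as
                    else "more_specific_same_origin")
            findings.append(_finding(kind, ann, monitored, expected_as))
    return findings


def _finding(kind, ann, monitored, expected_as):
    return {
        "type": kind,
        "severity": SEVERITY[kind],
        "prefix": ann["prefix"],
        "monitored": str(monitored),
        "expected_as": expected_as,
        "seen_as": ann["origin_as"],
        "as_path": list(ann["as_path"]),
    }


def audit(announcements, baseline=BASELINE):
    """Run every announcement through the checks and collect the findings."""
    parsed = parse_baseline(baseline)
    out = []
    for ann in announcements:
        out.extend(check_announcement(ann, parsed))
    return out


if __name__ == "__main__":
    for f in audit(ANNOUNCEMENTS):
        print(f"[{f['severity']}] {f['type']}: {f['prefix']} from AS{f['seen_as']} "
              f"(monitored {f['monitored']}, expected AS{f['expected_as']})")
```

The baseline should cover the related organizations collected in the first bullet as well as your own prefixes, which is why the constructed example watches a vendor's netblock alongside our own.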


High-Quality Threat Intelligence

Once you have a well-defined understanding of what systems and processes to protect within your critical infrastructure, the next step is to collect relevant and actionable threat intelligence. There are many sources of threat intelligence that could be relevant to your critical infrastructure. Intelligence selection and refinement is a key part of maximizing the benefits to security operations. Consider choosing intelligence that can provide insight into the behaviors associated with malicious activities and any indicators (network, social, host) that can give insight into active attacks. Types of intelligence for consideration:

  • Structured Threat Intelligence
    • Malware hosting/distribution, particularly malware that has been crafted to attack Critical Infrastructure and Key Resources (CIKR) systems or by actors known to attack CIKRs
    • Virus/Botnet infection known to infect CIKR systems
    • Command-and-Control activity that may be detected in any phase of the kill-chain
    • Malicious/Scanning behavior
    • Spamming or Phishing observed that would target users or systems within CIKRs
    • Questionable Asset Use within CIKR networks or connected networks
    • Emergent vulnerabilities specifically relevant to CIKR systems
    • Malware network parameters and malicious certificate information that can be used to detect such behavior
  • Unstructured Threat Intelligence
    • Compromised Account Credentials of organization admins and known third parties that are responsible for CIKR maintenance
    • Reported breaches of third parties, especially those that are responsible for some aspect of CIKR systems
    • Vulnerabilities found/announced in a third party’s product that could be used to attack the CIKR environment
    • Suspicious domain registrations & spear phishing exposure that would result in attacks being launched against CIKR infrastructure identified during the internet intelligence phase.
Figure: Example of Unique Threat Types and Threat Instances


Connecting Human & Machine Insight

Intelligence derived from machine correlation of raw security data alone might not yield the same results as an effective machine + human intelligence combination can provide. Machine algorithms can be effective at processing large volumes of data and well-known patterns that can be easily computed without ambiguity. In some cases, machine algorithms can learn to improve their function provided sufficient data (training data) and appropriate learning algorithms are applied with suitable guidance from skilled experts.

However, the human analyst may have context that the machine does not (data gaps). We can fill those gaps with human analysis for additional understanding and insight that is not easily quantified into a program. Additionally, the human element can identify multi-factor context and relationships across seemingly unrelated network behaviors that machine-learning systems would not identify with sufficient accuracy without substantial effort.

For critical infrastructure protection, having human expertise complement machine-driven analysis is a vital check-and-balance for both detection and response, especially when making automated decisions to mitigate threats driven by intelligence.

Figure: Aggregated Threat Risk Across CIKR Sectors


Insight #3: Profile and identify the (weakest) links

For many critical infrastructure providers, the weakest link in their attack surface may not be their own organization but a third party provider or supply chain organization on which they rely. The risk introduced by organizations that are not directly managed by your organization depends heavily on the relationship those organizations have to the business operations and their access to critical systems. If a third party organization has admin rights to control or monitor critical infrastructure systems, that organization carries the same risk of becoming a target as the primary owner of the equipment.

Continuous monitoring and assessment of third parties and supply chain organizations should be built into your security program to bring awareness and active response to weak spots in your attack surface. Consider the following questions when assessing third parties:

  1. Do we know and understand active application vulnerabilities in our own org as well as our third parties?
  2. Can a third party be used to attack our infrastructure? If yes, what are the detection and response strategies for such an attack and how do they differ from an external adversary?
  3. Do we know what data has been leaked from our third parties or supply chain? If a third party is compromised how can that impact our own security posture?

Here are some key elements to monitor for both your organization and all third party vendors:

  • Network Footprint
  • System Compromises & Infections
  • Account Compromises
  • External Facing Vulnerabilities
  • Domain & Spear Phishing Risk
  • Intelligence Indications & Warnings


Insight #4: Effective Business Process Integration

One of the key factors in improved CIKR protection is how well the threat intelligence practice is integrated into the business processes that manage those CIKR systems. It is not just what data is collected but how efficiently data is refined, how effectively data is enriched, and the subsequent processing that can effect changes to the security response of the organization.

This is particularly important when CIKR networks provide potentially life-saving services, and the processes to identify and respond to threats to those networks must be highly efficient and responsive. Data-processing systems and workflow processes do not exist in isolation from each other, and organizations must implement methods that connect those elements with the data in a meaningful manner that supports the security team and their operations.

The security team should focus on reducing incident time to resolution, increasing detection capability (and mitigation effectiveness), and numerous other important operational metrics driven by a mature intelligence-processing model.

Figure: Example Intelligence Data to Reporting Operations Workflow


Protecting our nation’s critical infrastructure is an important issue that organizations need to prioritize. If some of the topics I outlined seem a few years down the road for your organization, then consider starting with the basics: continuously update and patch systems, regularly change passwords, train employees to identify and report cyber threats, and begin automating the mitigation of known threats in your systems.

If you would like to learn more about how LookingGlass can help secure your critical infrastructure, contact me @tweet_a_t or our team @LG_Cyber.

