Back to Intelligence

Mitigating Third-Party Risk: Strategies to Secure Your Supply Chain

SA
Security Arsenal Team
April 5, 2026
6 min read

Introduction

The modern security perimeter is no longer defined by firewalls and castle walls; it is defined by the vendors you trust. For years, defensive strategies focused on locking down internal networks, but today's attack surface has shifted outward. The next major breach targeting your organization likely won't come from a brute-force attack on your external perimeter; it will likely come through a trusted vendor, a SaaS tool adopted by the finance team, or a subcontractor unknown to IT.

As highlighted in recent reporting by Cynomi, "Securing the Modern Perimeter: The Rise of Third-Party," this gap represents one of the most critical vulnerabilities in current corporate defense postures. For managed security service providers (MSSPs) and internal security teams, the challenge is no longer just securing your own infrastructure—it is about gaining visibility into the security posture of the entire ecosystem you are connected to.

Technical Analysis: The Supply Chain Attack Vector

Third-party risk manifests in several technical forms, often bypassing traditional security controls because the traffic or actions originate from trusted sources.

  • Compromised Vendor Credentials: Attackers steal credentials from a vendor with access to your network (e.g., via a phishing attack on the vendor). Since the credentials are legitimate, they bypass standard authentication alerts.
  • Shadow IT and Unauthorized SaaS: Business units frequently adopt SaaS tools without IT oversight. These platforms may have weak security controls, and data exfiltration to these platforms often appears as "safe" web traffic.
  • Software Supply Chain Compromise: Malicious code injected into a legitimate software update (similar to the SolarWinds or Kaseya incidents) provides attackers with a direct tunnel into the deepest parts of a network, often signed with valid digital certificates.

The severity is Critical because these attacks exploit the inherent trust established between organizations. Traditional defenses like Intrusion Detection Systems (IDS) or perimeter firewalls are often configured to allow traffic from known vendor IPs or whitelist specific software update paths, creating a blind spot for defenders.

Executive Takeaways

For security leadership and CISOs, the rise of third-party risk requires a shift in governance and strategy:

  1. Zero Trust is Mandatory: Trust is never assumed. Verify every user and device, whether they are an employee or a vendor contractor. Segment networks strictly so that vendor access is limited to only the specific resources required.
  2. Inventory is King: You cannot defend what you cannot see. Organizations must maintain a real-time inventory of all software, SaaS applications, and vendors with network access.
  3. Contractual Security Compliance: Security requirements must be embedded in vendor contracts. Vendors should be contractually obligated to notify you of breaches within a specific timeframe and demonstrate their own security compliance (e.g., SOC 2, ISO 27001).

Defensive Monitoring

Detecting third-party risks requires monitoring for anomalies in how trusted entities behave. Defenders should look for vendors accessing data they shouldn't, known remote administration tools running in unusual contexts, or unauthorized data transfers to consumer-grade cloud storage.

SIGMA Detection Rules

The following SIGMA rules help detect suspicious activity often associated with third-party compromises or unauthorized vendor tools.

YAML
---
title: Suspicious Remote Access Tool Execution
id: 5e8f4a2d-1c3b-4b5e-9f6a-2d1e3b4c5d6f
status: experimental
description: Detects the execution of common remote access tools often used by vendors but initiated from non-standard paths or by unexpected users.
references:
  - https://attack.mitre.org/techniques/T1219/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.command_and_control
  - attack.t1219
  - attack.initial_access
  - attack.t1078
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\anydesk.exe'
      - '\teamviewer.exe'
      - '\splashtop.exe'
      - '\supremo.exe'
      - '\logmein.exe'
      - '\bomgar.exe'
  filter_legit_path:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
  filter_admin_user:
    User|contains:
      - 'Administrator'
      - 'SYSTEM'
      - 'Domain Admins'
condition: selection and not 1 of filter_*
falsepositives:
  - Legitimate IT support activities initiated by administrators
level: high
---
title: Potential Data Exfiltration to Personal Cloud Storage
id: f3e2d1c0-b9a8-4765-8c4d-3e2f1a0b9c8d
status: experimental
description: Detects processes uploading data to known personal cloud storage providers, which may indicate data leakage via third-party tools or shadow IT.
references:
  - https://attack.mitre.org/techniques/T1048/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.exfiltration
  - attack.t1048
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'dropbox.com'
      - 'drive.google.com'
      - 'onedrive.live.com'
      - 'mega.nz'
    DestinationPort: 443
  filter:
    Image|contains:
      - '\Program Files\'
      - '\Program Files (x86)\'
      - '\Windows\System32\'
    Initiated: 'true'
condition: selection and not filter
falsepositives:
  - Legitimate synchronization by approved corporate backup tools
level: medium

KQL Queries

For Microsoft Sentinel or Defender for Identity, use the following queries to identify risky sign-ins from external partners or guests.

KQL — Microsoft Sentinel / Defender
// Detect external guest users accessing sensitive resources from unusual locations
SigninLogs
| where ResultType == 0
| where UserType == "Guest"
| extend RiskLevel = tostring(RiskLevelDuringSignIn)
| where RiskLevel in ("medium", "high")
| project TimeGenerated, UserPrincipalName, AppDisplayName, Location, DeviceDetail, RiskDetail
| order by TimeGenerated desc


// Identify sign-ins from vendor IP ranges that have failed previously (Potential brute force on vendor account)
SigninLogs
| where ResultType != 0
| join kind=inner (
    SigninLogs
    | where ResultType == 0
) on UserPrincipalName
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, ResultType
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
| where count_ > 5

Velociraptor VQL

Use Velociraptor to hunt for unauthorized remote management software or persistence mechanisms often left behind by third-party support technicians.

VQL — Velociraptor
-- Hunt for installed remote support software
SELECT Name, Publisher, InstallDate, VersionString
FROM Software()
WHERE Name =~ 'AnyDesk' OR Name =~ 'TeamViewer' OR Name =~ 'Splashtop' 
   OR Name =~ 'LogMeIn' OR Name =~ 'GoToAssist'

-- Hunt for persistence via services that might be related to vendor tools
SELECT Name, DisplayName, ImagePath, StartType, ServiceType
FROM services()
WHERE DisplayName =~ 'remote' OR DisplayName =~ 'support' OR DisplayName =~ 'connect'
   AND NOT ImagePath =~ 'C:\\Windows\\System32\\'

Remediation

To close the gaps in your security posture regarding third-party risk, implement the following remediation steps:

  1. Implement Vendor Tiering: Classify vendors based on the data they access and their criticality. Tier 1 vendors (critical access) require quarterly risk assessments and continuous monitoring.
  2. Enforce Least Privilege (JIT): Use Just-In-Time (JIT) access for vendors. Instead of standing accounts with always-on privileges, grant access only for the duration of a specific support ticket or task. Automatically revoke access when the task is complete.
  3. Network Segmentation: Place all third-party connections into a dedicated VLAN or isolated network segment. Do not allow vendor VPNs or RDP sessions to connect directly to the core internal network; force them through a jump host with session recording and monitoring.
  4. Shadow IT Discovery: Deploy CASB (Cloud Access Security Broker) solutions to discover and monitor unsanctioned SaaS applications. Block connections to high-risk, consumer-grade storage sites that are not approved for corporate data.
  5. Patch Management for Third-Party Software: Ensure that all software installed by vendors is subject to your internal patch management policies. Do not allow vendors to self-update software outside of your change management windows.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub

penetration-testingred-teamoffensive-securityexploitthird-party-risksupply-chainvendor-managementsoc-mdr

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action