How to use NIST SP 800-61 guide to be better prepared for third-party risk

How can the NIST SP 800-61 guide be used for third-party risk?

As your business grows, so does its third-party ecosystem, and with that growth comes greater responsibility: stronger cybersecurity measures and better protection against cyberattacks. Keeping your organisation’s cyber defences at an optimal level is paramount for protecting against technology outages, credential and data exposures, denial-of-service attacks, ransomware and other threats. Here we look at the NIST SP 800-61 guide, explain what it is and show how you can use it to mitigate third-party risk.

The number of cyberattacks against organisations of all sizes is increasing around the globe. They affect not only your business but also your suppliers and service providers, and an incident at a supplier can have a devastating and long-lasting effect on your reputation and profit margin. To help organisations respond, the National Institute of Standards and Technology (NIST) publishes practical incident handling guidance, NIST SP 800-61. It is written for an organisation’s own incidents, but it applies just as well to incidents that originate with, or spread to, its third-party vendors. Let’s take a closer look.

Using the NIST SP 800-61 incident handling guide as a third-party risk management framework 

The NIST Computer Security Incident Handling Guide, Special Publication 800-61 Revision 2, describes four phases of the incident response life cycle (preparation; detection and analysis; containment, eradication and recovery; and post-incident activity) that internal or external security teams should build into their incident handling programmes. Let’s take a closer look at each phase and how third-party risk management fits within it: 

Preparation

  1. Communication plans 

Devise internal communication plans, contact lists and escalation procedures, and establish the same for key third-party vendors, including named contacts and escalation paths on the vendor’s side. 

  1. Technology 

Ensure response teams always have access to the hardware and software needed for incident analysis, for example forensic workstations, packet capture and protocol analysis tools, and blank removable media for evidence. 

  1. Documentation 

Document the resources used in incident analysis, including port lists, baselines of expected network, system and application activity, network diagrams, and documentation for the operating systems, applications and protocols in use. 

  1. Facilities 

Provide secure storage facilities for evidence and a dedicated war room for the response team. 

  1. Prevention 

Deploy network, host and malware security controls. Carry out both internal and third-party risk assessments, and ensure your business has a security awareness training programme in place. 

Detection and analysis 

  1. Attack vectors 

Consider all the pathways attackers can take to reach your organisation (e.g. phishing and other email-borne attacks, web application attacks, impersonation, lost or stolen equipment, removable media and improper use by insiders). Map all your relationships and connections to third and fourth parties as well, since a vendor’s remote access, shared credentials or data feed is an attack vector in its own right.  

  1. Signs of an incident 

Watch for both precursors (signs that an incident may occur in the future, such as vulnerability scanner activity in web server logs or a newly published exploit for a product you run) and indicators (signs that an incident may have occurred or be occurring now, such as repeated failed logins from an unfamiliar remote system or an antivirus alert). Third-party risk monitoring services are useful here for analysing private and public sources of threat intelligence about your vendors. 

  1. Incident analysis 

Determine whether an incident has actually occurred by checking whether the precursors and indicators are genuine; many turn out to be false positives. NIST SP 800-61 offers a number of recommendations for making analysis easier and more effective, such as profiling networks and systems, understanding normal behaviour, keeping all host clocks synchronised and correlating events across sources. 

  1. Incident documentation 

Use an issue tracking system to record the important details of each incident (status, summary, indicators, actions taken, evidence gathered and contacts). Ensure your third-party risk management platform includes document management capabilities so that vendor incidents can be tracked in the same way. 

  1. Incident prioritisation 

NIST suggests prioritising incidents based on their functional impact (on business operations), information impact (on the confidentiality, integrity and availability of data) and recoverability (the time and resources needed to recover). Tiering your suppliers and vendors for assessment and monitoring on the front end helps here, because a vendor’s tier tells you quickly how much functional and information impact an incident at that vendor is likely to have. 
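As an added illustration of the precursor and indicator distinction under “Signs of an incident” above (example code written for this article’s topic, not taken from NIST or from RiskXchange), the Python script below runs simple detection logic over constructed log lines and attributes each finding to a third party where a vendor account is involved. The log format, the `vendor-acme` account, the `Acme Support Ltd` register entry, the IP ranges and the failed-login threshold are all assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log in a simplified syslog-like format (not from any real
# system). A scanner probes the web gateway, then a third-party support account
# logs in after repeated failures from an address the vendor does not normally use.
SAMPLE_LOG = """\
2024-03-01T09:00:01 gw01 httpd: GET /admin/ 404 ua="Nikto/2.1.6" src=203.0.113.7
2024-03-01T09:00:02 gw01 httpd: GET /.env 404 ua="Nikto/2.1.6" src=203.0.113.7
2024-03-01T09:10:05 vpn01 sshd: FAILED user=vendor-acme src=203.0.113.50
2024-03-01T09:10:07 vpn01 sshd: FAILED user=vendor-acme src=203.0.113.50
2024-03-01T09:10:09 vpn01 sshd: FAILED user=vendor-acme src=203.0.113.50
2024-03-01T09:10:11 vpn01 sshd: FAILED user=vendor-acme src=203.0.113.50
2024-03-01T09:10:13 vpn01 sshd: FAILED user=vendor-acme src=203.0.113.50
2024-03-01T09:10:20 vpn01 sshd: ACCEPTED user=vendor-acme src=203.0.113.50
2024-03-01T09:30:00 ws17 sshd: ACCEPTED user=jdoe src=10.0.4.12
2024-03-01T09:45:00 vpn01 sshd: ACCEPTED user=vendor-acme src=198.51.100.22
"""

# Hypothetical third-party account register: account -> (vendor name, source
# ranges the vendor is contractually expected to connect from).
VENDOR_ACCOUNTS = {
    "vendor-acme": ("Acme Support Ltd", [ipaddress.ip_network("198.51.100.0/24")]),
}

SCANNER_UA = re.compile(r"nikto|nessus|sqlmap|nmap", re.IGNORECASE)
WEB_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) httpd: .* ua="(?P<ua>[^"]*)" src=(?P<src>\S+)$')
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>FAILED|ACCEPTED) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
FAILED_THRESHOLD = 5  # assumed value; tune to the environment


@dataclass(frozen=True)
class Finding:
    kind: str     # "precursor" (incident may occur) or "indicator" (may have occurred)
    subject: str  # source address or account the finding is about
    vendor: str   # third party the subject belongs to, or "" if internal/unknown
    reason: str


def analyse(log_text: str) -> list[Finding]:
    """Classify log lines into NIST SP 800-61 precursors and indicators."""
    findings: list[Finding] = []
    failed: dict[tuple[str, str], int] = defaultdict(int)
    scanners_seen: set[tuple[str, str]] = set()

    for line in log_text.splitlines():
        m = WEB_RE.match(line)
        if m:
            # Vulnerability scanner activity is NIST's textbook precursor;
            # report each (source, host) pair once rather than per request.
            key = (m["src"], m["host"])
            if SCANNER_UA.search(m["ua"]) and key not in scanners_seen:
                scanners_seen.add(key)
                findings.append(Finding("precursor", m["src"], "",
                                        f"vulnerability scanner user-agent {m['ua']!r} against {m['host']}"))
            continue

        m = AUTH_RE.match(line)
        if not m:
            continue  # unknown line shape; a production parser would count these
        user, src, result = m["user"], m["src"], m["result"]
        vendor, ranges = VENDOR_ACCOUNTS.get(user, ("", []))

        if result == "FAILED":
            failed[(user, src)] += 1
            continue

        # ACCEPTED: a success after a burst of failures is an indicator.
        n_failed = failed.pop((user, src), 0)
        if n_failed >= FAILED_THRESHOLD:
            findings.append(Finding("indicator", user, vendor,
                                    f"successful login after {n_failed} failures from {src}"))
        # A third-party account used from outside its contracted ranges is an
        # indicator in its own right, even without any failed attempts.
        if vendor and not any(ipaddress.ip_address(src) in net for net in ranges):
            findings.append(Finding("indicator", user, vendor,
                                    f"login from {src}, outside {vendor}'s contracted ranges"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.kind:9} {f.subject:14} {f.vendor or '-':18} {f.reason}")
```

Running it prints one precursor (the scanner) and two indicators for the vendor account. In practice the account register would come from your third-party risk management platform and the contracted source ranges from the vendor contract, which is exactly the kind of information worth capturing during the Preparation phase.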

Containment, eradication, and recovery 

  1. Containment 

Containing an incident and limiting its impact is the first priority once an incident has been confirmed. Containment can include blocking network traffic, suspending a compromised user account, redirecting attackers to a sandbox, quarantining systems and similar actions. Choosing a containment strategy means weighing potential damage to and theft of resources, the need for evidence preservation, service availability, the time and resources required, the effectiveness of the strategy and how long the solution must hold. NIST cautions that letting an attacker continue, even in a sandbox, is dangerous and should not be done without legal advice, because the compromised system may be used to attack others. Where a third party’s connection or account is the entry point, containment may also mean cutting that connection, so agree in advance with the vendor how that will be done and communicated. 

  1. Evidence gathering 

Evidence gathering is necessary both for resolving the incident and for any legal proceedings that may follow. Involve legal counsel early, and follow documented evidence handling and chain-of-custody procedures so that the evidence remains admissible in court. Where relevant evidence sits with a third party, make sure the contract obliges the vendor to preserve and hand over logs and images. 

  1. Identifying attackers 

Identifying the attacking host can help, but NIST warns that it is often time-consuming and futile, and that incident handlers should stay focused on containment, eradication and recovery. Where it is worthwhile, the usual methods are validating the attacker’s IP address (bearing in mind that addresses may be spoofed or shared), researching the address through search engines and incident databases, and monitoring possible attacker communication channels. Third-party cyber risk monitoring can add context, for example by showing whether the same source has been seen attacking your vendors. 

  1. Eradication and recovery 

Eradication removes the components of the incident from affected systems and networks: deleting malware, disabling breached accounts and fixing every vulnerability that was exploited, on every affected host. Recovery restores systems to normal operation, for example by rebuilding from clean images or trusted backups, replacing compromised files and credentials, tightening controls and monitoring closely afterwards. Both limit further damage, but eradication must be complete before recovery begins, otherwise the attacker simply returns. Where a third party’s systems were involved, confirm that the vendor has eradicated the threat on its side before restoring the connection. 

Post-incident activity 

  1. Identifying lessons learned 

Review each significant incident in a lessons-learned meeting to understand what happened and what could be done better. The resulting reports can be used for internal training and for updating operational procedures, including the procedures you share with vendors. 

  1. Leveraging incident data 

Incident data can be used to justify additional investment and, most importantly, to identify systemic security weaknesses, for example a vendor or category of vendor that keeps turning up in incident records.  

  1. Creating an evidence retention policy 

Finally, create an evidence retention policy that takes into account the likelihood of prosecution (evidence may need to be kept until legal action is complete), broader data retention requirements and the cost of storage. A third-party risk management platform can also help tag, catalogue and store documentation and evidence related to third parties. 

Accounting for third parties 

When bringing third-party vendors and suppliers into your incident handling planning, establish whether any third-party organisations are connected to your network and could therefore be a source of malware or a path for an attacker’s lateral movement. Consider, too, whether any third parties store your data and whether your organisation would be affected if a ransomware infection encrypted or exposed their data stores. If either applies, third-party risk needs to be an explicit part of your incident handling process. 
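To make the dependency question concrete, here is an added Python example (not from the original article or from RiskXchange) that models a small map of internal functions, third parties and the fourth parties behind them, then answers two questions: what stops working if a given provider is hit, and which providers are single points of failure. All names in it (`PayCo`, `AuthCo`, `CloudRegion-A` and so on) and the data-holding records are hypothetical.

```python
from collections import defaultdict, deque

# Constructed dependency map with hypothetical names. A key depends on every
# entry in its list. Internal business functions depend on third parties, and
# third parties in turn depend on fourth parties (their own providers).
DEPENDS_ON = {
    "payroll":         ["PayCo"],
    "customer-portal": ["WebHostCo", "AuthCo"],
    "invoicing":       ["PayCo", "AuthCo"],
    "PayCo":           ["CloudRegion-A"],
    "WebHostCo":       ["CloudRegion-A", "CDNCo"],
    "AuthCo":          ["CloudRegion-B"],
}
INTERNAL = {"payroll", "customer-portal", "invoicing"}

# Hypothetical record of which third parties hold copies of our data.
HOLDS_OUR_DATA = {
    "PayCo": ["employee PII"],
    "AuthCo": ["customer identities"],
}

# Reverse edges: provider -> set of nodes that depend on it directly.
_DEPENDENTS: dict[str, set[str]] = defaultdict(set)
for _node, _providers in DEPENDS_ON.items():
    for _p in _providers:
        _DEPENDENTS[_p].add(_node)
_KNOWN = set(DEPENDS_ON) | set(_DEPENDENTS)


def transitive_dependents(party: str) -> set[str]:
    """Everything affected, directly or through a chain of providers, if
    `party` suffers an outage or compromise (breadth-first walk over the
    reversed dependency graph)."""
    if party not in _KNOWN:
        raise ValueError(f"unknown party: {party}")
    seen: set[str] = set()
    queue = deque([party])
    while queue:
        current = queue.popleft()
        for dependent in _DEPENDENTS.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def blast_radius(party: str) -> dict:
    """Summarise the impact of losing `party`: which internal functions stop,
    which third parties are in the chain, and whose copies of our data are
    exposed (the party itself included, which is the ransomware case)."""
    affected = transitive_dependents(party)
    chain = sorted((affected - INTERNAL) | {party})
    return {
        "functions": sorted(affected & INTERNAL),
        "third_parties": sorted(affected - INTERNAL),
        "data_at_risk": {p: HOLDS_OUR_DATA[p] for p in chain if p in HOLDS_OUR_DATA},
    }


def concentration_risk(min_functions: int = 2) -> list[tuple[str, int]]:
    """Providers (third or fourth party) whose failure would take down at
    least `min_functions` internal functions, most critical first."""
    counts = {p: len(transitive_dependents(p) & INTERNAL) for p in _KNOWN - INTERNAL}
    hits = [(p, n) for p, n in counts.items() if n >= min_functions]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print(blast_radius("CloudRegion-A"))
    print(concentration_risk())
```

For the constructed map, losing `CloudRegion-A`, a fourth party that appears in none of your own contracts, stops all three internal functions. That is the kind of hidden concentration that only shows up once fourth-party relationships are mapped, and it is the input you need when prioritising a vendor incident by functional impact.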

It’s also important to include questions about incident handling processes (detection capability, notification timelines and contacts) in your third-party risk assessments. Accompanying periodic assessments with continuous monitoring will also help you identify third-party incidents or exposures before they affect your business.  

Get in touch with RiskXchange to find out more. 

How RiskXchange can help  

RiskXchange is one of the firms leading the fight against cybercrime, developing novel solutions to the everyday problems that attackers cause. 

With full visibility over your ecosystem’s entire attack surface in near real time, you can continuously monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.   

About RiskXchange 

RiskXchange provides a powerful AI-assisted, yet simple automated and centralised 360-degree cybersecurity risk rating management approach. We generate objective and quantitative reporting on a company’s cyber security risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world.  

RiskXchange is an information security technology company, which helps companies of all sizes fight the threat of cyberattack by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.