Targeting of MSPs Shows Increasing Stakes of Cyber Warfare
MSPs are coming under attack. The attacks were first reported by the Australian government and now we are getting warnings from the United States.
According to the National Cybersecurity and Communications Integration Center (NCCIC), there are ongoing attempts to infiltrate the networks of global managed service providers (MSPs). Since May 2016, advanced persistent threat (APT) actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
What should we make of these reports, and how can we as MSPs defend ourselves against future attacks?
Recognize the New Role of MSPs in Today's Society
The role of MSPs has undeniably changed. Gone are the days when MSPs were new business models being practiced by dying VARs and break/fix companies. If the U.S. government acknowledges the dominant role MSPs have today, I think we can safely say MSPs have arrived.
The NCCIC says the following about MSPs: "The number of organizations using MSPs has grown significantly over recent years because MSPs allow their customers to scale and support their network environments at a lower cost than financing these resources internally. MSPs generally have direct and unfettered access to their customers’ networks and may store customer data on their own internal infrastructure. By servicing a large number of customers, MSPs can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk."
MSP Attack Vectors
Knowing where you may be vulnerable to attack is half the battle. According to the NCCIC, "APT actors use a range of 'living off the land' techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials and trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks."
Simply put, MSPs need to pay close attention to their remote access practices. This includes:
- Hardening remote access policies
- Effective on-boarding techniques for MSP users
- Internal audit/review practices
- Developing effective internally focused security monitoring, i.e., SIEM
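The last two items together describe the kind of check an internal SIEM should run: because "living off the land" attackers use legitimate MSP credentials, the signal is not malware but an MSP account used from the wrong place or at the wrong time. The script below is an added example, not code from this post or from the NCCIC alert; the log format, the `msp-` account prefix, the jump-host range and the change window are all constructed assumptions.

```python
"""Flag interactive logons by MSP accounts that break remote-access policy.

Constructed log format (assumed): "timestamp,user,source_ip,logon_type,host",
loosely modelled on a Windows 4624 event. Assumed policy: MSP accounts
(prefix 'msp-') may only log on interactively (console=2, RDP=10) from the
MSP jump-host network and only during the agreed change window.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

MSP_PREFIX = "msp-"                          # hypothetical naming convention
JUMP_HOSTS = [ip_network("10.50.0.0/24")]    # hypothetical MSP jump-host range
CHANGE_WINDOW = (22, 6)                      # 22:00 to 06:00, wraps midnight
INTERACTIVE_TYPES = {"2", "10"}              # console and RDP logon types

# Constructed sample records; one compliant, one fully off-policy, etc.
SAMPLE_LOG = """\
2018-10-03T23:15:02,msp-tech01,10.50.0.12,10,FILESRV01
2018-10-04T13:42:10,msp-tech01,203.0.113.7,10,DC01
2018-10-04T02:05:44,msp-backup,10.50.0.9,5,FILESRV01
2018-10-04T10:10:00,jsmith,10.20.1.33,2,WS-0422
2018-10-04T03:30:00,msp-tech02,10.20.1.40,10,DC01
"""

def in_window(ts, start, end):
    """True if ts.hour lies in [start, end), allowing the window to wrap midnight."""
    h = ts.hour
    if start > end:
        return h >= start or h < end
    return start <= h < end

def find_anomalies(log_text):
    """Return (user, host, source_ip, reasons) for each off-policy MSP logon."""
    findings = []
    for line in log_text.splitlines():
        ts, user, src, ltype, host = line.split(",")
        # Service/batch logons and non-MSP users are out of scope for this rule
        if not user.startswith(MSP_PREFIX) or ltype not in INTERACTIVE_TYPES:
            continue
        when, ip = datetime.fromisoformat(ts), ip_address(src)
        reasons = []
        if not any(ip in net for net in JUMP_HOSTS):
            reasons.append("source not an MSP jump host")
        if not in_window(when, *CHANGE_WINDOW):
            reasons.append("outside change window")
        if reasons:
            findings.append((user, host, src, "; ".join(reasons)))
    return findings
```

Running `find_anomalies(SAMPLE_LOG)` flags the midday RDP session from an external address and the night-time session from a workstation outside the jump-host range, while the compliant logon and the service-account logon pass.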
More details about prevention, and about how to respond if you suspect your MSP was attacked, can be found in the NCCIC bulletin.
The bulletin does not advise against using an MSP. Instead, it acknowledges the legitimate role MSPs play in helping their clients manage IT, and it goes on to state that many end-user organizations don't fully utilize an MSP's services, suggesting that the client, not the MSP, is ultimately responsible for securing and managing the network.
In any case, MSPs need to be aware of these new threats and be prepared to have conversations with clients about how to respond to them. We have entered a brave new world of managed services.