Numerous companies, ranging from small to medium-sized companies to critical infrastructure industries, are relying on Managed Service Providers (MSPs) to monitor, manage, and protect their data. A joint cybersecurity advisory was published by the Five Eyes Intelligence Alliance in May warning MSPs about their role in growing supply chain attacks.
Cybersecurity and law enforcement agencies in the United States, United Kingdom, Canada, Australia, and New Zealand explained that MSPs have become the targets of growing cyber threats, including supply chain attacks, ransomware, and nation-state cyber espionage campaigns. There are key actions MSPs need to take to strengthen their defenses and protect themselves and their clients from increasingly sophisticated cyberattacks.
During the late 1990s dot-com era, MSPs emerged as internet service providers (ISPs) offering their clients firewall appliances along with the operational services that later gave rise to the managed security services concept. Eventually, MSPs expanded into full security service providers assisting global companies. Small to medium-sized companies that need assistance in strengthening their cybersecurity posture have turned to MSPs for cost-effective, scalable solutions and skilled protection. In today’s ever-changing landscape, cybersecurity is becoming a requirement for companies. Legacy technologies, including anti-virus and anti-malware, can no longer protect against modern threat actors who don’t discriminate based on target size.
Building a strong cybersecurity defense with minimal resources can be difficult. What makes MSPs an attractive target for modern threat actors? Advanced Persistent Threat (APT) groups have targeted MSPs’ provider-client network access. MSPs’ clients rely on their providers to store data, manage communication platforms, and support their IT infrastructure. Because MSPs have access to all of their clients’ networks, threat actors consider MSP companies a single entry point to multiple targets, extending their attacks not only to MSPs’ clients but to their clients’ clients.
MSPs offer their clients continuous security monitoring and management services. Numerous MSPs provide subscription-based service models, allowing them to adapt to support each client’s individual needs. Many companies prefer to engage with MSPs to supplement the capabilities of their in-house IT teams, while others want assistance in obtaining 24/7/365 coverage, and others depend on access to cybersecurity experts to help them maintain and manage all areas of their cyber ecosystem.
MSPs require their clients to grant them privileged access to networks and trusted connectivity to provide their services. Keeping this in mind, threat actors target vulnerable MSPs instead of directly targeting each MSP’s clients. Following a successful breach, threat actors can perform cyber espionage on MSPs and their clients to prepare for future operations, including ransomware attacks and double extortion.
Cybercriminals are frequently opportunistic, seeking the path of least resistance to access profitable targets. Cyberattacks on MSP companies are becoming more common as cybercriminals are using MSPs’ intimate level of access to clients’ networks as an initial vector. When vulnerable service providers are compromised, all downstream clients are instantly at risk of attack. A supply chain attack’s defining risk is the cascading effect on numerous target victims’ networks. Supply chain attacks will remain popular among threat operators due to the promise of greater rewards for less work. In recent years, supply chain attacks have become increasingly common and made news by targeting global critical infrastructure sectors.
In addition to the U.S. President’s Executive Order on improving the nation’s cybersecurity, the White House recently provided guidelines on bolstering cybersecurity protections against supply chain attacks. Following the Executive Order, the National Institute of Standards and Technology (NIST) released guidance outlining important security controls and practices for MSPs to adopt.
With supply chain attacks projected to continue, companies depending on MSPs need to ensure that their providers have strategic measures in place to reduce the risks. MSPs are legally expected to ensure their security architecture, governance, and capabilities are up to industry standards, and they need to re-evaluate their cybersecurity strategy and processes on a regular basis, ensuring that they can fulfill the recommended cybersecurity measures and controls listed below.
- Prevent Initial Compromise & Targeted Attacks – To prevent compromises, MSPs need to harden vulnerable devices and remote access tools, including VPNs (virtual private networks). Vulnerability scanning is critical to this prevention, since it helps MSPs protect their data while using day-to-day software and web-facing applications. When MSPs harden their internet-facing Remote Desktop Protocol (RDP) services, targeted attacks, including password spraying, brute force attacks, and phishing campaigns, can be mitigated.
- Promote Cyber Hygiene – To protect the longevity of their operations, MSPs need to follow cyber hygiene best practices, including keeping internal tools and software current. Patching needs to be done as soon as possible, especially for firewall and VPN appliances. Additionally, MSPs need to implement app-based MFA for all devices and remote monitoring and management (RMM) tools and monitor for signs of malicious behavior, including failed login attempts. Both MSPs and their clients need to exercise strict password management to defeat credential-stuffing attempts. Password management needs to include complexity, rotation, and expiration cycle requirements.
- Implement Zero Trust Models – The zero trust model is implemented to limit the exposure of a network’s most sensitive data to unnecessary access. Users are only given the level of access required to perform their tasks. To begin, zero trust architecture requires the authentication of all users and machines before need-to-know permissions can be granted. Second, zero trust entails segmenting networks to isolate each part from the rest, so that threat actors who gain a foothold cannot freely move laterally across systems.
- Execute Offboarding Procedures Properly – IT offboarding involves removing old accounts, instances, and tools that are no longer needed by the company. Accounts with shared passwords need to be deleted, and user accounts need to be revoked when employees leave or change roles. As companies perform regular audits of their network infrastructure, port scanning tools and automated system inventories can assist with the offboarding process.
- Manage Regular Backups – MSPs and their clients need to ensure they maintain redundant backup copies of all critical data and infrastructure so that systems, or any part of them, can be restored in the case of failure, loss, or compromise. Backups need to be kept in remote locations, such as the cloud or dedicated physical servers. Backups need to be kept on separate systems, encrypted, and examined on a regular basis for unusual access and data integrity. Additionally, it’s critical to ensure that the backup policy is written down and that backups are performed on a regular basis. Triple extortion ransomware adds to the chaos, with threat operators directly approaching victims’ clients or suppliers and demanding ransom. The threats include publishing victims’ sensitive information and launching distributed denial-of-service (DDoS) attacks. Even though backups are no longer sufficient to hinder ransomware attacks that exfiltrate and threaten to leak data, having regular backups ensures that companies hit by ransomware can access their data, carry out emergency communication processes, and execute an incident response plan that includes resuming affected services.
- Improve Internet of Things (IoT) Security – Even though the IoT industry has grown over the last decade with internet- and cloud-connected devices, integrating smart devices into workplaces, vehicles, and buildings can be another risk factor. Numerous security issues can plague IoT devices, including known default passwords, outdated or vulnerable firmware, and public internet-facing ports. Additionally, IoT devices are frequently left vulnerable because their restricted hardware resources are not suited to running endpoint security solutions, and these network extensions can become a potential access point for threat actors to exploit. MSPs and their clients need to implement network asset discovery to obtain visibility into connected IoT devices and block unauthorized devices.
- Have an Incident Response & Recovery Plan in Place – When a security incident occurs, having a clear, proactive plan in place can determine how well a company responds to and recovers from the attack. Incident response (IR) plans are critical for increasing cyber resilience and can help companies identify the people, processes, and technologies that require improvement. Plans need to be regularly practiced and updated to ensure they keep pace with current business requirements and newly detected cyberattack patterns.
- Establish 24/7 Autonomous Detection & Response Solutions – MSPs need to have an effective response strategy, as threat actors are continuously evolving and improving their attack methods. When it comes to security events, a quick response time can be the difference between a breach and business continuity. MSPs frequently supplement their in-house team with comprehensive detection and response solutions, ensuring the most efficient response time to protect their clients.
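As an added illustration of the monitoring called for above (not code from the original post or from SpearTip), the script below aggregates failed logins per source address to separate the two patterns the list names: a password spray (one source, many accounts, one or two tries each) and a brute force attempt (one source hammering a single account). The log format, thresholds, and sample events are constructed assumptions; real RDP gateway or SSH logs would need their own parser.

```python
import re
from collections import defaultdict

# Constructed sample events (not real data), loosely shaped like an RDP gateway
# or SSH auth log: timestamp, result, account, source address.
SAMPLE_LINES = [
    f"2024-05-01T10:00:0{i} FAILED user={u} src=203.0.113.7"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    f"2024-05-01T10:01:{i:02d} FAILED user=admin src=198.51.100.9" for i in range(8)
] + [
    "2024-05-01T10:02:00 FAILED user=alice src=192.0.2.44",   # a single typo
    "2024-05-01T10:02:30 SUCCESS user=alice src=192.0.2.44",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed thresholds; tune against the volume of the environment being monitored.
SPRAY_MIN_ACCOUNTS = 5   # one source, many distinct accounts, few tries each
BRUTE_MIN_FAILURES = 5   # one source, repeated failures on one account


def parse(lines):
    """Yield (result, user, src) tuples; lines that do not match are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["result"], m["user"], m["src"]


def classify(lines):
    """Return {src: 'password_spray' | 'brute_force'} for suspicious sources."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failed count
    for result, user, src in parse(lines):
        if result == "FAILED":
            failures[src][user] += 1
    alerts = {}
    for src, per_user in failures.items():
        if len(per_user) >= SPRAY_MIN_ACCOUNTS and max(per_user.values()) <= 2:
            alerts[src] = "password_spray"
        elif max(per_user.values()) >= BRUTE_MIN_FAILURES:
            alerts[src] = "brute_force"
    return alerts


if __name__ == "__main__":
    for src, kind in classify(SAMPLE_LINES).items():
        print(f"{src}: {kind}")
```

The single mistyped password from 192.0.2.44 produces no alert, which is the point of keying on per-source account spread and per-account repetition rather than on any failure at all.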
With the cyber threat landscape constantly changing and threat actors increasingly employing complex attack methods, MSPs provide affordable and scalable protection to meet clients’ needs. MSPs who base their security service on strong solutions, including XDR, can prevent, detect, and respond to advanced persistent threats across their clients’ entire attack surface. Global MSPs have turned to SpearTip’s ShadowSpear Platform, our integrable managed detection and response tool, to proactively resolve current threats at machine speed. Learn how MSPs partnering with SpearTip can manage risk more efficiently across user identities, endpoints, cloud workloads, IoT, and other platforms.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.