Managed service providers are essential in the world of small businesses, delivering service to companies that can’t hire dedicated staff and equipping them with world-class technology. Unfortunately, some MSPs may inadvertently become the route cybercriminals use to reach their customers’ networks. By means as ordinary as phishing, MSPs are often unwittingly handing cybercriminals an easy path into their own networks, opening the door to data breaches that cause expensive disruption for their customers and irreparable damage to their own business. One example of how easily this can happen: one of Continuum’s MSP partners was hit, most likely by a phishing campaign that stole its credentials. The stolen credentials were then used to disable antivirus and “run scripts to deploy ransomware at several end clients.”
In that incident, the company quickly removed access to scripts or tasks capable of uninstalling antivirus or endpoint protection, and limited the ability to create new custom scripts or tasks. A fast response was certainly the right thing to do, but the bigger question for MSPs is: how do you ensure this doesn’t happen in the first place?
Common Attack Methods
Apart from the obvious damage to goodwill on both sides, these disruptions are costly, and many of them can be avoided, or at least remediated faster when attacks do occur. MSPs should take heed that the most frequently observed points of entry are phishing, the use of stolen credentials and other social engineering techniques. Once inside, attackers commonly extend their access through backdoors or compromised web applications.
Because users are the weakest link in the attack chain, phishing is a reliable way to gain a foothold on a system. MSPs, like all enterprises, need to be hypervigilant about phishing and other common user mistakes. According to The Guardian, the average office worker receives approximately 120 emails per day. Enterprises themselves contribute to the problem: their internal communications are often overloaded with text and push employees to click through to take an action. On a busy day an employee will respond reflexively to “Action Required”, and that same reflex carries over to malicious emails.
Another common attack vector is stolen credentials, seen in several high-profile MSP data breaches. “Stolen” is something of a misnomer, though; “mishandled” is usually closer to the truth. Setting aside credentials obtained through social engineering or phishing, companies frequently lose control of credentials by leaving old or unnecessary accounts active, failing to monitor for public exposure of accounts, failing to force resets after third-party breaches that may affect their employees, or failing to enforce modern password policies. In short, by failing to pay attention.
If any account with exposed credentials is also over-privileged, a significant breach is almost guaranteed, and the consequences of poor credential handling can be severe. It was reported last year that an MSP had to pay more than $150,000 to recover data after a ransomware attack. The attackers used the MSP’s RMM (remote monitoring and management) software and a cybersecurity management dashboard to get into its systems, and then hit its customers with ransomware as well. MSPs take note: this expensive attack succeeded through the misuse of valid, stolen credentials, not through a technical exploit of the software itself.
MSPs are a popular intermediate target for an assortment of advanced persistent threat (APT) groups, particularly financially motivated ones: compromising the provider is a route to its customers. Rather than focusing on any new or novel attack, MSPs should evaluate their overall security stance and set about improving their security posture. Unpatched systems, out-of-date asset inventories, the cybersecurity “skills shortage” and a lack of proper security infrastructure all contribute to MSP vulnerability, whatever the type of attack.
MSPs need to be prepared for a wide variety of threats; malware is just one facet of a much larger threat landscape. The 2019 Verizon DBIR reports that only 28 percent of observed data breaches involved malware. Malware still plays a significant role once attackers are inside, but the numbers suggest that the majority of public breaches are not driven by zero-day exploits or outlandishly complex intrusion paths. If MSPs can close the common entry points, phishing and compromised credentials, they remove the routes behind most observed breaches and can give their customers a correspondingly stronger assurance.
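The credential-hygiene failures listed above (stale accounts left active, credentials exposed in public dumps, passwords never reset after a third-party breach, privileged accounts without MFA) are all checkable from an account inventory. The following Python script is an added example, not code from the original article or from any vendor it names; the inventory fields, role names, thresholds and the four sample accounts are constructed assumptions, and a real MSP would export the inventory from its directory and RMM platform.

```python
"""Credential hygiene review over an account inventory.

Added example, not from the original article or any vendor it names.
The inventory fields, thresholds and sample accounts below are
constructed assumptions; in practice the inventory would be exported
from the MSP's directory and RMM platform.
"""
from datetime import date, timedelta

# Review date and policy thresholds (assumed values).
TODAY = date(2019, 10, 1)
STALE_AFTER = timedelta(days=90)      # no sign-in for 90 days: account is stale
ROTATE_AFTER = timedelta(days=365)    # password older than a year
# Date of a third-party breach known to have affected staff (constructed).
SECONDARY_BREACH = date(2019, 6, 15)
# Roles that can reach customer endpoints or change tooling (assumed names).
PRIVILEGED_ROLES = {"domain_admin", "rmm_admin", "script_author"}

# Constructed sample inventory: one record per account.
ACCOUNTS = [
    {"user": "j.doe", "roles": {"rmm_admin"}, "mfa": True, "enabled": True,
     "last_login": date(2019, 9, 30), "pw_set": date(2019, 7, 1), "in_public_dump": False},
    {"user": "old.contractor", "roles": {"script_author"}, "mfa": False, "enabled": True,
     "last_login": date(2019, 2, 1), "pw_set": date(2018, 1, 10), "in_public_dump": True},
    {"user": "svc-backup", "roles": {"domain_admin"}, "mfa": False, "enabled": True,
     "last_login": date(2019, 9, 29), "pw_set": date(2017, 5, 5), "in_public_dump": False},
    {"user": "helpdesk1", "roles": set(), "mfa": True, "enabled": True,
     "last_login": date(2019, 9, 28), "pw_set": date(2019, 8, 1), "in_public_dump": False},
]

SEVERITY = {"high": 3, "medium": 2, "low": 1}


def review_account(acct, today=TODAY):
    """Return a list of (severity, finding) tuples for one account."""
    findings = []
    if not acct["enabled"]:
        return findings                   # disabled accounts are out of scope here
    privileged = bool(acct["roles"] & PRIVILEGED_ROLES)
    idle = (today - acct["last_login"]).days
    if idle > STALE_AFTER.days:
        findings.append(("medium", "stale: no sign-in for %d days" % idle))
    if privileged and not acct["mfa"]:
        findings.append(("high", "privileged account without MFA"))
    if acct["in_public_dump"]:
        # An exposed credential must be reset regardless of its age;
        # exposed plus privileged is the combination the article warns about.
        sev = "high" if privileged else "medium"
        findings.append((sev, "credential appears in a public dump"))
    if acct["pw_set"] < SECONDARY_BREACH:
        findings.append(("medium", "password not reset since the known secondary breach"))
    elif today - acct["pw_set"] > ROTATE_AFTER:
        findings.append(("low", "password older than the rotation threshold"))
    return findings


def review_inventory(accounts, today=TODAY):
    """Run the review over every account; map user -> findings, clean accounts omitted."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report


def highest_severity(report):
    """Worst severity present in a report, or 'none' if the report is empty."""
    worst = max((SEVERITY[sev] for fs in report.values() for sev, _ in fs), default=0)
    return {v: k for k, v in SEVERITY.items()}.get(worst, "none")


if __name__ == "__main__":
    report = review_inventory(ACCOUNTS)
    for user, findings in report.items():
        for sev, text in findings:
            print(f"{sev:<6} {user}: {text}")
    print("overall:", highest_severity(report))
```

On the sample data the review is quiet for the two well-kept accounts and produces findings only for the forgotten contractor (stale, exposed, privileged, no MFA) and the long-lived service account (privileged, no MFA, password untouched since before the breach), which is the shape of report a periodic privilege review should produce.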
To stay ahead of cybercriminals, MSPs should take these three important security steps:
- Pay close attention to credentials. Credential management that includes monitoring for external exposure of accounts, timely access control (removing access as soon as it is no longer needed) and periodic privilege review doesn’t simply protect against catastrophic breaches; it protects against a host of attacks at every point on the technical sophistication spectrum.
- Employ anti-phishing best practices. Designing internal communications so that they don’t train staff to click reflexively not only reduces the chance of employees leaking critical data, but also makes corporate communications more efficient, keeps employees safer and ideally reduces their overall email load.
- Document and log security actions. Appropriate logging with timely human review not only cuts the time to breach discovery, but also supports the detailed risk analysis that makes for lean and effective security budgets in the future.
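The incident described at the top of the page (antivirus disabled, then scripts deployed to several end clients) is exactly the kind of pattern that logging with timely review can surface. The following Python script is an added example, not part of the original article or of any RMM product: it parses a constructed RMM audit log in an assumed timestamp-plus-key=value format and flags two patterns, task commands that tamper with endpoint protection, and a newly created script pushed to several client sites within a short window. The action names, detection patterns, thresholds and sample log lines are all assumptions made for the example.

```python
"""Review of an RMM audit log for the pattern seen in the incident above:
endpoint protection disabled, then a fresh script pushed to several clients.

Added example, not from the original article or any RMM product. The
log format (ISO timestamp followed by key=value pairs), action names,
detection patterns, thresholds and sample lines are all constructed
assumptions.
"""
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Commands that disable or remove endpoint protection (illustrative patterns).
AV_TAMPER_PATTERNS = [
    re.compile(r"DisableRealtimeMonitoring", re.I),
    re.compile(r"\buninstall\b.*\b(antivirus|endpoint|defender)\b", re.I),
    re.compile(r"\b(sc|net)\s+stop\b", re.I),
]
MASS_DEPLOY_CLIENTS = 3                     # distinct client sites ...
MASS_DEPLOY_WINDOW = timedelta(minutes=30)  # ... reached within this window

# Constructed sample log: a normal day of patch checks, then the attack pattern.
SAMPLE_LOG = """
2019-06-02T09:00:00Z user=a.smith action=login src=198.51.100.10
2019-06-02T09:05:12Z user=a.smith action=run_task client=site-A script=patch-check.ps1 cmd="Get-HotFix"
2019-06-02T10:30:00Z user=a.smith action=run_task client=site-B script=patch-check.ps1 cmd="Get-HotFix"
2019-06-02T14:00:00Z user=a.smith action=run_task client=site-C script=patch-check.ps1 cmd="Get-HotFix"
2019-06-03T03:14:05Z user=j.doe action=login src=203.0.113.7
2019-06-03T03:16:40Z user=j.doe action=create_script name=cleanup.ps1
2019-06-03T03:17:02Z user=j.doe action=run_task client=site-A cmd="Set-MpPreference -DisableRealtimeMonitoring $true"
2019-06-03T03:17:09Z user=j.doe action=run_task client=site-B cmd="Set-MpPreference -DisableRealtimeMonitoring $true"
2019-06-03T03:20:11Z user=j.doe action=run_task client=site-A script=cleanup.ps1 cmd="powershell -File cleanup.ps1"
2019-06-03T03:20:15Z user=j.doe action=run_task client=site-B script=cleanup.ps1 cmd="powershell -File cleanup.ps1"
2019-06-03T03:20:22Z user=j.doe action=run_task client=site-C script=cleanup.ps1 cmd="powershell -File cleanup.ps1"
"""


def parse_line(line):
    """Turn one log line into a dict; quoted values may contain spaces."""
    ts, _, rest = line.partition(" ")
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(events):
    """Return a list of alert dicts for the two patterns described above."""
    alerts = []
    created = {}                 # (user, script name) -> creation time
    runs = defaultdict(list)     # (user, script name) -> [(time, client)]
    for ev in events:
        action = ev.get("action")
        if action == "create_script":
            created[(ev["user"], ev["name"])] = ev["ts"]
        elif action == "run_task":
            cmd = ev.get("cmd", "")
            if any(p.search(cmd) for p in AV_TAMPER_PATTERNS):
                alerts.append({"rule": "av_tamper", "user": ev["user"],
                               "detail": f"{ev['client']}: {cmd}"})
            if "script" in ev:
                runs[(ev["user"], ev["script"])].append((ev["ts"], ev["client"]))
    for (user, script), hits in runs.items():
        times = [t for t, _ in hits]
        clients = {c for _, c in hits}
        span = max(times) - min(times)
        # Three sites over five hours is routine work; three sites in eleven seconds is not.
        if len(clients) >= MASS_DEPLOY_CLIENTS and span <= MASS_DEPLOY_WINDOW:
            detail = f"{script} pushed to {len(clients)} clients in {int(span.total_seconds())}s"
            if (user, script) in created:
                age = min(times) - created[(user, script)]
                detail += f", script created {int(age.total_seconds() // 60)} min earlier"
            alerts.append({"rule": "mass_deploy", "user": user, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"[{alert['rule']}] {alert['user']}: {alert['detail']}")
```

The time window is what separates the routine operator, who ran the same patch check at three sites over a working day, from the compromised account, which created a script and pushed it to three sites within seconds right after turning off real-time protection. The thresholds are deliberately simple; the point is that the log already contains the evidence, and somebody has to be reading it.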
Cover all the Bases
The relationship between all of these security behaviors and observed MSP data breaches suggests that more attention to industry best practices is needed to eliminate or sharply diminish breach risk. Security starts at home, and adherence to security norms that have been well defined for years can go a long way toward preventing big breaches.
But buyer beware. Not all security solutions for MSPs stand up to the stringent demands of supporting customers well. Be sure that you are confident in the security intelligence your vendors supply, and that you understand the methodology needed to apply it. The best solutions deliver well-targeted protection that is timely, accurate and relevant, and that is tailored to the needs of each of your customers. Remember, the best metric for evaluating your security performance is the one generated by your own team and measured against a mature risk tolerance model. Be sure that your security vendors back their solutions with a strong, ongoing communications cadence with your own security team, so that you can best ensure your customers’ security requirements are met.
Done well, robust security is neither expensive, nor a luxury. It is a business requirement, and something that all MSPs, and their customers, need to succeed.