From small to medium businesses to critical infrastructure entities, more organizations are relying on MSPs to monitor, manage, and safeguard their data. In May, the Five Eyes intelligence alliance published a joint cybersecurity advisory warning MSPs about their role in growing supply chain attacks. Cybersecurity authorities and law enforcement agencies from across the United States, United Kingdom, Canada, Australia, and New Zealand reported MSPs being the targets of increased cyber threats including supply chain attacks, ransomware, and nation-state cyber espionage campaigns.
MSP organizations make up a significant portion of the collective cyber defense industry. In this post, we outline key actions that MSPs should be taking to shore up their defenses to ensure they are keeping themselves, and by extension, their customers safe from increasingly advanced cyberattacks.
MSPs | A Springboard for Malicious Cyber Threats
Managed Service Providers (MSPs) got their start during the dot-com era of the late 1990s. What began as internet service providers (ISPs) offering their clients firewall appliances and the operative services to go along with them later kickstarted the concept of managed security services. With time, MSPs evolved to full security service providers supporting organizations globally. Small to medium sized organizations needing support to build up their cybersecurity posture have turned to MSPs for affordable, scalable solutions and expert protection.
Now, cybersecurity has become a necessity for businesses operating in today’s ever-changing landscape. Legacy solutions such as anti-virus and anti-malware can no longer stave off advanced threat actors who do not discriminate based on the size of a target. For many organizations, the task of building a strong cybersecurity defense with limited resources can be daunting. This is where MSPs have come in to support.
So what makes MSPs such an attractive target for modern threat actors? Advanced Persistent Threat (APT) groups have set their sights on MSPs’ provider-customer network access. Customers of MSPs depend on their providers to store their data, manage communication platforms, and support their IT infrastructure. Due to the access MSPs have to all of their customer’s networks, threat actors see MSP businesses as a single entry point to a variety of targets – not stopping their attack on the MSP’s customers, but oftentimes, attacking their customer’s customers, too.
The Inherent Risks of MSP’s Service Pillars
In general, MSPs provide continuous security monitoring and management services to the customers they serve. Most MSPs offer subscription-based service models allowing them to tailor the support to the specific needs of each customer. Many businesses choose to work with MSPs to augment the abilities of their own in-house IT teams, others seek support achieving 24/7/365 coverage, and many rely on access to cybersecurity experts to help them maintain and manage all aspects of a cyber ecosystem.
MSPs, at the core, provide the following cybersecurity-focused services:
- Continuous Intrusion Detection & Response
- Identity & Privilege Access Management
- Firewall Management & Monitoring
- Patch & Vulnerability Management
- Virtual Private Network (VPN) Management
- Risk Evaluation & Compliance Management
- Cybersecurity Expertise & Education
To provide these services, MSPs require their customers to provide them with privileged access to networks and trusted connectivity. With this in mind, threat actors capitalize on vulnerable MSPs rather than trying to target each of an MSP’s customers directly. After a successful breach, threat actors may also conduct cyber espionage on the MSP and its customers to prepare for future activities such as ransomware attacks and double extortion.
The Nature of Supply Chain Attacks
Cybercriminals are often opportunistic and always looking for ways to reach lucrative targets using the path of least resistance. Attacks against MSP businesses are emerging as cybercriminals leverage MSP’s intimate level of access to customer networks as an initial access vector. When one vulnerable service provider is successfully breached, suddenly all their downstream customers are at immediate risk of attack. The cascading effect on multiple victim networks is the defining risk of a supply chain attack. With the promise of greater rewards for less work, supply chain attacks will continue to be popular with cybercriminals.
Supply chain attacks have become more prevalent and made headlines by targeting critical infrastructure sectors globally in the last few years. As an extension to President Biden’s Executive Order on improving U.S. cybersecurity, the White House recently issued guidance on strengthening cybersecurity protections specifically combating supply chain attacks. The Executive Order was followed by a directive released by the National Institute of Standards and Technology (NIST) which outlines major security controls and practices for MSP adoption.
Key Defenses to Expect from MSP Businesses
With supply chain risks expected to continue, businesses turning to MSPs must ensure their providers put strategic safeguards in place to reduce these risks. MSPs are contractually obligated to ensure that their security architecture, governance, and capabilities are up to industry standards and need to regularly re-evaluate their cybersecurity strategy and processes to make sure they can meet recommended cybersecurity measures and controls.
1. Preventing Initial Compromise & Targeted Attacks
An MSP’s first step to preventing compromise is to harden vulnerable devices and remote access tools such as VPNs (virtual private networks). Vulnerability scanning is integral to this prevention as it helps MSPs protect their data as they continue to use their day-to-day software and web-facing applications. Targeted attacks such as password spraying, brute force attacks, and phishing campaigns can also be mitigated when MSPs shore up their internet-facing remote desktop (RDP) services.
2. Promoting Holistic Cyber Hygiene
MSPs should operate on cyber hygiene best practices to ensure the longevity of their operations. This means keeping internal tools and software up to date. Patching should be completed in a timely manner especially for firewall and VPN appliances.
MSPs should also establish app-based MFA for all devices and remote monitoring and management (RMM) tools and monitor often for failed login attempts – a typical sign of malicious activity.
Additionally, both the MSP and their customers should practice strict password management to ward off any malicious attempts at credential stuffing. Password management may include requirements for complexity, rotation, and expiration cycles.
3. Implementing a Zero Trust Model
The purpose of the zero trust model is to minimize the exposure of a network’s most sensitive data to unnecessary access. Each user is only given the level of access they require to perform their tasks. First, zero trust architecture requires all users and machines to authenticate before need-to-know permissions can be granted. Second, zero trust involves segmenting a network to isolate each part from the rest, making the entire network secure against threat actors attempting to spread laterally across systems.
4. Executing Proper Offboarding Procedures
IT offboarding entails the removal of obsolete accounts, instances, and tools should they no longer be required by a business. Accounts with shared passwords must be deleted, and in the case of employee transition, their user accounts will also need to be revoked. Port scanning tools and automated system inventories can help with the offboarding process as businesses perform regular audits on their network infrastructure.
5. Managing Regular Backups
Both MSPs and their customers should make sure they have redundant backup copies of all essential data and infrastructure such that the system or any part of it can be restored in the event of failure, loss or compromise. Backups should be stored remotely, either in the cloud or on a dedicated physical server. Best practices recommend both.
It is vital that backups are on separate systems, are encrypted, and frequently reviewed for anomalous access and data integrity. It’s also important to ensure that the backup policy is documented and that backups are made on a regular schedule.
As ransomware attacks evolve, many threat actors are exfiltrating their victim’s sensitive data in addition to encrypting it, ensuring they have additional leverage to collect the ransom demanded. This type of ransomware attack tactic is called double extortion and leaves the targeted MSP or client with the risk of having the stolen data published.
Triple extortion ransomware adds another element to the frenzy with the attackers directly approaching a victim’s clients or suppliers and demanding ransom from them as well. Their threat? Publication of their sensitive information and, increasingly, the launch of a Distributed-Denial-of-Service (DDoS) attack.
While backups are no longer enough to thwart ransomware attacks that exfiltrate and threaten to leak data, having regular backups means that businesses that have been hit by such attacks can still access data, carry out emergency communication processes, and implement their incident response plan, including resuming affected services.
6. Improving Internet of Things (IoT) Security
While the IoT industry has boomed in the past decade with internet and cloud-connected devices, the integration of smart devices to the workplace, and even smart vehicles and buildings, represents another risk factor. IoT devices suffer from a number of security issues, including known default passwords, outdated or vulnerable firmware, and public internet-facing ports. Further, IoT devices are often left unprotected as their restricted hardware resources are unsuitable for running endpoint security solutions. These extensions of a network could each become a potential access point for a threat actor to exploit. MSPs and their customers should ensure they implement network asset discovery to gain visibility into connected IoT devices and block those that are unauthorized.
7. Planning for Incident Response & Recovery
Having a clear, actionable plan in place in the case of a security event can determine how effectively a business responds to and recovers from cyber attack. Incident responses (IR) plans are crucial for building up cyber resilience and can help businesses identify the people, processes, and technologies that need to be bolstered. Plans should be practiced on a scheduled basis and updated often to ensure it is up to speed with current business requirements and newly-identified cyber attack trends.
8. Establishing 24/7 Autonomous Detection & Response
As threat actors continue to evolve and upgrade their methods of attack, MSPs need to establish an effective response strategy. In case of a security event, having a fast response time could mean the difference between breach and business continuity. MSPs often augment their in-house team with a robust detection and response solution to ensure the most efficient response time possible to protect their customers.
With the cyber threat landscape always in a state of flux and threat actors using increasingly sophisticated methods of attack, MSPs offer affordable and scalable protection to fit the needs of their customers. MSPs that base their security services on robust solutions such as XDR are able to prevent, detect, and respond to advanced persistent threats across their customer’s entire attack surface.
To effectively serve all its customers, MSPs globally have turned to SentinelOne’s Singularity™ Platform, allowing them to proactively resolve modern threats at machine speed. Learn how SentinelOne works with best-in-class security service providers to more effectively manage risk across user identities, endpoints, cloud workloads, IoT, and more.