MSP Security in the Spotlight
Cyber threat actors are increasingly targeting managed service providers (MSPs) and have been exploiting lax MSP security to gain access to MSP networks, then abusing the privileged access to client systems to conduct extensive attacks on downstream businesses. According to data from Check Point, cyberattacks on MSPs increased by 67% between 2020 and 2021, and attacks are expected to continue to increase.
The damage that can be caused by a successful attack on an MSP can be considerable. If a ransomware threat actor compromised a large MSP, attacks could be conducted on hundreds of businesses. An analysis by the Foundation for Defense of Democracies Center on Cyber and Technology Innovation and Intangic estimated that such an attack on an MSP and 600 of its customers, causing significant business disruption for more than 3 days, would result in tens of thousands of job losses and economic losses of $77.8 billion. To put that figure into perspective, the economic impact would be worse than that of Hurricane Sandy in 2012.
Attacks such as these are not only theoretical. In July 2021, the REvil ransomware gang conducted a supply chain attack on Kaseya and gained access to the networks of around 40 MSPs that used Kaseya VSA software. The gang then conducted attacks on an estimated 1,500 downstream businesses.
Given the increase in cyberattacks targeting MSPs and the significant damage and financial impact such attacks can have, it is no surprise that the spotlight has been turned on MSP security. MSP security should be improved to make these attacks less likely to succeed. Customers of MSPs should ensure that their MSPs have implemented appropriate security for MSP systems as well as their own.
MSP Security Best Practices
Cybersecurity agencies in the United States, United Kingdom, Australia, New Zealand, and Canada have issued guidance on MSP security in light of the increase in cyberattacks, recommending mitigations and hardening measures that improve resilience to cyberattacks and better protect customers. Specifically, MSP security can be improved by:
- Enabling monitoring and logging, especially of the delivery infrastructure used to provide services to customers and of internal and customer network activity
- Enforcing multifactor authentication on all accounts with access to customer environments and for all customer products and services
- Managing internal architecture risks and segregating internal networks and customer data. All connections between internal systems, customer systems, and other networks should be reviewed and verified
- Avoiding default administrative privileges and applying the principle of least privilege
- Updating software, applications, operating systems, and firmware on internal networks as quickly as possible
- Backing up internal and customer data regularly and testing backups to make sure data recovery is possible. Backups should be encrypted and stored externally
- Developing and exercising internal incident response and recovery plans and recommending customers should do the same
- Understanding the MSP's own supply chain risks and taking steps to manage those risks
- Being fully transparent and clearly stating what is covered by the contractual agreements and what services are not included
- Verifying customers have restricted MSP account access to systems managed by the MSP
How Customers of MSPs Can Improve Security and Manage Cyber Risk
Steps can be taken to improve MSP security, but customers of MSPs must also play a role. Customers of MSPs should be aware of the supply chain risks associated with using MSPs and must manage those risks across their security, legal, and procurement groups. They should conduct organization-wide risk assessments and carefully prioritize the allocation of resources and cyber investment. Transparency is important: customers should have a comprehensive understanding of the MSP security services being provided and be aware of any security functions that are not covered by their contractual arrangements. Service level agreements and contracts should be audited to ensure that the responsibilities of each party are clearly defined.
Customers of MSPs should also:
- Enable and improve monitoring and logging processes
- Stipulate multi-factor authentication is used for all MSP accounts, products, and services
- Manage internal architecture risks and segregate internal networks
- Deprecate obsolete accounts and infrastructure
- Apply the principle of least privilege, limit administrative access, and use zero trust principles
- Ensure vulnerabilities are patched/fixed promptly
- Ensure contractual agreements cover system and data backups and backups are tested
- Develop and exercise incident response and recovery plans
- Diligently manage authentication and authorization for MSP accounts
Preventing the Initial Compromise
Cyber threat actors use a variety of techniques to gain initial access to systems, and MSPs and their customers need to take steps to block the main attack vectors. Vulnerable devices should be secured by conducting vulnerability scanning and patching vulnerabilities promptly. Secure methods of remote access, such as VPNs, should be used, and those remote access solutions should be hardened.
Attacks are often conducted on Internet-facing services, so strategies should be adopted to improve resilience, such as protecting web applications from credential stuffing attacks. Brute force and password spraying are common, so measures should be implemented to protect against these attacks, such as changing default passwords, setting complex passwords, using password managers, enforcing multi-factor authentication, and ensuring accounts are locked out after successive login failures.
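As an added example (not code from the original article or from any agency guidance), the following Python script runs two detections over a constructed authentication log: a per-account failure count, which is what an account lockout policy catches (brute force against one account), and a per-source distinct-user count, which catches the password spraying pattern that lockout thresholds miss because each account sees only one failure. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system; IPs are from documentation ranges).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z FAIL user=alice src=203.0.113.7
2024-05-01T09:00:04Z FAIL user=bob src=203.0.113.7
2024-05-01T09:00:07Z FAIL user=carol src=203.0.113.7
2024-05-01T09:00:10Z FAIL user=dave src=203.0.113.7
2024-05-01T09:00:13Z FAIL user=erin src=203.0.113.7
2024-05-01T09:01:00Z FAIL user=admin src=198.51.100.9
2024-05-01T09:01:02Z FAIL user=admin src=198.51.100.9
2024-05-01T09:01:04Z FAIL user=admin src=198.51.100.9
2024-05-01T09:01:06Z FAIL user=admin src=198.51.100.9
2024-05-01T09:01:08Z FAIL user=admin src=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(text):
    """Yield (timestamp, outcome, user, src); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def _burst(events, window, threshold, distinct):
    """True if some span of length `window` holds >= threshold events
    (counting distinct keys when `distinct`). events is a list of (ts, key)."""
    events.sort()
    for i, (t0, _) in enumerate(events):
        keys = [k for t, k in events[i:] if t - t0 <= window]
        if (len(set(keys)) if distinct else len(keys)) >= threshold:
            return True
    return False

def analyze(text, window=timedelta(minutes=10), spray_users=5, lockout_after=5):
    """Return (spray_sources, locked_accounts): sources that failed against
    >= spray_users distinct users in a window (per-account lockout never fires
    on this), and users with >= lockout_after failures in a window (brute force)."""
    by_src, by_user = defaultdict(list), defaultdict(list)
    for ts, outcome, user, src in parse(text):
        if outcome == "FAIL":
            by_src[src].append((ts, user))
            by_user[user].append((ts, src))
    spray = {s for s, ev in by_src.items() if _burst(ev, window, spray_users, True)}
    locked = {u for u, ev in by_user.items() if _burst(ev, window, lockout_after, False)}
    return spray, locked
```

Running `analyze(SAMPLE_LOG)` flags 203.0.113.7 as a spraying source and admin as an account the lockout policy would have locked; note that none of the sprayed accounts reach the lockout threshold, which is why a source-based rule is needed alongside lockout.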
Phishing is the most common method of gaining access to systems, and this is an area of security that requires multiple layers of defense for MSPs and their customers. Email security gateways should be implemented that use signature- and behavior-based detection mechanisms to block malware, Sender Policy Framework (SPF) checks to detect email impersonation attacks, and link scanning. Outbound scanning is also recommended for identifying compromised mailboxes.
Web filtering solutions can provide an extra layer of protection by blocking access to malicious websites linked in phishing emails and blocking web-borne attacks. Customers should request these MSP security services if they are not already implemented. Security awareness training is also important to prepare employees and teach them how to identify and respond when suspicious emails are received, along with phishing simulations to assess resilience and identify weaknesses.