Guest Column | March 5, 2020

MSPs Under Attack: 7 Steps To Safe Havens, Protection, And Immunity

By Vince Crisler, Dark Cubed

In the first article in this two-part series, we examined the current state of MSP security as well as the related vulnerabilities uncovered during a comprehensive study of MSP network traffic. Data was gathered from a globally distributed group of MSPs.

As a result of this study, “Attacking the Gatekeepers: MSP Report,” we gained deep insight into what’s occurring on the MSP front, including the level of organization and sophistication of attacks — the outcome of which has reached an unprecedented order of magnitude. Our whitepaper verified nearly 700,000 malicious hosts actively targeting MSP networks.

But chasing every known issue isn’t the answer.

Remediation And Recommendations

We advocate analyzing network traffic in real time and assigning a simple, actionable threat score to every IP address and domain name observed across all environments: known threat, predictive threat, and community analytics-based. This enables simplified and automated response activities.

Too many MSPs conclude today that deploying a firewall with “advanced threat protection” suffices, when, in fact, this type of thinking and approach is what made the Gatekeepers targets.

True protection requires data analytics and visibility at a scale that has not traditionally been available to small and mid-sized companies. Any that have invested significant amounts of money into a cybersecurity infrastructure will emphatically agree that a firewall is only part of the solution and not THE solution given the current threat landscape.

It makes the job of the defender more difficult when attackers can use “ephemeral” infrastructure, such as hosting environments provided by established firms. Such activities require more nimble, flexible security organizations that can go beyond simply using threat intelligence as a guide due to the long timelines that traditional intelligence takes to produce. Moreover, organizations must consider implementing the capability to “age out” indicators based on their respective ownership and behaviors.
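An added example, not from the original article or from Dark Cubed's product: one way to "age out" scored indicators, assuming a 0-100 threat score that decays exponentially with a half-life chosen by ownership type and is refreshed by newly observed malicious behavior. The ownership categories, half-lives, thresholds, and sample indicators are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed half-lives: an address in shared or short-lived hosting changes
# tenants quickly, so evidence against it goes stale sooner.
HALF_LIFE = {"ephemeral_hosting": timedelta(days=2),
             "dedicated": timedelta(days=30)}
BLOCK_AT, EXPIRE_AT = 70.0, 10.0  # assumed thresholds on a 0-100 score

@dataclass
class Indicator:
    value: str               # IP address or domain name
    ownership: str           # key into HALF_LIFE
    base_score: float        # score at the last malicious observation
    last_seen_bad: datetime

    def score(self, now):
        """Halve the score once per half-life since the last bad sighting."""
        age = max(now - self.last_seen_bad, timedelta(0))
        return self.base_score * 0.5 ** (age / HALF_LIFE[self.ownership])

    def observe(self, when, malicious, score=0.0):
        """Malicious behaviour resets the clock; benign traffic lets it age."""
        if malicious and when >= self.last_seen_bad:
            self.base_score = max(score, self.score(when))
            self.last_seen_bad = when

def triage(indicators, now):
    """Sort indicator values into block / watch / aged_out by current score."""
    out = {"block": [], "watch": [], "aged_out": []}
    for ind in indicators:
        s = ind.score(now)
        key = "block" if s >= BLOCK_AT else "watch" if s > EXPIRE_AT else "aged_out"
        out[key].append(ind.value)
    return out

# Constructed sample data (documentation address ranges, not real indicators).
NOW = datetime(2020, 3, 5, tzinfo=timezone.utc)
SAMPLE = [
    Indicator("192.0.2.10", "ephemeral_hosting", 90, NOW - timedelta(days=10)),
    Indicator("198.51.100.7", "dedicated", 90, NOW - timedelta(days=10)),
    Indicator("bad.example", "ephemeral_hosting", 90, NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for bucket, values in triage(SAMPLE, NOW).items():
        print(bucket, values)
```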

7 Steps To Safe Havens, Protection & Immunity

Each customer environment is as different as the MSPs serving them. That ultimately means no one solution fits all. Becoming more adept at identifying threats and their sources is critical, of course. Many steps can be taken immediately to improve security, controls, and protections. Here are seven ways both end customers and their MSPs can better protect networks and data in the wake of this new rising tide of malevolent activity striking at the heart of our industry:

  1. Remote access via VPNs utilizing two-factor authentication
  2. Advanced password management practices led by organizational policies applied to both MSP and customer accounts
  3. Service accounts for MSP agents and services – and disablement of automated logons for them
  4. Restricting MSP accounts by time and/or date with expiration dates reflecting contractual end dates
  5. Disabling MSP accounts until they are needed and shutting them down once related work is complete
  6. Leveraging network architecture that includes account tiering so higher-privileged accounts never have access or visibility on lower-privileged network layers
  7. Robust analytics that integrate threat intelligence from multiple sources on the MSP network and the networks of MSP customers (to detect changes in the threat environment)

We also strongly recommend continuous monitoring of relevant government reporting that ranges from the National Cybersecurity and Communications Integration Center (NCCIC) within the Department of Homeland Security (DHS) to the Cybersecurity and Infrastructure Security Agency (CISA). For example, TA18-276B covers advanced persistent threats specifically exploiting MSPs, found at https://www.us-cert.gov/ncas/alerts/TA18-276B.

For a more complete understanding of cybersecurity issues plaguing MSPs and their customers as well as what to do about them, check out the “Attacking the Gatekeepers” study in its entirety at https://darkcubed.com/msp-report.

As an industry, we can always do better. On the cybersecurity front, improvement isn’t an option. It’s an imperative that should reign over all other priorities.

About The Author

Vince Crisler, CEO and president of Dark Cubed, has more than 20 years of IT and cybersecurity leadership within the Department of Defense, federal civilian government, and the private sector. A former Chief Information Security Officer of the White House, Crisler is a proven cybersecurity and IT strategy leader