Guest Column | December 10, 2019

4 Security Lessons For MSPs From New Threat Intelligence

By Emil Hozan, WatchGuard Technologies


Each year, security threats continue to grow in prevalence and sophistication. And as the security skills and resources deficit continues to swell in tandem, businesses of all sizes (and especially small, midsized and distributed enterprises) are increasingly looking to their trusted IT solutions providers to deliver simplified, managed security. In order to better protect customers in this evolving threat landscape, managed service providers (MSPs) must stay up to date on the latest attack techniques and security best practices. That’s one of the reasons WatchGuard’s Threat Lab security research team has been producing regular Internet Security Reports that offer insight into the latest malware and network attacks, the most impactful security events and more.

Let’s explore four key takeaways for MSPs from the new threat intelligence offered in our recent Internet Security Report for Q2 2019:

  1. Leverage Layered Security Services to Stay Ahead of Changing Malware Attacks – Malware detections in Q2 2019 rose 64 percent over the same quarter of 2018, and zero day malware (variants for which no signature existed when they were first seen) accounted for nearly 40 percent of all detections. The first number shows that overall attack volume is growing; the second shows that cybercriminals keep repacking and otherwise morphing their code so that every copy looks new to legacy signature-based antivirus. Together, these stats should make it abundantly clear that MSPs must protect their customers with a mix of anti-malware services rather than signature matching alone, so that advanced, evasive threats are detected and deterred. Combining behavior-based malware detection and other advanced methods with traditional AV defenses will significantly improve your ability to protect your customers.
  2. URL and Domain Filtering Can Prevent Attacks Involving Malicious Links – We also uncovered DNS-level attack campaigns that use popular, legitimate content delivery networks (CDNs) (like CloudFront and CloudFlare) to hide from anti-malware services that judge a link only by the root domain of a questionable URL: a filter working at that level cannot block one malicious path on a CDN hostname without blocking the whole CDN, so it blocks nothing. These attacks fell into three categories: malware domains, which are websites outright hosting malware; compromised domains, which are legitimate websites that threat actors exploited to host their own malicious JavaScript code; and phishing domains, where threat actors direct users to spoofed login screens to harvest their credentials. Regardless of the type, attackers try to deliver millions of malicious links every quarter (including to your customers). As long as you’re protecting them with a web or DNS filtering service that evaluates the full hostname and URL, you can easily prevent users who accidentally click a bad link from visiting nefarious destinations or receiving malicious payloads. Don’t forget, you should use these same services to protect your own employees and business as well.
  3. Prioritize Better Backup Hygiene – Did you know that the Baltimore Department of Public Works suffered a major ransomware attack this year? This painful incident was one that we analyzed in great detail in the report. Researchers found that the malware used in the incident was RobbinHood, and that the attackers set the ransom at roughly $75,000. Employee productivity took a major hit while the City of Baltimore was forced to rebuild many critical systems. The total estimated damages landed upwards of $17 million when all was said and done. This attack is a perfect example of what happens when you don’t deploy and test the right backup solutions. While there are many incredibly useful security services and programs out there, none of them are perfect. You and your customers must be equipped with backup solutions to recover your systems and data in the event of a successful ransomware infection. That means keeping at least one copy offline or otherwise unreachable from the network the ransomware runs on (modern ransomware deliberately seeks out and encrypts reachable backups), and regularly performing test restores so you know the copies are complete and intact before you need them. Done properly, this will allow you to ignore the ransom demands, restore everything you need and carry on with business as usual while working to prevent future incidents.
  4. Don’t Forget to Defend Yourself! – Many IT solutions providers are incredibly passionate about delivering quality IT and security services to customers, and their own exposure to cyber attacks can fall out of focus. As you can imagine, this is hazardous for both MSPs and their customers. Our latest report also includes a detailed analysis of a recent MSP-focused attack campaign that targeted a specific piece of IT management software. In this attack, the perpetrators used weak or stolen credentials to gain administrative access to the MSPs’ management tool, then abused its legitimate remote management features to push malware to customer systems directly. Based on these attacks from Q2 2019 and similar ones we’ve seen in the past, it’s clear that attackers are increasingly targeting MSPs as a route to their customers. Regardless of your size or revenue, remember that as an MSP, your direct administrative access to customer systems makes you a particularly lucrative and enticing target for online criminals. You can prevent MSP-focused attacks like those we saw in Q2 by enforcing strong, unique passwords, requiring multi-factor authentication (above all on the administrative accounts of your remote management tools) and training your employees on security best practices.

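The CDN blind spot described in item 2 and the restore testing urged in item 3 are easier to see in code. The following two snippets are added illustrations, not WatchGuard code and not part of the original column. The first contrasts a filter that judges links by registrable domain with one that matches the full hostname and path; its threat feed, the `.example` hostnames and the `SHARED_ROOTS` list are all constructed for the demo, and `registrable_domain` deliberately approximates eTLD+1 as the last two labels (a real filter would use the Public Suffix List). The second builds a hashed manifest of a backup set and checks a restored copy against it, simulating a partial restore and a file overwritten by ransomware; the directory layout and file contents are likewise constructed.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# ---- Item 2: root-domain-only vs full-URL filtering -------------------------

# Constructed threat feed grouped by the report's three categories.
# Each entry is (hostname, path_prefix); an empty prefix means the whole
# host is malicious, a non-empty one means only that path on the host is.
BLOCKLIST: Dict[str, List[Tuple[str, str]]] = {
    "malware":     [("evil-updates.example", "")],
    "compromised": [("blog.victim.example", "/wp-content/uploads/cache/")],
    "phishing":    [("d111111abcdef8.cloudfront.example", "/o365/login/")],
}

# Shared CDN roots (constructed names) that a root-domain filter cannot
# block wholesale without taking down thousands of legitimate sites.
SHARED_ROOTS = {"cloudfront.example", "cloudflare.example"}


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (simplification: use the
    Public Suffix List in production, where 'co.uk'-style suffixes exist)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def split_url(url: str) -> Tuple[str, str]:
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def verdict_root_domain_only(url: str) -> Optional[str]:
    """Legacy filter: decide purely on the registrable domain. Because it
    must exempt shared CDN roots, CDN-hosted phishing sails straight through,
    and a compromised site is blocked in its entirety, clean pages included."""
    root = registrable_domain(split_url(url)[0])
    if root in SHARED_ROOTS:
        return None
    for category, entries in BLOCKLIST.items():
        if any(registrable_domain(h) == root for h, _ in entries):
            return category
    return None


def verdict_full_url(url: str) -> Optional[str]:
    """Match the exact hostname plus a path prefix: catches the CDN-hosted
    phishing page and only the poisoned path on the compromised blog."""
    host, path = split_url(url)
    for category, entries in BLOCKLIST.items():
        if any(host == h and path.startswith(p) for h, p in entries):
            return category
    return None


def compare_filters(urls: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (url, root-domain verdict, full-URL verdict) for each URL."""
    return [(u, verdict_root_domain_only(u), verdict_full_url(u)) for u in urls]


# ---- Item 3: manifest-based restore test ------------------------------------

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file (path relative to root, '/'-separated) to its SHA-256.
    Store this manifest with the offline copy, not on the protected host."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, object]:
    """Report files missing from the restore, files whose content differs
    from the manifest, and unexpected extras. 'ok' requires no missing or
    modified files; extras are reported but do not fail the check."""
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    extra = sorted(set(actual) - set(manifest))
    return {"missing": missing, "modified": modified, "extra": extra,
            "ok": not (missing or modified)}


def restore_test_demo() -> Dict[str, Dict[str, object]]:
    """Constructed scenario: hash a small tree, verify a faithful copy, then
    damage the copy (one file never restored, one overwritten as ransomware
    would) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "notes.txt").write_text("rebuild procedure v3\n")
        manifest = build_manifest(live)

        restored = Path(tmp, "restored")
        shutil.copytree(live, restored)
        clean = verify_restore(manifest, restored)

        (restored / "notes.txt").write_bytes(b"\x00ENCRYPTED\x00")
        (restored / "finance" / "ledger.csv").unlink()
        damaged = verify_restore(manifest, restored)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for row in compare_filters([
        "https://evil-updates.example/setup.exe",
        "https://blog.victim.example/wp-content/uploads/cache/loader.js",
        "https://blog.victim.example/about",
        "https://d111111abcdef8.cloudfront.example/o365/login/index.html",
        "https://d222222.cloudfront.example/assets/app.js",
    ]):
        print(row)
    print(restore_test_demo())
```

In the filtering half, the root-domain filter both misses the CDN-hosted phishing page and over-blocks the compromised blog’s clean `/about` page, while the full-URL filter gets all five cases right; that is the practical difference between the two classes of service the column contrasts. In the backup half, the manifest is only trustworthy if the attacker cannot rewrite it, so it belongs with the offline copy (or is signed), and the check should run on a schedule rather than once at deployment.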
Based on the above findings, we know that evolving security threats and the growing need for comprehensive managed security services aren’t going anywhere any time soon. Use these key learnings and tips to better protect your customers and your business today. For deeper insights into the latest malware and network attack trends, check out the full report here, and keep an eye out for new editions each quarter.

About The Author

Emil Hozan is a Security Analyst at WatchGuard Technologies, focused on network security. Emil’s responsibilities include quantifying threat data for WatchGuard’s quarterly Internet Security Report, contributing to WatchGuard’s security blog Secplicity, analyzing trends in network and malware attacks, sandboxing and testing new products and exploits, and reverse engineering malware samples.

Emil can be reached online at and at our company website