Managed service providers (MSPs) are under increasing threat of cyber attacks, security agencies from the “Five Eyes” countries warned last week.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), NSA and FBI joined their counterparts from the UK, Australia, Canada and New Zealand in issuing the warning.
“We are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue,” the agencies said.
Officials also took to Twitter and other social media platforms to spread the word.
Attractive Target for Hackers
MSPs are an attractive target for hackers because compromising one can give attackers access to many of its clients’ networks and IT environments at the same time. For the same reason, the IT service management (ITSM) providers whose software is used by MSPs have come under attack, most notably in the Kaseya hack last year.
The cybersecurity agencies warned MSPs to “expect state-sponsored advanced persistent threat (APT) groups and other malicious cyber actors to increase their targeting of MSPs against both provider and customer networks.”
The joint advisory added, “For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP and across the MSP’s customer base.”
Abigail Bradshaw, chief of the Australian Cyber Security Centre, said MSPs are essential to many companies worldwide, making them the perfect target for malicious hackers and state-sponsored cybercriminals.
The REvil ransomware attack on Kaseya struck dozens of MSPs and more than 1,500 of their customers, showing how quickly such attacks can multiply.
The agencies encouraged ransomware victims not to pay ransom demands. “Criminal activity is motivated by financial gain, so paying a ransom may embolden adversaries to target additional organizations or encourage cybercriminals to engage in the distribution of ransomware,” they said. “Paying the ransom also does not guarantee that a victim’s files will be recovered. Additionally, reducing the financial gain of ransomware threat actors will help disrupt the ransomware criminal business model.”
Security Steps for MSPs
The agencies issued lengthy guidance for security measures MSPs should take, including hardening devices and internet-facing services, along with internal security and account controls. The guidance is also good for customers assessing an MSP’s security controls.
Prevent initial compromise
The agencies told MSPs to harden devices like VPNs, scan for vulnerabilities, protect web-facing applications, and educate employees on proper cybersecurity behaviors.
Improve monitoring and logging
The groups recommended that logs be stored for six months because of how long it can take to detect an attack, and the ability of advanced threat actors to hide within networks. Endpoint detection and network defense monitoring capabilities are also important, both for MSPs and their customers.
Enforce multi-factor authentication (MFA)
“Organizations should secure remote access applications and enforce MFA where possible to harden the infrastructure that enables access to networks and systems,” the security agencies noted.
They added that Russian state-sponsored hackers “have recently demonstrated the ability to exploit default MFA protocols; organizations should review configuration policies to protect against ‘fail open’ and re-enrollment scenarios.”
Accounts should also be monitored for failed login attempts, which can be a sign of an attack.
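The checks this section describes, as an added example that is not part of the advisory or the original article: Python detection logic run over constructed log lines that flags failed-login bursts, logins admitted with MFA skipped (fail open), and MFA enrollment on a dormant account. The log format, event names, thresholds and account names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed format: timestamp account event detail
SAMPLE_EVENTS = """\
2022-05-16T09:00:01 alice login_failed bad_password
2022-05-16T09:00:09 alice login_failed bad_password
2022-05-16T09:00:15 alice login_failed bad_password
2022-05-16T09:00:22 alice login_failed bad_password
2022-05-16T09:00:30 alice login_failed bad_password
2022-05-16T09:05:00 bob login_ok mfa=passed
2022-05-16T09:07:00 svc-backup login_ok mfa=skipped_provider_unreachable
2022-05-16T09:10:00 old-contractor mfa_enroll new_device
2022-05-16T09:10:40 old-contractor login_ok mfa=passed
2022-05-16T11:00:00 bob login_failed bad_password
"""

FAILED_THRESHOLD = 5                   # assumed policy: 5 failures ...
FAILED_WINDOW = timedelta(minutes=10)  # ... within 10 minutes
DORMANT_ACCOUNTS = {"old-contractor"}  # assumed: fed from an account inventory


def parse(text):
    """Yield (time, account, event, detail); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            yield (datetime.fromisoformat(parts[0]), *parts[1:])


def find_alerts(text):
    alerts = []
    failures = defaultdict(list)  # account -> failure times inside the window
    for ts, account, event, detail in parse(text):
        if event == "login_failed":
            recent = [t for t in failures[account] if ts - t <= FAILED_WINDOW]
            recent.append(ts)
            failures[account] = recent
            if len(recent) == FAILED_THRESHOLD:  # alert once, at the threshold
                alerts.append(("failed_login_burst", account))
        elif event == "login_ok" and detail.startswith("mfa=skipped"):
            alerts.append(("mfa_fail_open", account))  # admitted without MFA
        elif event == "mfa_enroll" and account in DORMANT_ACCOUNTS:
            alerts.append(("dormant_reenrollment", account))
    return alerts


if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))
```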
Segregate internal networks
MSPs and their customers should segment networks and business systems to isolate them as much as possible – including not reusing admin credentials across customers.
Segmentation and microsegmentation are also fundamental technologies for “zero trust,” which basically means giving a user access to only the resources and level of access they need, also referred to as the “least privilege” principle.
Deprecate obsolete accounts and infrastructure
User accounts should be closed when no longer needed, and passwords for shared accounts should be changed when employees leave.
Organizations should also audit their network infrastructure, they said, “paying particular attention to those on the MSP-customer boundary” to identify and disable unused systems and services. Port scanning tools and automated system inventories can help.
Apply updates and back up systems and data
MSPs and their customers should also update their software, including operating systems, applications, and firmware, prioritizing software containing known exploited vulnerabilities.
Data and system backups are more critical than ever because, properly done, they provide an important defense against ransomware.
Develop incident response and recovery plans
As breaches appear inevitable for many organizations, the agencies recommended that incident response and recovery plans be developed and practiced; most MSP customers lack such plans.
Understand and manage supply chain risk
Because of the possibility of cascading cyber attacks, MSPs and their customers should also understand and protect against third-party risks.