Increase in MSP Targeted Cyber Attacks
On May 11, 2022, the cybersecurity authorities of the Five Eyes (FVEY) partnership published a joint advisory warning managed service providers (MSPs) of an increase in cyber-attacks directed at them. FVEY is an intelligence-sharing alliance of five countries whose agencies cooperate on information and guidance about global cyber threats; it is not a single agency. The U.S. participants, the FBI, NSA, and CISA, co-authored the alert with guidance on how targeted MSPs and their customers should respond.
"The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA), (NSA), (FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue."
Alert (AA22-131A)
The specific risk this alert is concerned with is advanced persistent threat (APT) actors reaching customer networks through their MSPs. Whether a customer's environment is hosted on-premises or externally, a threat actor who compromises the MSP inherits the MSP's remote access to it. Because many MSP clients in turn work with organizations around the globe, a single MSP breach can have consequences far beyond the provider itself.
The following are recommendations for managed service providers to better secure their client base and reduce data breaches.
Preventing Initial Compromise
Cyber criminals' easiest targets are insecure, public-facing services that can be breached to gain a foothold in the larger network. To prevent that initial compromise, MSPs must secure their own IT systems from the start. The FVEY authorities recommend the following:
- Secure remote access solutions (for example, patch and harden the remote management tools used to reach customer networks) and run regular vulnerability scans against them.
- Protect internet-facing services such as web servers and anything else exposed to the public internet.
- Defend against brute force and password spraying attacks on logins, for example by enforcing lockouts or rate limits and monitoring failed sign-ins.
- Defend the organization against phishing and social engineering through security awareness training and education on current cyber threats.
Improve Monitoring and Logging Processes
Event logging aids forensic investigation in understanding how a cyber-attack happened and which vulnerabilities were exploited to gain access. Because intrusions are often not detected for months, the alert recommends retaining logs for at least six months. MSPs should log both internal and customer network activity so threats can be detected and responded to accurately, and customers should implement logging on their own systems so their MSP has the evidence it needs to respond.
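The two points above, the recommendation to defend against brute force and password spraying and the reason to keep authentication logs, come together in a detection. The following is an added example (Python, not code from the advisory or from CorpInfoTech) that runs over a constructed, simplified sign-in log and separates classic brute force (many failures against one account from one source) from password spraying (one source, one or two tries against many accounts), then reports any successful logon from a spraying source. The log format and all addresses and usernames are made up for the example; the thresholds and windows are assumptions to tune for a real environment.

```python
"""Brute-force and password-spray detection over a simplified sign-in log.

Added example, not code from the FVEY advisory. The log format below is
constructed for illustration: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>",
loosely modeled on Windows logon audit events (4624 success / 4625 failure).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one legitimate user, one spraying source (203.0.113.7)
# that eventually logs in as "frank", and one source brute-forcing "admin".
SAMPLE_LOG = """\
2022-05-11T08:30:00 OK user=alice src=192.0.2.55
2022-05-11T08:45:10 FAIL user=bob src=192.0.2.55
2022-05-11T08:45:40 OK user=bob src=192.0.2.55
2022-05-11T09:00:01 FAIL user=alice src=203.0.113.7
2022-05-11T09:01:02 FAIL user=bob src=203.0.113.7
2022-05-11T09:02:03 FAIL user=carol src=203.0.113.7
2022-05-11T09:03:04 FAIL user=dave src=203.0.113.7
2022-05-11T09:04:05 FAIL user=erin src=203.0.113.7
2022-05-11T09:05:06 FAIL user=frank src=203.0.113.7
2022-05-11T09:06:07 OK user=frank src=203.0.113.7
2022-05-11T10:00:00 FAIL user=admin src=198.51.100.23
2022-05-11T10:00:30 FAIL user=admin src=198.51.100.23
2022-05-11T10:01:00 FAIL user=admin src=198.51.100.23
2022-05-11T10:01:30 FAIL user=admin src=198.51.100.23
2022-05-11T10:02:00 FAIL user=admin src=198.51.100.23
2022-05-11T10:02:30 FAIL user=admin src=198.51.100.23
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    success: bool
    user: str
    src: str


def parse_log(text):
    """Parse the constructed log format into Events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append(Event(datetime.fromisoformat(ts), result == "OK",
                            user.split("=", 1)[1], src.split("=", 1)[1]))
    events.sort(key=lambda e: e.ts)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (src, user) pairs with at least `threshold` failures in any window."""
    recent = defaultdict(deque)          # (src, user) -> failure timestamps
    alerts = set()
    for e in events:
        if e.success:
            continue
        q = recent[(e.src, e.user)]
        q.append(e.ts)
        while q and e.ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.add((e.src, e.user))
    return alerts


def detect_password_spray(events, min_accounts=5, max_per_account=2,
                          window=timedelta(minutes=30)):
    """Flag sources that fail against many distinct accounts with few tries each.

    A spray stays under per-account lockout thresholds, so the signal is the
    breadth of accounts per source, not the depth of attempts per account.
    """
    recent = defaultdict(deque)          # src -> (timestamp, user) of failures
    alerts = set()
    for e in events:
        if e.success:
            continue
        q = recent[e.src]
        q.append((e.ts, e.user))
        while q and e.ts - q[0][0] > window:
            q.popleft()
        per_user = defaultdict(int)
        for _, user in q:
            per_user[user] += 1
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            alerts.add(e.src)
    return alerts


def successes_from_flagged_sources(events, flagged_sources):
    """The high-value alert: a successful logon from a source already spraying."""
    return {(e.src, e.user) for e in events if e.success and e.src in flagged_sources}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = detect_password_spray(evs)
    print("brute force:", detect_brute_force(evs))
    print("password spray:", sprays)
    print("compromised accounts:", successes_from_flagged_sources(evs, sprays))
```

Note that the spraying source never trips the per-account brute-force rule (one failure per user), which is exactly why a lockout policy alone does not stop spraying and why the per-source view over retained logs is needed.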
Multi-factor Authentication
Another important recommendation is enforcing multi-factor authentication (MFA) on every account and device used to access your organization's IT infrastructure and, especially, the tools used to reach customer networks. Wherever possible, require a second factor beyond a standard username and password. MFA isn't foolproof (one-time codes and push prompts can still be phished or approved by a fatigued user), but it adds a layer of protection that a password alone does not. Services like Microsoft Authenticator or Duo Mobile are simple apps that can provide MFA for your organization. Coordinate with your customers when rolling out MFA so that it covers their access to shared systems as well.
Principle of Least Privilege
The principle of least privilege is one every organization should implement, and MSPs most of all, since their accounts reach into many customer environments. The idea is that employees and service accounts should have access only to what is necessary to do their work. Standard users shouldn't hold administrator rights if they don't need them for their job, and MSP technicians shouldn't hold standing administrative access to every customer. This principle limits who can reach sensitive information on your network and reduces your organization's overall attack surface. An important part of least privilege is keeping permissions and access up to date: review accounts and group memberships regularly and remove access when a role changes or an engagement ends. All it takes is one stale privilege for cyber criminals to get into your network.
These are just a few of the recommendations the FVEY authorities have provided to protect vulnerable and targeted MSPs from unwanted intruders. You can read Alert AA22-131A in its entirety here.
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert IT services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.