Hackers Are Going After Managed Service Providers
According to the FBI, CISA, and the NSA, Supply Chain Attacks Are Becoming More Common.
Australia, Canada, New Zealand, the United Kingdom, and the United States are the members of the intelligence partnership known as the “Five Eyes” (FVEY). These nations are signatories to the multilateral UKUSA Agreement, which is a pact for coordinating their efforts in the field of signals intelligence.
As BleepingComputer reports, the FVEY members have issued a joint warning to managed service providers (MSPs) and their customers that supply chain attacks routed through MSPs are becoming more common.
Multiple cybersecurity and law enforcement organizations from FVEY nations (NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and FBI) have collaborated on recommendations for managed service providers (MSPs) on how to protect networks and sensitive data from the growing number of cyberattacks.
Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base.
The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities have previously issued general guidance for MSPs and their customers. This advisory provides specific guidance to enable transparent, well-informed discussions between MSPs and their customers that center on securing sensitive information and data. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community.
Recommendations: What Should MSPs and Their Customers Do?
The advisory pairs each recommendation with concrete actions for MSPs and for their customers, so that the two sides can hold transparent discussions about securing sensitive data and re-evaluate their security processes and contractual commitments against the customer's risk tolerance.
Managed Service Providers and their customers should apply the baseline security measures and operational controls described below, according to the UK, Australian, Canadian, New Zealand, and US cybersecurity authorities. Customers should also check that their MSP’s contractual agreements state that these safeguards and controls are implemented.
Prevent Initial Compromise
Malicious cyber actors compromise MSPs through vulnerable devices and internet-facing services, brute-force attacks, and phishing. MSPs and their customers should mitigate each of these initial-access methods:
- Improve the security of vulnerable devices.
- Protect internet-facing services.
- Defend against brute-force attacks and password spraying.
- Defend against phishing.
Improve and Enable Monitoring and Logging Operations
Because it can take months for an intrusion to be detected, the FVEY cybersecurity authorities advise all organizations to retain their most important logs for at least six months. Organizations should implement and maintain a segregated logging regime to detect network threats, whether through a comprehensive security information and event management (SIEM) system or discrete logging tools. In addition to application allowlisting/denylisting, they should establish endpoint detection and network defense monitoring capabilities, either through contractual arrangements with an MSP or on their own.
- MSPs should keep track of the delivery infrastructure operations they utilize to serve customers. As needed and contractually agreed upon, MSPs should additionally log both internal and customer network traffic.
- Customers should enable effective system monitoring and logging. If they hire an MSP to monitor and log their systems, they should make sure the contract requires the MSP to implement comprehensive security event management covering provider-managed customer systems. Customers should also have visibility into logging operations, including the provider's presence, activity, and connections to client networks, as stipulated in the contract, and should verify that MSP accounts are appropriately monitored and audited. Finally, customers should be notified of confirmed or suspected security events and incidents on the provider's infrastructure and administrative networks, and these should be routed to a security operations center (SOC) for examination and triage.
Enable and Enforce Multifactor Authentication (MFA)
To harden the infrastructure that provides access to networks and systems, organizations should secure remote access applications and enforce multifactor authentication wherever possible.
- MSPs should advocate for MFA implementation across all customer services and products.
- Customers should check their contracts to see if MFA is required for the services and products they get. MFA should be required in all MSP accounts that access customer environments, according to contracts.
Manage Internal Architecture Risks and Network Segregation
Organizations should understand their environment and segment their networks. To limit the impact of a compromise across the company, identify, group, and isolate critical business systems and apply appropriate network security controls to them.
- MSPs should review and verify all connections between internal systems, customer systems, and other networks. To contain a single vector of attack, separate customer data sets (and services, where applicable) from each other and from internal corporate networks. Do not reuse administrative credentials across customers.
- All connections between internal systems, MSP systems, and other networks should be reviewed and verified by customers. Ensure that identity providers and trusts are managed across environments.
Employ the Principle of Least Privilege (POLP)
The principle of least privilege (POLP), also called the "principle of least authority" (POLA) or "the principle of minimal privilege" (POMP), is a cybersecurity best practice of granting only the minimum access a user needs to perform an assigned task.
Organizations should apply least privilege throughout their network environment: update privileges immediately when administrative roles change, use a tiering model for administrative accounts so they are not given access or privileges they do not need, use fully privileged accounts across the company only when absolutely essential, and consider time-based (just-in-time) rights to further limit their use.
- MSPs should apply this principle in both internal and customer environments, avoiding default administrative privileges.
- Customers should check that their MSP implements this idea in both the provider and customer networks.
Update Your Software
Organizations should keep firmware, operating systems, and applications up to date, prioritizing security patches for software with known exploited vulnerabilities.
- MSPs should apply updates to their internal networks as promptly as feasible.
- Customers should understand their MSP's software update policy and insist that thorough and timely updates be delivered on a regular basis.
Data and Backup Systems
Backups, including “gold images” of essential systems in case they need to be rebuilt, should be updated and tested on a regular basis. Backups should be kept isolated from network connections that could allow ransomware to propagate; many ransomware variations try to locate and encrypt/delete accessible backups. Isolating backups allows systems and data to be restored to their prior condition in case they are encrypted by ransomware.
- MSPs should back up internal data as well as customer data on a regular basis (where contractually permissible) and keep offline backups encrypted with separate offline encryption keys. Providers should also encourage customers to create secure, offsite backups and to exercise their recovery capabilities.
- Customers should make sure that their contract includes backup services that match their resilience and disaster recovery needs. Customers should specifically request that their MSP implement a backup solution that automatically and continuously backs up critical data and system configurations and stores backups in an easily accessible location, such as a cloud-based solution or a location that is isolated from the corporate network.
Prepare and Practice Incident Response and Recovery Plans
All organizational stakeholders, including CEOs, technical leads, and procurement officials, should have roles and duties in incident response and recovery plans. Organizations should keep hard copies of plans up to date so that responders may access them if the network is down.
- MSPs should create and test internal incident response and recovery strategies on a regular basis, and customers should do the same.
- Customers should make sure that their contracts include incident response and recovery plans that suit their resilience and disaster recovery needs, and must ensure that these plans are tested on a regular basis.
Supply Chain Risk Management
Using risk assessments to identify and prioritize resource allocation, all businesses should proactively manage ICT supply chain risk across security, legal, and procurement divisions.
- MSPs should be aware of their own supply chain risk and how to manage the hazards that this poses to their clients.
- Customers should be aware of the supply chain risks connected with their MSP, especially those posed by third-party vendors or subcontractors. They should also establish clear network security expectations with their MSPs and understand the level of access their MSP has to their network and data. Customers should also ensure that their contractual arrangements meet security requirements and that their contract specifies whether the MSP or the customer is responsible for specific responsibilities like hardening, detection, and incident response.
Authentication and Authorization Management
All organizations should follow best practices for password and authorization management. A burst of failed authentication attempts immediately after an account's password is changed can indicate that the account had been compromised and someone is still trying the old credential, so organizations should monitor logs for unexpected failed authentication attempts.
- MSPs should verify that the customer limits MSP account access to MSP-managed systems.
- Customers should not place MSP accounts in internal administrator groups, but rather limit MSP accounts to MSP-managed systems. Following the principle of least privilege, grant access and administrative permissions only to those who need them. Through audits, customers should verify that MSP accounts are used only for their intended purposes and activities, and that they are disabled when not in use.
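The two log-based signals mentioned on this page, failed logins against an account right after its password was changed (this section) and password spraying (the "Prevent Initial Compromise" mitigations), can both be detected from ordinary authentication logs. The following is an added, illustrative example and not code from Heimdal or from the advisory. It assumes a simplified one-line-per-event log format of the form `<ISO timestamp> <event> user=<name> src=<ip>`; the log lines, thresholds and time windows are constructed for the example and should be tuned to your own telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry). Assumed format:
#   "<ISO timestamp> <event> user=<name> src=<ip>"
# Scenario 1: alice changes her password, then a remote host keeps failing
#             with the old credential.
# Scenario 2: one source tries one password against many different accounts
#             (password spraying), staying under per-account lockout.
SAMPLE_LOG = """\
2022-05-11T08:00:00 password-change user=alice src=10.0.0.5
2022-05-11T08:02:10 auth-fail user=alice src=203.0.113.7
2022-05-11T08:02:40 auth-fail user=alice src=203.0.113.7
2022-05-11T08:03:05 auth-fail user=alice src=203.0.113.7
2022-05-11T08:20:00 auth-ok user=alice src=10.0.0.5
2022-05-11T09:00:00 auth-fail user=bob src=198.51.100.9
2022-05-11T09:00:02 auth-fail user=carol src=198.51.100.9
2022-05-11T09:00:04 auth-fail user=dave src=198.51.100.9
2022-05-11T09:00:06 auth-fail user=erin src=198.51.100.9
2022-05-11T09:00:08 auth-fail user=frank src=198.51.100.9
2022-05-11T09:00:10 auth-fail user=grace src=198.51.100.9
2022-05-11T10:15:00 auth-fail user=bob src=10.0.0.22
2022-05-11T10:15:30 auth-ok user=bob src=10.0.0.22
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse log text into a time-sorted list of (timestamp, event, user, src)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts, kind, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), kind, user, src))
    events.sort(key=lambda e: e[0])
    return events


def failed_auth_after_password_change(events, window=timedelta(hours=1), threshold=3):
    """Return {user: failure_count} for users with at least `threshold` failed
    logins within `window` after a password change. Repeated failures right
    after a change suggest someone else still holds the old credential."""
    changes = [(ts, user) for ts, kind, user, _ in events if kind == "password-change"]
    suspects = {}
    for change_ts, user in changes:
        fails = [ts for ts, kind, u, _ in events
                 if kind == "auth-fail" and u == user
                 and change_ts < ts <= change_ts + window]
        if len(fails) >= threshold:
            suspects[user] = len(fails)
    return suspects


def detect_password_spraying(events, window=timedelta(minutes=10),
                             min_users=5, max_per_user=2):
    """Return {src: [users]} for sources that fail against at least `min_users`
    distinct accounts within `window`, with no more than `max_per_user`
    attempts per account (the low-and-slow pattern that evades lockout)."""
    by_src = defaultdict(list)
    for ts, kind, user, src in events:
        if kind == "auth-fail":
            by_src[src].append((ts, user))  # already time-sorted
    flagged = {}
    for src, fails in by_src.items():
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, u in fails[i:]:
                if ts - start <= window:
                    counts[u] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = sorted(counts)
                break
    return flagged


def analyze(text):
    """Run both detections over a log and return their findings."""
    events = parse_log(text)
    return {
        "old_credential_reuse": failed_auth_after_password_change(events),
        "password_spraying": detect_password_spraying(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

The two detections deliberately use different keys: the post-change check is per account, since the attacker may come from anywhere, while the spraying check is per source, since the whole point of spraying is to spread attempts across accounts. On real data, feed the MSP's own account names into both and alert on any hit involving an MSP account, which the advisory asks customers to monitor and audit specifically.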
How Can Heimdal Help?
Threat prevention is critical to your organization’s cybersecurity because it is an efficient approach to building numerous levels of proactive defense. As cyber attackers get more sophisticated, so should the methods we deploy to combat them. This is where Heimdal comes into play.
To keep its assets well protected, a company should have the proper tools in place. Take, for instance, Heimdal Threat Prevention, a DNS traffic filtering product aimed at identifying emergent and hidden threats. Heimdal's security suite also includes products focused on other areas, such as ransomware encryption protection, patch management, and email security.
If you’re ready to take your digital defense to the next level, you can always contact us or book a demo to schedule a free consultation with one of our security specialists.