Heimdal Security Blog

Hackers Are Going After Managed Security Providers

Australia, Canada, New Zealand, the United Kingdom, and the United States are the members of the intelligence partnership known as the “Five Eyes” (FVEY). These nations are signatories to the multilateral UKUSA Agreement, a pact for coordinating their signals intelligence efforts.

Context

As BleepingComputer reports, the cybersecurity authorities of the Five Eyes (FVEY) nations have issued a joint warning to managed service providers (MSPs) and their customers: malicious actors are increasingly targeting MSPs as a supply-chain route into the networks of the customers they serve.

Cybersecurity and law enforcement organizations from the FVEY nations (NCSC-UK, ACSC, CCCS, NCSC-NZ, CISA, NSA, and FBI) have jointly published recommendations for managed service providers (MSPs) and their customers on protecting networks and sensitive data from the growing number of attacks aimed at providers.

Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity—such as ransomware and cyber espionage—against the MSP as well as across the MSP’s customer base.

The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities have previously issued general guidance for MSPs and their customers. This advisory provides specific guidance to enable transparent, well-informed discussions between MSPs and their customers that center on securing sensitive information and data. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community.

Source: the joint Five Eyes advisory

Recommendations: What Should MSPs and Their Customers Do?

The advisory pairs its warning with specific measures for securing sensitive information and data. It frames them around transparent discussions between MSPs and their customers, in which both sides re-evaluate security processes and contractual commitments so that they match the customer's level of risk tolerance.

The FVEY is actually signaling just the distant sound of a dynamite blast — the true cyberwar is getting closer by the day. MSPs are a critical line of defense for their clients – more than 60% of businesses use an MSP for at least one operation, so it’s obvious that the cybercriminals would have turned to this sooner or later – the stakes are just too high. The frequency of attacks on MSPs rose by more than 65% between 2020 and 2021 – and will surely continue to grow – so I totally agree with FVEY; fighting hackers requires a collaborative effort from both MSPs and their clients. As for Heimdal, we are already working on systems that will revolutionize cybersecurity for MSPs and MSSPs, as well as our customers.

Morten Kjaersgaard, CEO, Heimdal™ Security

According to the UK, Australian, Canadian, New Zealand, and US cybersecurity authorities, MSPs and their customers should apply the baseline security measures and operational controls described below. Customers should also verify that their contracts with the MSP explicitly require these safeguards and controls to be implemented.

Prevent Initial Compromise

Malicious cyber actors compromise MSPs by exploiting insecure devices and internet-facing services, by brute-forcing credentials, and through phishing. MSPs and their customers should mitigate each of these initial-access methods; the advisory links to mitigation resources for each of them.

Improve and Enable Monitoring and Logging Operations

Because a compromise can go undetected for months, the FVEY cybersecurity authorities advise all organizations to retain their most important logs for at least six months. Organizations should implement and maintain a segregated logging regime to detect threats on the network, whether through a comprehensive security information and event management (SIEM) system or discrete logging tools. Alongside application allowlisting/denylisting, they should establish endpoint detection and network defense monitoring capabilities, either through contractual arrangements with an MSP or on their own.

Enforce Additional Access Methods such as Multifactor Authentication (MFA)

To harden the infrastructure that provides access to networks and systems, organizations should secure remote access applications and enforce multifactor authentication wherever possible.
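For readers who want to see what the second factor actually does on the server side, here is an added example (not code from the advisory or from Heimdal) of a TOTP verifier built from the Python standard library: HOTP per RFC 4226, TOTP per RFC 6238, a one-step clock-drift window, constant-time comparison, and replay protection so that a phished code cannot be reused. The secret and timestamps are the public RFC test vectors, not real credentials; the class name, window size and digit count are choices made for this example.

```python
"""Server-side TOTP (RFC 6238) on top of HOTP (RFC 4226), standard library only.

Added example for the MFA recommendation above; it is not code from the
advisory or from Heimdal.  The secret and timestamps used by the demo are the
public RFC test vectors, not real credentials."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a counter value: HMAC-SHA1, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # RFC 4226 section 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the number of `step`-second intervals elapsed."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Verifies a submitted code against the shared secret.

    - accepts codes from +/- `window` steps to tolerate clock drift;
    - remembers the newest accepted step so the same code cannot be replayed
      within its validity period (a phished code works at most once, and only
      if the attacker beats the legitimate user to it);
    - compares in constant time so the check leaks nothing about partial matches.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1

    def verify(self, candidate: str, unix_time: Optional[int] = None) -> bool:
        if not (candidate.isascii() and candidate.isdigit()):
            return False
        now = int(time.time()) if unix_time is None else unix_time
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue            # this step (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.secret, step, self.digits), candidate):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Demo at the RFC 6238 reference time 59 (time step 1) with 8-digit codes.
    v = TotpVerifier(RFC_TEST_SECRET, digits=8)
    code = totp(RFC_TEST_SECRET, 59, digits=8)
    print(code, v.verify(code, 59), v.verify(code, 59))   # 94287082 True False
```

The drift window is deliberately small: every extra step you accept widens the interval during which a captured code is still valid, so one step either side (90 seconds in total) is a reasonable default for a remote-access gateway.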

Manage Internal Architecture Risks and Network Segregation

Organizations should understand their environment and segment their networks. To limit the impact of a compromise across the organization, identify, group, and isolate critical business systems and apply appropriate network security controls to them.

Employ the Principle of Least Privilege (POLP)

The principle of least privilege (POLP), also called the principle of least authority (POLA) or the principle of minimal privilege (POMP), is the practice of granting a user only the minimum access required to perform an assigned task.

Organizations should apply least privilege throughout their network environment and update privileges immediately when administrative roles change. They should use a tiering model for administrative accounts so that those accounts do not receive access or privileges they do not need, use fully privileged accounts across the organization only when absolutely essential, and consider time-based rights to limit their use further.
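To make the tiering model and time-based rights concrete, here is an added example (not code from the advisory or from Heimdal) of a small policy engine: administrative credentials are bound to a tier (0 for identity systems, 1 for servers, 2 for workstations), a more privileged credential is never allowed on a less trusted host, and a less privileged account can only administer a higher-tier host through a time-boxed grant. The account names, host names and logon events are constructed for the example, and the three-tier layout is one common arrangement rather than something the advisory prescribes.

```python
"""Administrative tiering with time-boxed (just-in-time) elevation.

Added illustration of the tiering and time-based rights described above; it is
not code from the advisory or from Heimdal.  The accounts, hosts and logon
events below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

TIER0, TIER1, TIER2 = 0, 1, 2   # identity systems / servers / workstations


def ts(s: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' stamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Account:
    name: str
    tier: int                 # the only tier this credential may be used on by default


@dataclass
class Grant:
    """Temporary right for `account` to administer `host` between `starts` and `expires`."""
    account: str
    host: str
    starts: datetime
    expires: datetime


@dataclass
class Policy:
    accounts: Dict[str, Account]
    hosts: Dict[str, int]                       # host name -> tier
    grants: List[Grant] = field(default_factory=list)

    def elevate(self, account: str, host: str, minutes: int, now: datetime) -> Grant:
        """Issue a time-boxed grant instead of a standing privileged account."""
        grant = Grant(account, host, now, now + timedelta(minutes=minutes))
        self.grants.append(grant)
        return grant

    def check_logon(self, account: str, host: str, now: datetime) -> Tuple[bool, str]:
        acct_tier = self.accounts[account].tier
        host_tier = self.hosts[host]
        if acct_tier == host_tier:
            return True, "same tier"
        if acct_tier < host_tier:
            # A more privileged credential used on a less trusted host can be
            # harvested there and replayed upward; no grant can make this safe.
            return False, f"tier-{acct_tier} credential exposed on tier-{host_tier} host"
        matching = [g for g in self.grants if g.account == account and g.host == host]
        for g in matching:
            if g.starts <= now < g.expires:
                return True, f"JIT grant active until {g.expires.isoformat()}"
        if matching:
            return False, "JIT grant expired or not yet active"
        return False, "no grant for this host"


def audit(policy: Policy, events: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Replay logon events (time, account, host) and return those the policy denies."""
    denied = []
    for when, account, host in events:
        ok, reason = policy.check_logon(account, host, ts(when))
        if not ok:
            denied.append((when, account, host, reason))
    return denied


def demo_policy() -> Policy:
    policy = Policy(
        accounts={"da-alice": Account("da-alice", TIER0),      # domain admin
                  "srvadmin-bob": Account("srvadmin-bob", TIER1),
                  "carol": Account("carol", TIER2)},            # standard user
        hosts={"dc01": TIER0, "app01": TIER1, "ws-carol": TIER2, "ws-bob": TIER2},
    )
    # carol is approved to patch app01 for one hour, starting 09:15.
    policy.elevate("carol", "app01", minutes=60, now=ts("2024-05-01T09:15:00Z"))
    return policy


SAMPLE_EVENTS = [  # constructed logon events: (time, account, host)
    ("2024-05-01T09:00:00Z", "da-alice", "dc01"),        # allowed: tier 0 on tier 0
    ("2024-05-01T09:05:00Z", "da-alice", "ws-carol"),    # denied: tier-0 creds on a workstation
    ("2024-05-01T09:10:00Z", "carol", "app01"),          # denied: grant not active yet
    ("2024-05-01T09:20:00Z", "carol", "app01"),          # allowed: inside the JIT grant
    ("2024-05-01T10:30:00Z", "carol", "app01"),          # denied: grant expired at 10:15
    ("2024-05-01T10:40:00Z", "srvadmin-bob", "ws-bob"),  # denied: server admin on a workstation
]

if __name__ == "__main__":
    for entry in audit(demo_policy(), SAMPLE_EVENTS):
        print(*entry)
```

Running the same check_logon() over an export of real logon events is a cheap way to find where the tiering model is being bypassed in practice, which is usually by administrators using their privileged account on their own workstation.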

Update Your Software

Organizations should keep firmware, operating systems, and applications up to date, and should prioritize security patches for software with known exploited vulnerabilities.

Data and Backup Systems

Backups, including “gold images” of critical systems for rebuilding them if necessary, should be updated and tested regularly. Backups should be kept isolated from network connections that could allow ransomware to spread, since many ransomware variants try to locate and encrypt or delete any backups they can reach. Isolated backups allow systems and data to be restored to their prior state if they are encrypted by ransomware.

Prepare and Practice Emergency Reaction and Recovery Plans

Incident response and recovery plans should assign roles and duties to all organizational stakeholders, including executives, technical leads, and procurement officials. Organizations should keep up-to-date hard copies of the plans so that responders can access them if the network is down.

Supply Chain Risk Management

All organizations should proactively manage ICT supply chain risk across their security, legal, and procurement functions, using risk assessments to identify and prioritize where resources are allocated.

Authentication and Authorization Management

All organizations should follow best practices for password and authorization management. Failed authentication attempts immediately after an account's password has been changed can indicate that the account was compromised, because whoever held the old credential is now failing to use it; organizations should therefore monitor logs for unexpected failed authentication attempts.
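The monitoring point above, and the brute-force initial-access method discussed under “Prevent Initial Compromise”, both come down to the same kind of detection logic run over authentication logs. The following added example (not code from the advisory or from Heimdal) implements both signals over a constructed key=value log format: a sliding-window count of failed logins per source, and failed logins inside a short window after a successful password change for the same account. The thresholds, the log format and the sample lines are constructed for the example; the parser is the only part that has to change for a real source such as a SIEM export, sshd logs or Windows logon events.

```python
"""Two detections over authentication logs:
  1. brute force: at least `burst_threshold` failed logins from one source
     inside a sliding `burst_window`;
  2. failed logins within `post_change_window` after a successful password
     change for the same account (the old credential is still being tried).

Added example for the brute-force and authentication-monitoring points above;
it is not code from the advisory or from Heimdal.  The key=value log format and
the sample lines are constructed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<kv>.*)$")
REQUIRED = {"user", "src", "event", "result"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    ev.update(re.findall(r"(\w+)=(\S+)", m["kv"]))
    return ev if REQUIRED.issubset(ev) else None


def detect(lines, burst_threshold: int = 5,
           burst_window: timedelta = timedelta(seconds=60),
           post_change_window: timedelta = timedelta(minutes=15)) -> List[dict]:
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings: List[dict] = []
    recent_fail: Dict[str, Deque[datetime]] = defaultdict(deque)   # src -> failure times
    burst_reported = set()
    last_change: Dict[str, datetime] = {}
    post_change: Dict[str, dict] = {}

    for e in events:
        if e["event"] == "password_change" and e["result"] == "ok":
            last_change[e["user"]] = e["ts"]
            continue
        if e["event"] != "login" or e["result"] != "fail":
            continue

        # 1. brute force: failures per source inside a sliding window
        q = recent_fail[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > burst_window:
            q.popleft()
        if len(q) >= burst_threshold and e["src"] not in burst_reported:
            burst_reported.add(e["src"])          # report each source once
            findings.append({"type": "brute_force", "src": e["src"],
                             "count": len(q), "last_seen": e["ts"].isoformat()})

        # 2. failures shortly after the account's password was changed
        changed = last_change.get(e["user"])
        if changed is not None and e["ts"] - changed <= post_change_window:
            f = post_change.setdefault(e["user"], {"type": "post_password_change_failure",
                                                   "user": e["user"], "count": 0, "sources": set()})
            f["count"] += 1
            f["sources"].add(e["src"])

    for f in post_change.values():
        f["sources"] = sorted(f["sources"])
        findings.append(f)
    return findings


# Constructed sample: a password-spraying burst from 203.0.113.5, a benign typo
# by dave, and bob's old password being tried after he changed it.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z authsvc user=alice src=203.0.113.5 event=login result=fail
2024-05-01T08:00:04Z authsvc user=alice src=203.0.113.5 event=login result=fail
2024-05-01T08:00:09Z authsvc user=admin src=203.0.113.5 event=login result=fail
2024-05-01T08:00:15Z authsvc user=root src=203.0.113.5 event=login result=fail
2024-05-01T08:00:22Z authsvc user=alice src=203.0.113.5 event=login result=fail
2024-05-01T08:00:30Z authsvc user=alice src=203.0.113.5 event=login result=fail
2024-05-01T08:05:00Z authsvc user=dave src=198.51.100.20 event=login result=fail
2024-05-01T08:05:20Z authsvc user=dave src=198.51.100.20 event=login result=ok
2024-05-01T08:06:00Z kernel eth0 link up
2024-05-01T08:10:00Z authsvc user=bob src=198.51.100.7 event=password_change result=ok
2024-05-01T08:11:30Z authsvc user=bob src=192.0.2.44 event=login result=fail
2024-05-01T08:12:05Z authsvc user=bob src=192.0.2.44 event=login result=fail
2024-05-01T09:30:00Z authsvc user=bob src=192.0.2.44 event=login result=fail
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

Counting per source rather than per user is what catches password spraying, where each account sees only one or two failures; the post-change rule is most useful when the failing source differs from the one that performed the change, as in the sample, because that is the pattern of an attacker who lost access.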

How Can Heimdal Help?

Threat prevention is critical to your organization’s cybersecurity because it builds multiple layers of proactive defense. As attackers become more sophisticated, so must the methods used to stop them. This is where Heimdal comes in.

To keep its assets protected, a company needs the right tools in place. Heimdal Threat Prevention, for instance, is a DNS traffic filtering product that identifies emerging and hidden threats. Heimdal’s security suite includes further products for areas such as ransomware encryption protection, patch management, and email security.

If you’re ready to take your digital defense to the next level, you can always contact us or book a demo to schedule a free consultation with one of our security specialists.
