MSPs are charged with protecting their customers from cyberthreats. Even if you’re not primarily in the security business, SMBs often don’t draw the distinction; they just assume you’ll handle all things IT, including security.
Cybercriminals frequently innovate their tradecraft, share knowledge with other criminals, and even rent out sophisticated malware services. This means you’ll have to keep up with the latest security tools to make sure you’re adequately reducing security risks.
In this blog and the next one in the series, we’ll cover some trends in cybercrime and offer a layered security model you can use to help protect your customers’ data.
As mentioned, cybercriminals frequently innovate. While many threats use older, tried-and-true methods, some hackers and criminals have moved cybercrime forward by either creating new attacks or building variations on older standards.
That said, let’s take a quick look at a few developments:
- Ransomware: Cybercriminals still use traditional ransomware to encrypt machines and data. But with the Maze ransomware attack, we saw cybercriminals threaten to breach and release data if victims didn’t pay a ransom. This puts additional pressure on victims to pay.
- Attack vectors: While email remains a top attack vector, we’ve seen criminals increasingly shift toward attacks using open internet-facing ports, particularly remote desktop protocol (RDP). This shift predated the pandemic, but was particularly devastating as organizations increasingly shifted to remote work.
- Fileless attacks: Most antivirus programs are built to scan only files. To counteract this, cybercriminals have increasingly used fileless attacks that run in system memory so AV programs can’t catch them. A fileless attack may leverage admin tools such as PsExec or PowerShell, which most systems pre-approve, to gain persistence or cause damage.
- Attacks on MSPs: Finally, we’ve seen cybercrime increasingly aimed at MSPs, IT providers, and security providers. Criminals know that if they compromise one MSP, they can often gain access to data for multiple businesses. As a result, MSPs need to pay increasing attention to their own internal security. In some cases, MSPs may wish to hire an external MSSP to watch their internal network or run periodic pen tests to help further reduce risk.
The theme behind most of these is that cybercriminals have increasingly found ways to bypass defenses. For example, Maze ransomware renders backup and recovery moot, since restoring your data does nothing about the threat to release it, so you’ll have to focus more on preventing ransomware than on recovery (although backup and recovery are still extremely important, especially for traditional ransomware, which still comprises the bulk of attacks). Fileless attacks seek to go around AV and often use pre-approved administrative tools, so traditional antivirus programs may be unable to catch these attacks.
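To make the fileless point concrete, here is an added example (not from the original post) of behaviour-based checks that look at how PowerShell and PsExec are launched rather than scanning files. The event records are constructed, their field names are modelled on Sysmon process-creation events, and the rule names are hypothetical.

```python
# Constructed process-creation records; field names are modelled on Sysmon
# Event ID 1, and every host, path and command line is invented.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe report.txt"},
    {"host": "ws-02",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -enc QQBCAEMA"},
    {"host": "srv-01", "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"host": "ws-03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def has_encoded_flag(cmd):
    # PowerShell accepts -ec and any prefix of -EncodedCommand (-e, -enc, ...).
    for tok in cmd.split():
        name = tok[1:].lower()
        if tok[0] in "-/" and name and (
                name == "ec" or "encodedcommand".startswith(name)):
            return True
    return False

def findings(event):
    """Return the (hypothetical) rule names one event trips."""
    image, parent = basename(event["image"]), basename(event["parent"])
    hits = []
    if image in POWERSHELL and parent in OFFICE_PARENTS:
        hits.append("powershell-from-office")
    if image in POWERSHELL and has_encoded_flag(event["cmd"]):
        hits.append("powershell-encoded-command")
    if parent == "psexesvc.exe":  # service-side binary PsExec installs
        hits.append("psexec-remote-exec")
    return hits

def triage(events):
    """Map host -> rules tripped, omitting events with no findings."""
    return {e["host"]: findings(e) for e in events if findings(e)}

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(hits))
```

Because MSP tooling itself often uses PsExec and PowerShell, hits like these need to be baselined against your own known-good administration activity before they are treated as alerts.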
The bottom line is this—the bar for security continues to rise.
Another important trend to mention involves the use of multi-stage attacks. Walking through the full attack chain for Ryuk ransomware, for example, can help illustrate the importance of multiple security layers to hesitant prospects or customers.
To briefly summarize, most attacks cross multiple levels to be effective. The benefit, however, is that this gives you multiple opportunities to prevent, stop, or recover from an attack.
For example, a common attack could start at the internet level with a malicious email. Here, a good email security solution can attempt to filter out the malicious email. If it slips past, the attack still requires a user to click on the malicious link; hopefully, their security training will remind them to think twice before clicking. If that check doesn’t work, you could have an endpoint detection and response (EDR) solution note malicious behavior from the downloaded file, then quickly take action on your behalf.
The layers you need
To begin enhancing your security posture, it helps to have a framework in mind. Similar to the OSI model for networking, thinking in terms of the different levels at which an element of an attack can occur gives you a better chance of troubleshooting and, in the case of security, placing the right defenses.
While there are multiple frameworks out there to conceptualize attacks, we’ll present a simple one here.
It’s worth noting that data sits at the center of the model. In most cases, this is what cybercriminals aim for—to access data and either steal and resell it or encrypt it for a ransom. As a result, your goal is to stop attacks as far away from data as possible.
In other words, it’s important to have internet-layer protections to stop threats before they get to the network or device level. Doing so increases your chances of protecting that all-important data for your customers.
Around this data, we have five layers: device, application, people, network, and internet. Each layer has specific protections you can add to stop an attack from reaching data. You’ll also notice that recoverability sits outside of this model: backups don’t necessarily help with prevention, but they are absolutely essential during incident response and recovery. They need to be part of any security stack.
In part two of this series, we’ll cover what actually goes into each of these layers. You’ll get practical advice for the basics of handling each layer for your customers.