It started with reports from Department of Homeland Security about a few managed services providers (MSPs) who were compromised, allowing threat actors to use their remote access as a pathway to multiple customers. At first, these appeared to be sophisticated, state-sponsored threat actors with specific targets in mind. Then a few more reports trickled in, where less sophisticated actors (more opportunistic cybercriminals) started to follow suit. While one small or medium-sized business might not be a valuable target, access to several through an MSP means cybercriminals could find a more valuable “needle in the haystack” in an MSP’s customer base. For example, gaining access to a doctor’s office or other healthcare provider through an MSP could grant bad actors access to health records, which can sell for up to $1,000, according to Becker’s Hospital Review.
Capitalizing on the trend
Next came the real opportunists—the ransomware criminals. Once this method of compromise was in the media, threat actors realized they could use the same tactics and procedures. Usually, ransomware attacks consist of gaining access to credential sets acquired through one of the many public data breaches and capitalizing on the fact that many humans like to reuse passwords across multiple accounts and services, and don’t always turn on two-factor authentication (2FA) like they should.
Cybercriminals use those credentials to access an MSP’s remote management solution. From there, they have remote access to multiple networks where they can install ransomware and start encrypting data. This presents two opportunities to get paid: either by the business that is compromised, or the MSP that wants to keep their reputation.
Even worse, the threat of lost data is now only one component. The bad actors are exfiltrating some of the data they have access to and threatening to release it if they are not paid, as Brian Krebs recently reported. This means that having backups in place can get the business back up and running with some effort, but the risk of a breach and reputation loss still looms if the ransom is not paid. While it is critical to have backups, this new trend stresses that prevention using layered security and best practices is more important than ever.
Get your house in order first
Since the MSP is in fact the supply chain risk in this scenario, it is becoming more likely that customers will start asking what you are doing to mitigate the risk of this happening to them. This starts with ensuring your own house is in order from a security standpoint. Here are nine key things you should do:
- Implement or augment layered security solutions in your own network.
- Monitor critical systems for anomalies or unauthorized access attempts (or partner with a specialized MSSP to monitor your own network).
- Ensure your own employees are trained on the tactics used by bad actors—attachments, phishing, vishing, business email compromise, etc.—so they are not the source of the first foothold.
- Operate on a least privilege model with all credentials. Your techs should only have the level of access that is required to complete the task at hand.
- Update any internal, on-premises systems you use to support your customers. Some of these attacks started by exploiting a vulnerability in an internal system.
- Ensure 2FA is leveraged in all systems that support it.
- Require strong passwords and use a password manager to maintain credentials and who has access to them.
- Ensure your customers have a defined mechanism to report suspicious behavior so you can quickly assess the risk level.
- Develop an incident response and communication plan with your customers so they will be aware of higher risk during an incident, should one occur.
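As an added example (not code from the original post or from any RMM vendor), here is a small detector that applies the monitoring and 2FA items above to a remote management platform's authentication log: it flags successful logins that skipped 2FA, and a single technician account fanning out to many customer tenants in a short window from a source IP it has never used before, which is the credential-reuse pattern described earlier. The log format, field names, thresholds and sample lines are all assumptions constructed for this example.

```python
# Added example (not from the original post): detects, over an MSP remote
# management (RMM) authentication log, two signals from the checklist above:
# successful logins that skipped 2FA, and one technician account fanning out
# to many customer tenants from an IP it never used before.
# Log format, field names and thresholds are assumptions, not a vendor schema.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp user src_ip tenant result mfa
SAMPLE_LOG = """\
2020-01-06T08:01:10 tech.alice 203.0.113.10 clinic-a success mfa=yes
2020-01-06T08:02:31 tech.alice 203.0.113.10 lawfirm-b success mfa=yes
2020-01-06T22:14:02 tech.bob 198.51.100.7 clinic-a failure mfa=no
2020-01-06T22:14:40 tech.bob 198.51.100.7 clinic-a success mfa=no
2020-01-06T22:15:05 tech.bob 198.51.100.7 dentist-c success mfa=no
2020-01-06T22:15:50 tech.bob 198.51.100.7 lawfirm-b success mfa=no
2020-01-06T22:16:12 tech.bob 198.51.100.7 retail-d success mfa=no
"""

def parse_line(line):
    ts, user, ip, tenant, result, mfa = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "tenant": tenant, "ok": result == "success",
            "mfa": mfa == "mfa=yes"}

def analyze(log_text, known_ips=None, max_tenants=3,
            window=timedelta(minutes=10)):
    """Return (user, reason) alerts; known_ips maps user -> IPs used before."""
    known_ips = known_ips or {}
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts, per_user = [], defaultdict(list)
    for e in events:
        if not e["ok"]:
            continue  # a lone failure is not alerted on in this example
        if not e["mfa"]:
            alerts.append((e["user"], f"login without 2FA to {e['tenant']} "
                                      f"from {e['ip']}"))
        per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window over successes
            if first["ip"] in known_ips.get(user, set()):
                continue  # IP already seen for this account: not a fan-out
            tenants = {x["tenant"] for x in evs[i:]
                       if x["ts"] - first["ts"] <= window}
            if len(tenants) >= max_tenants:
                alerts.append((user, f"{len(tenants)} tenants within "
                                     f"{window} from new IP {first['ip']}"))
                break
    return alerts
```

Feeding the real RMM log and a baseline of each technician's usual source IPs into `analyze` is where this becomes useful; the thresholds should be tuned to how many customers a tech normally touches in a session.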
Communicate to your customers
Once you have your plan in place, ensure you put together some documentation on your cybersecurity practices so you can set your customers’ minds at ease. This documentation should include how you protect your own assets, how you protect access to your customers’ assets and credentials, and your expectations on how your customers should partner with you to ensure their security is up to today’s standards. In fact, it’s a good idea, as we start 2020, to be proactive and engage all your customers’ stakeholders with references to some of the recent attacks that have been taking place—it’s likely they have already seen some of it in the news. Then explain what you are doing to reduce the risks of these types of attacks in your environment, and what you will be recommending for improving their protection as well. This should include the same practices and services you are using to stay secure.
New year, new security you
This malicious activity shows no sign of stopping, so now’s the perfect time to sit down and look at enhancements to your security practices and offerings, and make changes where appropriate. If people have been reluctant to invest in their own security, this is also an excellent opportunity to revisit and adjust your relationship with all your customers when it comes to your offerings. Since security is a shared responsibility, your customers rely on you to effectively design, implement, and monitor security solutions, and train them on best practices to adopt. After all, you are the expert, which is why they hired you in the first place!
Setting the stage for a secure 2020 will allow you to sleep a little easier and let your customers know your success (and your risk) is tied directly to theirs. Let’s stay safe out there.
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd