A Joint Advisory released today by members of the Five Eyes intelligence alliance warned MSPs and their customers that they’re being targeted by supply chain attacks. Excerpts:
This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. This advisory describes cybersecurity best practices for information and communications technology (ICT) services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data.
Among many recommendations, the advisory recommends the following preventive measures and provides links to resources.
- Improve security of vulnerable devices
- Protect internet-facing services
- Defend against brute force and password spraying
- Defend against phishing
- Enable/improve monitoring and logging processes.
- Enforce multifactor authentication (MFA).
- Manage internal architecture risks and segregate internal networks.
- Apply the principle of least privilege.
- Deprecate obsolete accounts and infrastructure.
We are glad that the advisory comes with specific tactical measures as guidance. Digging into the advisory details, we see a common theme around protection from password-centric attacks (brute force, spraying, phishing, lack of MFA, re-enrollment and account recovery). The report also emphasizes that MSPs should enforce MFA with their upstream service providers as well.
Research has shown that users with MFA enabled are up to 99% less likely to be compromised, yet adoption remains low. We believe that implementing MFA across an organization is a first step; for it to succeed, the following should be taken into account:
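The advisory's "defend against brute force and password spraying" and "enable/improve monitoring and logging" items meet in the detection logic below. It is an added example, not code from the advisory or from this post, and it assumes a constructed authentication log format (`timestamp auth=OK|FAIL user=... src=...`); real sources such as Windows 4625 events, sshd or IdP audit logs need their own parser but supply the same fields. The two patterns it separates are the ones the advisory names: one source failing against many different accounts (spraying) versus one source hammering a single account (brute force).

```python
"""Password-spraying and brute-force detector over authentication log lines.

Added example: sliding-window counting per source address. Spraying shows up
as many distinct usernames from one source inside the window; brute force as
many failures against one username from one source. Thresholds are
illustrative assumptions, not values from the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format for this example (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "result": m["result"],
        "user": m["user"].lower(),   # normalise case so Alice and alice count once
        "src": m["src"],
    }


def detect(lines, window=timedelta(minutes=10), spray_users=5, brute_attempts=8):
    """Return {src: {"spray": n_users, "brute": (user, n_fails)}} for sources over threshold."""
    fails = [e for e in map(parse_line, lines) if e and e["result"] == "FAIL"]
    fails.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in fails:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        max_users = 0              # most distinct accounts seen in any one window
        max_user_hits = ("", 0)    # single account with the most failures in any one window
        start = 0
        for end, e in enumerate(evs):
            # slide the window start forward so evs[start:end+1] spans at most `window`
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for w in evs[start:end + 1]:
                per_user[w["user"]] += 1
            max_users = max(max_users, len(per_user))
            top = max(per_user.items(), key=lambda kv: kv[1])
            if top[1] > max_user_hits[1]:
                max_user_hits = top
        result = {}
        if max_users >= spray_users:
            result["spray"] = max_users
        if max_user_hits[1] >= brute_attempts:
            result["brute"] = max_user_hits
        if result:
            findings[src] = result
    return findings


def _constructed_lines(src, start, step, users):
    """Build constructed FAIL lines: one per user, `step` apart, from `src`."""
    t0 = datetime.strptime(start, TS_FMT)
    return [f"{(t0 + i * step).strftime(TS_FMT)} auth=FAIL user={u} src={src}"
            for i, u in enumerate(users)]


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = (
    # spray: six accounts, one failure each, within three minutes
    _constructed_lines("203.0.113.5", "2024-05-11T10:00:00Z", timedelta(seconds=30),
                       ["alice", "bob", "carol", "dave", "erin", "frank"])
    # brute force: ten failures against one account within 90 seconds
    + _constructed_lines("198.51.100.7", "2024-05-11T11:00:00Z", timedelta(seconds=10),
                         ["admin"] * 10)
    # low-and-slow spray: same six accounts, one attempt per hour (evades a 10-minute window)
    + _constructed_lines("203.0.113.77", "2024-05-11T12:00:00Z", timedelta(hours=1),
                         ["alice", "bob", "carol", "dave", "erin", "frank"])
    # benign: a user mistypes twice and then succeeds
    + ["2024-05-11T13:00:00Z auth=FAIL user=bob src=192.0.2.9",
       "2024-05-11T13:00:20Z auth=FAIL user=bob src=192.0.2.9",
       "2024-05-11T13:00:40Z auth=OK user=bob src=192.0.2.9"]
)

if __name__ == "__main__":
    for src, finding in detect(SAMPLE_LOG).items():
        print(src, finding)
```

Run as-is, the script flags 203.0.113.5 as a spray of 6 accounts and 198.51.100.7 as brute force against `admin`, while the low-and-slow source 203.0.113.77 goes unflagged until the window is widened to several hours. That gap is the point: window-based detection catches the noisy cases, and the slow ones are why the advisory pairs logging with MFA rather than relying on detection alone.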
- MFA needs to be easy to deploy and use
- MFA should be easy to use and not introduce friction
- MFA should incorporate both active and passive mechanisms to allow fast access
- MFA should incorporate application and user behavior to reduce cumbersome static policy
For a mature organization we recommend eliminating as many passwords as possible in parallel with MFA, especially for sensitive customer management accounts. Removing passwords eliminates all of the password-centric attacks in the advisory, i.e. brute force, password spraying, phishing, and knowledge-based account recovery.
Supply chain attacks are always a concern, but even more so when thinking of the access given to IT managed service providers. MSPs provide a single entry point to a bevy of targets, not stopping at the MSP's direct customers but extending to their customers' customers. This is the true threat of a supply chain attack: many small to medium enterprises have made the business decision to outsource their IT functions. This approach is extremely cost effective and provides a greater ability to meet the ever-changing and growing needs of the organization in an economical manner. However, if that MSP does not secure itself against compromise, it puts all systems downstream at risk. It would be like contaminating the entire Mississippi River by simply dumping poison in Lake Itasca in Minnesota.
MSPs are also trying to pivot into security functions for their customers, which increases the concern of a lack of focus. We can't be all things to all people without diminishing our ability to be excellent in areas of focus. IT and Security are natural siblings in technology services, but they are each complex topics requiring a proper focus to do well, and should be leveraged as such.
MSPs are critical infrastructure as they support multiple end customers with private and public cloud and network infrastructure services. The FVEYs advisory specifically highlights state-sponsored advanced persistent threat (APT) groups who are likely to target MSPs for customer data, which can cascade into further cyber espionage or ransomware attacks. Such threat actors have sophisticated toolkits that can operate underneath the network session layer where VPN encryption usually takes place. This makes all network traffic flows vulnerable to Steal Now, Decrypt Later (SNDL) forms of man-in-the-middle (MITM) attacks.
MSPs should bolster their security operations with advanced threat detection and invest in military-grade network protection solutions to assure customer data protection. End customers and businesses should utilize a modern VPN that offers network obfuscation and multipathing capabilities, which enable data privacy, security, and virtual infrastructure resiliency even in the event the network provider "underlay" is compromised through such methods.
This should be no surprise to those who follow cybersecurity. The hackers go where the gold is. The move in the last decade has been to the cloud and, almost immediately following, to managed cloud security services (the MSSP). The MSSPs are a welcome force in the battle against cyber threats. The fact that a centralized group can share advanced tools and secure practices across their tenants is a positive for the industry. It is imperative that these groups stay on top of the latest trends and automation, especially around identity security.