The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with four international security organizations including the United Kingdom’s National Cyber Security Centre (NCSC-UK), issued an advisory to help managed service providers (MSPs) and customers secure sensitive data.
The advisory is aimed at raising organizations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk.
Malicious actors are increasingly targeting MSPs through a variety of cyberattacks, looking for weak points on vulnerable devices and internet-facing services.
They’re deploying methods from password spraying and phishing to what the advisory called “brute force” to gain access and wreak havoc on organizations.
An attack on an MSP can have wide-ranging consequences, as they are often used as a launchpad for broader attacks on the MSP’s customer networks within the businesses they support.
“MSPs have privileged access to many customers,” said John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company. “Why hack one victim when you can hack hundreds or thousands for the cost of one hack?”
He explained a data breach at an MSP isn’t simply a data breach at an MSP, but rather a data breach at all their customer sites; those customers likely had no real way to detect or prevent it.
“It’s a worst-case scenario from a legal liability point of view, as well,” he added.
Reducing MSP Risk
The advisory recommended actions organizations should take to reduce their risk, including the enablement of monitoring and logging, as well as the implementation of endpoint detection and network defense monitoring capabilities.
The recommendations cover actions such as preventing initial compromises and managing account authentication and authorization, as well as best practices for the development and exercising of incident response and recovery plans.
These should include roles and responsibilities for all organizational stakeholders, including executives, technical leads and procurement officers.
Bambenek said the first step MSPs need to take is to understand they are highly targeted entities, so they need to plan and deploy strong protections.
“Having a large insurance policy isn’t going to do that job,” he said. “All privileged access to their customer data needs to be highly regulated using MFA, behavioral detection and they need to manage their software, if applicable, to prevent unauthorized code changes.”
The advisory also recommended organizations use risk assessments to identify and prioritize the allocation of resources to better understand and proactively manage supply chain risk across security, legal and procurement groups.
Targeting Third-Party Partners
Phil Neray, vice president of cyber defense strategy at CardinalOps, a threat coverage optimization company, said going after MSPs is an increasingly common type of supply chain attack, where the adversary targets a trusted third-party to gain access to their end customer.
He explained one of the earliest examples of this was the 2013 Target breach, where the adversary stole legitimate credentials from an HVAC contractor to enter Target’s network via their supplier portal.
“It’s especially serious with MSPs because it gives threat actors privileged access to proprietary information stored in email, SharePoint and other systems, as well as the ability to disable security and IT monitoring tools that could alert the SOC to suspicious activity,” he said.
Neray added ransomware groups like Gold Southfield have used an MSP compromise to deliver REvil malware to MSP customers.
Gerardo Dada, CMO at Keeper Security, a provider of zero-trust and zero-knowledge cybersecurity software, said there are three specific areas where MSPs may lag and, therefore, where they should take immediate action:
The first is to implement zero-trust, zero-knowledge and least-privilege principles.
“These are not just buzzwords or concepts that only apply to large companies,” he said. “They are the foundation of good security practices.”
The second area deals with network segmentation, which requires isolating systems in discrete, software-defined networks or separate physical networks, to minimize the impact of a compromised system.
Dada pointed to identity security as the third area where MSPs should focus, as passwords and credentials are the primary targets of cybercriminals—whether these are human credentials or machine credentials like an API key or a database password.
“Every MSP should implement strict identity and access processes, password and secrets management and governance and 2FA for all systems—for everyone, including all their customers’ users and contractors,” he said.
He added that like most criminals, cybercriminals targeting MSPs will likely continue looking for the weakest link. Just like a robber will find the one house on the block that has no alarm system, a cybercriminal may target the MSP with the weakest security.
If they are targeting an organization, they will target the person with the weakest security processes: Contractors, interns or even people who are not technically sophisticated like administrative personnel, Dada said.
“There is also this concept of ‘blood in the water;’ when a particular attack or avenue of compromise is successful, more sharks will swarm,” Dada said. “We’ve seen some painfully successful MSP and third-party compromises. The attackers are pivoting to what is successful.”
The National Security Agency (NSA), and Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the New Zealand National Cyber Security Centre (NZ NCSC) and the Canadian Centre for Cyber Security (CCCS) rounded out the list of security partners involved in drafting the advisory.