
MSP’s the new attack target

Scalable IT infrastructure enables MSP’s to quickly deploy updates, patches – and security vulnerabilities

In May 2022, cybersecurity and law enforcement agencies in the Five Eyes intelligence community announced an alarming global cybercrime trend. The most sophisticated cybercrime groups are beginning to specifically target managed service providers in order to gain access to their clients and users.

The Five Eyes intelligence alliance consists of state cybersecurity agencies in the United Kingdom, Canada, Australia, New Zealand, and the United States. These agencies share critical data with one another to improve the speed and accuracy of their security forecasts.

The cybercrime industry’s shift towards targeting managed service providers (MSP’s) underscores the value of scalability in supply chain attacks. Successfully compromising an MSP means gaining easy access to that vendor’s entire portfolio.

This is a marked departure from the enterprise-driven cybercrime strategy of previous years. By targeting MSP’s, cybercriminals can quickly deploy scalable, high-volume exploits to vulnerable organizations that have placed their trust in compromised MSP’s. This enhances the reach and disruption of cyberattacks, without significantly impacting how much they cost to carry out. BlackFog expects this trend to continue well into 2022 and beyond.

Cybercrime MSP Statistics for 2022: What the Numbers Say

According to a March 2022 research report on the threat landscape, MSP’s are under more pressure than ever before. Cybercriminals are paying close attention to these developments and are continuously looking for easier ways to monetize their activities.

  • Nine out of ten MSP’s have suffered a successful cyberattack in the last 18 months. The same proportion have seen the number of attempted attacks increase on a monthly basis.
  • MSP’s now prevent an average of 11 cyberattacks per month.
  • Automated backup adoption is increasing at a steady rate, reaching 85% adoption at the time of the report; this offers baseline protection against ransomware attacks.
  • Multi-factor authentication is implemented by less than half of all MSP customers. This makes the majority of organizations vulnerable to compromised accounts and malicious insiders.
  • 46% of managed service providers that suffer cyberattacks end up losing business as a result.

These findings demonstrate that while many organizations are advancing their security posture, the majority are still vulnerable to advanced cyberattacks. This is especially true of organizations that entrust security to their service providers and neglect to carefully validate how those providers actually treat their data on a daily operational basis.

Don’t Assume Your MSP Will Handle it all

MSP’s often market themselves as a fully outsourced, one-stop solution for small businesses and enterprises. Many encourage customers to entrust them with all of their data, taking on full responsibility for the integrity and security of that data.

This is a profoundly risky move to make. But the responsibility for verifying MSP security capabilities falls on the customer – specifically, the CISO or CIO.

Some MSP’s invest heavily in securing their networks against external attack while others cut corners and pass on savings to their customers. It’s rarely possible to distinguish the former from the latter until after you’ve already signed an agreement with them and deployed their technology.

By then it may be too late. In order to prevent supply chain attacks, your organization must continue to shoulder responsibility for its security posture, even when outsourcing business processes to service providers.

This means carefully validating the behavior of MSP partners on your network. It means identifying and disabling inactive accounts and enforcing multi-factor authentication throughout the network. Organizations have to develop and maintain transparency when communicating with service providers about information security roles and responsibilities.

Zero Trust Architecture can Protect Against Supply Chain Attacks

Transparency is a key goal in the relationship between the organization and its MSP partner, but it isn’t the same as trust. Organizations should not offer permanent access privileges to their partners or skip authentication requirements for the sake of production. These are critical elements of zero trust architecture, and they offer valuable resilience against supply chain attacks.
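The checks described above (inactive accounts, missing multi-factor authentication, permanent privileged access for partners) can be run as a recurring audit over an account export. The following Python sketch is an added example, not code from the original post or from BlackFog; the CSV column names, the sample rows and the 90-day inactivity threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are hypothetical, not from any real product.
SAMPLE_EXPORT = """account,owner,last_login,mfa_enabled,privileged,access_expires
msp-helpdesk,msp,2022-05-28,true,false,2022-06-30
msp-rmm-agent,msp,2022-05-30,false,true,
msp-old-tech,msp,2021-11-02,true,true,
jsmith,internal,2022-05-29,true,false,
msp-backup,msp,2022-05-31,true,true,2022-06-15
"""

INACTIVE_AFTER = timedelta(days=90)  # assumed threshold; set per your policy


def audit_msp_accounts(export_text, today):
    """Return {account: [findings]} for MSP-owned accounts that break policy."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["owner"] != "msp":
            continue  # only third-party accounts are in scope here
        issues = []
        last_login = datetime.strptime(row["last_login"], "%Y-%m-%d")
        if today - last_login > INACTIVE_AFTER:
            issues.append("inactive: disable")
        if row["mfa_enabled"].lower() != "true":
            issues.append("no MFA")
        expires = row["access_expires"].strip()
        if row["privileged"].lower() == "true":
            if not expires:
                # Privilege with no end date is the "permanent access" case.
                issues.append("standing privileged access")
            elif datetime.strptime(expires, "%Y-%m-%d") < today:
                issues.append("privileged access past expiry")
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_msp_accounts(SAMPLE_EXPORT, datetime(2022, 6, 1))
    for account, issues in report.items():
        print(f"{account}: {', '.join(issues)}")
```

Run against a real identity provider export on a schedule, the same logic gives the customer its own record of what the MSP can reach, independent of the MSP’s reporting.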

Businesses that adopt zero trust architecture are better positioned to protect themselves against these kinds of attacks. When an MSP’s network is compromised, zero trust policies ensure your network’s security does not immediately collapse as a result. The fewer privileged accounts you have roaming your network, the harder it is for cybercriminals to compromise and exploit them.

Zero trust architecture consists of a collection of technologies and policies that help prevent unauthorized users from moving laterally through compromised networks. These may include policies that specify multi-factor authentication for accessing sensitive data, or highly advanced technological solutions like log monitoring with user entity and behavioral analysis.

To optimize security outcomes using zero trust principles, information security leaders must recognize that managed service providers are essentially trusted insiders by default. They need deep, wide-ranging access to different parts of your network in order to do their job, and that comes with security risks.

Security-oriented service providers understand these risks and avoid letting their customers ignore security best practices. If your MSP insists on deploying a zero trust framework and regularly reviewing user access privileges, it’s a good sign.

The very best MSP’s will make targeted, personalized recommendations based on the unique security profile of your organization. They may even run simulations and gather data to support their arguments for hardening your network’s defenses.

Beyond Zero Trust – Take Charge of your Data

Although security-conscious MSP’s represent an incredible value to organizations, information security is ultimately the responsibility of that organization’s IT leaders. Data is the crown jewels of any organization and must be treated as such. Maintaining best practice to protect the data entrusted to you must ultimately fall on the organization itself.

This can only be achieved by ensuring that no unauthorized data flows out of the network, either maliciously or carelessly. Advanced cybersecurity technologies such as data exfiltration prevention (ADX) make this possible. This technology prevents both external threat actors and malicious insiders from moving data outside the enterprise network environment.

This prevents initial compromise even when it comes through an MSP partner. It gives security analysts more time for monitoring and logging because they know that the organization has a multi-layered security profile. It improves network segregation but avoids damaging productivity and impacting the usability of most internal business processes.

*** This is a Security Bloggers Network syndicated blog from BlackFog authored by Darren Williams. Read the original post at: https://www.blackfog.com/msps-the-new-attack-target/