It started with reports from the Department of Homeland Security about a few managed services providers (MSPs) who were compromised, allowing threat actors to use their remote access as a pathway to multiple customers. At first, these appeared to be sophisticated, state-sponsored threat actors with specific targets in mind. Then a few more reports trickled in, where less sophisticated actors (more opportunistic cybercriminals) started to follow suit. While one small or medium-sized business might not be a valuable target, access to several through an MSP means cybercriminals could find a more valuable “needle in the haystack” in an MSP’s customer base. For example, gaining access to a doctor’s office or other healthcare provider through an MSP could grant bad actors access to health records, which can sell for up to $1,000, according to Becker’s Hospital Review.
Next came the real opportunists—the ransomware criminals. Once this method of compromise was in the media, threat actors realized they could use the same tactics and procedures. Usually, ransomware attacks consist of gaining access to credential sets acquired through one of the many public data breaches and capitalizing on the fact that many humans like to reuse passwords across multiple accounts and services, and don’t always turn on two-factor authentication (2FA) like they should.
Cybercriminals use those credentials to access an MSP’s remote management solution. From there, they have remote access to multiple networks where they can install ransomware and start encrypting data. This presents two opportunities to get paid: either by the business that is compromised, or the MSP that wants to keep their reputation.
Even worse, now this threat of lost data is only one component. The bad actors are exfiltrating some of the data they have access to and are threatening to release it if they are not paid, as Brian Krebs recently reported. This means that having backups in place can get the business back up and running with some effort, but the risk of breach and reputation loss still looms if the ransom is not paid. While it is critical to have backups, this new trend stresses that prevention using layered security and best practices is more important than ever.
Since the MSP is in fact the supply chain risk in this scenario, it is becoming more likely that customers will start asking what you are doing to mitigate the risk of this happening to them. This starts with ensuring your own house is in order from a security standpoint. Here are nine key things you should do:
Once you have your plan in place, ensure you put together some documentation on your cybersecurity practices so you can set your customers’ minds at ease. This documentation should include how you protect your own assets, how you protect access to your customers’ assets and credentials, and your expectations on how your customers should partner with you to ensure their security is up to today’s standards. In fact, it’s a good idea, as we start 2020, to be proactive and engage all your customers’ stakeholders with references to some of the recent attacks that have been taking place—it’s likely they have already seen some of it in the news. Then explain what you are doing to reduce the risks of these types of attacks in your environment, and what you will be recommending for improving their protection as well. This should include the same practices and services you are using to stay secure.
This malicious activity shows no sign of stopping, so now's the perfect time to sit down and look at enhancements to your security practices and offerings, and make changes where appropriate. If people have been reluctant to invest in their own security, this is also an excellent opportunity to revisit and adjust your relationship with all your customers when it comes to your offerings. Since security is a shared responsibility, your customers rely on you to effectively design, implement, and monitor security solutions, and train them on best practices to adopt. After all, you are the expert, which is why they hired you in the first place!
Setting the stage for a secure 2020 will allow you to sleep a little easier and let your customers know your success (and your risk) is tied directly to theirs. Let’s stay safe out there.
Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd