CISA MSP Warning


In keeping with the new policy of providing timely and relevant information to the public on cyber threats, CISA has just released a joint advisory with the NSA and FBI and the Five Eyes partner agencies on the threat to managed service providers (MSPs). By extension this covers the managed security variants as well, such as MSSPs and MDR providers. The advisory follows a May 6th alert by ThreatLocker warning of increased attacks that abuse MSP remote monitoring and management (RMM) tools.

This is not a new threat or tactic. In August 2019, 22 cities in Texas were hit with ransomware in a single coordinated attack; the common factor was that all of them were customers of the same (compromised) MSP. The Kaseya VSA incident is another example of the same tactic, and other service providers, for example Tyler Technologies and Blackbaud, have been targeted in order to reach their customer base.

The value to the threat actor is economy of scale. If one can compromise a business that holds authorized remote access into lots of other businesses, that is quicker and cheaper than compromising each of them individually: the MSP is the first island, and the island hopping starts from there.

The recommendations are what you should have been doing all along. The key one in the CISA advisory, though, is that "MSP customers should ensure their contractual arrangements specify that their MSP implements the measures and controls in this advisory". Those measures and controls are:

  • Minimize Internet-facing systems and take steps to mitigate brute-force and password-spraying attacks
  • Enable network and endpoint monitoring, with six months of log retention
  • Secure remote access applications and enforce multifactor authentication (MFA) wherever possible, to harden the infrastructure that enables access to networks and systems
  • Create and exercise incident response plans
  • Manage third-party and supply chain risk
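Of the controls above, the brute-force and password-spraying item is the one that reduces most directly to detection logic, and the monitoring item is what makes that logic possible. The following is an added example, not code from the advisory or from Critical Insight: a small classifier over constructed sshd-style failed-login lines that separates a password spray (one source trying many accounts, a few attempts each, which per-account lockout never catches) from a brute-force attack (one source hammering one account). The log format, the thresholds and the IP addresses are assumptions made for the illustration; the same classifier would be fed VPN, RMM or identity-provider authentication logs in practice.

```python
"""Classify failed-login sources as password spray, brute force or benign.

Added example: the log lines, format, thresholds and addresses below are
constructed for illustration and are not from the CISA advisory or from
any real environment.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sshd-style authentication records (assumption: a real
# deployment would parse its own VPN, RMM or IdP logs into the same tuples).
SAMPLE_LOG = """\
2022-05-12T09:00:01Z Failed password for alice from 203.0.113.7
2022-05-12T09:00:03Z Failed password for bob from 203.0.113.7
2022-05-12T09:00:05Z Failed password for carol from 203.0.113.7
2022-05-12T09:00:07Z Failed password for dave from 203.0.113.7
2022-05-12T09:00:09Z Failed password for erin from 203.0.113.7
2022-05-12T09:00:11Z Failed password for frank from 203.0.113.7
2022-05-12T09:01:00Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:01Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:02Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:03Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:04Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:05Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:06Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:07Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:08Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:09Z Failed password for admin from 198.51.100.9
2022-05-12T09:01:10Z Failed password for admin from 198.51.100.9
2022-05-12T09:05:00Z Failed password for alice from 192.0.2.44
2022-05-12T09:05:40Z Failed password for alice from 192.0.2.44
2022-05-12T09:06:00Z Accepted password for alice from 192.0.2.44
"""

# Only failed-password records are of interest; other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"Failed password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_failures(text):
    """Return failed-login events as (timestamp, user, source_ip), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def classify_sources(events, window_minutes=10, spray_users=5, brute_attempts=10):
    """Map each source IP to 'password_spray', 'brute_force' or 'benign'.

    A sliding window of `window_minutes` is run over each source's failures:
    at least `spray_users` distinct accounts in one window is a spray, and at
    least `brute_attempts` failures against a single account is brute force.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))

    verdicts = {}
    for ip, evs in by_ip.items():
        verdict = "benign"
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in evs[start:end + 1])
            if len(per_user) >= spray_users:
                verdict = "password_spray"
                break
            if max(per_user.values()) >= brute_attempts:
                verdict = "brute_force"
                break
        verdicts[ip] = verdict
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip:15s} {verdict}")
```

The window matters as much as the thresholds: a patient spray that touches one account an hour stays under a ten-minute window, which is exactly why the advisory pairs the control with months of retained logs rather than a live counter alone. Widening the window over retained history surfaces it.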

All good recommendations, and again, these are things that should have been happening anyway. The implication for MSPs is that they will be asked to provide their own security documentation as table stakes for new business, whether or not those controls are contractually stipulated. The corresponding implication for the businesses that contract MSPs is that they need to start asking those questions, and to use the answers as part of the procurement process.

At Critical Insight, we knew long ago that we needed to voluntarily bring in auditors to check our work on securing the operation and customer data. For five years running we have endured an SSAE-18 (SOC-2) examination of the security controls that are in place and effective. I routinely provide our SOC-2 Type 2 report to our customers, and for those that are more mature this is an annual request, yet this is still a small fraction of our customers. Third-party risk management, even if it is just asking for audited security controls, is much more important in the context of recent geopolitical events.

Much like insurance companies becoming de facto regulators for all industries, MSPs now having to plainly state their own security controls is part of a larger trend: non-regulatory, market-based drivers for cybersecurity. Want to keep doing business? Better be ready to show those papers.