Cybersecurity Risks for MSPs and How to Address Them

Thursday, December 9, 2021

 

Attacks against the MSP ecosystem

The managed service provider (MSP) sector has seen strong growth since 2019. Indeed, 81% of MSPs across the globe reported an increase in their client base during this period, according to a recent Kaspersky study. Moreover, almost everyone surveyed (94%) expects this trajectory to continue, predicting revenues will increase over the next two years.

However, the potential reach of providers into multiple customers’ systems, as well as established trusted relationships, have not gone unnoticed by cybercriminals, who are actively looking for opportunities to leverage this. As a result, the industry has started experiencing an increased number of attacks involving MSPs and other players within the ecosystem.

RMM software vendors’ compromise

Vendors producing remote monitoring and management (RMM) software attract particular interest, as they are positioned at the very top of the supply chain. If attackers are able to compromise such software, they will instantly get access to the whole chain of trusted relationships – and can abuse them to their advantage.

A heads-up for MSPs: attack modes to bear in mind

Naturally, direct attacks against managed service providers also take place. There were several ransomware attacks on big IT service companies in April and May 2020.

In addition to the abuse of compromised RMM software, there are other possible attack vectors to be aware of. MSPs can be attacked using all the regular vectors, be it vulnerabilities or misconfiguration of network equipment, web-based or supply chain attacks – but those scenarios involving communications, email in particular, are worth special attention. Communication between managed service providers and their clients occurs on a regular basis and tends to be perceived with a considerable level of trust. This creates the potential for business email compromise (BEC), including forged emails mimicking trusted communications or even involving email account take-overs. This approach can work both ways: attackers can reach clients directly if they know who their service provider is, and vice versa, they can mimic the client in order to compromise the MSP.

Protect – and get protected

Being paid a ransom, gaining access to the system of a specific business, collecting data about clients, espionage, or interruption of business – hackers’ goals may be different, and MSPs should consider all of them to ensure their own security, as well as the security of their clients. The tactics, techniques, and procedures (TTPs) used in such operations tend to have a considerable level of sophistication and, thus, call for equally advanced countermeasures. The solutions used must be able to detect obscure activity indicators, and their operators must have the skill and experience to understand where and what to look for – as well as, preferably, the knowledge of what to expect.

In the meantime, clients expect their service providers to be trusted advisors, especially in the fallout of the pandemic and the increasing pace of digitalization and remote work. For MSPs, this may be the right time to strengthen their position in the field of cybersecurity. In fact, the majority (93%) of managed service providers are already planning to add new services to their cybersecurity portfolio. As well as ensuring robust defenses, this approach will also help win new business. As we see above, the market is growing actively but so too is the competition.

Managed Detection and Response (MDR) is one solution that fits the bill. It combines threat intelligence and automated detection technologies with the expert skills of seasoned threat hunters. This allows not only for timely detection of multiple minor signs of attack, but also for correlating them with each other and with external threat data. This means that the attack can be detected even if it starts with very tiny activities spread across the network or uses tactics mimicking legitimate activity. MDR doesn’t put heavy requirements on staff engaged in cybersecurity management, shifting the burden of complex threat analysis to outsourced specialists, whilst offering monitoring instruments and response tools to use according to the experts’ recommendations.

Threat intelligence is another top choice for many MSPs (46%). Such services help against advanced, evasive, and sophisticated techniques. APT reporting allows IT security experts to leverage knowledge of the most recent attacks and actors targeting specific industries or regions and take preventive measures against them. Other services, such as threat data feeds, allow IT security teams to automate detection and prioritize incidents while supplying enough context for further response. They do this by delivering the most recent indicators of compromise (such as IPs, hashes, URLs and so on) to the SIEM system or other IT security systems.

Ideally, both the provider and their clients should be covered by the same solutions; in other words, the MSP should offer clients the same services they use themselves. Besides the benefit of volume discounts, this approach leads to additional synergy that is helpful when facing supply chain scenarios like those mentioned above. For example, if an outsourced SOC team identifies a malicious presence in the client’s infrastructure, they, knowing who the service provider is, can dig deeper into the MSP’s telemetry to discover signs of malicious presence. The reverse situation is also possible, even though with many serviced tenants, it would be the MSP issuing a warning.

This would make it possible to search proactively for signs of a supply chain attack and to unravel the whole sequence quickly, which is critical to prevent damage or, at least, alleviate it considerably.

But even when some customers are not covered by the same subscription, it is possible, based on the information received, to offer one-time services such as targeted attack discovery or an incident response retainer. This would help not only discover evasive threats hitting customers, but also gain additional trust – and probably pave the way to full-scale subscriptions to Kaspersky services, which would mean additional revenues for the provider.

While developing IT security offerings for their clients, it is important that service providers partner with trusted vendors on issues where expertise and specific resources are necessary. Cybersecurity becomes not only essential for MSPs’ business continuity, but also a business enabler. And the quality of service defines both client satisfaction and security.

Kaspersky offers a wide range of services and solutions including managed detection and response, threat intelligence and protection from targeted attacks that aim to help both MSPs and their clients address growing cybersecurity risks and focus on their business. To learn more about Kaspersky’s MSP program, visit the website.