For some companies, managed services providers (MSPs) can be a godsend—a force multiplier that allows them to support more customers and more employees without the effort and expense of expanding their IT department. MSPs are vendors with access to a corporate network, allowing them to conduct day-to-day maintenance, patch management, and even major projects such as cloud migration. They, along with managed security services providers (MSSPs), allow clients to boast a fully fleshed-out IT and security infrastructure while still focusing on their core competencies.
Over the last few months, however, attackers have treated MSPs and MSSPs not as security providers, but as singular points of failure allowing them to exploit multiple companies at the same time. Taking down a single MSP means potentially infecting and breaching every single one of its clients. How can MSPs resist this new threat?
A number of recent data breaches and ransomware incidents show that attackers are beginning to target MSPs in their supply chain attacks.
The first sign that attackers were targeting MSPs came back in 2019, when attackers linked to the Ministry of State Security in China were tied to a breach that affected eight service providers—including the MSP arms of HP, IBM, and Fujitsu. These attacks followed a Department of Homeland Security memo warning that attackers were preparing to use island-hopping tactics to follow the trail of data from MSPs into their customer networks.
Things began to escalate from there, and in 2020 the US Secret Service released another memo building on the findings of the Homeland Security document. Here, they noted that attackers were becoming more creative in terms of how they used breached MSPs to victimize their customers. Systems from breached MSPs were being used to infect customers with ransomware, scam them into sending unnecessary payments, and even steal from the end-customers of MSP clients. What’s more, these attacks were being carried out by criminal groups as opposed to state-sponsored hackers.
Events culminated in July 2021 with the largest ransomware attack on record. A ransomware group known as REvil admitted responsibility for attacking an MSP known as Kaseya and then using those same island-hopping tactics to infect thousands of customers across 17 countries, demanding a $70 million ransom. Shortly after making this demand, the ransomware group scrubbed its presence from the internet, perhaps fearing a state-sponsored reprisal. This means that hundreds of customers whose data has been encrypted—and had no recourse other than to pay the ransom—now have no way of retrieving their data.
One of the colossal ironies in the world of information security is that the companies who are charged with protecting others can fall victim to the same attacks. MSPs are a new target, but companies like FireEye, LastPass, and Verizon Enterprise (creator of the benchmark annual Data Breach Investigations report) have all reported cyberattacks over the last few years. MSPs and MSSPs are therefore the latest iteration of an old pattern, but the question remains—what are they doing wrong?
In the case of Kaseya, it appears that the company fell victim to age-old hubris. Whistleblowers at the organization say that they flagged vulnerabilities in the company’s cybersecurity strategy over a three-year period, only to have their warnings ignored. Kaseya relied on obsolete operating systems, failed to use strong encryption, and neglected to patch vulnerable software. One whistleblower said that the company stored customer passwords in plain text(!).
If you’re from an MSP and you’re reading this, we’re going to assume that you’re making more than a basic effort to adhere to cybersecurity best practices. Your network, in other words, might be less of an open invitation to attackers. How would someone try to breach your network in that event?
While no one can say this for sure, the original Department of Homeland Security report highlights a common strategy—island hopping. What’s most likely to happen is that your organization won’t be the “patient zero” of a widespread data breach. You might not even be on the attacker’s radar until they breach one of your customers. They, the attacker will try to breach every vendor in the infected customer’s supply chain—which now includes you.
Since you’re already connected to the customer’s network, it’s relatively easy for attackers to find an unmonitored connection that leads back to your own HQ—and once they find your HQ, the attackers can easily travel back downstream to your customers. Remember that because your customers don’t have much in the way of their own information security infrastructure, they’ll be almost entirely unable to defend against a data breach. Their security relies on your ability to monitor your network.
MSPs need to enhance their visibility so they can combat the risk of becoming involved in a supply chain attack. The days of relying on the client's switch SPAN ports are over, as they are known to introduce additional vulnerabilities and do not provide complete visibility. By integrating a visibility fabric of network TAPs and packet brokers with your security solution, MSPs can protect customers' networks - without running the risk of dropped packets or network blind spots.
Also, TAPs such as Data Diode TAPs can enforce one-way traffic between your customers and your security tools, preventing attackers from moving laterally or infecting other clients. Inline Bypass TAPs ensure 24/7 availability for active inline tools and prevent them from becoming a single point of failure.
Pairing TAPs with a robust visual suite of security tools for your network, like Teleseer, ensures adversaries cannot hide in plain sight.