In June, the US Secret Service issued a security alert warning about an increase in hacks of managed service providers (MSPs). Almost a year earlier, media reports highlighted what was then a growing trend of targeting MSPs with ransomware. Today, MSPs are waging a war on multiple fronts – not only on keeping their customers’ data safe but their own systems as well.
The premise behind this spate of MSP attacks has its roots in supply chain hacking. After all, why should hackers focus on a Fortune 500 company with extensive cybersecurity resources in place when they can get access through a partner who does not have such defences? It is all about taking the path of least resistance by using a smaller company as a back door instead of taking on a Fortune 500 enterprise head-on.
Hacking an MSP does provide one significant advantage. These service providers are likely to manage many customers, some up to the thousands. By compromising the MSP, hackers get the veritable keys to the kingdom and can easily infect any of their clients with malware.
Typically, there are three motives for an attack. The first is to gain access to data. This requires the threat actor to remain hidden to extract as much data as possible. Secondly, some hackers are intent on causing as much damage as possible. The ‘advantage’ of this is that the MSP or client organisation will immediately know they have been infected as services will start going down. And if the cause of the attack is proven to be through the MSP, then the service provider will face significant reputational damage as well as financial fines.
The third, and one of the most prevalent motives in recent months, is that of ransomware. By compromising an MSP, the hacker gets a much better return than going after each organisation individually. One hack can therefore translate to hundreds of ransomware opportunities yielding a greater financial reward.
And even though companies are advised against paying ransomware, they may have little choice especially if they are unable to restore their data.
Defence through deception
These risks mean it is no longer good enough just to try and protect the technology environment.
Instead, organisations should consider implementing honeypot technology that simulates enticing databases and services. In this way, when the hackers are lured to the honeypot, the company will know someone is snooping around on the network and can take proactive steps to isolate the damage and trace how they got into the system.
But whether you are an MSP or an end customer, security in a digital-centric environment depends on your budget. Keeping up with hackers can be an exceedingly expensive undertaking. To this end, honeypots are cost-effective to identify any potential nefarious actions.
Beyond this, organisations must consider two-factor authentication. This extra step means the hacker must have physical access to a secondary device, such as a mobile phone, to perpetrate the attack. And then, other basic security best practice must always apply. Things like not using easy passwords and having users change them every 30 days are fundamental.
The best defence centres on what you have, what you know, and who you are. Those authentication methods that incorporate all three of these elements present the MSP with the best possible security. One of the best ways this can be implemented is through the concept of just-in-time accounts. This sees the business creating a login for a user that disables once a specified time has elapsed. It also means security personnel do not have to remember to disable accounts as the process is completely automated.
For our part, Vox uses the same systems as many of the best MSPs in the world. All the right security technology is in place including multi-factor authentication. Furthermore, our sessions with customers are encrypted end-to-end, and we believe in session recordings. Not only does this help from a quality assurance perspective, but we can see that all the required steps were taken to maintain the integrity of the environment.
All our cybersecurity solutions are fit-for-purpose and follow the relevant ISO standards. But this is only part of the defensive equation. Companies cannot rest on their laurels when it comes to defence. Employees must be continually trained especially when it comes to the risk of social engineering attempts. A basic principle of this is to never give out passwords over the phone.
All businesses should get to the stage where they implement automated password rotations. This also ensures the company can change access privileges at the click of a button if there is a risk of a disgruntled employee.
Even though MSP hacks are not a new thing, the continually evolving cyberthreat landscape means that no organisation can ignore the trends at any point in time. A considered approach to cybersecurity reflective of the immediate business requirements must be critical to help defend the network against potential compromise.