The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and a host of other cybersecurity and law enforcement agencies are urging organizations to take steps to guard themselves against possible compromise of their managed service providers (MSP) as advanced threat actors and nation states are expected to up their attacks against those service providers.
Attacking and compromising a managed service provider – which provides IT services to many organizations – can yield a much bigger reward for a threat actor than attacking just one specific company. In fact, several large-scale cyberattacks in the past have targeted service providers that, depending on their size, hold the keys to the networks of hundreds or thousands of organizations.
Due to the network and privileged access MSPs have, they are becoming a much larger target for sophisticated threat actors to gain initial access, with attacks seeking initial access via MSPs expected to increase, according to a new CISA advisory.
Along with the U.S., these attacks are expected to increase in the UK, Australia, Canada and New Zealand. A successful compromise of an MSP could result in a wide range of follow-on attacks against both the provider and across their customer base.
For both MSPs and their customers, CISA’s advisory urges them to take steps to prevent initial compromise, including hardening remote access VPN solutions, scanning and patching for vulnerabilities, protecting internet-facing services, defending against brute force and password spraying attacks and taking steps to combat phishing attacks.
However, customers of MSPs are advised to take further steps to make sure their service providers are taking precautions themselves.
According to the advisory, customers should enable monitoring and logging of their systems, but also ensure that their contracts with MSPs require them to implement comprehensive security event management, provide visibility of logging activities and notify the customer of confirmed or suspected security events occurring on the provider’s systems.
CISA also highlights the importance of multi-factor authentication, urging customers to ensure that MFA is implemented on all of the products and service they receive from their MSP, in addition to implementing the protocol on all MSP accounts used to access customer networks.
In addition to applying network security controls to reduce the impact of a compromise across the organization, organizations should ensure that the networks used for MSP access are segregated from the rest of the networks.
CISA’s guidance also calls for the application of the principle of least privilege, urging organizations to ensure that the MSP applies the principle to both provider and customer network environments.
Organizations working with MSPs should also disable MSP accounts that are no longer managing their infrastructure, including disabling user accounts when someone leaves either organization.
The relationship with MSPs should also include transparency around software update policies and patching vulnerabilities. Customers should understand their MSPs policy on software updates and request that those updates are delivered quickly and as an ongoing service.
The guidance from CISA also spells out what kind of system backups MSPs should provide to customers, as well as the importance of incident response and recovery plans built into the contracts.
Customers should also set clear network security expectations with their service providers and understand the risk that comes with granting network access to an MSP, and ensure that MSP accounts are not assigned to internal administrator groups.
“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said CISA Director Jen Easterly. “Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”
Leave a Reply