Top 5 Ways Cybercriminals Breach Managed Service Providers
Nobody likes to talk about breaches. Public information is minimal, and issues are usually swept under the rug. No CISO or MSP wants to be featured in the news over the next cybersecurity incident. And yet breaches happen, and it is crucial to be prepared.
Below is a list based on multiple conversations with MSPs over the years, along with recommendations for preventing these incidents.
1. Phishing and social engineering
Attackers send sophisticated emails or lure employees and customers to fake websites, tricking them into downloading malicious software or handing their credentials to the attackers. Modern attacks may include AI-generated images, audio and video, and employees can even be invited into video conference calls, as in the story of an employee who sent $25 million after a deepfake call with the CFO.
The most important protection against these attacks is mandatory security awareness training for employees and customers. Humans are, and will remain, the weakest link in cybersecurity, and that link should be reinforced with knowledge.
Additional measures should include email security and anti-phishing/URL filtering solutions to limit exposure to malicious emails and websites, as well as a way for users to report suspicious emails so they can be blocked for the rest of the organization.
2. Weak and re-used credentials
Brute-force password guessing may be a thing of the past, as most applications limit the number of login attempts and introduce significant delays, rendering direct online guessing impractical. Stolen password hashes are a completely different story, however. Attackers steal hashed passwords from vulnerable services and applications and then run brute-force attacks against the hashes offline, where no login limit slows them down.
The solution here is to enforce strong password policies: requiring a certain length and complexity and regular password updates. A good practice is to teach people to use memorable passphrases made of multiple words, like “MyFavoriteAddressIsVanDeGraaffDr#1”. Passwords don’t have to be impossible to remember; otherwise, people will save them in notes or write them down, potentially exposing them to attackers.
Another good idea is to make multi-factor authentication mandatory, with an authenticator app on the phone serving as the second factor.
Enabling single sign-on is also a good practice. That way, there is only one entry point, one strong password and one second factor for an employee to use. Convenience helps avoid the insecure workarounds employees otherwise resort to.
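To show what the policy above looks like when enforced, here is an added example (not code from the article): it requires a minimum length, accepts a long multi-word passphrase such as the one quoted in place of the usual character-class rule, and rejects any password whose hash is already in a list of stolen hashes, since those are exactly the hashes attackers crack offline. The thresholds and the breached-hash set are constructed for the example.

```python
import hashlib
import re

# Policy thresholds are assumptions for this example, not figures from the article.
MIN_LENGTH = 14            # floor for every password
PASSPHRASE_WORDS = 4       # a passphrase with this many words may skip the class rule
PASSPHRASE_MIN_LENGTH = 20

# Constructed "stolen hash" list: SHA-1 of a few leaked passwords. A real check would
# query a breach corpus; the set is built inline here so the example runs offline.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("Password123!", "Summer2024!", "Welcome1!")
}

def word_count(password: str) -> int:
    """Count words, treating CamelCase boundaries and separators as word breaks."""
    spaced = re.sub(r"(?<=[a-z])(?=[A-Z])", " ", password)
    return len(re.findall(r"[A-Za-z]{3,}", spaced))

def check_password(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    is_passphrase = (word_count(password) >= PASSPHRASE_WORDS
                     and len(password) >= PASSPHRASE_MIN_LENGTH)
    if not is_passphrase:
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        if classes < 3:
            problems.append("needs three character classes or a long multi-word passphrase")
    # Stolen hashes end up in attacker wordlists, so a leaked password is weak whatever its shape.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known breach")
    return problems
```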
3. Unpatched vulnerabilities
Cybercriminals exploit known vulnerabilities in software (operating systems, applications, IoT devices) to penetrate the network, gather information or obtain remote control over the infrastructure. The most dangerous attacks target remote monitoring and management tools (RMMs): a vulnerability in an RMM can give attackers access to every customer device it manages.
The solution is to establish and enforce a vulnerability scanning and patch management policy. Run system scans for vulnerable software regularly and apply patches. To avoid problems with updates, test patches in sandboxes or on a limited number of devices before rolling them out to all devices.
4. Supply chain attacks
Attackers compromise a customer’s infrastructure to penetrate the MSP’s infrastructure and, from there, gain access to other customers. Getting administrative access to one customer, accessing the tools used to communicate with the MSP, or reaching network shares and applications in the MSP’s network can all be leveraged to collect information for future attacks on the MSP or its customers.
A subset of these attacks is the “man-in-the-middle” attack, in which the attacker intercepts communications between MSPs and customers and uses them to gather information, influence decisions, or extract money by redirecting payments to the wrong bank accounts. Such attacks are becoming more widespread because they are automated, bank payment details are easy to replace, the individual payments are relatively small, and fraudulent payments take time to be recognized.
The solution is to verify the sender and recipient of every message and scrutinize anything suspicious. If something does not seem right, any employee’s first reaction should be to call the customer. Any third-party access and privileges should be limited to the minimum necessary to conduct the business, and all activities should be monitored and audited. In addition, a VPN or Zero-Trust network policy should be in place for remote access.
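The payment-redirection scenario above can be partly caught before a human ever reads the message. The following is an added example, not code from the article: it screens an inbound email for a sender domain that merely looks like a known customer domain, a Reply-To that diverts the conversation elsewhere, and wording that asks to change bank details. The customer domains, messages and phrase list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Customer domains the MSP actually corresponds with (constructed for this example).
TRUSTED_DOMAINS = {"acme-corp.com", "northwind.example"}
# Phrases typical of a request to redirect payments.
BANK_CHANGE_TERMS = re.compile(
    r"\b(new bank|updated (bank|account) details|change (of|to) (our )?(bank|account)"
    r"|routing number|wire (to|instructions))\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (acme-c0rp vs acme-corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def screen_message(raw: str) -> list[str]:
    """Return the reasons a message needs a phone call to the customer before acting on it."""
    msg = message_from_string(raw)
    flags = []
    sender = domain_of(msg.get("From", ""))
    reply_to = domain_of(msg["Reply-To"]) if msg["Reply-To"] else sender
    if sender not in TRUSTED_DOMAINS:
        lookalike = [d for d in sorted(TRUSTED_DOMAINS) if edit_distance(sender, d) <= 2]
        if lookalike:
            flags.append(f"sender domain {sender} looks like {lookalike[0]}")
    if reply_to != sender:
        flags.append(f"replies are routed to {reply_to}, not {sender}")
    if BANK_CHANGE_TERMS.search(msg.get_payload()):
        flags.append("asks to change payment details")
    return flags

# Constructed messages: a lookalike-domain request with diverted replies, and a routine invoice.
SUSPICIOUS = """From: Accounts Payable <ap@acme-c0rp.com>
Reply-To: ap@mail-relay.example
Subject: Invoice 1042

Hi, please note our new bank account for future invoices; routing number attached.
"""
LEGIT = "From: ap@acme-corp.com\nSubject: Invoice 1042\n\nInvoice 1042 attached, due in 30 days.\n"
```

A message whose From header exactly spoofs a trusted domain passes this check; catching that is the job of DMARC enforcement, so treat the screen as a prompt for the phone call the article recommends, not a substitute for it.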
5. Insider threats
Malicious insiders or former employees who still have access, or employees tricked or forced to act on behalf of cybercriminals, are becoming a real issue for MSPs. Who do you trust if you don’t trust your team?
There is no silver bullet, yet a few things help protect the infrastructure: apply the least privilege principle, or a “need to know” basis, to all access; keep a detailed audit log of all activities; and implement tools that monitor user activity and flag suspicious or unusual behavior. It is crucial to conduct regular security reviews, verify who has access, and revoke access swiftly from people who no longer need it to do their jobs. A Data Loss Prevention (DLP) solution can also be useful.
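The regular access review described here, together with the minimum-necessary third-party access called for in the supply chain section, can be turned into a repeatable check. This is an added example, not code from the article: it walks a constructed account inventory and reports accounts still enabled after offboarding, dormant accounts, and vendor accounts holding roles beyond what they are allowed by default. The inventory, thresholds and role names are assumptions made for the example.

```python
from datetime import date

# Constructed account inventory, shaped like an identity-provider export.
TODAY = date(2024, 6, 1)
ACCOUNTS = [
    {"user": "alice", "type": "employee", "status": "active", "enabled": True,
     "last_login": date(2024, 5, 30), "roles": {"helpdesk"}},
    {"user": "bob", "type": "employee", "status": "left", "enabled": True,
     "last_login": date(2024, 3, 2), "roles": {"rmm-admin"}},
    {"user": "carol", "type": "employee", "status": "active", "enabled": True,
     "last_login": date(2024, 2, 1), "roles": {"backup-operator"}},
    {"user": "vendor-svc", "type": "third-party", "status": "active", "enabled": True,
     "last_login": date(2024, 5, 29), "roles": {"rmm-admin", "ticket-read"}},
    {"user": "dave", "type": "employee", "status": "active", "enabled": False,
     "last_login": date(2023, 9, 1), "roles": set()},
]

# Review thresholds are assumptions for this example, not figures from the article.
DORMANT_DAYS = 45                       # unused this long -> disable pending review
THIRD_PARTY_ALLOWED = {"ticket-read"}   # roles a vendor account may hold by default

def review_access(accounts, today=TODAY):
    """Return (user, action, reason) tuples for accounts whose access should change."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                     # already disabled; nothing to revoke
        if acct["status"] != "active":
            findings.append((acct["user"], "revoke", "still enabled after offboarding"))
            continue                     # the whole account goes, so its roles need no review
        idle_days = (today - acct["last_login"]).days
        if idle_days > DORMANT_DAYS:
            findings.append((acct["user"], "disable", f"no sign-in for {idle_days} days"))
        if acct["type"] == "third-party":
            excess = acct["roles"] - THIRD_PARTY_ALLOWED
            if excess:
                findings.append((acct["user"], "reduce",
                                 f"third-party account holds {sorted(excess)}"))
    return findings

if __name__ == "__main__":
    for user, action, reason in review_access(ACCOUNTS):
        print(f"{action:8} {user:12} {reason}")
```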
Conclusions
It is tough enough to be an MSP responsible for the operations of multiple businesses. Cybersecurity concerns add more to the plate of MSP owners and put them under considerable additional pressure. Therefore, it is essential to build security policies and implement the tools to enforce them as soon as possible, and then conduct regular reviews and policy updates. With proper tools and processes, keeping an MSP secure becomes second nature, like pressing the pedals and steering the wheel in a car: the routine activity needed to get from one place to another.