In today’s world Managed Service Providers are businesses' answer to managing their technology risk. For larger organisations, keeping an in-house digital team is not part of their strategy. For smaller companies, outsourcing is the only way to bridge an expertise gap and keep up with rapidly evolving technology.
MSPs are now such an integral part of the digital ecosystem that companies trust more of their sensitive data with them, so it makes sense that they will become serious targets for ransomware crews who see huge value and plenty of vulnerabilities.
Multiple extortion
The damage ransomware can cause organisations is a surprise to nobody – queue colonial pipelines and a plethora of other examples reported ad nauseum. Despite the scale of these big attacks, they pale in comparison to what ransomware crews do when they infiltrate an MSP.
When attackers find a vulnerability in an organisation, they can compromise it and then extort that organisation, but finding a vulnerability with an MSP means potentially compromising every organisation that MSP services. Attackers can now execute double and triple extortions paralysing an array of organisations, something that previously would have only been possible by nation states.
Most worryingly, a successful attack on an MSP opens the door for quadruple extortion. In this scenario attackers don’t just go after the provider but go after customers who rely on the services of their MSP to function or protect their most sensitive data.
Recently a nation state targeted a software vendor of remote monitoring and management (RMM) tools, Solarwinds. RMM tools allow teams to monitor and management IT systems. This attack allowed the adversary access to government agencies, cyber security software developers and other key organisations. Cybercriminals are now following suit. REvil, a cybercriminal organisation identified a vulnerability in Kaseya, another RMM tool and in July 2021, used this vulnerability to compromise multiple MSPs and their customers, holding their data to ransom.
Customers will suffer the consequences
An MSPs ‘raison d’etre’ is in part one of its biggest vulnerabilities. For many businesses, MSPs provide a knowledge gap and can provide expertise or services that are too expensive to manage with an in-house team. Naturally, MSPs have unfettered access to multiple systems, as is required to complete their services. The problem with this model is that organisations now have little visibility about what is happening behind the scenes leaving them in the dark when trouble ensues.
Most people think that these problems aren’t as big an issue for organisations who still have in-house teams that can quickly manage threats and often ensure staff in their organisation are well educated. However, organisations forget that while they may not have outsourced all of their systems, they usually leverage MSPs to manage smaller pieces of infrastructure, such as the management of their databases, development of a new application or providing expertise in a CRM. A lack of visibility surrounding a critical piece of infrastructure can hinder an entire threat response and waste valuable time.
Reducing the risk
The solution to this isn’t terminating every agreement with any organisation with access to the business’ systems. Operating a business has and will always carry some level of risk, and every organisation is required to have at least some level of relationship with a handful of MSPs. Organisations need to think seriously about striking the right balance between still providing access to MSPs but reducing the risk involved with providing the high level of access to external parties.
The key is for organisations to perform assessments of their MSPs to ensure that they have sound information security practices and are protecting their environments similarly if not better than the organisation itself.
Ensuring that the behaviour of MSPs is monitored and investigations into any questionable behaviour is done effectively and immediately is key to ensuring that organisations don’t suffer the consequences of the growing target attract attackers.