The Five Eyes intelligence alliance, made up of cybersecurity agencies from the U.K., U.S.A., New Zealand, Canada, and Australia, has released a joint advisory warning about the growing number of cyberattacks directed at managed service providers (MSPs).
MSPs are attractive targets for cybercriminals and nation-state threat actors. Many companies depend on MSPs to provide information and communication technology (ICT) and IT infrastructure services, since outsourcing is usually simpler and cheaper than building the capability to run those functions internally.
To deliver those services, MSPs require reliable connectivity and privileged access to their customers' systems. Cyber threat actors attack vulnerable MSPs and use them as the initial access vector into the networks of every firm and organization the MSP supports. Compromising one vulnerable MSP and gaining access to several businesses through it is far easier than targeting each of those organizations directly.
If MSP systems are compromised, the intrusion may go undetected for months. During that time, attackers can conduct cyber espionage against the MSP and its clients or prepare follow-on activity such as ransomware attacks.
The Five Eyes agencies recommend baseline security measures that MSPs and their clients should implement, and additionally advise customers to review their agreements with MSPs to make sure the contracts require the MSP to implement the recommended procedures and controls.
Defenses must be strengthened to prevent the initial compromise. Cyber threat actors generally exploit vulnerable devices and Internet-facing services, and carry out phishing and brute-force attacks, to gain a foothold in MSP systems. The Five Eyes agencies encourage MSPs and their customers to:
- Harden vulnerable devices
- Secure internet-facing solutions
- Protect against brute force and password spraying
- Protect against phishing
It is essential to enable or strengthen monitoring and logging so that intrusions can be discovered quickly. Because attackers may remain inside compromised networks for months, all companies should retain their most critical logs for about six months. The agencies suggest implementing and maintaining a segregated logging regime, whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, to identify threats to the network.
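The brute-force and password-spraying attacks named above are exactly the kind of activity that a retained, centrally collected authentication log lets a defender spot. The following is an added example, not code from the advisory or from this article: it parses a constructed authentication log (the line format, the source IPs and the detection thresholds are all assumptions chosen for illustration) and flags one source hammering one account (brute force), one source trying many accounts (password spraying), and the higher-priority case where a spraying source later logs in successfully.

```python
"""Detect brute-force and password-spraying patterns in authentication logs.

Added example; the log format and thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
#   <ISO-8601 UTC timestamp> auth result=<success|failure> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth result=failure user=alice src=203.0.113.5
2024-03-01T10:00:03Z auth result=failure user=bob src=203.0.113.5
2024-03-01T10:00:05Z auth result=failure user=carol src=203.0.113.5
2024-03-01T10:00:07Z auth result=failure user=dave src=203.0.113.5
2024-03-01T10:00:09Z auth result=failure user=erin src=203.0.113.5
2024-03-01T10:00:11Z auth result=success user=erin src=203.0.113.5
2024-03-01T10:05:00Z auth result=failure user=admin src=198.51.100.7
2024-03-01T10:05:01Z auth result=failure user=admin src=198.51.100.7
2024-03-01T10:05:02Z auth result=failure user=admin src=198.51.100.7
2024-03-01T10:05:03Z auth result=failure user=admin src=198.51.100.7
2024-03-01T10:05:04Z auth result=failure user=admin src=198.51.100.7
2024-03-01T11:00:00Z auth result=failure user=alice src=192.0.2.10
2024-03-01T11:00:20Z auth result=success user=alice src=192.0.2.10
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect(events, window=timedelta(minutes=10),
           brute_threshold=5, spray_threshold=5):
    """Return a dict of alert sets.

    brute_force        : (src, user) pairs with >= brute_threshold failures
                         inside one sliding window
    password_spray     : sources failing against >= spray_threshold distinct
                         users inside one sliding window
    spray_then_success : spraying sources that later authenticate successfully
    """
    alerts = {"brute_force": set(), "password_spray": set(),
              "spray_then_success": set()}
    failures_by_src = defaultdict(list)
    successes_by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        (failures_by_src if e["result"] == "failure" else successes_by_src)[e["src"]].append(e)

    for src, evs in failures_by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = [e["user"] for e in evs[start:end + 1]]
            if len(set(users)) >= spray_threshold:
                alerts["password_spray"].add(src)
            per_user = defaultdict(int)
            for u in users:
                per_user[u] += 1
            for u, count in per_user.items():
                if count >= brute_threshold:
                    alerts["brute_force"].add((src, u))

    # A success from a spraying source after its first failure is the signal
    # that one of the guessed passwords worked and the account needs attention.
    for src in alerts["password_spray"]:
        first_failure = failures_by_src[src][0]["ts"]
        if any(s["ts"] >= first_failure for s in successes_by_src[src]):
            alerts["spray_then_success"].add(src)
    return alerts


if __name__ == "__main__":
    for kind, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(kind, sorted(hits))
```

The single failed login followed by a success from `192.0.2.10` stays below both thresholds, which is the normal mistyped-password case the thresholds exist to ignore; the sliding window is what keeps a slow spray spread over a day from being missed as long as the logs covering that day are still retained.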
It is essential to secure remote access applications and to enforce multi-factor authentication (MFA) wherever possible, ensuring that MFA is enforced on every account that can access customer environments. MSP customers should make certain their contracts state that MFA must be used on the accounts employed to access their systems.
The Five Eyes agencies additionally advise:
- Managing internal architecture risks and segregating internal networks
- Deprecating obsolete accounts and infrastructure
- Using the principle of least privilege
- Implementing software updates and patches quickly
- Creating and executing incident response and recovery plans
- Backing up systems and information on a regular basis and evaluating backups
- Understanding and proactively controlling supply chain risk
- Managing account authentication and authorization
- Promoting transparency
MSPs and their customers will have unique environments, so the advice should be applied as appropriate to their particular security needs and policies.
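Several of the recommendations above (MFA on every account that reaches customer environments, deprecating obsolete accounts, least privilege, managing authentication and authorization) can be checked mechanically against an MSP's account inventory. The following is an added example, not code from the advisory or the article: it audits a constructed inventory of technician and service accounts (the account records, the role-to-privilege model and the 90-day staleness limit are all assumptions chosen for illustration) and reports each account that violates one of those controls.

```python
"""Audit an MSP account inventory against the advisory's account controls.

Added example; the inventory, role model and thresholds are assumptions.
"""
from datetime import date, timedelta

# Constructed inventory (not real accounts). `customer_access` lists the
# customer environments the account can reach; `privileges` is what it holds.
ACCOUNTS = [
    {"name": "tech-ana", "role": "technician", "mfa": True,
     "last_login": "2024-04-28", "customer_access": ["acme", "globex"],
     "privileges": {"read", "deploy"}},
    {"name": "tech-ben", "role": "technician", "mfa": False,
     "last_login": "2024-04-30", "customer_access": ["acme"],
     "privileges": {"read", "deploy"}},
    {"name": "old-contractor", "role": "technician", "mfa": True,
     "last_login": "2023-09-01", "customer_access": ["globex"],
     "privileges": {"read"}},
    {"name": "svc-backup", "role": "service", "mfa": False,
     "last_login": "2024-04-30", "customer_access": [],
     "privileges": {"backup"}},
    {"name": "tech-cara", "role": "technician", "mfa": True,
     "last_login": "2024-04-29", "customer_access": ["initech"],
     "privileges": {"read", "deploy", "domain_admin"}},
]

# Assumed role model: the privileges each role legitimately needs.
# Anything beyond this set on an account is a least-privilege finding.
ROLE_PRIVILEGES = {
    "technician": {"read", "deploy"},
    "service": {"backup"},
    "admin": {"read", "deploy", "domain_admin"},
}


def audit(accounts, today, stale_after=timedelta(days=90)):
    """Return (account, finding) pairs for every control violation found."""
    findings = []
    for a in accounts:
        last_login = date.fromisoformat(a["last_login"])
        # MFA is mandatory on any account that can reach a customer environment.
        if a["customer_access"] and not a["mfa"]:
            findings.append((a["name"], "mfa_missing_customer_access"))
        # Accounts unused for longer than `stale_after` should be deprecated.
        if today - last_login > stale_after:
            findings.append((a["name"], "stale_account"))
        # Least privilege: flag anything the account's role does not require.
        excess = a["privileges"] - ROLE_PRIVILEGES.get(a["role"], set())
        if excess:
            findings.append((a["name"], "excess_privilege:" + ",".join(sorted(excess))))
    return findings


if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS, date(2024, 5, 1)):
        print(f"{name}: {finding}")
```

The service account without MFA is deliberately not reported, because in this inventory it reaches no customer environment; whether such accounts also need a second factor or a different control is a decision the MSP makes when applying the advice to its own environment, as the closing paragraph notes.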