CrowdStrike‘s latest research shows a disturbing trend in ransomware increasingly attacking MSPs.

The cloud-native endpoint protection platform provider’s 2020 Global Threat Report observed activity using remote management software to target many companies through a single point of entry in MSPs and cloud service providers, while also seeing a string of health care attacks by first breaching an MSP.

While the attention is often on protection for organizations, CrowdStrike found that it’s critical MSPs plan ahead to combat these attacks.

CrowdStrike’s Jennifer Ayers

Jennifer Ayers, vice president of OverWatch and security response at CrowdStrike, tells us protection requires three things: people, process and tools.

“A critical component is having the right team mix with the right skill sets and knowledge to understand the types of threats that may be targeting not just the MSP but also their customer,” she said. “In an ever-changing threat landscape, the need to understand the what and why an MSP may be a target is important. Second is ensuring that environments have the right security applied. For example, we know taking advantage of remote desktop protocol (RDP) is a very common technique used by adversaries. Are the right tools in place to monitor and reduce RDP usage?”

In addition, MSPs can use a comprehensive solution that unifies next-generation antivirus (AV), IT hygiene, endpoint detection and response (EDR), cyber threat intelligence and proactive threat hunting, Ayers said.

“They can also standardize their threat intelligence, a critical security tool in today’s threat environment, to have better visibility into adversary activity and the assets being targeted so that they know what and how to protect them,” she said.

CrowdStrike saw an increase in ransomware incidents, maturation of the tactics used and increasing ransom demands from e-crime actors. Increasingly these actors have begun conducting data exfiltration, enabling the weaponization of sensitive data through threats of leaking embarrassing or proprietary information.

Moving beyond e-crime, nation-state adversaries continued unabated throughout 2019, targeting a wide range of industries, according to CrowdStrike.

Another key trend in this year’s report is the telecommunications industry being targeted with increased frequency by threat actors, such as China and North Korea. CrowdStrike intelligence assesses that various nations, particularly China, have interest in targeting this sector to steal intellectual property and competitive intelligence.

“In 2019, big-game hunting (BGH), another term for enterprise-scale, targeted ransomware operations, was the most lucrative enterprise for e-crime adversaries,” Ayers said. “More than a dozen of the largest ransom demands reported were in the millions compared to the hundreds of thousands the year before. Numerous adversaries specializing in the delivery or development of malware benefited from supporting customers or partners conducting BGH operations. Of all e-crime threats, ransomware represented 26% of what was reported in 2019. The number climbs to 37% of threats when ransomware reports are combined with reports of banking trojan malware operated by BGH adversaries (e.g., TrickBot).”

The trend toward malware-free tactics accelerated, with malware-free attacks surpassing …

… the volume of malware attacks. In 2019, more than half (51%) of attacks used malware-free techniques, compared to 40% in 2018, underscoring the need to advance beyond traditional antivirus (AV) solutions.

“This shift is due to the fact that malware-free attacks allow threat actors to slip past legacy technologies, such as antiquated antivirus, and go undetected in a victim’s environment for longer periods of time by typically using native OS tools, or other legitimate tools commonly allowed in environments,” Ayers said. “Malware-free attacks generally require a wide range of more sophisticated detection techniques to identify and intercept adversary activity, including behavioral detection and human threat hunting.”

CrowdStrike has seen multiple ransomware intrusions into environments where security controls were in place, but not configured to block attacks or not fully deployed, Ayers said. Smart organizations will take the time to maximize their protection to combat the dramatically increased impact that the proliferation of BGH has on organizations, she said.

“Two-factor authentication (2FA) should be established as a baseline for all users because today’s attackers have proven to be adept at accessing and using valid credentials, quickly leading to deeper compromise,” she said. “In addition to 2FA, a robust privilege access management (PAM) process will limit the damage adversaries can do if they get in, and reduce the likelihood of lateral movement.”

While technology is clearly critical in the fight to detect and stop intrusions, the end user remains a critical link in the chain to stop breaches, Ayers said. User awareness programs should be initiated to combat the continued threat of phishing and related social engineering techniques, she said.

“2019 brought an onslaught of new techniques from nation-state actors and an increasingly complex e-crime underground filled with brazen tactics and massive increases in targeted ransomware demands,” said Adam Meyers, vice president of intelligence at CrowdStrike. “As such, modern security teams must employ technologies to detect, investigate and remediate incidents faster with swift preemptive countermeasures such as threat intelligence, and follow the 1-10-60 rule (detect intrusions in under one minute, investigate and understand threats in under 10 minutes, and contain and eliminate the adversary from the environment in under 60 minutes).”