Free Newsletters for the Channel
Register for Your Free Newsletter Now
Find out who, instead, is the problem and how MSSPs must fix their own, and clients', IT environments now.
January 19, 2021
Details about the giant SolarWinds breach continue to emerge. On Tuesday, Symantec said it found a previously unidentified strain of malicious code unleashed in the attacks. And Wired just published a piece warning of copycat hacking attempts. For managed security service providers, the question becomes one of preventing such threats in the first place.
That may prove wishful thinking.
“There is no guaranteed, foolproof way.”
Asigra’s Eran Farajun
That’s the word from Eran Farajun, executive vice president of Asigra, a data protection vendor that works with managed service providers. Notably, Farajun was among the few experts in recent years predicting an attack that would target remote monitoring and management platforms. It was just a matter of who, when and where.
Since early last year, Farajun has been recommending that all players – providers, customers, partners – separate apps such as backup from the RMM stack. He preached this best practice because once malware gains entry, it then can access mountains of data.
For a while, Farajun’s pleas might have seemed overblown. Then came the SolarWinds fiasco.
In December, hackers, whom U.S. authorities suspect as having ties to Russian state intelligence, inserted malicious code into SolarWinds‘ Orion software updates sent to nearly 18,000 customers. The code lived in updates released between March and June of 2020.
This led to security breaches at numerous U.S. government agencies. Those include the Treasury Department, the National Telecommunications and Information Administration and the Department of Homeland Security. The attackers also hit SolarWinds’ corporate clients, including FireEye, as well as Microsoft’s closely guarded source code.
Now, victims of the SolarWinds breach remain in clean-up mode. They’re also thinking about prevention. Indeed, this is top of mind for many an MSSP. But warding off a cyberattack takes more than technology. And this is where a lot of people fall prey to misconceptions.
Too many technology insiders operate under “a false sense of security,” Farajun told Channel Futures.
“The hackers aren’t the problem,” he added. “The IT professionals are the problem.”
Wait. What was that?
Correct, Farajun said — it’s the very people charged with protecting networks and data who paved the way for the SolarWinds attack.
“They think if they buy this vendor, or even an MSSP service, ‘I’m good,’ ‘I can sleep at night,’” he said. “People think it’s going to be solved technologically. The bad guys know that, and that’s what they take advantage of.”
So what’s an MSSP to do? Get more expensive. In other words, Farajun said, be costly to hack.
“A healthier way to deal with this false sense of security is to recognize that the bad guys are always ahead; they’re always going to be a step ahead,” Farajun said.
The better approach? MSSPs must …
… build their own environments – and their clients’ – with such intricacy and depth that attackers will have to invest extensive time, energy, effort and skill to get the goods.
And most won’t. They will move on to an easier victim. So, Farajun said, outrun the tiger.
“It’s a race between you and your peer,” Farajun said. “It reminds us of the old joke about the safari and the tiger. You’re sitting under a tree and your friend says, ‘We can’t outrun this tiger.’ You say, ‘I don’t need to outrun the tiger; I just need to outrun you.’”
Asigra comes at the SolarWinds breach from a different perspective than some other companies.
“We’re a backup vendor so we have a certain view of the market,” Farajun said. “And it’s that you’ve got to protect your backups.”
Not a lot of IT people do that “because they think [backup’s] just there and not an important application category to protect,” Farajun said.
Shock sets in when hackers take over unprotected backups. The bad guys then delete those files, “and when they know you can’t restore, you have to pay.”
Understand this: In the enterprise and SMB worlds, where most MSSPs specialize, cybercriminals have no regard for the information they steal. (This is not the case when it comes to government espionage.)
“Part of the problem is people think, ‘Why would anybody want my data?’” Farajun said. “They couldn’t care less about your data. All they know is you care. And once you care, you will pay.”
The effects of the SolarWinds breach still ripple throughout the industry. MSSPs cannot afford to grow complacent. Now is the time to make environments unappealing to attackers.
Start by not allowing your company or your customers to put all information in one place.
“Keep backup separate from the monitoring and management platform,” Farajun said.
After that, employ step-up multifactor authentication. This really applies to sensitive data, not so much the everyday. In this scenario, the deeper a user goes into files and folders, the more verification he or she has to provide to open the next level.
“It’s like you have locks on your front door, and on specific doors and windows, so [criminals] need different keys and ways to get in,” Farajun said.
The SolarWinds platform lacked those controls.
“Can you imagine how much harder it would have been for the Russians if there was step-up MFA on the RMM tool and they had to figure out approvers?” Farajun said. “That all becomes more expensive.”
Next, with authentication in place, appoint those aforementioned approvers. The MSSP itself should choose someone outside of the company. This could be a cyber insurance broker, for example. Your customers, though, should opt for you and/or their own cyber insurance provider. On that note, ask clients who gives the go-ahead for accesses and processes.
“It’s not good enough that it’s the CIO,” Farajun said. “You want to have multiple people outside the organization, like an MSSP, an auditor, an insurance firm — not just someone within the company.”
On top of that, use separate platforms. Do not just rely on one, or all the tools contained in one.
“McDonald’s sells the most food, but not the best food,” Farajun said. “Do you always and only want to be using the market leader? The biggest vendor has the biggest target on them.”
Finally, if the worst happens, despite precautions, consider using a ransomware negotiator.
“Just because you’re an MSSP, don’t think you know how to negotiate correctly,” Farajun cautioned.
Rather, he said, turn to a …
… negotiator who knows ransomware and all the hundreds of bitcoins now circulating as payment.
Aviad Hasnis, CTO at breach protection vendor Cynet, has other advice.
Begin by increasing awareness across the organization. The goal is to prevent spear phishing attacks (they use both links and attachments) from infecting endpoints with malware and ransomware. Be aware that spear phishing is “targeted and personalized.” That’s according to Barracuda Networks.
“Victims are researched by cybercriminals, who sometimes impersonate a coworker or trusted business,” Barracuda wrote on Channel Futures last year. “In either case, the attackers are generally trying to obtain login credentials or financial information.”
As such, spear phishing represents the typical entry point for RMM attacks, Cynet’s Hasnis said.
One of the best ways to increase awareness is to turn social engineering on its head. Typically, cyberattackers use this ploy. Social engineering imitates known and trusted users, and relies on enticing hooks, to trick employees into giving up information. MSSPs can disguise themselves as potential bad guys and go fishing via email to test employees. Then, when someone clicks the link, a webpage pops up that educates (emphasis on educates — not berates!) the user about what happened and why.
In addition to boosting awareness, make the most of technology (even though technology will not serve as the ultimate deterrent). Deploy an extended detection response product that will detect –and even prevent – spear phishing. Such software “is also advisable to mitigate credential-dumping techniques as well as to detect ransomware which will attempt to use the RMM software to infiltrate customers’ environments while also deleting any existing backups,” Hasnis said.
Traditional, signature-based platforms don’t work so well against modern cybercriminals, he added.
And like Farajun, Hasnis lobbies for installing multifactor authentication on RMM tools. In fact, he said, MFA usually is just an option in the RMM software. It really ought to be required. MSSPs must enable this capability. This make life harder for potential hackers and eases IT’s worries.
Last, Hasnis suggests auditing RMM accounts. This, he said, will “ensure all enabled users truly require access to minimize the attack surface. Pay particular attention to high-privileged RMM users as compromise of these accounts will certainly lead to damage.”
That goes back to Farajun’s point about assigning someone to oversee permissions as users dig deeper into the organization’s data. It also makes sense to conduct these RMM audits on a regular basis. People come and go; keep up with personnel changes to reduce the risk of insider hacks.
Remember, the goal is not to install every piece of possible technology to avoid a breach. That’s not realistic. However, MSSPs can, for themselves and their clients, set up undesirable obstacles that will spur cyber criminals to look elsewhere.
“We’ll never root out every hacker or spy in the supply chain,” said Phil Straw, CEO of hardware storage vendor SoftIron. “Instead, we need to rethink each layer of the IT stack to deliver greater transparency, enabling security analysts to shine a light into each and every corner where a hacker may hide.”
Read more about:MSPs
Contributing Editor, Channel Futures
Kelly Teal has more than 20 years’ experience as a journalist, editor and analyst, with longtime expertise in the indirect channel. She worked on the Channel Partners magazine staff for 11 years. Kelly now is principal of Kreativ Energy LLC.
You May Also Like
Mobile World Congress: VMware Talks SASE, 5G, SD-WANFeb 27, 2024
Zero Trust World: ThreatLocker Providing an Action Plan for Preventing AttacksFeb 26, 2024
The Gately Report: Trellix Partners Shielding SMBs from RansomwareFeb 26, 2024
Cloud Computing News: AWS Loses Another Key Exec to Azure; Canalys, Vega Cloud, Hyve NewsFeb 23, 2024