December 30, 2020
How MSPs Can Manage Cyber Risk in 2021
As 2020 comes to a close, we look back on another year of increased attacks on managed service providers (MSPs), their small and medium business (SMB) clients, and the ecosystem of tools used within the community. In the face of these events, the MSP community showed the desire to tackle the underlying challenges with increased engagement, new peer forums, and attention in hardening their services. As we look forward to what 2021 might bring, now is a great time to develop or update your plan for managing cyber risk.
As a practitioner of risk management at Datto, I look at where we can best spend our time and what areas are the most important to address when it comes to cybersecurity. This is an important concept for MSPs to master in 2021 — it’s a continuous process, and requires adaptability as new threats emerge. While we care about knowing about the possible actors we may face, for example, cybercriminal organizations and loss scenarios such as ransomware within internal systems, it’s how these unfold that is one of the most important pieces to analyze. In this blog, we’ll focus on applying a process to a handful of techniques used by threat actors, surface mitigations, and provide a few tips on prioritization.
Let’s start with three key techniques threat actors have successfully utilized over the last few years as the starting point for our 2021 planning. In stepping through this process you can apply the same thinking to any number of techniques that you uniquely identify.
Through the use of various sub-techniques such as malicious attachments and links, these are highly effective for actors in meeting their objectives. The weakness to understand here is the end user and being able to create a situation where they take an action that leads to credential or host compromise.
Often in conjunction with phishing or compromising of a third party, the actor utilizes valid credentials to access websites and services, or to escalate privileges internally. The weakness here is identity and access management.
External Remote Services
MITRE’s ATT&CK framework states, “Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations.” There are two potential weaknesses we will focus on for this exercise, user accounts, and vulnerabilities within the exposed services.
Defining Risk Mitigations
Now that we have a better understanding of the techniques used by bad actors and the underlying weaknesses, the next step is to populate a list of mitigations to help reduce the likelihood of these techniques being successful. The list of examples is not exhaustive and in practice should focus on the top ways to reduce risk based on deficiencies in your environment.
- Email Security Services - provides additional security capabilities on top of email services above what Exchange and Gmail provide as a part of their base service.
- Security Awareness Training - provided in many forms of content, and phishing simulations.
- Endpoint Controls - if a malicious attachment or link is successful, ensuring the device is patched, services and configuration hardened and has a quality AV/EDR/MDR solution adds layers of security (and resilience!).
- Multi-factor Authentication - ensuring all systems that support it have it enabled, even if you are on network.
- Password Manager - a number of mature solutions exist with the goals of not reusing passwords and having a secure means of generating them for use.
- Notifications - a fairly novel use of the built-in mechanism, and free, alert the user of new logins and device registrations. It’s understood that this is how FireEye detected the most recent breach.
External Remote Services
- Multi-factor Authentication - ensuring all systems that support it have it enabled, worth repeating twice as it is still a major driver of successful attacks on External Remote Services.
- Baseline configurations - expose the bare minimum number of services required, ensure they are vulnerability free, and that they are designed for external connectivity. It’s 2021 and we still have a large number of attacks attributed to Microsoft’s Remote Desktop Protocol being made externally available without a gateway.
- Vulnerability scanning - Whether it is a new vulnerability or a tech mistakenly opening up a vulnerable web service, regular perimeter scans serve as a continuous monitoring source that helps reduce the window that vulnerabilities are exposed to the internet.
Prioritizing the Action Plan
Arguably the hardest part of this exercise is the prioritization of activities in an action plan and finding the time to work through them. As we mentioned in this case study from 2019, don’t tackle the entire list but do put some thought into the activities and their value. While traditional risk management practices take into account financial loss in prioritization, below are a few less structured ways of approaching this problem.
- Attack Frequency - How many times have the techniques on your list been successfully used against your tech stack and user base? The more times something has occurred in the past is a good signal of future likelihood.
- Costs - Is the suggested mitigation a new tool, or is it using what you already have in new ways? Endpoint patching and configuration hardening, and enabling multi-factor authentication are still areas of improvement for MSPs. Even creative use of notifications can lead to more resilient outcomes.
- Business advantage - Determining if the required investment would be a business advantage in marketing and quality of managed services is a useful dimension. (Note: this should almost always be the case, some will just be more visible than others).
As we look at the steps we laid out above, you should walk away with the foundations to build a process that can be used and reused to harden your IT infrastructure. It’s best to set a goal of quarterly assessments at a minimum that review your program’s cyber risk in the face of trending attacks and focus on any new techniques being used.
Business continuity and disaster recovery (BCDR) solutions should serve as a foundational component in every partner’s technology stack. It’s imperative that in 2021, the MSP community’s trend of building in security practices continues. It’s through continuously assessing and improving cyber resiliency that the BCDR solutions will become the last card played rather than the only card.