It's an uncomfortable reality that as MSPs are busy helping thwart cyberthreats targeting their end customers, they are also targets themselves.
Since October 2018, when the US-CERT issued a warning to managed service providers that advanced persistent threat actors were attempting to breach their networks, several MSP-linked incidents involving ransomware have been publicized. Incidents included ransomware attacks in February 2019 where hackers exploited a flaw in a ConnectWise/Kaseya plug-in, as well as attacks that surfaced in June, where hackers had hijacked MSPs' internal remote monitoring and management (RMM) software to spread ransomware. Hackers have clearly recognized the role that MSPs play in corporate supply chains and view MSPs as potential access points to their end customers' data.
To mount a cohesive defense, MSPs and their partners need to join forces and take proactive security measures, said Ryan Weeks, chief information security officer at MSP software provider Datto Inc. Datto provides RMM and professional service automation tools among other products.
Datto has mainly seen vulnerabilities emerge in how MSPs configure and use their services, Weeks said. While many vendors understand the importance of having two-factor authentication and other security controls in place, Datto is taking a more aggressive stance. Not only does the company communicate to MSPs what security best practices they should follow, but "we're working to enforce them and help the MSPs help themselves," he said.
For example, Datto is one of the first MSP software vendors to require that its MSP users implement two-factor authentication by the end of the year, Weeks said. "It's what all RMM vendors need to do to protect all users," he maintained, "and MSPs have been overwhelmingly supportive."
While cybersecurity threats "have the ability to fracture the relationships between MSPs and their vendors, we're trying to demonstrate to our MSPs that we want to be a partner with them and limit their exposure to these threats," Weeks added.
Authentication key to protecting MSPs
When an MSP falls victim to a cyberattack, the underlying issue is the vendors MSPs use, according to Stanley Louissaint, principal and founder of IT managed services firm Fluid Designs Inc., based in Union, N.J. "There are lots of vendors like [those] with RMM platforms getting compromised, and there are vendors that provide pretty critical infrastructure for us that don't have things like two-factor authentication."
Louissaint said certain software tools he uses to deliver products and services to his end clients don't provide a mechanism to protect his firm. For example, the email spam filtering platform he uses does not let the administrator enable two-factor authentication.
"[Authentication] is obviously something that's critical," Louissaint said. "So, MSPs have to demand that our vendors fully provide us with the ability to properly secure our accounts through them, as well."
Louissaint said that now some vendors are requiring two-factor authentication; going forward, more will.
MSPs helping other MSPs
There are different motivations for these attacks on MSPs. A cybercriminal may be targeting a specific end user, as has been seen with certain attacks on municipalities, Weeks said. Regardless of the hacker's intentions, there are several things an MSP can do.
Weeks said Datto is seeing a lot more MSPs bringing in third parties to analyze the MSP's own risks and hold them accountable for increasing the security of their systems. Additionally, he said, "we will see more [threat intelligence sharing] programs among the MSPs and vendors themselves. There's a few organic efforts underway."
Weeks has predicted much more collaboration within the MSP community to help one another. He added that he is seeing more partnerships between MSPs and managed security service providers, as well as a "sharpened attention to risk."
For its part, Datto has started an MSP information sharing and analysis center (ISAC) focused on the threats MSPs are facing. "As we identify other vendors supporting MSPs through these types of attacks they're seeing, we invite them to this Slack channel we developed to collaborate and share [information] in a safe way," Weeks said. Datto uses "standard threat intelligence sharing processes to get better situational awareness on what's going on across the industry."
Other MSP software vendors, such as ConnectWise, have launched similar initiatives.
Datto's ISAC is an informal group, but Weeks' hope is to grow it into something that will eventually be led by MSPs for MSPs. He noted, however, that he thinks MSP software vendors are going to have to get the initiative off the ground. "Currently, we are focused on growing the sharing community, but in the future, we hope to expand into MSP membership or [find] an outlet where we can take curated intelligence from the vendor community and share it in real time with MSPs."
"We've actually identified some MSPs [who are targets] preattack, as information is being disseminated in the dark web, and have notified them before they see it," Weeks added.
"I think this will be a huge effort, because the only way we're going to get through [cyberattacks on MSPs] is together," Weeks said. "Materially and measurably, we will have to increase the security bar MSPs have to [meet to] protect themselves. Now that the business model is being proven by the attackers, I don't think this is a fad. This will be a thing MSPs will be dealing with for a while."
There is not a lot of transparency on the scope of an MSP-targeted attack. Because MSPs are not required to make them public, many don't, since an MSP security breach can cause significant reputational harm. Sometimes, MSP software vendors will communicate openly about settings changes they're making due to attack patterns they're seeing, Weeks said. Overall, however, more effort needs to be made to disseminate information in real time to the MSP community on how attacks are occurring, he noted.
"It starts with vendors, and we're working on breaking down some walls. Some of my best relationships are with traditional [MSP software] competitors," he said. "We can go out and compete for sales, but when it comes to security, we're on the same team."
Small vs. large MSP shops
Louissaint said he believes larger MSPs are at greater risk for cyberattacks than smaller ones because there is the potential for more attack vectors. In his case, he said he doesn't have to worry as much about the human element, which is often a big risk factor in breaches, because he is a solo services provider.
"One of the advantages I have is that I don't have to open things up to 25 employees working for me where each of them can potentially be … a source of attack," Louissaint said. Phishing attacks are often successful because a person is duped by a social engineering tactic, he said. "So, in a smaller shop, the attack vector is minimized more than at a larger MSP, because more people need access to sensitive information in those environments."
Datto has been studying whether the size of the MSP plays a role in a cyberattack. Weeks said they have looked at the security posture of several MSPs of different sizes to understand why one class of MSP might be targeted over another.
"What we've found is there is no distinction," Weeks said. "What it comes down to is their business model. MSPs focus a lot of time and energy on supporting their customers and that's why attackers have moved up the supply chain." Since MSPs have done a great job securing their customers, attackers are now turning to the MSPs themselves as the next logical target, he explained.