Managed service providers (MSPs) are facing a heightened threat of cyber attacks and have been urged to re-evaluate security processes and contractual commitments with customers.
A joint report by cyber security authorities in Australia and New Zealand, alongside the United States, United Kingdom and Canada, otherwise known as Five Eyes, has warned of the increased threat to MSPs due to their access to multiple customer networks and sensitive data.
Indeed, a 2020 report by Cylance (now BlackBerry) said MSPs were hot property for cyber criminals seeking a larger net of companies to attack. Worryingly, the attackers were found to favour ransomware as their attack method.
In the new joint report from Five Eyes, MSPs were alerted to the “cascading” risk of attacks within an IT supply chain, as seen in last year’s attack on Kaseya’s VSA product.
“Whether the customer's network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects,” the report claimed.
“The UK, Australian, Canadian, New Zealand and US cyber security authorities expect malicious cyber actors—including state-sponsored advanced persistent threat (APT) groups—to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships.”
For example, the report noted, a threat actor that successfully compromises an MSP could carry out follow-on activity, such as ransomware and cyber espionage, against the MSP itself as well as across its customer base.
Authored alongside the Australian Cyber Security Centre (ACSC) and New Zealand’s National Cyber Security Centre (NCSC), the report issued a new set of guidelines for MSPs to protect themselves and their customers.
The report recommended that MSPs and their customers implement the baseline security measures and operational controls listed, while customers should ensure their contractual arrangements specify that their MSP implements these measures and controls.
The first of the extensive list of steps, aimed at preventing any initial compromise, was to implement mitigations against attack methods that exploit vulnerable devices and internet-facing services, as well as brute-force attacks, password spraying and phishing, according to the report.
Enabling monitoring and logging was also recommended, including storing the most important logs for at least six months and implementing endpoint detection and network defence monitoring capabilities, in addition to using application allow-listing/deny-listing.
MSPs were also urged to secure remote access applications and enforce multi-factor authentication (MFA) where possible to harden the infrastructure that enables access to networks and systems.
Other measures included developing and exercising incident response and recovery plans, which should include roles and responsibilities for all organisational stakeholders, including executives, technical leads and procurement officers.
Finally, they were advised to understand and proactively manage supply chain risk across security, legal and procurement groups, using risk assessments to identify and prioritise the allocation of resources.
Transparency between MSPs and customers was also highlighted as a key issue, with both parties urged to make cyber responsibilities clear in their contracts.
“MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing and all contingencies for incident response and recovery,” the report said.
“Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall out.”