Managed service providers (MSPs) provide extremely important and valuable services by assisting organizations with information technology related tasks such as provisioning software or Active Directory accounts. Yet despite all of the benefits an MSP can provide, there’s also an inherent risk: if an MSP is breached, its customers may also be. This scenario played out on the world stage July 2 with the REvil ransomware attack that targeted Kaseya — a key software provider to MSPs — and as a result, the MSPs themselves (fewer than 60 Kaseya customers) and just under 1,500 downstream companies, according to Kaseya’s public statement at noon on July 6.

This blog explains what an MSP is, why threat actors target them and what steps MSP customers can take to minimize the risk of being breached if their MSP is. 

What Is a Managed Service Provider (MSP)? 

Typically, MSPs are completely outsourced and remotely perform the following services:

• Managing IT infrastructure (e.g., network routing and rules, web proxy configuration)
• Delivering technical support to staff (e.g., help desk functionality)
• Managing user access accounts on customers’ systems (e.g., Active Directory management)
• Provisioning software (e.g., application installations or upgrades)

Because most MSPs operate remotely from their customers, they use a virtual private network (VPN) or other remote access/administration application (e.g., Kaseya, TeamViewer) to access and perform tasks in customer environments. Further, because of the nature of an MSP’s tasks — specifically, IT administration tasks — their access to customer systems requires heightened levels of privilege. 

Why Do Threat Actors Target MSPs?

MSPs have become preferred targets of threat actors for the following reasons:

• MSPs often use multi-tenant instances of a remote access/administration application to service their customers, enabling threat actors to potentially gain access to multiple organizations with a single attack on the MSP that services them.
• Because MSPs are leveraged by organizations of any size and in almost any vertical, they have very few limits or edge case scenarios where companies may not choose to use them, and therefore are typically “target rich environments” for threat actors. 
• MSPs may be the weakest link to a target highly sought-after by threat actors. For example, if a desirable target has a very mature security posture, a threat actor may more easily access their environment by compromising their MSP, since that MSP already has privileged access to their environment.

As a result of these and other characteristics — particularly the fact that an MSP’s customers might number in the hundreds or even thousands — MSPs have increasingly been targeted by eCrime big game hunting (BGH) ransomware groups that, upon compromising an MSP, find it typically trivial to then access and deploy ransomware to that MSP’s customer environments.

How Can MSP Customers Avoid Being Impacted by an MSP Breach?

MSPs and their customers typically operate under a shared security responsibility model. Unfortunately, there is often a lack of understanding of who is responsible for what in terms of securing the infrastructure, applications, platforms and data.

MSP customers should not assume their MSP is secure. Instead, they should proactively meet with their MSP to review what security solutions the MSP has implemented. A strong argument can be made that during the contract sourcing and procurement process that an MSP should be required to demonstrate their ability to protect the buyers environment and contractual stipulations be considered for testing, auditing, documentation and even financial contingencies for cyber impacts. 

Questions that current or potential MSP customers should ask include:

• What endpoint protection and monitoring solutions do the MSP use? 
• Does the MSP have a vulnerability management program and, if so, how is it executed?
• How does the MSP secure the privileged credentials it uses to access customer environments?
• Does the MSP use multifactor authentication (MFA) for their internal and/or customers’’ external-facing applications, such as VPN or remote access tools?
• Does the MSP conduct regular red-team/adversary emulation testing of their environment to identify weaknesses?
• When was the last time the MSP conducted a tabletop exercise and is their incident response (IR) playbook/plan up to date?
• Does the MSP have an IR retainer in place with a reputable firm who is experienced performing incident response at scale? 

What to Look For in an MSP’s Security Stack

When reviewing an MSP’s security stack, current or potential MSP customers should look for an advanced, real-time endpoint protection platform (EPP) that provides:

• Machine learning to identify anomalies and perform heuristic analysis, in addition to conducting antivirus and antimalware activities 
• Detection and automated prevention capabilities
• Remote network containment of assets pending investigation or remediation
• Ability to operate even when assets are not connected to the corporate network

In addition, for maximum benefit from such an EPP, the MSP should have a dedicated internal team, or a managed IR provider on retainer, who can proactively hunt and monitor for threats, and take remediation actions on systems through the agent to include the removal of malicious files and persistence mechanisms identified by the EPP.

Additional Steps MSPs and Their Customers Should Take

Conduct annual pen tests or red team and adversary emulation exercises to test for vulnerabilities in MSP solutions. MSPs should perform red team assessments of their environment to determine if and how a threat actor could access their environment, what paths the threat actor could take to access sensitive data, and if the threat actor could also access customer environments using any credentials captured during the assessment.

Perform table top or live fire exercises to simulate an attack stemming from an MSP compromise. MSP customers should proactively perform such tests in their own environments, and practice the detection, response, containment and remediation steps that should be taken. The exercises can also identify any visibility or action gaps the customer may have, and recommendations to improve those items.

Additional Resources

• Read How CrowdStrike Falcon® Stops REvil Ransomware Used in the Kaseya Attack in the CrowdStrike blog.
• Learn about and request a Cybersecurity Maturity Assessment or a Tabletop Exercise from the CrowdStrike Services team.
• Download the CrowdStrike 2021 Global Threat Report for more information about adversaries tracked by CrowdStrike Intelligence in 2020.
• See how the powerful, cloud-native CrowdStrike Falcon® platform protects customers from DarkSide ransomware in this blog: DarkSide Goes Dark: How CrowdStrike Falcon® Customers Were Protected.
• Get a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.
• Read Post: MSP vs MSSP