Over the years, we have witnessed cybercriminals compromise managed service providers (MSPs) and managed security service providers (MSSPs) as a means to deploy various types of ransomware to hundreds of customer organizations in a single day.
While any type of organization, from a local nail salon to a government contractor, can be a target for a supply chain attack, MSPs and MSSPs are particularly attractive targets for ransomware gangs and nation state adversaries. Hacking a single service provider can give cybercriminals direct access to the networks of many high-profile organizations at the same time, allowing them to charge multiple ransoms or steal massive amounts of data all at once.
Especially in today’s world where remote access is a key aspect of any MSP’s business, there is no excuse to ignore supply chain security risks that could not only impact your own organization, but your customers’ businesses as well. Based on the attacks we’ve witnessed recently, many organizations only want to work with service providers that have extensive security protocols in place to ensure they are protected from potential threats that may use partners as a backdoor.
Here are three important areas of supply chain security that MSPs and MSSPs can work on to better protect themselves and their current customers – and even make their services more appealing to new potential customers:
While it may sound like common sense, service providers need to stop sharing passwords. Using a single, shared password for remote access software to manage thousands of customer accounts is not an acceptable security practice, but sadly, this happens more than you may think.
Phishing just one member of an MSP’s support team could potentially be enough to destroy a service provider’s reputation and its whole business in one blow. To prevent this from happening, accounts that have privileged access should only be used when needed, and they should always require multi-factor authentication. All user sessions should also be logged and reviewed frequently.
Logging and reviewing access on a regular basis can also help an IT department detect unusual access behaviors. For example, if a user is accessing an account assigned to a different team or signing in at odd hours, that may be a sign of insider fraud or an external threat actor preparing to launch a ransomware attack.
Setting boundaries so that only the necessary teams have access to the appropriate client accounts can prevent unauthorized access, raise any red flags well in advance of an actual security incident, and help contain risk.
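The access review described above can be partly automated. The following is an added example, not code from the original article: it flags sessions that cross team boundaries, occur at odd hours, or lack multi-factor authentication. The log format, the client-to-team mapping and the working-hours window are assumptions, and the log rows are constructed sample data.

```python
import csv
import io
from datetime import datetime

# Constructed sample session log (not real data):
# sign-in time, user, user's team, client account accessed, whether MFA was used
SAMPLE_LOG = """timestamp,user,team,client,mfa
2024-03-04T09:12:00,alice,team-a,client-001,yes
2024-03-04T14:40:00,bob,team-b,client-002,yes
2024-03-05T02:47:00,alice,team-a,client-001,yes
2024-03-05T10:05:00,bob,team-b,client-001,yes
2024-03-05T11:30:00,carol,team-a,client-003,no
"""

# Assumed assignment of client accounts to the support teams allowed to access them
CLIENT_TEAMS = {"client-001": {"team-a"}, "client-002": {"team-b"}, "client-003": {"team-a"}}
WORK_HOURS = range(7, 19)  # assumed normal sign-in window, 07:00-18:59 local time


def review_sessions(log_text, client_teams=CLIENT_TEAMS, work_hours=WORK_HOURS):
    """Return (timestamp, user, client, reasons) for every session that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        when = datetime.fromisoformat(row["timestamp"])
        allowed = client_teams.get(row["client"])
        if allowed is None:
            reasons.append("unknown-client")      # account not in the assignment map
        elif row["team"] not in allowed:
            reasons.append("cross-team-access")   # account assigned to a different team
        if when.hour not in work_hours or when.weekday() >= 5:
            reasons.append("odd-hours")           # night-time or weekend sign-in
        if row["mfa"].strip().lower() != "yes":
            reasons.append("no-mfa")              # privileged session without MFA
        if reasons:
            findings.append((row["timestamp"], row["user"], row["client"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, client, reasons in review_sessions(SAMPLE_LOG):
        print(f"{ts} {user} -> {client}: {', '.join(reasons)}")
```

A flagged session is a prompt for a human to review, not proof of compromise; legitimate on-call work will also appear as odd-hours access.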
Monitoring for Compromise
Although threat prevention should always be the goal, it isn’t always 100% achievable. This means monitoring for the failure of preventative controls is crucial, but even this is often under-resourced and too reactive. Once an attack becomes obvious, it is usually too late. By the time a criminal launches the ransomware, they have already stolen critical data and, typically, have had access to the network for 30 days or more.
More diligent monitoring can help identify any suspicious use of legitimate accounts and tools, otherwise known as Living Off the Land (LotL). Detecting this requires vigilance and skill. To a trained security operations center analyst, these abnormalities stand out clearly and the attack can be thwarted before the bulk of the damage is done. For an MSP, it’s important to invest in security monitoring training for staff or engage with outside experts to monitor for this type of behavior on their behalf.
Improving Supply Chain Security
By implementing these three important practices into their security strategies, MSPs and MSSPs will significantly reduce supply chain security risks for themselves and their customers, ensuring they are no longer the weakest link in the chain. Prioritizing supply chain security defenses can also be a significant competitive advantage for service providers in acquiring new customers and retaining the ones they already serve.
Staying vigilant and incorporating these security practices into a service provider’s culture is important, but MSPs can’t always achieve perfect supply chain security alone. Sourcing help from external teams like Sophos Managed Threat Response can make monitoring more proactive and effective in identifying those early indicators, further strengthening the MSP’s security posture within the supply chain.
These tips are simply starting points to avoid common pitfalls typical to security incidents we’ve seen in the past. It’s important to remember that security is a journey, and securing the supply chain is just one way MSPs and customers can make it more difficult for cybercriminals to carry out their nefarious attacks.