The recent Kaseya breach constitutes one of the largest ransomware attacks on record. But ransomware aside, to me it's interesting that this is the second supply chain attack targeting the service provider community in less than a year following the SolarWinds attacks.
Nation-state attackers and criminal cyber gangs are understandably targeting service providers as a conduit to a larger customer base they serve:
- Supply chain attacks targeting service providers are on the rise
- Signature-based technologies not sufficient to stop ransomware
- Service providers should protect their customers and themselves with behavioral detection and response technologies
This invokes the John Dillinger quote: when asked why he robbed banks, his response was “because that's where the money is.” Ransomware represents a revenue stream that doesn’t require the physical risk associated with robbing banks, nor the risk of apprehension by the authorities and businesses that want to continue to do business are likely to pay the ransom.
These new attacks indicate, not only that service providers are now targets, but that traditional NGAV and mainstream EDR technologies, are not sufficient to successfully stop these breaches. That’s because these sophisticated attackers are leveraging legitimate business applications and supply chain attacks to get around traditional defenses. A new kind of defense, one that can correlate behavior across the attack surface into a malicious operation is needed to stop this new breed of attacker.
MSPs and MSSPs should be thinking about technologies that include protections based on Indicators of Behavior. While many focus on Indicators of Compromise or signature based defense, these tools should be used alongside a technology that focuses on behavior, and MSPs should be eating their own dog food so to speak. Leveraging the same level of defense they are delivering to their customers.
Service providers often espouse security measures for their customers, but can often overlook how effective of a conduit to their underlying customers they actually are. Not only do service providers need to continuously assess how well they are defending their customers against new threats, but how well they are protecting themselves from being a springboard into hundreds of their own customers.
Stephan Tallent, CISSP is the VP for MSSP North America at Cybereason. Read more Cybereason guest blogs here.
