It’s no secret that cybersecurity threats are rising for organizations of all sizes and industries. U.S. cybersecurity authorities like the CISA, NSA, and the FBI are aware of recent reports of increased malicious cyber activity targeting Managed Service Providers (MSPs) and expect this trend to continue. Organizations face security gaps and weaknesses from a patchwork of IT products and tools with little visibility and a false sense of security. In addition to IT staff shortages, expanding attack surfaces like cloud computing and work-from-anywhere enable threat actors to expand their reach and damage. Cyber attackers have noticed these challenges and are vigilant to exploit them. A deeper understanding of attackers can help better detect and respond to these persistent threats.
What are Cyber Threat Groups
Cyber threat groups are attackers who operate in a coordinated and synchronized manner. These adversary groups continue to morph their behavior and Tactics, Techniques, and Procedures (TTPs) to evade detection. Threat group characteristics include organization, synchronization, well-trained and well-funded, patience to achieve their nefarious goals, and being part of a criminal ecosystem. As threat groups seemingly disappear or are taken down by global law enforcement, new groups with similar TTPs and ransomware tools reappear quickly.
Types of Threat Groups
Cyber crime groups behave like legitimate businesses with training, incentives, promotions, and customer support. Many threat groups have existed for years, honing their exploitation skills over time. There are three primary types of threat groups:
1. Financially motivated attackers (FINs): These groups use threat vectors like phishing emails, ransomware, and click fraud to monetize their work. Cyber crime is extremely lucrative and relatively low risk. These financial attackers are patient, use “low and slow” techniques, and prey on human nature and social engineering to exploit victims. EXAMPLE: theft on the SWIFT financial network and Bank of Bangladesh has been attributed to REvil, also known as Sodinokibi and GandCrab.
2. Nation-state adversaries (APTs): These well-funded attackers use espionage and cyber theft to exfiltrate sensitive information like intellectual property to advance the country’s goals and political agenda. If not actually a part of the government, they may garner complicit support in a permissive environment. Nation-state adversaries use Advanced Persistent Threats (APTs) for their nefarious activities, and they are known to lurk for many months to achieve their objectives. EXAMPLE: the Nobelium gang known as APT 29 is believed responsible for the SolarWinds attack aimed at disrupting thousands of unsuspecting victims.
3. Hacktivists: While less frequent than financially motivated actors and nation-state adversaries, they nonetheless wreak havoc on businesses and governments. Hacktivists are motivated by political and social ideology and to promote unrest or public change. EXAMPLE: the attack on Sony Pictures as retribution to stop the release of a film unflattering to North Korea.
Tradecraft and motivations across financially minded adversaries and nation-state criminals are blurring. State governments use e-crime to fund government operations and bypass economic sanctions.
Threat Group Identification
It is challenging to identify an entity, organization, or country responsible for a specific adversary attack. Awareness and insight into threat group TTPs is helpful in better defending your infrastructure and end customers. Threat groups are often called by differing names across vendors, industry, and law enforcement, making it even more complicated to understand their motivations and tactics. APT 41, with its alleged ties to the Chinese Ministry of State (MSS), is also known as BARIUM and Wicked Spider. MITRE ATT&CK® is a knowledge base of adversary tactics based on real-world observations. The database also outlines threat groups and criminal gangs for practical security analysis and insight.
MSPs are Attractive Targets
You provide services that involve trusted network connectivity and privileged access to end-customer systems and data. A cyber criminal who compromises an MSP creates a domino effect that infects thousands of end-customers. Adversaries often use legitimate tools and services that evade detection, as our Security Operations Center uncovered. Attackers know that MSPs focused on protecting their brand reputation may be more likely to pay a cyber ransom. Stealthy and sophisticated attacks against service providers enable criminals to scale and achieve a larger ROI for their effort. So how can service providers understand well-funded threat groups and effectively protect themselves and their end customers?
How MSPs can Defend Against Adversaries and Stealthy Attacks
Here are some mitigation steps recommended by CISA to prevent, detect, and respond to suspicious security activity or possible incidents:
- Prevent what you can by implementing a social engineering awareness program within your organization
- Use different passwords for business and personal accounts
- Segregate internal networks
- Apply the principle of least privilege
- Disable or block unnecessary remote services and applications
- Secure and monitor the use of Remote Desktop Protocol (RDP)
- Promptly applying software patches and updates to prevent exploitation
- Enable or improve monitoring and logging processes
- Deploy robust cybersecurity solutions to reduce your attack surface
Threat Intelligence Reduces Your Attack Surface and Risk
Cyber criminals have a broad range of motives and methods, and their risks cannot be ignored. Knowledge of these threat groups and their tradecraft reduces your likelihood of becoming a victim of a costly security incident. With cyber resiliency, MSPs can better predict, prevent, detect, and respond to dynamic threats. Netsurion helps MSPs predict, prevent, detect, and respond to adversary attacks with a managed open XDR solution. Comprehensive visibility and proactive threat hunting help shield you against stealthy threat actors.
Author Paula Rhea is product marketing manager, Netsurion, which develops the Managed Threat Protection platform for MSSP and MSP partners. Read more Netsurion guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.
