MSSP Best Practices: Ransomware Attack Protection
Managed security service providers (MSSPs) are considered high-value by cybercriminals and are increasingly being targeted. Cybercriminals see MSSPs as a pathway to spread ransomware more quickly than targeting individual sites. Once threat actors gain a foothold, they can launch attacks on MSSP’s downstream customers from inside the MSSP’s security perimeter.
As a result, MSSPs are experiencing a significant increase in ransomware threats. One notable incident was the REvil attacks on Kaseya, which provides remote IT management products to managed services providers (MSPs). This attack affected 50 MSPs and 1,500 of Kaseya’s customers.
It’s a disturbing trend. These attacks not only disrupt your operations, but they can cause big problems for your customers, which can hurt your reputation and your bottom line.
Know How Ransomware Attacks Start and Proceed
Despite increased efforts at user education, many ransomware attacks still occur due to human error, such as clicking on a link or opening a malicious attachment in a phishing email. Other attacks occur when users unknowingly visit an infected website, triggering a download and installing malware without the user’s knowledge.
The most common attacks on MSSPs happen through Remote Desktop Protocol (RDP), used in about half of all ransomware attacks. It’s easy to leave RDP exposed unintentionally on a forgotten system, cloud instance, or device. Over the past two years, the increase in remote access has also dramatically increased the attack surface.
Cybercriminals have also evolved. Ransomware as a Service (RaaS) makes it easy for attackers to launch and maintain attacks without having to write any code. This lets cybercriminals reach a broad audience and infect as many companies as possible using automation. Others focus on targeting specific organizations to disrupt operations and gain higher ransom amounts.
The big trend right now, though, involves supply chain attacks — whether it’s on energy companies (like the Colonial Pipeline attack) or MSSPs and MSPs that provide services to customers.
Best Practices for Ransomware Protection
A surprising number of attacks also occur because of poor security practices, even at managed service providers. The Cybersecurity and Infrastructure Security Agency’s (CISA) National Cyber Investigative Joint Task Force (NCIJTF) reports that organizations could have prevented many ransomware attacks by employing basic best practices, such as:
- Backing up data, system images, and configurations
- Keeping backups offline
- Utilizing multi-factor authentication (MFA) for all users
- Updating and patching software and systems
- Deploying automated threat detection and intrusion prevention
If you haven’t already done so, you should sign up to get alerts on emerging threats from the CISA’s national cyber awareness system.
Situational Awareness of Network Environments
Beyond the basics, MSSPs and MSPs can help secure their operations by ensuring deep situational awareness of all of their network environments. Using a cloud security solution that maps your entire network and shows how everything is connected can uncover unknown vulnerabilities. It also allows you to validate security policies and prioritize potential exposure points.
This comprehensive network visualization allows you to see how data could move through your network and identify security gaps. For example, you can identify areas of a network that scanners are missing and determine the best place to deploy additional scanners. You can also quickly locate any compromised devices and determine which assets they can reach.
MSSP cybersecurity needs to validate and manage network segmentation to prevent lateral movement. This requires understanding the topology and hierarchy of your infrastructure and cloud connectivity between all resources, such as:
- Subnets and instances deemed critical based on tags, VPC membership, and subnet placement
- Specific resources that may be exposed, such as HTTPS/TCP (443), SSH/TCP (22), and SMTP/TCP (25)
- Policy checkpoints in exact locations
- How traffic can enter or exit a policy checkpoint
- Which control enables traffic to enter or exit
Best practices include monitoring traffic both inside and outside your security perimeter. While you need to inspect north-south (external) traffic against threat intelligence to detect malicious IPs, domains, and emerging threats, you must also inspect east-west (internal) traffic for authentication and authorization. This includes a way to detect certificate anomalies when traffic is encrypted.
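To make the north-south versus east-west distinction concrete, here is an added example (not RedSeal’s code and not part of the original post) that triages a handful of constructed flow records. Flows with a public endpoint are checked against a constructed threat-intelligence blocklist of IPs and SNI domains; purely internal flows are checked for an authorization rule (admin ports such as SSH, SMB, and RDP may only be reached from the management subnet); and any flow carrying TLS metadata is checked for an issuer outside a known set, as a simple stand-in for certificate anomaly detection. All addresses, domains, subnets, issuers, and policy values are constructed assumptions for illustration.

```python
"""Added example: triage constructed flow records as north-south or east-west and
apply threat-intel, authorization, and TLS-issuer checks. Nothing here is RedSeal's
code; every address, domain, and policy value is a constructed assumption."""
from ipaddress import ip_address, ip_network

# Constructed environment assumptions.
INTERNAL = ip_network("10.0.0.0/16")          # everything else is treated as external
ADMIN_SOURCES = ip_network("10.0.4.0/24")     # only the management subnet may use admin ports
ADMIN_PORTS = {22, 445, 3389}                 # SSH, SMB, RDP
KNOWN_ISSUERS = {"Example Public CA", "Corp Internal CA"}

# Constructed threat-intelligence blocklists (placeholders, not real indicators).
BAD_IPS = {"198.51.100.77"}
BAD_DOMAINS = {"blocklisted-host.invalid"}

# Constructed flow records: src, dst, destination port, TLS SNI and issuer if seen.
FLOWS = [
    {"id": 1, "src": "10.0.2.10", "dst": "203.0.113.5", "dport": 443,
     "sni": "updates.example.net", "issuer": "Example Public CA"},      # benign egress
    {"id": 2, "src": "10.0.2.10", "dst": "198.51.100.77", "dport": 443,
     "sni": "cdn-7.example.org", "issuer": "Example Public CA"},         # dst on blocklist
    {"id": 3, "src": "10.0.1.10", "dst": "10.0.3.10", "dport": 445,
     "sni": None, "issuer": None},                                       # DMZ -> backup SMB
    {"id": 4, "src": "10.0.4.10", "dst": "10.0.3.10", "dport": 22,
     "sni": None, "issuer": None},                                       # mgmt -> backup SSH
    {"id": 5, "src": "10.0.2.10", "dst": "10.0.2.20", "dport": 8443,
     "sni": "internal-api", "issuer": "Unknown Self-Signed"},            # unexpected issuer
    {"id": 6, "src": "10.0.2.10", "dst": "192.0.2.9", "dport": 80,
     "sni": "blocklisted-host.invalid", "issuer": None},                 # SNI on blocklist
]


def classify(flow):
    """Return 'east-west' when both endpoints are internal, else 'north-south'."""
    src_internal = ip_address(flow["src"]) in INTERNAL
    dst_internal = ip_address(flow["dst"]) in INTERNAL
    return "east-west" if src_internal and dst_internal else "north-south"


def triage(flows=FLOWS, bad_ips=BAD_IPS, bad_domains=BAD_DOMAINS):
    """Return a list of (flow id, reason) findings in input order."""
    findings = []
    for flow in flows:
        if classify(flow) == "north-south":
            # External traffic: match against threat intelligence.
            if flow["dst"] in bad_ips:
                findings.append((flow["id"], "north-south: destination IP on threat-intel blocklist"))
            if flow.get("sni") in bad_domains:
                findings.append((flow["id"], "north-south: SNI domain on threat-intel blocklist"))
        else:
            # Internal traffic: enforce who is authorized to reach admin ports.
            if flow["dport"] in ADMIN_PORTS and ip_address(flow["src"]) not in ADMIN_SOURCES:
                findings.append((flow["id"], "east-west: admin port reached from non-admin subnet"))
        # Encrypted traffic in either direction: flag unexpected certificate issuers.
        if flow.get("issuer") is not None and flow["issuer"] not in KNOWN_ISSUERS:
            findings.append((flow["id"], "tls: certificate issuer not in known set"))
    return findings


if __name__ == "__main__":
    for flow_id, reason in triage():
        print(f"flow {flow_id}: {reason}")
```

Flow 4 is the only admin-port flow that passes, because its source sits in the management subnet; flow 3 is the same kind of SMB access from the DMZ and is flagged, which is exactly the lateral-movement path segmentation policy is meant to block.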
Identify All Connected Resources
The right cloud security solution can accurately identify all of your resources exposed to the internet, including interpreting access controls across cloud-native or third-party virtual firewalls (service chaining) to provide more control over potential exposure points.
This helps identify vulnerabilities for proactive mitigation and alerts you of any new exposures or threats as changes to the network are made.
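The segmentation and exposure checks described in the two sections above can be modelled as a graph walk over allow rules. The following is an added example (not RedSeal’s code and not part of the original post) over a constructed inventory of subnets, instances, and deny-by-default firewall rules. `internet_exposed` lists hosts reachable from 0.0.0.0/0 on the ports the text names (22, 25, 443); `reachable_from` does a breadth-first search from a hypothetically compromised host to show which other assets it can reach and through which rule; `critical_reachable` narrows that to subnets tagged critical. All names, addresses, tags, and rules are constructed assumptions.

```python
"""Added example: exposure and lateral-movement analysis over a constructed
inventory. Nothing here is RedSeal's code; all names, addresses, tags, and
rules are constructed assumptions for illustration."""
from collections import deque
import ipaddress

WATCHED_PORTS = {22: "SSH", 25: "SMTP", 443: "HTTPS"}   # ports named in the text

# Constructed subnets: name -> (cidr, tags)
SUBNETS = {
    "dmz":    ("10.0.1.0/24", {"tier": "edge"}),
    "app":    ("10.0.2.0/24", {"tier": "app"}),
    "backup": ("10.0.3.0/24", {"tier": "backup", "critical": "true"}),
    "mgmt":   ("10.0.4.0/24", {"tier": "mgmt", "critical": "true"}),
}

# Constructed instances: name -> (subnet, ip)
INSTANCES = {
    "web-1":  ("dmz", "10.0.1.10"),
    "api-1":  ("app", "10.0.2.10"),
    "bkp-1":  ("backup", "10.0.3.10"),
    "jump-1": ("mgmt", "10.0.4.10"),
}

# Constructed allow rules, deny by default: (src_cidr, dst_cidr, proto, port)
RULES = [
    ("0.0.0.0/0",   "10.0.1.10/32", "tcp", 443),   # intended: public HTTPS to web-1
    ("0.0.0.0/0",   "10.0.4.10/32", "tcp", 22),    # forgotten: public SSH to the jump host
    ("10.0.1.0/24", "10.0.2.0/24",  "tcp", 8080),  # dmz -> app
    ("10.0.2.0/24", "10.0.3.0/24",  "tcp", 445),   # app -> backup (SMB)
    ("10.0.4.0/24", "10.0.0.0/16",  "tcp", 22),    # mgmt -> everything (SSH)
]


def _covers(cidr, ip):
    """True when the address falls inside the CIDR block."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def internet_exposed(instances=INSTANCES, rules=RULES):
    """Return {instance: [(port, service)]} for hosts reachable from anywhere on a watched port."""
    exposed = {}
    for name, (_subnet, ip) in instances.items():
        for src, dst, proto, port in rules:
            any_source = ipaddress.ip_network(src).prefixlen == 0
            if any_source and proto == "tcp" and port in WATCHED_PORTS and _covers(dst, ip):
                exposed.setdefault(name, []).append((port, WATCHED_PORTS[port]))
    return exposed


def reachable_from(start, instances=INSTANCES, rules=RULES):
    """BFS over allow rules from a compromised host.

    Returns {instance: (reached_via, proto, port)} for every other instance the
    start host can reach, directly or through intermediate hosts.
    """
    ip_of = {name: ip for name, (_subnet, ip) in instances.items()}
    seen = {start: None}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for src, dst, proto, port in rules:
            if not _covers(src, ip_of[current]):
                continue
            for name, ip in ip_of.items():
                if name not in seen and _covers(dst, ip):
                    seen[name] = (current, proto, port)
                    queue.append(name)
    del seen[start]
    return seen


def critical_reachable(start, instances=INSTANCES, subnets=SUBNETS, rules=RULES):
    """Sorted names of reachable instances that live in a subnet tagged critical."""
    reached = reachable_from(start, instances, rules)
    return sorted(
        name for name in reached
        if subnets[instances[name][0]][1].get("critical") == "true"
    )


if __name__ == "__main__":
    print("internet exposed:", internet_exposed())
    print("reachable from web-1:", reachable_from("web-1"))
    print("critical assets reachable from web-1:", critical_reachable("web-1"))
```

Running the walk twice, once with the full rule set and once with the forgotten public SSH rule removed, is the kind of what-if a topology model makes cheap: with the rule in place, a compromised `web-1` reaches the jump host on port 22 and from there every host on the network; without it, `web-1` still reaches `bkp-1`, but only through the app tier on SMB, which is the remaining path to review.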
Ransomware and Cyber Attacks Continue to Escalate
With ransomware and other cyber attacks continuing to escalate, you must take extra precautions to protect your assets and customers. If you haven’t thoroughly assessed your security policies, procedures, and practices within the past year, it’s past time. And it’s time to update.
Cybercriminals continue to evolve their tactics. New threats emerge every day. Yet most organizations are still implementing the same security controls they did five years ago.
Security risks can hurt not only your current customers but also your ability to grow your business. Security can also present an opportunity. Gartner predicts that 60% of organizations will use cybersecurity risk as a primary factor in deciding who they do business with. Demonstrating the extraordinary efforts you take to protect your customers can be a significant selling point in your favor.
RedSeal helps you understand your network environment, how everything is connected, and what’s at risk. This helps you secure all your network environments, whether on-premises or connected to public, private, or hybrid cloud environments.
All four branches of the military, the world’s largest financial institutions, power grid companies, and mission-critical government agencies trust RedSeal to evaluate cybersecurity for preventing ransomware attacks and other cyberattacks.
Watch a demo and see how RedSeal cybersecurity solutions can improve your security posture and grow your business, today.