Recent years have seen ransomware attacks double. According to IDC, more than a third of all organizations worldwide became victims of ransomware.
Managed security service providers (MSSPs) are considered high-value by cybercriminals and are increasingly being targeted. Cybercriminals see MSSPs as a pathway to spread ransomware more quickly than targeting individual sites. Once threat actors gain a foothold, they can launch attacks on an MSSP's downstream customers from inside the MSSP's security perimeter.
As a result, MSSPs are experiencing a significant increase in ransomware threats. One notable incident was the REvil attacks on Kaseya, which provides remote IT management products to managed services providers (MSPs). This attack affected 50 MSPs and 1,500 of Kaseya's customers.
It's a disturbing trend. These attacks not only disrupt your operations, but they can cause big problems for your customers, which can hurt your reputation and your bottom line.
If you haven't already done so, you should sign up to get alerts on emerging threats from CISA's National Cyber Awareness System.
Guest blog courtesy of RedSeal. You can read more RedSeal blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.
Know How Ransomware Attacks Start and Proceed
Despite increased efforts at user education, many ransomware attacks still occur due to human error, such as clicking on a link or opening a malicious attachment in a phishing email. Other attacks occur when users unknowingly visit an infected website, triggering a download that installs malware without the user's knowledge.
The most common attacks on MSSPs happen through Remote Desktop Protocol (RDP), used in about half of all ransomware attacks. It's easy to leave RDP exposed unintentionally on a forgotten system, cloud instance, or device. Over the past two years, the increase in remote access has also dramatically increased the attack surface.
Cybercriminals have also evolved. Ransomware as a Service (RaaS) makes it easy for attackers to launch and maintain attacks without having to write any code. This lets cybercriminals reach a broad audience and infect as many companies as possible using automation. Others focus on targeting specific organizations to disrupt operations and gain higher ransom amounts. The big trend right now, though, involves supply chain attacks — whether on energy companies (like the Colonial Pipeline attack) or on MSSPs and MSPs that provide services to customers.
Best Practices for Ransomware Protection
A surprising number of attacks also occur because of poor security practices, even at managed service providers. The Cybersecurity and Infrastructure Security Agency (CISA) National Cyber Investigative Joint Task Force (NCIJTF) reports that organizations could have prevented many ransomware attacks by employing basic best practices, such as:
- Backing up data, system images, and configurations
- Keeping backups offline
- Utilizing multi-factor authentication (MFA) for all users
- Updating and patching software and systems
- Deploying automated threat detection and intrusion prevention
Situational Awareness of Network Environments
Beyond the basics, MSSPs and MSPs can help secure their operations by ensuring deep situational awareness of all of their network environments. Using a cloud security solution that maps your entire network and shows how everything is connected can uncover unknown vulnerabilities. It also allows you to validate security policies and prioritize potential exposure points.
This comprehensive network visualization allows you to see how data could move through your network and identify security gaps. For example, you can identify areas of a network that scanners are missing and determine the best place to deploy additional scanners. You can also quickly locate any compromised devices and determine which assets they can reach.
MSSP cybersecurity needs to validate and manage network segmentation to prevent lateral movement. This requires understanding the topology and hierarchy of your infrastructure and the cloud connectivity between all resources, such as:
- Instances and subnets deemed critical based on tags, VPCs, and subnet membership
- Specific resources that may be exposed, such as HTTPS/TCP (443), SSH/TCP (22), and SMTP/TCP (25)
- The exact locations of policy checkpoints
- How traffic can enter or exit a policy checkpoint
- Which control enables traffic to enter or exit
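As an added illustration, not code from this post or from RedSeal, the Python below models the segmentation check the list describes over a constructed inventory: each instance carries a criticality flag derived from tags, the subnet it lives in, and its listening ports; each subnet's policy checkpoint is a list of allow rules. It reports which watched services (RDP, SSH, HTTPS, SMTP) an untrusted source can reach, critical assets first. The trusted ranges, instances, and rules are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Services the post names as frequent exposure points; RDP is the most common entry vector.
WATCHED_PORTS = {3389: "RDP", 22: "SSH", 443: "HTTPS", 25: "SMTP"}
# Assumed trusted ranges (RFC 1918); a rule admitting anything outside them is an exposure.
TRUSTED = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Rule:
    src: str    # source CIDR an allow rule at the checkpoint admits
    port: int   # destination port it admits

@dataclass(frozen=True)
class Instance:
    name: str
    subnet: str            # CIDR of the subnet the instance lives in
    critical: bool         # derived from tags, e.g. criticality=high
    listening: frozenset   # ports with a bound service

def untrusted_source(cidr: str) -> bool:
    """True when the admitted source range is not wholly inside a trusted range."""
    net = ip_network(cidr)
    return not any(net.subnet_of(t) for t in TRUSTED)

def exposed_services(instances, checkpoints):
    """checkpoints maps a subnet CIDR to the allow rules at its policy checkpoint.
    Returns (name, port, service, critical) for each watched service an untrusted
    source can reach, critical assets first so they are remediated first."""
    findings = []
    for inst in instances:
        rules = checkpoints.get(inst.subnet, [])
        for port in sorted(inst.listening):
            if port in WATCHED_PORTS and any(
                r.port == port and untrusted_source(r.src) for r in rules
            ):
                findings.append((inst.name, port, WATCHED_PORTS[port], inst.critical))
    return sorted(findings, key=lambda f: (not f[3], f[0], f[1]))

# Constructed inventory: a jump host with RDP left open to the world, a web tier, and a DB.
INSTANCES = [
    Instance("jump-01", "10.1.0.0/24", True, frozenset({3389})),
    Instance("web-01", "10.2.0.0/24", False, frozenset({443, 22})),
    Instance("db-01", "10.3.0.0/24", True, frozenset({22, 5432})),
]
CHECKPOINTS = {
    "10.1.0.0/24": [Rule("0.0.0.0/0", 3389)],                        # forgotten RDP exposure
    "10.2.0.0/24": [Rule("0.0.0.0/0", 443), Rule("10.0.0.0/8", 22)],
    "10.3.0.0/24": [Rule("10.2.0.0/24", 5432), Rule("10.0.0.0/8", 22)],
}
```

Calling `exposed_services(INSTANCES, CHECKPOINTS)` reports the critical jump host's RDP exposure first, then the web tier's HTTPS; the database's SSH is reachable only from the trusted range, so segmentation holds there.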