Managed Security Services, MSSP, MSP, Breach and attack simulation, Breach

Right of Boom: Day 1, Live Blog

  • Opening Keynote: Embrace the Suck and Leadership with Brent Gleeson
  • Right of Boom: Threat Actor Initial Access Techniques
  • Right of Boom: Secure Onboarding
  • Right of Boom: Vulnerabilities
  • Right of Boom: Performance and Alignment

Day 2 coverage can be found here.

Welcome to our semi-live blog coverage of Right of Boom in Las Vegas.

This is the third annual event with an all star lineup of speakers addressing the challenges MSSPs and cybersecurity-centric MSPs as they defend against threats.

Andrew Morgan is the owner and visionary behind this event. MSP Robert Cioffi is the masters of ceremonies for this year's event.

We'll be updating this blog post throughout the day, so check back often.

Opening Keynote: Embrace the Suck and Leadership with Brent Gleeson

Brent Gleeson, CEO of Taking Point Leadership, a management consulting firm, and author of Embrace the Suck (a book that inspired Right of Boom show owner and organizer Andrew Morgan), opened the conference with a keynote address.

His talk on leadership, culture and teams embodied the principles he lived and learned during his time in Navy seals training and his Iraq deployment. He talked about mindset, behavior, adherence to values. How we prepare ourselves to show up every day, trust and accountability are two most important pillars of highest performing teams in the world, he said. Organizations must iterate and capitalize on growth.  A continuous state of discomfort is important to continuous improvement and growth.  

True champions do not obsess over the goal, he said. True champions focus on having the right systems, processes, methodologies to get them to the achievement of those goals. The question to ask is do we have the right systems in place?

To determine the trajectory, ask yourself, five years from now, if our company was on the front page of a magazine, what would that article say? Then figure out how to grow and scale.

Right of Boom: Threat Actor Initial Access Techniques

Aaron Goldstein, incident response leader at Todyl is talking about the initial access techniques used by threat actors. Here are some of them, and phishing continues to be big.

Phishing as a service. Goldstein says you give them email addresses and they will do the rest. One of these providers even offers a one-day free trial so you can check out their threat services before you buy.

MFA fatigue attacks. Sometimes called MFA bombing, this attack is when the threat actor already has the stolen user credentials and they spam the victim continuously with MFA requests. You keep hitting no over and over, but you are getting annoyed. Then you get a phone call from your company’s IT and they say, just accept the next MFA request and we’ll take care of it for you. But it wasn’t your IT department. It was the threat actor. Goldstein reminds us, almost any organization can fall victim to a cyberattack.

Pirated, Illegitimate software. Maybe you wanted to download the Grand Theft Auto VI preview, but that preview is not legit. If you are getting something for free, you are probably going to be compromised.

Social engineering and fraud. Sometimes this comes in the form of a phone call from “tech support,” or even “Microsoft tech support” and most people want to help out the “technician.” There’s also been a spike in fraud around fake employer and employee scams. “Hey would you like a job? fill out this form, and I’ll get you in with this very large company.”

Data Dumps and leaks. This includes password dumps sold on the dark web.

The attackers’ point of view. From the attacker’s point of view the easiest targets are those that don’t have MFA enabled. Other easy attacks include credential stuffing attacks, standard phishing attacks, and brute force attacks.

Moderate difficulty attacks include those when users have MFA enabled, MFA fatigue attacks, those based on single sign-on misconfigurations.

High difficulty level attacks include social engineering attacks and SIM swaps.

To protect the technology estate, Goldstein recommends MSSPs focus on the following:

  1. Logging and visibility
  2. MFA enforcement and conditional access
  3. Endpoint protection and response
  4. Privileged account management
  5. Password auditing

Right of Boom: Secure Onboarding

Karl Bickmore is presenting a business session about Secure Onboarding. He is CEO and one of the founders of MSP Snap Tech IT and one of the founders of Raven Automation. He’s an advisory board member for Sophos and a Connectwise advisory board member alum.

Bickmore evolved from a less structured approach for asessments and onboarding to an approach incorporating frameworks and best practices including using NIST CFS questions.

Bickmore is an advocate of charging for assessments before onboarding. He arrived at that approach after a project that he initially scoped and priced to take 60 hours ended up taking 450 hours.

Initial assessments consist of the following:

  • Vulnerability scanner, network discovery tool, internal/external
  • Office 365 security assessment tool
  • Custom assessment tool that leads to QBR (quarterly business review) success in the future
  • In-person interviews and photos and observations. He recommends very basic questions such as "how do you make money?” and “What are you getting or not getting from IT now?”

Following an assessment he creates an MSA (master service agreement) and an assessment document and presents them to the client as separate modules.

When he arrives at the actual onboarding portion he has the following:

  1. An executed MSA
  2. Details from the paid assessment
  3. Onboarding project PLA (project labor agreement) form template adjusted for the specific client.

Here’s Bickmore’s math for pricing onboarding and assessment:

  • $100k salary per employee is equal to $48.08 per hour.
  • The cost of overhead takes it to $62.50 per hour.
  • The cost of tools used in assessment and onboarding is $25 an hour.
  • Total COGS (cost of goods sold) is $87.50 an hour; the minimum bill rate needs to be $175/hour and the company normally goes with $195 to $225.
  • Onboarding process template starts at around 43 hours, so onboarding usually starts between $8385 and $9,675.

Bickmore said his philosophy on the business side of this is to maintain 40% labor gross margin at minimum on assessments, onboarding, offboarding and remediation projects.

When onboarding, Bickmore said it’s a good practice to assume the client is infected.

Bickmore’s company tells clients the stack of services they are getting, unless they opt out. Hardly anyone opts out, “so stack alignment is great. The problem before was me thinking that the customer didn’t want to pay for this.”

Who runs Bickmore’s onboarding:

  • The project team does overall management (project manager and engineers).
  • vCIO does delegated documentation and standard operating procedure authorship.
  • Account managers do a customer training/introduction event.
  • Back office team does paperwork, billing setup, agreement setup, routine ticket template setup (a lot of this stuff is becoming automated).

How do we improve on our project templates? Document, write it down, and then have a constant improvement process.

Right of Boom: Vulnerabilities

Christopher Henderson, senior director of threat operations at Huntress, and previously senior director of information security at Datto, presented on Vulnerabilities.

Vulnerability is defined as a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Vulnerability types:

  • Zero day. A vulnerability that is unknown to the manufacturer and user. Henderson said it’s really a vulnerability that we haven’t seen before.
  • N-day. A vulnerability known to the manufacturer and user.

Zero days are terrible because there is no patch, Henderson said. N-days are where cybersecurity pros can manage vulnerability and can be preventable through updates and patching. Organizations manage N-days and prepare for zero days. Conducting regular inventories is how organizations prepare for zero days.

Henderson noted that the Citrix Bleed Zero Day had a 14-day timeline, and the ConnectWise ScreenConnect a few months later was much shorter.

“The timelines you have will shrink," he said. "You have days to hear about these and patch. There’s not always patches available. Sometimes you will need to take a critical business system offline.”

Tom Millar a CISA vulnerability management branch chief, joined Henderson on stage and discussed the work his group has done creating checklists and other tools for organizations. For instance, his team manages cybersecurity performance goals and offers a checklist of 38 practices that it recommends everyone applies to their systems and organizations, including operational technologies and applications in industrial control environments.

He discussed Secure by Design, which is designed to move cybersecurity responsibility from the end user up to the vendor... “the end user is the least clued in.” Millar also discussed the new initiative from the White House encouraging the industry to use memory safe languages.

He said MSPs should look for Secure by Design vendors by asking for a Software Bill of Materials (SBOM). Once they get an SBOM, look at the OS version. If it’s 10 years out of date, don’t buy that product, he advised.

Chip Buck, co-founder and CTO of SaaS Alerts, presented on business email compromise (BEC): how to spot it and mitigate it

BEC is an unauthorized entity gaining access to a business email account and use that access to impersonate the legitimate owner of the account.

What is BEC?

  1. Credential capture, using any method, most prevalent recently, token harvest, using phishing as a service.
  2. Sell the credentials (account takeover occurs at step 1 and 2).
  3. Establish email rules/forwarding.
  4. Live off the land, identify fraud targets.
  5. Execute fraud scam(s), the next BEC.
  6. Identify new targets for step 1, repeat endlessly.

What’s the scale of a BEC?

  • In 2022 the FBI received 19369 BEC complaints.
  • SaaS alerts blocked 7096 BEC events in 2023 while monitoring 1.6 accounts that year.
  • There are about 200 million business email accounts in U.S.

Data breach facts:

  • According to IBM xForce, it took 212 days to detect a breach in 2023.
  • Varonis says it took 197 days.
  • That’s about 200 days of dwell time.

Common BEC scams:

  • CEO fraud. Somebody’s CEO was hacked, tells controller to transfer money (ai generated video)
  • Privilege escalation – get in, live off the land, ask for more privileges
  • Vendor, customer invoice scams
  • Document theft/ransom request

Who is the attacker?

  • Most commonly the initial attacker is an external threat actor (hacker) who specializes in executing the initial phase of the attack, harvesting credentials.
  • The initial attacker sells the credentials to a specialist for later phases of the attack.
  • The attacker may also be an insider within the same business domain.
  • An otherwise trusted partner, vendor or customer is likely already compromised as part of another attack cycle.

TTPs — how are accounts attacked:

  • Password spray
  • Brute force
  • Dark web credentials
  • Token harvest

What’s at stake?

  • Impersonate someone the next victim trusts.
  • Send urgent emails requesting a specific action.
  • Carefully craft emails to look legit.
  • Reputational destroying event for the party whose account used to perpetrate fraud.
  • Possible civil liability for losses of third parties.

“Microsoft will not be liable for any loss that you may incur as a result of someone else using your password or account, either with or without your knowledge. However, you could be held liable for losses incurred by Microsoft or another party due to someone else using your account or password. You may not use anyone else’s account at this time without the permission of the account holder.”

Protecting against BEC

  • Employee awareness training
  • Email security tools (phishing detection)
  • Verifying requests for account changes
  • Continuous monitoring of account behavior
  • Automated account blocking on compromise detection
  • Daily or less session/ access token expiration.

Right of Boom: Performance and Alignment

Gary Pica, former owner of two MSPs, founder of TruMethods and leader of the TruMethods peer groups, presented on Performance and Alignment.

Pica recommends setting clear expectations with customers around responsibilities. The MSA is a piece of it, but conversations are important too. Conversations were always important, but they are way more important now that security and risk have become a central part of the mission.

A big question about cybersecurity services is always, How do you show the customers ongoing value of services?

Here's how:

  • Quantifiable metrics
  • How is success defined
  • Tools, alerts, process alignment, compliance

Packaging and pricing has become more complex today.

If you can’t get the right commercial relationship with your customers, you won’t be able to deliver. You’ll have a math problem.

Core stack offering:

  • All the things you need to have
  • Tools and process to deliver to every customer
  • Bundled into your MSP service offering
  • Using “seat cost” as your unit of measure to detrend price

Premium offering:

  • Some customers have additional security requirements (business risk and compliance).
  • A premium offering can also add perceived value to your standard.

The average MSP has 40 tools, there are some that have 60. You have to understand all the costs that come off them.

Jessica C. Davis

Jessica C. Davis is Editorial Director of CyberRisk Alliance’s channel brands — MSSP Alert and ChannelE2E. She also oversees content and programming for the MSSP Alert Live event. She has spent a career as a journalist covering the business of technology including chips, software, the cloud, AI, and cybersecurity. She previously served as Editor in Chief of Channel Insider and later of MSP Mentor where she was one of the first editors to oversee the creation and vision of the MSP 501 list.