Channel partner events, MSSP, Managed Security Services, Incident Response, IT management

Right of Boom: Day 2, Live Blog

Welcome to Day 2 of our Right of Boom coverage at MSSP Alert. Check out our coverage of Day 1 here.

While the first day of the conference is focused on Left of Boom topics such as Secure Onboarding, Day 2 is where the conference topics focus on the Right of Boom — the response after an event occurs. We’ll be updating this blog as the day goes on, so please check back for more.

Before addressing the Day 2 topics, attendees heard from an industry luminary, Arnie Bellini, founder of ConnectWise and a pioneer in the industry that is managed services. Bellini delivered the Day 2 keynote at Right of Boom.

Bellini sold his company to private equity five years ago and since then has taken on a quieter role as the leader of Bellini Capital, an investment firm. The firm has several missions, including environmental ones such as saving the Florida panther, and educational ones like training a new generation of technology workers to address the industry’s coming challenges. One of those challenges, of course, is cybersecurity.

Keynote: Arnie Bellini — Defending Digital Borders in the Age of AI

ConnectWise founder and current CEO at Bellini Capital Arnie Bellini opened his keynote address at Right of Boom on March 8 saying, “Hello, I am back!”

Bellini’s non-compete expired last week, five years after he completed the sale of ConnectWise to a private equity firm. But his presentation reflected one of his new focuses: defending the digital borders in the age of AI.

He believes that MSPs can double their revenue by providing cybersecurity services to clients. There are six components that MSPs must provide to clients that will protect the attack surface by 80% to 90%, he said. Four of those are services they are already offering as part of their IT managed services stack. They are:

  • Anti virus
  • Backup rotation
  • MFA
  • User awareness training.

They need to add to this:

  • Risk assessment (which includes vulnerability scanning) 
  • Policies and procedures

But MSPs have gotten push-back from clients when they try to sell cybersecurity services. These services don’t increase revenue or impact the bottom line. They aren’t a core part of the business function. It’s hard for customers to justify the expense.

Bellini suggests selling this stack including the two additional service categories as compliance. Of course, not all customers think they need compliance. They aren’t a financial services firm. They aren’t a healthcare firm. But they all do need cybersecurity insurance, and providing this stack of services is a way for these organizations to demonstrate they are a responsible organization and not high risk, which makes it easier to get cybersecurity insurance coverage. It can also lead to lower rates because they are a lower risk business if they have all these boxes checked.

Bellini’s address was a call to action for MSPs, because he not only talked about the potential revenue growth for MSPs by service expansion. He also called on their sense of duty to protect the U.S.’s digital borders against nation states that would attack the country’s infrastructure.

We’ll provide more on the Bellini plan for MSPs and how they can demonstrate the value of cybersecurity to end customers in a separate story coming soon.

Right of Boom: PWNED and OWNED

Mackenzie Brown is vice president of Security at Blackpoint Cyber and previously worked on the incident response team at Microsoft. She is the only woman presenter at Right of Boom, and her presentation was on International Women’s Day, March 8.

Brown covered topics including identity and zero trust and how owning the environment has shifted from predominantly from on-premises IT estates to a combination of on-premises and  the cloud. Her discussion also included information about Living of the Land (LotL), or how attackers use legitimate tools to evade detection.

LotL isn’t new:

  • Adversaries abuse native tools and processes.
  • This allows them to blend in with the noise.
  • Tools are already trusted in the environment.
  • It’s difficult for defenders to discern legitimate behavior from malicious.

Why do they live off the land?

  • Prevalence of untuned EDR
  • Lack of established baselines
  • Needle in the haystack analysis

Brown said that according to Blackpoint Cyber data 56% of all incident responses in the last three months did not involve EDR/antivirus alerts. That means these attacks evaded EDR and antivirus.

“We aren’t able to identify bad activity going on, and that is a smoke signal about to lead to a full on wildfire,” Brown said. “Old tech stacks are not effective at highlighting the risks of LotL and legitimate software being abused.”

Credentials are often used to enable LotL attacks. Adversaries commonly abuse valid credentials to laterally move through networks.

Identity Is the entry point, specifically privileged identity. We should be focusing on zero trust and zero trust implementation. Once bad actors own the identity they are going to own the intrusion. Brown shared some data from the Microsoft Digital Defense Report, 2023.

  • Attempted password attacks have increased more than tenfold
  • 500-plus known VPN vulnerabilities; all it takes is one stolen credential to put an entire network at risk
  • 4000-plus blocked attacks per second
  • 10k-plus alerts per month
  • 99% of targeted applications are Office 365 or Azure powershell
  • 10,000-plus attack attempts per day on 2500 unique accounts
  • For every on-premises attack, we are seeing five more in the cloud.

Identity is the entry point

  • Stolen credentials — MFA bypass, brute force, SEO poisoning
  • Authorized credentials — VPN/Citrix – on-premises access, cloud access

RMM abuse is absolutely the thing we are concerned about.

Once the threat actor has a remote logon session they execute a Powershell in memory, it won’t necessarily be picked up. Many enterprises use RMM tools, too, and they don’t know anything about these vulnerabilities.

Context is king, but with LotL, your tools don’t give you the context they need to detect the intrusion. That’s where threat hunting comes in.

  • In depth threat hunting focused on behavior vs. malware
  • Understanding what binaries can be utilized for LotL

The amount of time between initial access and lateral movement of a threat actor is 83 minutes (source: Blackpoint Data).

Right of Boom: Extortion Tactics

John Strand, owner of BHIS Antisyphon and Wild West Hackin’ Fest, presented this session and sprinkled in many colorful, funny stories which this blogger cannot do justice to in print. But Strand is hilarious, and you should see him present in person sometime.

He told many stories of DDOS attacks and his response to them. Among them was the story of the largest DDOS attack in history, the DynDNS DDOS attack.

DynDNS provides DNS services to some of the U.S.’s largest companies and had paid for Strand’s firm to do some consulting the week before, and suddenly there was an outage.

DynDNS was on the hook for $100,000 per minute of downtime. There was a moment when things seemed under control, so someone taunted the attacker. The attacker came back even harder.

The botnet involved had spread through default passwords on IoT devices and it came through in three waves.

Jessica C. Davis

Jessica C. Davis is Editorial Director of CyberRisk Alliance’s channel brands — MSSP Alert and ChannelE2E. She also oversees content and programming for the MSSP Alert Live event. She has spent a career as a journalist covering the business of technology including chips, software, the cloud, AI, and cybersecurity. She previously served as Editor in Chief of Channel Insider and later of MSP Mentor where she was one of the first editors to oversee the creation and vision of the MSP 501 list.