In an aggravating but foreseeable turn of events, hackers could be using the systems and processes of Managed Services Providers (MSPs) to steal your employees’ credentials, your company’s data, and/or your financial information, according to the Department of Homeland Security (DHS). MSPs are IT providers that help manage, maintain, and develop your company’s computer systems, often faster, more effectively, and less expensively than an in-house IT department.
How is the threat coming at you, and what does it look like? What can you do about it? In this article we will answer these questions and offer some further guidance on addressing the security needs of your company.
The threat is most easily explained through the indicators of compromise and how you will probably notice them, rather than through the system tools that are used, such as command line tools and scripts. It is important to note, however, that these tools are legitimate and are often built into Microsoft Windows (and yes, there are similar things for Apple too), which makes them even harder to catch before they are used to compromise your computers. As the DHS alert explains:
APT [Advanced Persistent Threat] actors use a range of “living off the land” techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials and trusted off-the-shelf applications and pre-installed system tools present in MSP customer networks.
Pre-installed system tools, such as command line scripts, are very common and used by system administrators for legitimate processes. Command line scripts are used to discover accounts and remote systems…
These scripts often cannot be blocked because they are legitimate tools, so APT actors can use them and remain undetected on victim networks. Although network defenders can generate log files, APT actors’ use of legitimate scripts makes it difficult to identify system anomalies and other malicious activity. –DHS
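The DHS point above is that the discovery commands cannot simply be blocked, so a defender has to flag them by context instead: who ran them, from what parent process, and when. The script below is an added example, not code from the DHS alert or from this article; the command families it watches, the account and host names, and the RemoteSupportAgent.exe parent process are assumptions, and both log sets are constructed sample data in a simplified CSV-like format.

```python
# Added example, not from the DHS alert or this article: the discovery commands the alert
# describes are legitimate admin tools that cannot simply be blocked, so flag them by context.
import re

# Built-in Windows commands commonly used to discover accounts and remote systems.
DISCOVERY = re.compile(r"^(net (?:user|group|view)|nltest|whoami /all|query user)", re.I)
REMOTE_PARENTS = {"remotesupportagent.exe"}  # hypothetical MSP remote-support agent (constructed)
# Constructed sample process-creation events: "timestamp,host,user,parent,command_line".
BASELINE_LOG = [  # a known-good period of MSP and in-house admin activity
    "2018-10-01T09:10:00,FS01,CORP\\svc_msp_admin,cmd.exe,net user /domain",
    "2018-10-02T09:12:00,FS01,CORP\\svc_msp_admin,cmd.exe,net group \"Domain Admins\" /domain",
    "2018-10-03T10:00:00,DC01,CORP\\jdoe_admin,powershell.exe,nltest /dclist:corp",
]
NEW_LOG = [  # the period under review
    "2018-10-09T02:14:00,FS01,CORP\\svc_msp_admin,RemoteSupportAgent.exe,net user /domain",
    "2018-10-09T02:15:00,WS22,CORP\\receptionist,cmd.exe,net group \"Domain Admins\" /domain",
    "2018-10-09T09:00:00,DC01,CORP\\jdoe_admin,powershell.exe,nltest /dclist:corp",
    "2018-10-09T09:05:00,WS22,CORP\\receptionist,explorer.exe,winword.exe /n",
]

def parse(line):
    return dict(zip(("ts", "host", "user", "parent", "cmd"), line.split(",", 4)))

def family(cmd):
    """Tool family of a discovery command ('net user', 'nltest', ...), or None."""
    m = DISCOVERY.match(cmd)
    return m.group(1).lower() if m else None

def build_baseline(lines):
    """Map each discovery family to the accounts that legitimately ran it."""
    seen = {}
    for ev in map(parse, lines):
        fam = family(ev["cmd"])
        if fam:
            seen.setdefault(fam, set()).add(ev["user"].lower())
    return seen

def analyze(lines, baseline):
    """Return (reason, event) pairs for discovery commands that break the baseline."""
    findings = []
    for ev in map(parse, lines):
        fam = family(ev["cmd"])
        if not fam:
            continue  # ordinary process, no discovery tool involved
        if ev["user"].lower() not in baseline.get(fam, set()):
            findings.append(("new account running discovery", ev))
        if ev["parent"].lower() in REMOTE_PARENTS:
            findings.append(("discovery launched from remote-support session", ev))
        if not 7 <= int(ev["ts"][11:13]) < 19:
            findings.append(("discovery outside business hours", ev))
    return findings
```

Calling `analyze(NEW_LOG, build_baseline(BASELINE_LOG))` yields four findings on the sample data: the receptionist account running a discovery command it never ran before, the MSP service account running discovery from a remote-support session, and both of those happening at 2 a.m.; the in-house admin's routine nltest run is left alone.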
Now on to what you want to know: you will most readily notice a breach when phishing and/or scam emails start coming from your own email addresses or your company’s email addresses. This is especially worrisome if your email server is hosted locally. Further, if employees find their information changed or their logins and passwords no longer working, you should immediately report this to your MSP.
Are there ways of noticing and preventing these attacks from occurring at all? Mostly yes: there are ways to mitigate the dangers before anything is compromised. We will cover these steps next, split into what you can do and what your MSP should be doing.
Some things you can do immediately to secure yourself and your company: use multi-factor authentication, use unique passwords, change passwords regularly, adopt a security policy that you actually enforce, enable a local admin account but limit your own profile to a standard user, and do not get in your own way. To cover some of these points generally, it is important to secure your password, but if you do not add layers beyond that password it is easy enough for hackers to break that one layer of security. Good habits, awareness and knowledge of the dangers, and simple layers of security are more important than the strongest firewall.
There are also things you should expect your MSP to be doing, and if they are not, you should make sure they happen. Your MSP should have installed a firewall and an antivirus, should be pressing you for advanced endpoint security and security awareness training, and should be following their own security policies in-house. Moreover, they should be scanning your systems and network periodically for threats, and they should have set a unique password on your wireless network. If you ask whether they follow the same protocols they are suggesting to you and their answer is anything less than “yes,” that is a red flag. Further, how well protected is your MSP itself? Do they have advanced endpoint security, a firewall, and a password-protected network, and have they been trained in security awareness best practices? Once again, the answer needs to be “yes.”
According to the alert, which analyzed a phishing attack on MSPs, there are three key details that service providers should be aware of:
- The attack capitalized on stolen credentials, making multi-factor authentication critical to securing end-clients.
- Signature-based malware detection is not enough to protect against the initial infection.
- Once the attackers were inside the service provider network, they used common admin tools to move laterally to end-customer networks. This highlights the need for layering additional security onto Remote Desktop Protocol (RDP), such as strong authentication for remote connections, and heightens the need for more tightly controlled remote management tools.
This DHS alert reminds us that this issue concerns everyone: not just the CEO or the IT company, but everyone who uses the web and a computer. It also illustrates that securing a company is not a simple task for IT providers. Even if they are doing EVERYTHING they can to protect you, there is still some chance that you will be compromised, and that chance can increase exponentially if you are actively working against them by not following best practices. Lastly, cyber security has up to this point been thought of only as an expenditure to be checked off for compliance purposes. Now, cyber security is an essential part of everyday life, and many companies are still not making the purchases they need to secure themselves and their data.
Queen Consulting and Technologies is a trusted MSP that offers advanced endpoint security. This service combines behavioral analytics with human monitoring through its Security Operations Center (SOC), and it actively scans for and repels attacks.