Five Eyes Intelligence Alliance Warns of Increase in Cyberattacks Targeting Managed Service Providers
The Five Eyes intelligence alliance, which consists of cybersecurity agencies from the United States, United Kingdom, Australia, New Zealand, and Canada, has issued a joint alert warning about the increasing number of cyberattacks targeting managed service providers (MSPs).
MSPs are attractive targets for cybercriminals and nation-state threat actors. Many businesses rely on MSPs to provide information and communication technology (ICT) and IT infrastructure services, as it is often easier and more cost-effective than developing the capabilities to handle those functions internally.
In order to provide those services, MSPs require trusted connectivity and privileged access to the networks of their clients. Cyber threat actors target vulnerable MSPs and use them as the initial access vector to gain access to the networks of all businesses and organizations that they support. It is far easier to conduct a cyberattack on a vulnerable MSP and gain access to the networks of dozens of businesses than to target those businesses directly.
When MSP systems are compromised, it may take several months before the intrusion is detected, during which time threat actors may conduct cyber espionage on the MSP and its customers or prepare for other follow-on activities such as ransomware attacks.
The Five Eyes agencies provide recommendations for baseline security measures that MSPs and their customers should implement and also recommend customers review their contracts with MSPs to ensure that the contracts specify that their MSPs must implement the recommended measures and controls.
Steps need to be taken to improve defenses to prevent the initial compromise. Cyber threat actors commonly exploit vulnerable devices and Internet-facing services and conduct phishing and brute force attacks to gain a foothold in MSP networks. The Five Eyes agencies recommend MSPs and their customers:
- Improve the security of vulnerable devices
- Protect internet-facing services
- Defend against brute force and password spraying
- Defend against phishing
It is vital to enable or improve monitoring and logging processes to allow intrusions to be rapidly detected. Since threat actors may compromise networks for months, all organizations should store their most important logs for at least six months. “Whether through a comprehensive security information and event management (SIEM) solution or discrete logging tools, implement and maintain a segregated logging regime to detect threats to networks,” suggest the agencies in the alert.
It is important to secure remote access applications and enforce multi-factor authentication as far as possible, and ensure MFA is implemented on all accounts that allow access to customer environments. Customers of MSPs should ensure that their contracts state that MFA must be used on accounts that are used to access their systems.
The Five Eyes agencies also suggest
- Managing internal architecture risks and segregating internal networks
- Applying the principle of least privilege
- Deprecating obsolete accounts and infrastructure
- Applying software updates and patches promptly
- Backing up systems and data regularly and testing backups
- Developing and exercising incident response and recovery plans
- Understanding and proactively managing supply chain risk
- Promoting transparency
- Managing account authentication and authorization
MSPs and their customers will have unique environments, so the recommendations should be applied as appropriate in accordance with their specific security needs and appropriate regulations.