Five Eyes on MSPs

The Five Eyes is a group of nations, focused on mutual security concerns. Right now, they're concerned about MSPs and their clients.

Five Eyes is comprised of the US, UK, Australia, New Zealand and Canada.

For starters, if you think your government can't get much done, you have to recognize the importance when FIVE governments can come together on a common message.

In their efforts to compromise MSPs, malicious cyber actors exploit vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques.

The Five Eyes issued an advisory that they are "aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue."

When the Five Eyes talk, we find it wise to listen.

So here are some highlights from their guidance (for the entire report, go here)...

Prevent initial compromise

The advisory notes that hackers will target "vulnerable devices and internet-facing services, conduct brute force attacks, and use phishing techniques."

The CISA has excellent resources on hardening VPN solutions, defending against brute force attacks and avoiding phishing attacks.

From CISA's Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services (link here):

"Focus on awareness and training. Make employees aware of the threats—such as phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities."

Enable/improve monitoring and logging processes

This one is easier said than done, so here are is some guidance:

• Store logs for at least 6 months
• Here’s what to be logging (from NCSC-UK)
• Log internal and external activity at client networks, as appropriate

Enforce multifactor authentication (MFA)

This is massive, and every MSP knows it. The problem isn't that the MSP doesn't know it. It's that the customer doesn't want the headache. Here's a little more reinforcement from the Five Eyes:

• Recommend MFA adoption across all services and products to all clients
• Implement MFA on all internal MSP accounts (particularly those that access client environments)
• Ensure client clarity on the purpose and security of MFA

Manage internal architecture risks and segregate internal networks

First, MSPs should make sure they understand their own environment. Next, here are some points to consider:

• Review and verify all internal and external network connections
• Identify, group and isolate critical business systems
• Segregate customer data sets where appropriate
• Do not reuse admin credentials across clients

Apply the principle of least privilege

Only provide the lowest level of access or privilege that's necessary, internally and externally.

• Implement least privilege internally and in client networks
• Add/update processes for revoking privilege when roles/needs change
• Consider time-based privileges when able

Deprecate obsolete accounts and infrastructure

Ensure you have processes in place to remove unneeded or obsolete accounts. This helps limit your attack surface.

• Periodically review attack surface for exposed vectors
• Disable accounts when no longer necessary
• Implement an off-boarding process when clients or users leave

Apply updates

Patch! This is one that will be screamed over and over. And as always, it's easier said than done.

• Prioritize known vulnerabilities
• Push updates on internal accounts as quickly as possible
• Create/update process for client patching and communication

Backup systems and data

With near certainty, you've already got a backup provider. Some of the tips from Five Eyes:

• Regularly backup internal and customer date (where appropriate)
• Isolate backups from the network where ransomware could spread
• Practice backup recovery procedures

Develop and exercise incident response and recovery plans

As Mike Tyson said, "everyone has a plan until they get punched in the mouth." So let's plan for what we do after we take that punch.

• Include incident response roles for all individuals in an organization
• Maintain hard copies of the plan
• Practice and review incident response plans with clients

Understand and proactively manage supply chain risk

This stands to remain a hot topic in coming years. We all have supply chains to be aware of and mitigate when able.

• Review internal supply chain risks - across products and providers
• Mitigate risks at every step
• Include risk tolerances and liabilities in client agreements

Promote transparency

It's much better to have clarity on risks, responsibilities and liabilities ahead of any security incident.

• Include MSP and client responsibilities in contracts
• Explain included and excluded services
• Ensure contract and coverage scope is clear

Manage account authentication and authorization

Compromised credentials are like gold to cybercriminals. Let's avoid those intrusions.

• Develop and implement password management policies
• Review failed authentication attempts
• Ensure clients restrict MSP access to only those areas in scope

Ok, that was a lot!

It's critical that your MSP's contracts and SLAs match the risks and expectations of the client.

With INFIMA, you'll make your Security Awareness Training easy to implement and touch-free to manage.

Rest assured knowing that users are phished, re-targeted and taught safe behaviors. This keeps your clients safe and your MSP protected.

If you're an MSP and want to learn more, go check out how we work with Partners here. If you like what you see, book a time to chat!

Photo by Doun Rain AKA Tomas Gaspar on Unsplash