Five Eyes Alliance Warns MSPs About Targeted Cyberattacks
Advisory From US, UK, New Zealand, Australia and Canada Offers Recommendations
The Five Eyes alliance of cybersecurity authorities from the United States, the United Kingdom, Australia, New Zealand and Canada has issued a warning to managed service providers about cyberattacks that may have "globally cascading effects."
It advises customers of MSPs in the member countries on how to protect sensitive information and reassess security posture and contractual agreements with their service providers based on individual risk tolerance.
Cybersecurity law enforcement authorities in the Five Eyes alliance include the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation in the U.S.; the National Cyber Security Centers in the United Kingdom and New Zealand; the Australian Cyber Security Center; and the Canadian Center for Cyber Security.
"[We] are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers and expect this trend to continue," says the advisory, which aims to provide actionable, preventive cybersecurity measures to both MSPs and their customers.
Another timely & collaborative effort w/our industry, international, & US cyber partners: joint advisory from @CISAgov, @CyberGovAU, @NCSC, @FBI, @NSACyber, @cybercentre_ca, & NCSC-NZ helps #MSPs & their customers protect against cyber threats: https://t.co/O5QVpYDY8C
— Jen Easterly (@CISAJen) May 11, 2022
MSPs 'Make Attractive Targets'
NCSC-UK, CCCS in Canada and CISA in the U.S. have all offered cyber hygiene guidance for MSPs previously, and some cybersecurity experts have commented on why the countries have issued a joint advisory specifically for the MSPs at this time.
Rob Joyce, director of cybersecurity at the NSA, says: "This joint guidance will help MSPs and customers engage in meaningful discussions on the responsibilities of securing networks and data. Our recommendations cover actions such as preventing initial compromises and managing account authentication and authorization."
In a tweet, Joyce describes why the focus is now on MSPs and the importance of this advisory.
Managed service providers make attractive targets for malicious actors to scale their attacks. MSPs and their customers should use these recommendations for handling the shared responsibilities of securing sensitive data. https://t.co/pZPluNVLQr
— Rob Joyce (@NSA_CSDirector) May 11, 2022
Abigail Bradshaw, head of the ACSC, says that "MSPs are vital to many businesses and as a result, a major target for malicious cyber actors."
And Jen Easterly, director of CISA, says, "We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organizations they support. Securing MSPs is critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain."
Lindy Cameron, CEO of the NCSC-UK, says, "Our joint advisory with international partners is aimed at raising organizations' awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk."
Lisa Fong, director of NCSC-NZ, says that cyberthreats in the supply chain are increasingly becoming the weakest point for organizations, so there is a need for effective controls to mitigate the risk of cybersecurity vulnerabilities being introduced into systems via technology suppliers such as MSPs.
'Globally Cascading Effects'
According to the advisory, whether the customer's network is hosted on-premises or externally, threat actors can use a vulnerable MSP to gain initial access into multiple victim networks.
The Five Eyes cybersecurity authorities expect malicious cyber actors, including state-sponsored advanced persistent threat groups, to target MSPs to exploit provider-customer network trust relationships. "For example, threat actors successfully compromising an MSP could enable follow-on activity - such as ransomware and cyber espionage - against the MSP as well as across the MSP's customer base," the advisory says.
Chris Clements, vice president of solutions architecture at Cerberus Sentinel, says MSPs often have complete control over their customers' environments in order to do their job, and that, he tells Information Security Media Group, is why they are a "compelling target."
"Unfortunately, many do not have robust internal security programs themselves and can be soft targets for cybercriminals, who, in turn, can leverage the MSP's elevated access to compromise dozens or hundreds of downstream organizations," Clements says. "After all, why work to compromise dozens of organizations one at a time when you can instead focus efforts on a single MSP that can give the same results in a single attack?"
Recommendations to MSP Customers
In the advisory, the government cybersecurity authorities recommend that MSP customers ensure that their MSPs implement the following measures and controls and specify them in their contractual arrangements:
- To prevent initial compromise, improve the security of vulnerable devices, protect internet-facing services and defend against brute-force and phishing attacks.
- Improve monitoring and logging processes for the delivery infrastructure activities used to provide services to the customer.
- Adopt multifactor authentication across all customer services and products.
- Manage internal architectural risks and segregate internal networks from customer networks, including their data.
- Adopt least privilege principles throughout the network environment and time-based privileges, to further restrict unwarranted access to critical accounts.
- Periodically remove obsolete accounts and infrastructure and apply updates to the infrastructure whenever available and necessary.
- Develop incident response and recovery plans.
- Understand and proactively manage supply chain risk.
- Adopt transparent processes and, at the same time, manage account authentication and authorization.
In April 2022, the Five Eyes issued an advisory that warned about Russian government hackers and cybercrime groups that were reportedly teaming up to launch cyberattacks against critical infrastructure in the West, in retaliation for its support of Ukraine (see: Five Eyes Warns of Russian Hacks on Critical Infrastructure).