Zero Trust: The Best Defense Against Attacks on MSPs

Three digital bugs in red moving towards blue cubes representing a company network. The first cube has a shield with a checkmark on it. The image text reads, "Preventing Cyber Attacks on MSPs"

In light of the COVID-19 pandemic and the digital transformation it brought about in the workplace, IT managed service providers (MSPs) are faced with a lot of challenges. They are often responsible for ensuring their customers can continue to operate under uncertain and constantly changing business conditions.

Attacks on MSPs on the rise

Cybercriminals see the pandemic as an opportunity and MSPs as a ripe target since they often lack sufficient resources to protect themselves from sophisticated cyber attacks. A recent alert from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) indicated a rise in malicious activity targeting MSPs over the last year. That’s backed up by a third-party report that says almost all MSPs have suffered a successful cyberattack in the last 18 months–over 90% of respondents noticed an increase in attacks since the pandemic began.

It’s easy to see why MSPs would be targeted. Their role involves managing client IT systems such as servers, desktops, laptops, and software. With access to locally installed agents, they can control the IT operations of their clients without having to set foot on site. MSPs also house the unique identifiers of their clients, such as usernames and passwords, that can be used to access internal networks and systems.

Simply put MSPs are a convenient entry point in the supply chain to gain access to sensitive data and systems. Rather than infecting one organization with ransomware, why not target their service provider and gain access to hundreds or thousands of other organizations?

Attackers who gain access to an MSP’s remote monitoring and management (RMM) software can then carry out a variety of attacks such as business email compromises or ransomware. A good example of this was the Kaseya attack, where victims were infected via automated software update.

How can MSPs protect themselves?

Segregate internal networks

It’s important for MSPs to understand their environment and segment their networks. A good start is to apply appropriate network security controls to critical business systems: identify, group, and isolate these systems to reduce the impact of a compromise.

All connections between internal systems, customer systems, and other networks should be reviewed and verified by MSPs. Separate customer data sets from each other (and services, where applicable) as well as from the MSP’s internal networks to limit the impact of a single attack vector. Admin credentials also should not be reused across multiple customers.

Use the principle of least privilege

The principle of least privilege should be applied throughout an MSP’s network environment and privileges should be updated immediately when administrative roles are changed. Ensure administrative accounts do not have unnecessary access or privileges by using a tiering model. 

Make use of time and location-based privileges to further restrict the use of full privilege accounts across an enterprise when necessary. Finally, reduce access to high-risk devices, services, and users. This principle should be applied to both internal and customer environments by MSPs.

Enforce multi-factor authentication (MFA) 

In order to harden the infrastructure that enables access to networks and systems, organizations should secure remote access applications and enforce multi-factor authentication wherever possible. Customers should be advised to adopt MFA across all services and products provided by MSPs. Additionally, MSPs should implement MFA on all accounts that have access to customer environments and treat those accounts as privileged.

Improve monitoring and logging processes 

Implement and maintain a separate logging regime to detect network threats, whether through a SIEM solution or discrete logging tools. The activities involved in delivering services to customers should be logged by MSPs. Depending on the contractual agreement, MSPs should log both internal and customer network activity.

Furthermore, MSP client organizations should implement endpoint detection and network defense monitoring capabilities along with application allow/deny lists, whether through contractual arrangements with an MSP or independently.

Implement a Zero-Trust security solution

By adopting a Zero Trust security solution, MSPs are better able to protect sensitive data, systems, and services across increasingly dispersed and complex enterprise networks.

The Zero Trust security model removes implicit trust in any element, node, or service by acknowledging threats inside and outside traditional network boundaries, requiring continuous real-time monitoring of information from multiple sources to determine access and other system responses.

Assuming a breach is inevitable, Zero Trust constantly limits access to only what is needed and monitors for anomalous or malicious behavior.

To protect critical assets and data in real-time within a dynamic threat environment, a good Zero Trust solution should include comprehensive security monitoring; granular risk-based access controls; and system security automation. In addition, it should provide a single point of control and visibility across the network so that IT and security staff see what is happening wherever the users are, whether at home, at work, or on the go.

With this user-centric security model, the least-privileged access principle can be applied to access decisions thereby allowing or denying access to resources based on several contextual factors.

Network environments are becoming increasingly complex and adversaries are able to compromise them more easily than ever before. Therefore, the defensive focus must change. Using technologies such as ZTNA, critical networks and access paths are protected by eliminating implicit trust as much as possible, while re-verifying every access request regularly.

A properly implemented Zero Trust strategy allows for significant improvements in detection, prevention and containment of intrusions compared to less integrated legacy cybersecurity approaches and architectures.