The agencies responsible for cybersecurity from the United States, United Kingdom, Australia, and Canada have issued a second alert this week, stating that attacks on managed service providers (MSP) are expected to increase.
The advisory states that if an attacker is able to compromise a service provider, then ransomware or espionage activity could be conducted throughout a provider’s infrastructure, and attack its customers.
“Whether the customer’s network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects,” the nations advised.
“NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI expect malicious cyber actors — including state-sponsored advanced persistent threat groups — to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships.”
For the purposes of this advice, the MSP definition covers IaaS, PaaS, SaaS, process and support services, as well as cybersecurity services.
In pretty obvious advice, the initial recommendation is to not get compromised in the first place. Beyond that, users are advised to adopt familiar set of advice such as: Improve monitoring and logging, update software, have backups, use multi-factor authentication, segregate internal networks, use a least privilege approach, and remove old user accounts.
It is advised that users check contracts contain clauses to ensure MSPs have sufficient security controls in place.
“Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer’s environment,” the advisory states.
“MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery.”