CISOs, MSPs and “buffalo jumps”

CISOs, MSPs and “buffalo jumps”

Speculation has surfaced in the tech industry [1] that government and/or insurance providers are considering the regulation of MSPs (Managed Service Providers), prompted by the rising concern that vulnerable MSPs are becoming prime targets for cyber criminals. Using a tactic known as “buffalo jumps”, attackers are holding service providers and their customers to ransom in one hard-hitting, sustained attack.

We spoke to our Head of CyberGuard, Sean Tickle, about how CISOs (Chief Information Security Officers) can securely utilise the services of an MSP and what to consider when selecting one.

How can CISOs protect their infrastructure that is looked after by MSPs?

“The goal for CISOs is to ensure their MSPs have a good standard of cyber security in place, as their first port of call. They should have something as basic as Cyber Essentials Plus in place without fail. Realistically, ISO27001 should be the target for service providers. If MSPs are not adhering to security standards themselves, they should not be trusted with your infrastructure and data. It sounds obvious but you’d be surprised at the number of risks being taken out there.

“If you’re satisfied with the level of their cyber security, and choose to engage them, there’s some key aspects to look out for in the scoping and implementation of the cloud infrastructure: namely an efficient device & application patching cycle, segregate subnets, ‘principle of least privilege’ adopted, limited externally facing servers and a ‘defence in depth’ approach when designing the network is evident.

“Thirdly, CISOs must demand regular reporting on key activity such as patching of devices and applications within the infrastructure and periodic reviews of user access for starters.

“Ultimately, a standard needs to be adhered to by all MSPs in order to ensure a sufficient amount of protection, including server hardening and privileged access management, and it is the MSP’s responsibility to ensure that this standard is met.”


What can MSPs do to protect their clients?

“They absolutely must ensure that their cloud infrastructure is set up to adhere to security best practice. For example, does the MSP adhere to the principle of ‘zero trust’? Access for users, devices and resources should be conditional, and only permitted to perform specific functions. A question to ask would be, should an external facing server be able to access every device within the infrastructure, or should the network in question be segregated to minimise lateral movement?

“It is also encouraged that event logs are correlated in a centralised platform to investigate and alert suspicious or anomalous behaviour; however, this solution is generally administrated and serviced by an MSSP (Managed Security Service Provider).”
 

How is extortion hindering breach recovery and what can be done to speed things up and stop costs spiralling out of control?

“There are two main situations that generate direct costs for an organisation; the organisation’s inability to function efficiently without their infrastructure / data and the ransom itself if the organisation feels they have no other option but to pay. Indirect costs include the reputational damage that the organisation would suffer if their data were to be publicly exposed.

“The direct costs can be protected against to some extent by offsite backups that would ensure a secondary infrastructure could be spun up in the event of a full infrastructure compromise. Using this device and data backups in the interim until a production environment can be constructed would ensure that loss of service is kept to a minimum.

 “However, the restoration of services and data internally does not stop the threat of the breach being publicly exposed and / or the stolen data being made available for malicious download / publication. The only method to stop this would be to pay the ransom and trust the cyber criminals to not disclose the information regardless. It is not a recommended response as by their nature they are criminals: but threat actors understand this and are now threatening to email journalists and media representatives when disclosing a victim’s data. Such tactics are used to pressure payment of the ransom even if recovery of the data through backups is achievable and unfortunately this tactic has been seen to work for ransoms ranging from £120,000 to £1.4 million.

“In summary, the most effective defence to stop such costs becoming a reality is a proactive approach to security using the best practice guidance mentioned so that such an attack has a low likelihood of succeeding in the first place. However due to project requirements sometimes this is simply not feasible and as such the use of Offsite Backups, Incident Response & Disaster Recovery Retainers, Disaster Recovery Infrastructure and Disaster Recovery and Business Continuity policies and procedures will ensure that the organisation is as prepared as they can be for when a threat actor targets their organisation.”

Concerns about your MSP?

Contact our CyberGuard team to discuss how we can help you ensure you are not exposing your business to risk due to your MSP’s practices.

References:

[1] https://www.connectwise.com/company/press/releases/2021-04-08-perch-security-announces-2021-msp-threat-report-predicts-beginning-of-regulation-of-msp-industry