How A Little Threat Intelligence Can Go A Long Way For MSPs, Says ConnectWise Exec

‘We don’t have unlimited time and unlimited money, so we’ve got to focus on where our efforts want to have the most effect. That’s where threat intelligence comes into play,’ says Bryson Medlock, ConnectWise’s security researcher and threat intelligence evangelist, at XChange March 2023.

The threat landscape, including cybercriminal motivations, continues to evolve quickly. The good news is that the techniques bad actors are using aren’t, according to ConnectWise.

Bryson Medlock, security researcher and threat intelligence evangelist for ConnectWise, spends his time evaluating the different tactics, techniques and procedures that bad actors use during ransomware attacks.

“For the most part, the actual techniques that threat actors are using year after year, they don’t change much,” he said during a keynote at CRN parent The Channel Company’s XChange March 2023 conference in Orlando, Fla., Monday.

And while that’s good news for MSPs that always must be on the defense, they still need a level of threat intelligence to understand the current cyber risk landscape and help their customers take steps to mitigate those risks, Medlock said.

[Related: Here’s Why MSPs Should Explore Adding vCSO Services: Galactic Advisors]

Threat intelligence is based on evidence-based knowledge, Medlock said. “We’re not talking about somebody’s opinion on what the latest threats are, what trends are happening. We’re talking about actually actual evidence.” It involves gathering information on context, mechanisms, indicators and implications, and it’s an increasingly critical muscle for MSPs to build, he added.

Phishing is still the No. 1 most commonly used method for initial access, according to Medlock.

Initial access brokers are a specific type of threat actor that collects passwords and sells them online. The problem with this stems from the fact that many people are “really bad” at passwords, Medlock said.

“Password hash hygiene is a really, really bad problem. They have one password and use it everywhere,” he added. “We see that time and time again, people reusing passwords is how [bad actors] get into the network pretty regularly.”

Phishing is unfortunately connected to end users and human error, said Heather Simek, vice president of RJ2 Technologies, a ConnectWise partner and MSP in attendance during the keynote.

“I think that everybody at some point in time gets a little lazy. They know they shouldn’t click on that link,” she said. “I think the only thing we can do as MSPs is continue to bring it to the forefront and just have it built into the culture, but also have the customers build it into their culture so that every time an engineer talks to somebody, it just brings it full circle.”

Simek said that bad actors are only getting smarter and finding additional ways to get in.

“I think that’s why layering is so important because you might be blocked now in a lot of different ways, but then something’s going to change. And you’re going to have to take out a part of that layer and maybe re-evaluate it,” she said.

But while the techniques of the bad guys aren’t changing, some of the specific tools and procedures that hackers use, however, are. For example, rather than sending Microsoft Excel documents or Word documents, many threat actors are switching to OneNote documents because nobody’s really done that before, Medlock said. “All the protections and different things that Microsoft has been doing—they’ve been adding a lot of extra layers and making it harder and harder for the bad guys to execute malicious code in Excel and Word—they haven’t done any of that for OneNote. They’ve just forgotten about it,” he said.

There are upward of 400 different techniques that bad actors use, so MSPs realistically can’t be prepared to defend against every one, Medlock said.

“There’s a thing called time. And there’s this other thing called money. And they’re usually a bit restricted. We don’t have unlimited time and unlimited money, so we’ve got to focus on where our efforts want to have the most effect,” he said. “That’s where threat intelligence comes into play.”