ConnectWise Security Exec On MSP Threat Report: ‘It’s An Arms Race’

‘The [cybercriminals are] not slowing down. This is here to stay, that’s not anything new,’ says Patrick Beggs, CISO at ConnectWise. ‘I would also say the adaptability of the groups that are behind the exploits [are evolving]. We’re using AI, they’re using AI, so it’s an arms race.’


ConnectWise last week released its 2023 MSP Threat Report with top insight into various ransomware variants, cybersecurity predictions and what MSPs can do to further mitigate risks.

“Start exploring zero trust and implementing zero trust,” Patrick Beggs, CISO at ConnectWise, told CRN. “It is not the most difficult concept to understand and undertake.”

Analyzing more than 440,000 incidents across the IT industry, the report, which is open to the public to view, helps MSPs identify trends seen over the past 12 months as well as prevention and mitigation strategies going forward.

“They’re not slowing down,” Beggs said of cyberattackers. “This is here to stay, that’s not anything new. I would also say the adaptability of the groups that are behind the exploits [are evolving]. We’re using AI, they’re using AI, so it’s an arms race.”

MSPs can further protect their mission-critical infrastructure and services by “adopting a zero trust network architecture, leveraging threat intelligence research and investing in specialized cybersecurity training,” he said.

Key findings in the report predict that MSPs will remain the target of supply chain and critical infrastructure attacks going forward, that zero trust network architecture is and will be critical for MSPs, that threat intelligence research will be crucial for MSPs to better understand the threat landscape, and that specialized cybersecurity training will increase across the industry.

The report, which breaks down the top ransomware groups and techniques, was created by the ConnectWise Cyber Research Unit, which identifies and researches new vulnerabilities and publicly shares its annual findings.

CRN spoke with Beggs about the report, the ever-changing threat landscape and how MSPs can further protect against cyberattacks.

What surprised you most about the report?

What surprised me the most, honestly, is it’s the same challenges. We’re not seeing a lot of shift. For some of the Russian cyberthreat actors, they’re exploiting the same things. We’re not seeing any big paradigm shifts. But the drop in LockBit ransomware … that was a big surprise. They told folks not to mess with hospitals and late last year a hospital got whacked with that. They actually issued a decryption key and put an apology out for it. So that’s a new dynamic. I think with the attention on the ransomware task force and CISA [Cybersecurity and Infrastructure Security Agency] with the government, they’re trying to stay off the radar of more sensitive critical infrastructure attacks. No one’s probably going to complain as much if somebody takes down a chain of gas stations, or maybe a chain of convenience stores, [as opposed to] a children’s hospital.

So they're like, ‘We’ll hit you, but we won't hit below the belt’?

I believe it. This is my opinion back from 2021 after JBS and after Colonial Pipeline. They [angered] the government, so I think they’re trying to navigate that fine line. Making money but doing it ethically.

So an ethical terrorist.

You just hit the nail on the head. They don’t want that moniker. They’re OK with [being] cybercriminals but they don’t want to make the terrorist watchlist.

The report found the rise of a new phishing technique where attackers exploit changes in the default behavior of Visual Basic Application macros handled in Microsoft Office documents downloaded online. What can MSPs do to better protect themselves and clients from those types of phishing attacks?

Better intelligence at your perimeter. If folks aren’t using SIEM [security information and event management] they need to have that. It’s the basic blocking and tackling capability for filtering out. A lot of times, we’re so focused on influence, user awareness, training and ‘don’t click on this,’ but the new frontier that we are seeing now is some of the stuff is going to be able to execute with just an opening of an email, not clicking on the document. There’s got to be more protection all the way out to the endpoint.

The report also predicted that more MSPs will look for outside partners with cybersecurity expertise and leverage threat research organizations to better combat the threat landscape. Can you double down on that?

Those jobs are hard to find in-house. They really are. The talent gap is widening and widening so it’s tougher and tougher. How I structure my organizations, I have tactical threat intelligence and I have strategic threat intelligence. The technical folks wear many hats. They’re extremely hard to find, to be able to have somebody come in and formalize and set up a platform to effectively, in real time, be able to protect environments. It’s not something that can completely be automated.

Those folks are garnering a high dollar, but also they’re just harder to find. That position is usually developed through somebody else, like through an incident response analyst or SOC analyst that has some good chops, then they get interviewed. That’s a journeyman type of role versus somebody you’re going to hire right out of college.

Specialized cybersecurity training is also predicted to increase, so talk to me about that.

We have to get away from annual cybersecurity training. We have to get away from just doing it once a year. We try to assess on a continuous basis. I’ve looked at some tools where it’s behavioral-based, so it helps identify end-user risk behavior and applies the appropriate training to them versus one size fits all. It’s more hands-on than anything else. We have to get more sandbox training from a modernized standpoint.

If MSPs could take one thing away from this report, what would you want it to be?

It’s that [the cybercriminals are] not slowing down. This is here to stay, that’s not anything new. I would also say the adaptability of the groups that are behind the exploits. We’re using AI, they’re using AI, so it’s an arms race. We see them pulling back and doing lessons learned. They do after-action reviews on their capabilities, so we need to take [this] in and address this just as seriously.