Huntress Labs On Responding To A Cyberattack: 5 Key Steps For MSPs

‘Oftentimes your counsel or your insurance will be the ones that bring in an incident response team. Usually they do that under attorney-client privileges. And what this does is it gives you an independent, verifiable third-party player that’s going to do these things with you, not on your behalf,’ says Huntress Labs CEO Kyle Hanslovan.

MSPs Need To Be Prepared

The Kaseya ransomware attack that struck over the July 4 weekend was devastating to many companies, which faced the prospect of paying the ransom to notorious ransomware operator REvil or risking the loss of access to their data.

However, no matter how bad the situation seems at first, there are several steps MSPs can take to help mitigate the fallout, said Kyle Hanslovan, co-founder and CEO of Huntress Labs, an Ellicott City, Md.-based provider of MSP-focused cybersecurity technology.

In a Tuesday webinar that looked at the origin of the Kaseya ransomware attack and its aftermath so far, Hanslovan said the cyberattack against Kaseya’s MSPs generated a lot of fear, uncertainty and doubt.

“Yes, it’s bad,” he said. “Yes, in one day I don’t believe there’s ever been a time where 1,500-plus companies were encrypted. Is this the worst incident? Yes, the worst incident until tomorrow, until something else. The CCleaner back door, that could have been worse than this. [The March] Exchange [attack] could have been worse than this. It just happened to be these attackers were crazy efficient.”

The key for MSPs is knowing what to do, and equally important what not to do, in response to the attack. Hanslovan, along with Huntress Labs Senior Security Researcher John Hammond, Huntress Security Researcher Caleb Stewart and Tom Lawrence, president of Lawrence Technology Services, a Southgate, Mich.-based MSP, gave attendees of the webinar several tips to help them quickly respond to the incident and to be prepared for the next.

Work With Your Peers

MSPs involved in peer groups such as Gary Pica’s Winner Circle or IT Nation’s Evolve will find those groups are a good place to call for help, Hanslovan said.

“Those are the folks that you can leverage when stuff hits the fan, and we already saw it happen,” he said. “Big kudos.”

Huntress saw offers of help for MSPs coming from peers as far away as New Zealand within a short time of the cyberattack starting, Hanslovan said.

Alert Your Legal Counsel

Hanslovan said that in situations like the cyberattack that hit Kaseya, most people don’t know who to call first.

“Who you gonna call? It’s not ‘Ghost Busters,’” he said. “It’s you call your legal counsel. Oftentimes, your legal counsel will put you in contact with your insurance provider. If you don’t have solid in-house counsel with a breach coach in-house, oftentimes you’re calling your insurance provider who is going to get you a breach coach and make sure as much as possible is protected from a litigation standpoint.”

Hanslovan said that an MSP or IT service provider with 50 customers has a lot of room for litigation.

“And it’s not just your customers,” he said. “Imagine if one of your customers, for instance, was a tax accountant and this happened on April 15. They’d be pretty upset with you, and there might be other companies suing the accountant for not filing taxes, which could then propagate up to you.”

Lawrence said he walked into a “chaos situation” with an MSP that had not engaged with legal counsel.

“They started with, ‘I think we can restore things,’” he said. “I said, ‘Stop! Stop! Preserve! And call legal counsel. They’re going to pick an incident response team.’ The good thing is, they had insurance. They just didn’t think to tell them right away.”

It is also important to formulate plans ahead of time to prepare for a response if a security incident actually happens, Lawrence said.

The marketing team is not the right team to craft the response, Lawrence said.

“Every word will be picked apart,” he said. “So your messaging has to be clear and concise, and then blessed by the legal counsel before you put it out there, as you don’t want to give the wrong impression and open yourself up to further liability on this incident or create any further misunderstandings.”

Wording is so important, especially with downstream customers that were impacted on the MSP’s watch, Lawrence said.

“You just have to be so careful how you word it because you’re also at the same time putting liability somewhere,” he said. “And you have to be careful where that liability is put and how it’s managed.”

Prioritize Your Customers

When an incident impacts hundreds of customers, MSPs don’t have the capacity to do everything at once, Hanslovan said.

“It’s really a good technique to draw a Venn diagram,” he said. “One side of it is which customers are encrypted. The other side of the Venn diagram is which customers or their customers’ customers are most likely to litigate because at the end of the day, you have to prioritize where to start.”

Rehearse Potential Scenarios

It is important to rehearse potential cyberattack scenarios to prepare to meet one in the future, Hanslovan said.

“Rehearse these,” he said. “Test these. Do things in advance.”

Lawrence said that in one case, the customer had started documenting what was going on using computers that were not affected but were still connected to the network.

“I right away said, ‘Grab pen and paper and write all that down,’” he said. “And they said, ‘Why?’ And I said, ‘You don’t know how they got here yet.’ One person’s doing restores, another person’s over here, and it’s chaos. Table-talk the whole thing out. Think about what the process is.”

Engage An Incident Response Team

Responding to ransomware doesn’t mean the MSP has to be the one handling the response, Hanslovan said.

“Oftentimes your counsel or your insurance will be the ones that bring in an incident response team. Usually they do that under attorney-client privileges. And what this does is it gives you an independent, verifiable third-party player that’s going to do these things with you, not on your behalf. And the reason I say ‘with you’ is they aren’t going to send a small army. They’re going to send an expensive army out to help you. But it’s not going to be enough to be able to get you up and running. And so, what I’m saying is, that independent voice [is for] when you have litigation, and when it kicks off, you’re able to say, ‘Look, we realize that we’re partially to blame for the encryption.’ You wouldn’t say those words for litigation purposes. But you can say, ‘This is why we brought in an independent firm.’”

There are arguments why you should not do your own incident response, Hanslovan said.

“Keep in mind, some response is recovery,” he said. “Some response is just forensic timeline. I know that sounds crazy, but these are important things that you have to tell people. We say midmarket and below. I think a lot of the audience sometimes forgets how small the ‘S’ in ‘SMB’ can really get, or how silly some decisions can be made.”