10 Things IT Solution Providers Must Do To Avoid Becoming The Next Wipro

From triaging and threat hunting to behavioral analytics and breach simulation exercises, here's a look at 10 technology- and intelligence-based safeguards the channel should adopt to defend against nation-state hackers.

Fending Off Nation-State Threats

Following the 2018 indictment of Chinese nationals Zhu Hua and Zhang Shilong for allegedly targeting and compromising MSPs and other IT firms, solution providers have become more serious about putting technology and intelligence-based safeguards in place to defend against foreign-government-sponsored hackers.

Any doubt that the channel risk is real was put to bed Tuesday when IT outsourcing giant Wipro confirmed a report that "a few" of its employee accounts had been breached by an advanced phishing attack. The admission came less than a day after KrebsOnSecurity reported that Wipro had fallen prey to a multi-month intrusion from an "assumed state-sponsored attacker."

After being hacked, Wipro's systems were used for attacks targeting at least a dozen of the IT outsourcing giant's customers, according to the KrebsOnSecurity report. Wipro said that breached employee accounts have been isolated, and the "handful" of Wipro customers found to be at risk have been notified.

From triaging and threat hunting to behavioral analytics and breach simulation exercises, here's a look at 10 things IT solution providers need to do avoid suffering the same fate as Wipro.

10. Partner With The Public Sector

MSPs shouldn't be shy about partnering with government agencies and law enforcement to turn up the heat on nation-state actors, said Greg Conti, senior security strategist at IronNet Cybersecurity.

These entities have access to diplomatic and economic sanctions as well as other types of unique offensive capabilities that can be deployed to protect solution providers and their customers, Conti said.

9. Have Proper Incentives In Place

Customers often measure an MSP's effectiveness by looking at the number of threats they've caught or the time taken to detect and repair an issue. That rewards MSPs going after high volume, low impact items like clicking on a bad Twitter link, said Steve Grobman, chief technology officer for platform security provider McAfee.

Customers need to make sure the proper incentives are in place to reward MSPs for focusing on the low frequency, high impact threat posed by nation-states.

8. Monitor Short-Term Contracts

Third-party risk management needs to account for shorter-term engagements such as a consultant with a two-to-four-month engagement to help design a company's R&D, engineering or IT ecosystem, said Andrew Morrison, cyber risk services principal at Deloitte, No. 15 on the CRN SP 500.

In these scenarios, Morrison said it becomes more difficult to determine who's supposed to have access when.

"The identity management challenge of that is harder for those shorter-term relationships," Morrison said. "The adversary knows it's a less-scrutinized world, and it's easier to operate at time with impunity than in the more monitored space of IT security."

7. Geofencing

When Chinese threat actors go after IT service providers, they're typically searching for the most target-rich environments, said William Tsing, Malwarebytes's head of threat operations. For this reason, Tsing said MSPs and other service providers in the Washington D.C. area are at greater risk since they're more likely to have clients in possession of technical intelligence that's of interest to nation-state groups.

Geofencing can help organizations filter out noise from actual targets of interest, Tsing said. Specifically, Tsing mentioned that limiting attacks to a certain geographic scope increases the odds of finding a target-rich environment.

6. Behavioral Analytics

Instead of just making sure the network is running, MSPs should be watching for patterns of anomalous behavior in their own environment or their customer's environment, said Jack Danahy, senior vice president of security for threat management vendor Alert Logic.

The nature of the traffic associated with a nation-state attack is different than what they'd ordinarily see in their environment, Danahy said, which should signal to the MSP that its individual systems have been corrupted.

Behavioral analytics allow MSPs to quickly recognize that something unusual is happening in terms of how credentials are being used to access data or the prompts coming from a particular machine, Danahy said.

5. Breach Simulation Exercises

MSPs should walk customers through a simulation that details what constitutes a security event, how it's defined and reported, and what information is presented to the client, said Mark Sangster, vice president and industry security strategist at managed detection and response provider eSentire.

Both the customer and MSP must ensure they're on the same page regarding whether relevance is being measured by the extent of the damage, the presence of a breach, or an industry-specific regulation, Sangster said.

"As the client, you have to select the MSSP that is complementary to you," Sangster said. "You've got your own internal skillsets, you have the things that matter to you, that are critical to your business, so go find the MSSP that aligns to that."

4. Threat Hunting

Customers need to carefully evaluate an MSP's operational procedures in order to protect themselves, said McAfee's Grobman. Those operational procedures include in what context human intervention is incorporated rather than just relying on a 'scripted playbook' response.

MSPs are most successful at protecting themselves and their customers from nation-state threats when they have adequate visibility across their entire IT environment, said Adam Meyers, vice president of intelligence for CrowdStrike. In addition, Meyers said MSPs should be proactively hunting for threat activity and conducting adversary-based penetration testing.

"At this stage of the game, you have to better understand the adversary to protect yourself," Meyers said.

3. Multi-Factor Authentication And Single Sign-On

Large enterprises often have dozens or even hundreds of employees using easily-guessable passwords or the same password as they used for another site or account, said Charles Carmakal, vice president for FireEye’s Mandiant Consulting unit.

This increases the total surface area nation-state groups have to carry out credential stuffing attacks, which can test already-breached passwords from a target's social media pages against their corporate accounts.

Multi-factor authentication can be an effective technical tool to mitigate the risk associated with credential stuffing attacks, Carmakal said. Effective multi-factor authentication deployments reduce excessive privileges available to users while not impeding their ability to get work done, said Chris Betz, chief security officer for telecom powerhouse CenturyLink.

Implementing both multi-factor authentication and single sign-on should help MSPs minimize disruption and speed up the user experience while still strengthening security across the company, Betz said.

2. Triage And Prioritize Effectively

Internal IT departments have a high degree of sensitivity to the role and responsibilities of individuals in a business beyond what's knowledge from an org chart. MSPs should strive for the same level of understanding, said McAfee's Grobman.

This will help MSPs make the most appropriate triage decisions in terms of which events need closer inspection and which can be handled by the automated system, Grobman said.

For instance, Grobman said an MSP that finds malware on an individual user's PC could either reimage the PC, wipe it clean and move on or take the computer and do a deep forensic investigation, Grobman said.

However, Grobman said MSPs lack the resources to do an in-depth forensic evaluation of every event. So they must have insight into the context to determine whether the malware requires more scrutiny.

1. Segmentation

Well-defined segmentation can help MSPs prevent, minimize the scope of, or recover more quickly from nation-state attacks, said Fortinet CISO Philip Quade. Companies must balance the desire to maximize protection by segmenting off everything with the operational challenges excessive segmentation introduces into the IT ecosystem, Quade said.

Effective segmentation policies generate alerts or altogether prevent devices that have no reason for communicating with one another from doing so – such as a company's computers and a smart refrigerator or thermostat, said Craig Williams, director of outreach for Cisco's Talos threat intelligence unit. Segmentation ensures defenses are in place should the worse-case scenario ever happen to an MSP, he said.

Williams recommended that MSPs focus their segmentation around the customer's crown jewels like their source code, engineering documents, design documents, or law firm records.