RSA 2020: 10 Ways MSPs Can Improve Ransomware Protection
CRN asks security CEOs, channel chiefs and technical leaders attending RSA 2020 what tools, technologies and strategies MSPs can use to protect themselves from ransomware attacks.
MSPs Under Siege
Cybercriminals have gone after MSPs with a vengeance in recent months and seized upon the tools they use to manage customer IT systems as vehicles to attack those same customers.
Wipro said in April 2019 that employee accounts had been compromised in a phishing campaign, allowing adversaries to use their systems to launch attacks against at least a dozen of its customers. Then in August, the ConnectWise Control remote access tool was used in a ransomware attack that resulted in portions of 22 Texas town and county networks being locked behind encryption keys.
Now MSPs are looking for ways to fight back, keep their names out of the headlines, and avoid putting their customers in jeopardy. CRN spoke with 10 cybersecurity experts at RSA 2020 about how MSPs and MSSPs can leverage everything from threat hunting and multifactor authentication to rapid triage work and the expertise of former CISOs and CTOs as part of their ransomware protection efforts.
Quickly Assess Damage
MSSPs must quickly triage incidents that impact their own systems and communicate to customers within hours about the scope of the incident, what was or wasn’t impacted, the steps taken to remediate the risk, and advise customers on what they should do to manage their own risk, according to Israel Barak, chief information security officer at Boston-based Cybereason.
MSSPs should be able to scope and quickly communicate any impact from a ransomware attack to customers, Barak said, and have backup capacity and trained staff for their recovery services in case many of their customers are hit simultaneously. They also should be able to analyze data and correlate and scope the attack timeline within minutes so that they can communicate their findings to customers within hours.
MSSPs should be able to take data from a variety of heterogenous environments, make sense of it through data analytics, and respond quickly across different platforms, according to Barak. Quickly determining the extent of compromise and damage will help inform how customers should most appropriately respond, Barak said.
Hunt For Threats
MSPs must have incident response teams doing threat hunting missions and should build threat hunting packages that identify common tactics used by ransomware actors, according to Allan Liska, intelligence analyst at Somerville, Mass.-based Recorded Future. The packages look for common tactics, techniques and procedures to stop adversaries before they install ransomware on MSPs and their customers.
Ransomware actors typically rely on specific tools like PowerShell, Mimikatz and PsExec, Liska said, so the unexpected presence of those tools in an MSP’s ecosystem or abnormal amounts of activity around those tools could signal the presence of ransomware. MSPs serving sensitive but cost-constrained sectors such as state and local government aren’t investing heavily in security because of the high cost of new hires.
Threat hunting allows MSPs to offset some of their security costs and be proactive in looking for a particular threat, according to Liska. It also gives the MSP’s threat hunting team something new to do, Liska said, upping job retention rates since the work provides a welcome break from their rote system monitoring responsibilities.
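The hunting package Liska describes is, in practice, a set of rules run over process-creation telemetry. The following is an added example written for this page, not Recorded Future's or any vendor's code: it scans constructed Sysmon-style events for the three tools named above, treats them as expected only on a declared set of admin hosts and accounts, and counts flagged activity per host so a burst on one machine stands out. Host names, users, command lines and the thresholds are all constructed for the example.

```python
"""Threat-hunting pass for ransomware precursor tooling (added example).

Looks for PowerShell, Mimikatz and PsExec where they are not expected and
flags hosts with a burst of such activity. Event records are constructed
for this example; field names loosely follow a Sysmon process-creation event.
"""
import re
from collections import Counter

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"host": "ws-acct-01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA"},  # encoded command
    {"host": "mgmt-jump-01", "user": "CORP\\itadmin",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},          # admin host: expected
    {"host": "ws-acct-01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\psexec.exe",
     "cmdline": "psexec.exe \\\\fs-01 cmd.exe"},                  # remote exec from a workstation
    {"host": "ws-acct-01", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\mk.exe",
     "cmdline": "mk.exe sekurlsa::logonpasswords exit"},          # renamed Mimikatz binary
    {"host": "mgmt-jump-01", "user": "CORP\\svc-rmm",
     "image": "C:\\Tools\\psexec.exe",
     "cmdline": "psexec.exe \\\\fs-01 cmd.exe"},                  # RMM account on jump host: expected
    {"host": "ws-hr-07", "user": "CORP\\asmith",
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws-hr-07", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},             # PowerShell on a user workstation
]

# Where admin tooling is normal. These sets are assumptions for the example;
# a real MSP would derive them from its RMM/jump-host inventory.
ADMIN_HOSTS = {"mgmt-jump-01"}
ADMIN_USERS = {"CORP\\svc-rmm", "CORP\\itadmin"}

# Match on module names and service names as well as binary names, so that a
# renamed executable (mk.exe above) is still caught.
TOOL_PATTERNS = {
    "mimikatz": re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I),
    "psexec": re.compile(r"psexe(c|svc)", re.I),
    "powershell": re.compile(r"powershell(\.exe)?|pwsh(\.exe)?", re.I),
}
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.I)


def classify(event):
    """Return (tool, reason) tags for one event; an empty list means nothing to hunt on."""
    text = f'{event["image"]} {event["cmdline"]}'
    expected_admin = event["host"] in ADMIN_HOSTS or event["user"] in ADMIN_USERS
    tags = []
    if TOOL_PATTERNS["mimikatz"].search(text):
        # Credential-theft tooling is never expected, whatever the host.
        tags.append(("mimikatz", "credential-theft tool modules invoked"))
    if TOOL_PATTERNS["psexec"].search(text) and not expected_admin:
        tags.append(("psexec", "remote-execution tool outside admin hosts/accounts"))
    if TOOL_PATTERNS["powershell"].search(text):
        if ENCODED_PS.search(event["cmdline"]):
            tags.append(("powershell", "encoded command line"))
        elif not expected_admin:
            tags.append(("powershell", "PowerShell on a non-admin host/account"))
    return tags


def hunt(events, burst_threshold=3):
    """Run every event through classify(); also report hosts with >= burst_threshold hits.

    Returns (findings, bursts): findings is a list of dicts, bursts maps host -> hit count.
    """
    findings = []
    per_host = Counter()
    for ev in events:
        for tool, reason in classify(ev):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "tool": tool, "reason": reason, "cmdline": ev["cmdline"]})
            per_host[ev["host"]] += 1
    bursts = {h: n for h, n in per_host.items() if n >= burst_threshold}
    return findings, bursts


if __name__ == "__main__":
    found, hot_hosts = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f'{f["host"]:12} {f["tool"]:10} {f["reason"]}')
    print("hosts with bursts of flagged tooling:", hot_hosts)
```

On the constructed sample the pass flags four events, three of them on ws-acct-01 (encoded PowerShell, PsExec from a workstation, and a renamed Mimikatz binary), which is exactly the "unexpected presence plus abnormal volume" signal described above; the admin activity on the jump host produces no findings.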
Hire Security Experts
Over the past couple of years, more MSPs have hired former CISOs, CTOs and security professionals, which has served to collectively raise their level of security expertise, according to Jason Eberhardt, vice president of global cloud and MSP at Bucharest, Romania-based Bitdefender.
MSPs with security chops are looking at their endpoint protection, detection and response offerings and testing what’s available in the industry to ensure they’re offering the best possible software, Eberhardt said. Once former CISOs and CTOs are lined up, Eberhardt said vendor evaluation becomes less about checking a box and more about effectiveness rates against ransomware and other types of viruses.
The decision by some MSPs to hire security experts for key roles has helped improve the security posture of the entire industry by forcing competitors to keep up. “They understand how malware works, and they understand how exploits happen,” Eberhardt said.
Ransomware in recent quarters has evolved from solely locking down an organization’s data to exfiltrating data and threatening to leak or expose it if the victim organization doesn’t pay the ransom, according to Erich Kron, security awareness advocate at Clearwater, Fla.-based KnowBe4. Common variants of ransomware like Maze, Snake and Ryuk all have data exfiltrators today, Kron said.
Ransomware also is now targeting the processes and remote desktop tools MSPs use to remotely manage customer machines, Kron said, meaning that MSPs are unable to reach in and respond quickly if a customer has been infected since their tools have been shut off. If nothing else, Kron said MSPs’ inability to remotely manage and repair is buying attackers time for their efforts to spread.
MSPs must have customers embrace multifactor authentication as the cost of not stopping ransomware up front rises and companies can no longer count on a full recovery just because they have good backups, Kron said. Each MSP technician must have their own login credentials rather than sharing the same password across multiple customers, and combine that with a second factor to totally prevent lateral movement.
Monitor The Data
Ransomware, like every other threat, has one huge thing in common—it’s going to be accessing data at a huge rate, according to Nico Popp, chief product officer at Austin, Texas-based Forcepoint. Since there’s no way any user is actually reading that much data, Popp said MSPs that have a model in place of what a normal user is doing on their machine would catch the ransomware in an instant.
Any endpoint can fairly easily track if something is reading data to encrypt it, Popp said, as well as if confidential data is being accessed and at what volume or frequency. Monitoring the data may not stop the ransomware at the beginning, but there is a better chance of spotting the ransomware before the machine is infected than with using either anti-malware or endpoint detection and response tools, Popp said.
Monitoring human behavior around data access activity should improve the early detection rate and decrease the likelihood of data being encrypted or corrupted by ransomware, according to Popp.
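The "model of what a normal user does" that Popp describes can be as simple as a per-user baseline of file-read rate with an alert when a sliding window exceeds it. The following is an added example written for this page, not Forcepoint's product logic: it builds the baseline from constructed historical read events, then replays constructed live events through a per-user 60-second window and alerts when the count exceeds the baseline mean plus three standard deviations (with an absolute floor so a quiet user does not alert on trivial activity). Paths, users, timestamps and thresholds are all constructed.

```python
"""Per-user file-access rate baseline and burst detection (added example).

Events are (timestamp_seconds, user, path, bytes_read) tuples, constructed
here; a real deployment would take them from file-server audit or EDR logs.
"""
from collections import Counter, defaultdict, deque
from statistics import mean, pstdev

# Constructed history: jdoe normally reads about two finance files a minute.
BASELINE_HISTORY = [
    (i * 60 + 5, "jdoe", f"\\\\fs01\\finance\\q{i}.xlsx", 40_000) for i in range(30)
] + [
    (i * 60 + 35, "jdoe", f"\\\\fs01\\finance\\memo{i}.docx", 12_000) for i in range(30)
]

# Constructed live traffic: jdoe's normal pace, then 60 reads in 30 seconds
# (the pattern of an encryptor walking a share), plus a second user with a
# modest burst that should stay under the floor.
LIVE_EVENTS = (
    [(1810, "jdoe", "\\\\fs01\\finance\\q30.xlsx", 40_000),
     (1840, "jdoe", "\\\\fs01\\finance\\memo30.docx", 12_000)]
    + [(2100 + j // 2, "jdoe", f"\\\\fs01\\finance\\archive\\f{j}.pdf", 300_000) for j in range(60)]
    + [(2100 + j * 5, "asmith", f"\\\\fs01\\hr\\doc{j}.docx", 15_000) for j in range(10)]
)


def rate_baselines(history, window=60):
    """Per user, mean and population stdev of reads per `window` seconds.

    Only windows with activity are counted, which slightly inflates the
    baseline; that errs toward fewer false positives.
    """
    buckets = defaultdict(Counter)          # user -> window index -> read count
    for ts, user, _path, _nbytes in history:
        buckets[user][ts // window] += 1
    baselines = {}
    for user, counts in buckets.items():
        vals = list(counts.values())
        baselines[user] = (mean(vals), pstdev(vals))
    return baselines


def detect_bursts(events, baselines, window=60, k=3.0, floor=20):
    """Replay events through a per-user sliding window; alert once per user.

    Threshold is max(floor, mean + k * stdev) reads per window. Returns a dict
    user -> {"at": ts, "reads_in_window": n, "threshold": t} for alerted users.
    """
    windows = defaultdict(deque)
    alerted = {}
    for ts, user, _path, _nbytes in sorted(events):
        q = windows[user]
        q.append(ts)
        while q and ts - q[0] >= window:     # drop reads that fell out of the window
            q.popleft()
        m, s = baselines.get(user, (0.0, 0.0))  # unknown user: floor only
        threshold = max(floor, m + k * s)
        if len(q) > threshold and user not in alerted:
            alerted[user] = {"at": ts, "reads_in_window": len(q), "threshold": threshold}
    return alerted


if __name__ == "__main__":
    base = rate_baselines(BASELINE_HISTORY)
    for user, (m, s) in base.items():
        print(f"{user}: baseline {m:.1f} reads/min (stdev {s:.2f})")
    for user, a in detect_bursts(LIVE_EVENTS, base).items():
        print(f"ALERT {user}: {a['reads_in_window']} reads in 60s at t={a['at']} "
              f"(threshold {a['threshold']:.0f})")
```

On the constructed data jdoe's baseline is two reads a minute, so the floor of 20 governs and the alert fires at the 21st read of the burst, ten seconds into it and long before the 60-file walk completes; asmith's ten reads never reach the floor. The design choice worth noting is the per-user baseline: a single global threshold would either miss a quiet user's burst or page constantly on a genuinely heavy user.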
Segment The Network
MSSPs looking to stop ransomware must look at network usage at an individual level, examining the size and times that traffic is moving out of the network as well as lateral east-west movement of traffic within the network, according to Bill Conner, president and CEO of Milpitas, Calif.-based SonicWall.
Greater segmentation of the network will cause it to function more like a shared private network rather than a public switch network that provides bandwidth for all, Conner said. Segmenting—or at least putting guardrails—between customer endpoints should help ensure that bad stuff isn’t able to jump between customers and networks, according to Conner.
Some of the bigger MSSPs are probably already doing so, but Conner said it’s important for more MSSPs to enhance their segmentation. Consolidation in the MSP and MSSP industries means that solution providers are frequently acquiring peers with holes in their network or database, Conner said, meaning that MSSPs will need to step up and raise their visibility, inspection and policies.
Inspect Encrypted Traffic
Nearly all ransomware comes encrypted over SSL, but many companies don’t inspect traffic if it’s SSL-encrypted, which would be akin to airport security workers not inspecting luggage if it came in a hard shell rather than a soft shell, according to Jay Chaudhry, CEO of San Jose, Calif.-based Zscaler. MSPs must inspect SSL-encrypted traffic in order to find and catch ransomware threats, Chaudhry said.
SSL was only between 15 percent and 20 percent of overall traffic as recently as a decade ago, and Chaudhry said the growth of encrypted traffic has quadrupled the number of boxes that need to be inspected. Most MSPs lack the money to do SSL inspection in an on-premises world, Chaudhry said, meaning that if they’re looking at SSL traffic, they’re only doing so very selectively.
MSPs need to make sure employees are protected when they’re on the road, Chaudhry said. Otherwise, an infected employee can end up infecting others once they return to the office. Using a VPN while on the road tends not to be useful or practical for employees given the amount of time it takes to connect, according to Chaudhry.
Minimize Dwell Time
Security hygiene is vital to MSPs’ ability to detect ransomware quickly and protect their customers by minimizing dwell time, according to Wendy Thomas, chief product officer at Atlanta-based Secureworks.
The more time adversaries have in the network of the MSP or its customers, the more they can figure out the lay of the land and identify assets to exfiltrate, Thomas said. And once an MSP or customer has been compromised once, Thomas said they’re far more likely to be compromised again since the adversary has gotten to sit inside their network and see how things actually work.
Security hygiene and early detection are the best ways MSPs can reduce their vulnerability to future attacks and stop adversaries from being able to get a lay of the land, according to Thomas.
Leverage Threat Intelligence
MSSPs have become increasingly interested in licensing threat intelligence to get better insight into what adversaries are after, the assets they’re targeting, and the tactics, techniques and procedures they’re using, according to Matthew Polly, vice president of worldwide alliances, channels and business development for Sunnyvale, Calif.-based CrowdStrike.
The threat intelligence can span MSPs’ internal and customer-managed environments to generate a richer data set and help them determine how they can best protect themselves and use that ability to better protect their customers. MSPs can have threat intelligence structured for their use only, as part of a managed detection and response offering, or given directly to customers, Polly said.
Threat intelligence is most helpful when dealing with adversaries that are living off the land, since it allows MSPs to compare indicators of compromise against the vulnerabilities the threat actor is trying to exploit and the data it is trying to exfiltrate, according to Polly.
Identify Malicious Connections
MSPs can best avoid ransomware by bringing in security at the start and looking at the initial connection to determine whether or not it’s malicious, according to Samantha Madrid, vice president of security business strategy for Sunnyvale, Calif.-based Juniper Networks.
If the MSP can tell from the initial connection that it’s a known bad actor on the other side, Madrid said the server can terminate the connection before payloads are passed. By stopping the connection at the onset, Madrid said users can be better safeguarded and social engineering can be minimized.
Having a full stack of security capabilities is important in being able to intervene before the damage is done, Madrid said.