Advanced Persistent Threat Activity Exploiting Managed Service Providers

The National Cybersecurity and Communications Integration Center has been tracking attacks on global Managed Service Providers (MSP) from Advanced Persistent Threat actors since 2016. Targets of these attacks spread across Information Technology (IT), Energy, Healthcare, Public Health, Communications, and Manufacturing industries.

Managed Service Providers offer remote management of their customer’s IT and Networked Infrastructure. Due to the scalability and cost savings of using an MSP, many companies have adopted this form of service. To provide effective management of their network, MSPs are often given complete access to the customer’s network, and potentially have access to customer data.

By nature, MSPs will have more than one customer. If a security breach occurs in the MSP, this will potentially place multiple organizations at risk. MSPs also need to create additional accounts on the customer’s network with elevated privileges. These additional accounts increase the number of avenues available for attack. In addition, the elevated access of these accounts can expose both the MSP and client company, which requires security measures to be proactively taken on both sides.

Advanced Persistent Threat attackers will target legitimate management resources to make the attack look as close to normal day-to-day operations as possible. Since logs are created for most actions made on a network, using expected operations in a malicious way becomes harder to detect. If the attacker can gain access to administrative level user credentials, they can access features and services of various equipment and system tools. For example, if the servers being used contain penetration testing tools, these tools can be used in a malicious way to find additional weaknesses in the network. Additional legitimate, built-in services can then be used to extract data out of the network without raising any red flags to administrators.

Addressing Attacks on a Managed Service Provider

A successful network intrusion will likely result in severe impacts to the organization, including loss of proprietary information, disruption to regular business operations, financial losses, and harm to the organization’s reputation. Additionally, certain industries must comply with various levels of regulations (HIPAA, PCI, GDPR). If a breach occurs, there are often substantial fines levied against the company depending on the damage to customer information.

Detection

A solution starts with detection of the incident. Centralized log collection appliances should be deployed in the organization. With a centralized log solution, the log is kept in a separate location than the compromised appliance which prevents alterations being made to the local log file. Centralization of logs and using an appliance like a SIEM allows a baseline of normal log activity to be created across the entire network. If a breach occurs, this increases the chances of an alert being created when a legitimate service starts acting in an unexpected way.

Response

An organization’s ability to rapidly respond to and recover from an incident starts with the creation of an incident response program. An incident response plan should include the order of steps to take so that regardless of the issues that could arise, everyone is working on the same important issues instead of scrambling and working on smaller, low-priority tasks.

Committing to an effort that secures the endpoint and network infrastructure: prevention is less costly and more effective than reacting after an incident.  Proactively place security measures and monitoring in place. This is best accomplished with the use of a Network TAP sending data to both security and network monitoring tools.

Recommendations to Mitigate Risk
MSP customers should be aware of the risks that are generated by using an MSP. The customers should be aware of exactly what the MSP needs access to and address these accessibility needs in a manner that gives only the control required.

• Ensure MSP accounts are not assigned to administrator groups. MSP accounts should be limited to what they need access to manage.  If the account gets compromised, this greatly limits the areas that can be affected.

• Ensure MSP account passwords adhere to organizational policies and password policies for complexity, expiration dates, and how many new passwords must be used before an old one can be used again.

• Restrict MSP accounts by time and/or date. This way, if the customer no longer wishes to use the MSP, the account will be locked out in the event it was forgotten about.

• Centralize system logs to prevent alterations being made to the local file in case of a breach. If a breach occurs, this increases the chances of an alert being created when a legitimate service starts acting in an unexpected way.

• Configure these central logs to store over one year of log data and establish a log review process.

• Install and configure a Security Information and Event Management (SIEM) tool to take in logs and network flows for analysis.

• Create a baseline for system and network behavior by using TAPs and aggregation devices at key points in the network.

• The best way to monitor traffic is by using a TAP. Let the security appliance focus on security instead of generating SPAN/Mirrored traffic. TAPs will grab 100% of both directions of traffic and send it to a security monitoring tool.

• Ensure internal and external DNS queries are performed by dedicated servers. Keep DNS locked down and internal, which helps prevent an attacker from intercepting the DNS request and redirecting internet traffic.

• Restrict access to unauthorized public file shares. DLP appliances will help recognize and stop unapproved exporting of data. Bypass TAPs can ease the implementation of DLP systems into a network.

• Periodically review network device environments and configurations.

• Review privileged account groups and disable inactive groups.

There is no single solution to protecting and defending a network. By closely following industry best practices and standards for your security and monitoring stack, you can increase the odds of successfully identifying an intrusion, stopping the attack, and disrupting malicious activity. The ultimate goal is to make it as difficult as possible for an attacker to successfully breach your network, while forcing them to use methods that are easier to detect.

[Want to dig deeper into how to gain full visibility during an instant response data breach? Check out our use case with the Cyber Defense Group.]