MSPs Are the Technology Company’s Frenemy
July 14th, 2021
The Good and Bad of MSP Relationships
MSP relationships make technology company leaders’ lives easier in many ways. With the right MSP, there is no need to purchase and maintain costly hardware and software in house. In addition, the technology company does not have to hire and retain full-time employees with areas of expertise that are unrelated to the primary deliverables of the business.
Unfortunately, the same benefits that MSPs provide can also lead to a cybersecurity incident. Relying on the MSP's software systems, which are part of your business delivery, or allowing their team direct access into your IT system, are just two of the many ways your business opens itself up to security risk through the MSP relationship.
The One-to-Many of MSPs
Managed service providers (MSPs) are a popular infection vector for third-party attacks. Chinese cyber espionage groups pioneered this strategy of targeting MSPs and have been among its most prolific practitioners. Indeed, the Chinese APT10, also known as Stone Panda, MenuPass, POTASSIUM, RedLeaves, and Red Apollo, specializes in the use of compromised MSPs as an attack vector against MSP customers in other industries. The group also targeted cloud service providers in its “Cloud Hopper” campaign. The impact of APT10, which has been active since 2006, and of its attacks was such that the U.S. Department of Justice indicted APT10 members in 2018.
Compromised MSPs have also become a popular attack vector for ransomware attacks on their enterprise customers. Operators of the GandCrab ransomware family became early adopters of this strategy in early 2019, and operators of other ransomware families subsequently followed suit. Third-party attacks via MSPs or other technology companies are especially productive for ransomware operators because the success of their business model depends in part on the number of victims that they infect. Only a fraction of ransomware victims pay ransoms, so increasing the number of infected victims increases the number of ransom payments that ransomware operators can collect. Ransomware operators typically infect the customers of compromised MSPs via the specialized tools that the MSPs use to provide their services, because those tools carry trusted access to customer networks.
How to Undergird Your MSP Relationship
Businesses should consider the risks of outsourcing when deciding whether or not to use MSPs. If they do decide that outsourcing to MSPs is worth the additional layer of third-party risk, they should establish defenses to prevent attackers that have compromised their MSPs from infecting them through the software or tools the MSP uses to maintain or administer their infrastructure. “Zero-trust” security models can serve as useful references in developing such defenses.
MSPs and other technology companies with trusted or highly privileged access to their enterprise customers' networks should also provide additional layers of defense to prevent attackers from compromising whatever software or tools they use to access customer networks. Additional layers of defense for these key assets can include encryption, network segmentation, or supplementary authentication.
Learn more about how your technology company can navigate its cyber threat landscape. Read the 2021 Technology Industry Cyber Threat Landscape Report.
Paul Prudhomme is Head of Threat Intelligence Advisory at IntSights. He previously served as a leader of the cyber threat intelligence subscription service at Deloitte and as an individual contributor to that of iDefense. Prior to that Paul covered cyber issues as a contractor in the US Intelligence Community. Paul specializes in the coverage of state-sponsored cyber threats, particularly those from Iran. He originally served as a linguist and cultural advisor and speaks multiple languages, including Arabic. Paul has a Master’s degree in History from Georgetown University. He is also a certified scuba diver and an award-winning amateur underwater photographer.