Managed service providers, the new target for cybercriminals

During 2017/2018 I noticed a common thread of discussion among  my peers in the IT and Security industry in which third-party organisations are the targets of malicious cybercriminals. Once these targets have been breached they are used to gain access to larger and more valuable targets.

So why are they targeting third-party organisations instead of the primary targets?, This is simple really, it’s because these companies are generally small businesses who don't have the budget or means to implement sophisticated cyber security systems and procedures making them an easier target than a cashed-up enterprise that has a well-established cybersecurity team.

This method for a malicious actor can be considered extremely fruitful but when we consider the third-party organisation as a managed service provider or managed security service provider, these organisations have the “keys to the kingdom” in many organisations with full administrator privileges and unlimited access to all systems with minimal checks or procedures to minimise the actual access. If a cybercriminal gains access to the managed service providers/IT service providers systems and can remain undetected for even a short period of time that malicious actor could, in fact, gain access to hundreds or even thousands of other organisations in which the service provider supports.

Let’s just consider this fact for a moment longer using the attacker’s perspective, one possibly difficult target by pursuing an MSSP/MSP that could take quite a bit of resources to breach,  but if access is gained with an unrestricted account, we could gain access to every organisation that that business supports. Just imagine the potential for the malicious actor and the potential value this type of access could provide. It literally blows my mind the damage this type of breach could reap, it would almost certainly cause the MSSP/MSP to go out of business as it would be quite difficult to recover from an incident of this magnitude, once it becomes public knowledge which is inevitable especially with an Australian organisation due to the recently implemented “mandatory breach notification laws.”

This topic was brought up in an open forum/panel discussion at the ACSC cybersecurity conference in Canberra (April 2018) and it was stated that the issues had been raised in the previous year’s conference. However, I was very surprised at how the issue was widely acknowledged but nothing further had been done as an industry to try and reduce these risks. I am employed by an MSP/MSSP and the thought of a breach like this occurring at our organisation quite literally terrifies me. I immediately started to put together plans to sure up our protections, to ensure that we as an organisation do better with all aspects of security  I feel we have made some great improvements.

I was also surprised to find that our organisation was only one of a very limited number who had sent any staff to this conference which brings forward another problem, we have a known high risk of attack for MSP/MSSP’s but very few organisations saw a benefit of sending staff to an event like the ACSC that could help us as an industry to come together and work out this problem together. Many of the attendees of the conference were government employees from various organisations as well as large enterprise, no major real showing of our industry.

We need to come together on this initiative as an industry to share information on best practices, lessons learned from both successes and failures. If we can share information more freely on threats or suspicious activity taking place through our own systems or our clients we may be able to as an industry achieve a measure of success against a constantly climbing level of threat. I understand this article is a little strange asking competitors to forget they are in competition with each other and share information to help each other be more successful at protecting themselves but it is about much more than just each individual business. Yes, it is about our clients and Australia, the better we all get at protecting ourselves from these types of threats the better off we will all be, whether it is the private sector or public sector we are all in this fight together.

Let’s make this happen.