The global interconnection of the economy and cyber operations has created a landscape in which the risk of supply chain compromise from cyberthreats is increasing. Each organization and individual user can be connected to scores of others, creating a supply chain that is highly complex and difficult to secure.
Managed service providers (MSPs) are an appealing target for cyber supply chain attacks because, as third-party companies, they can provide the means to infiltrate other organizations. Ensuring the security of any organization requires due diligence in vetting supply chain partners, and this is especially true when it comes to working with MSPs.
Why Cybercriminals Target MSPs
Bad actors see managed service providers as a prime target for attacks due to their prevalence worldwide and their elevated access to their partners’ networks. Many cybercriminals plan their attacks for the highest possible payout, and gaining access to many targets via one attack on an MSP is a large payout for the amount of effort it requires.
Whether their goal is financial gain, data theft, or supply chain disruption, threat actors often find it easier and more lucrative to attack MSPs. These attacks grant them access to other organizations without the need to launch individual attacks on each partner.
Recent Supply Chain Attacks on MSPs
In recent years, cybercriminals have demonstrated their focus on MSPs, with a few high-profile software supply chain attacks affecting MSPs and the software products they use with their customers.
- SolarWinds: In 2020, hackers were able to deploy malicious code via SolarWinds’ monitoring and management software, affecting nearly 18,000 organizations worldwide.
- Kaseya: A vulnerability in Kaseya’s VSA software in 2021 enabled the ransomware group REvil to push an update to many of Kaseya’s customers, including 60 MSPs and over 1,000 companies.
- ConnectWise: Following the discovery of flaws in the remote access platform ScreenConnect, cybercriminals began exploiting the vulnerabilities in large numbers, allowing them to implant malware and steal data.
Major Attack Vectors and Vulnerabilities
The main tactic that cybercriminals use to launch attacks on MSPs is to target the tools and applications that MSPs use, as demonstrated by major software supply chain attacks. These tools, from remote monitoring and management (RMM) to remote access, are often used by many different organizations, so compromising the software can provide a way for bad actors to target a large and complex web of MSPs and connected organizations.
Targeting MSPs also allows cybercriminals to maintain a foothold in an organization and exploit it continually. “It’s unlikely that you will find a service provider on a short-term contract,” explains Ashley Leonard, VP of Product for Syxsense, recently acquired by Absolute Security. The long-term relationship and the trust that clients place in MSPs can cause clients to be more complacent regarding MSP security practices.
Best Practices for Securing MSP Relationships
To secure MSP relationships and protect against attacks on the cyber supply chain, it is crucial for organizations to be rigorous and do their due diligence not just in forming an MSP partnership, but in maintaining it. Leonard recommends that businesses conduct a thorough examination of an MSP’s security practices, from their security frameworks and incident response plans to security assessments of the tools and applications they use.
As the relationship goes on, organizations should continue to evaluate and enforce their MSP’s security. Using continuous monitoring, compliance reporting, and audit checks, organizations can regularly check that their MSPs are employing sufficient security measures and meeting any applicable regulatory requirements, such as PCI DSS or HIPAA.
Implementing Third-Party Risk Management Strategies
A third-party risk management (TPRM) strategy is a way for an organization to identify and mitigate risks associated with any third-party partners, including MSP relationships. Supply chain risk management (SCRM) is one aspect of TPRM that applies specifically to mitigating threats to the supply chain.
Implementing effective TPRM/SCRM measures and policies in an organization includes a range of responsibilities and considerations. Organizations may benefit from using a TPRM framework like NIST SP 800-161 or the Shared Assessments framework to direct their efforts and ensure they are addressing all of the necessary areas. These frameworks outline the process of implementing TPRM strategies, from the fundamentals of third-party risks to the details of contract management and monitoring.