We produced a series of blogs reporting from the SolarWinds MSP Empower event in Amsterdam… Here’s Tim Brown took a look at the threat landscape from the MSP’s perspective.
Tim Brown, VP of security at SolarWinds MSP, started his session by looking at how things currently stand in the threat landscape. “We’ve seen a number of different things in 2017, but there are a couple of things that really stand out,” said Tim. “For a start, 58% of victims are categorized as small business; 68% of breaches took a month or longer to discover; healthcare, accommodations and public sector make up a large percentage of victims, with mail still a leading route to compromise; and 76% of breaches were financially motivated1.”
“As managed service providers,” he said, “you need to understand you are coming into a new environment and it’s important to understand that as you take on a new client, there is a good chance that they will either have been compromised or will be compromised—and you will have to clean them up.”
Tim went on to look at the different monetization models that cybercriminals are currently using. “People aren’t giving up on financial Trojans or malware,” he said, “and both ransomware and coin-mining have gone through a shift.”
“Ransomware was very big in 2016, and things changed in 2017, resulting in fewer new families and more variants within the same families. This is an indicator that a less sophisticated attacker has joined the ransomware game,” said Tim. Coin mining, on the other hand, followed the price of crypto-currency. The moment crypto-currency spiked, so did the number of activities associated with crypto-mining.
Tim went on to talk in general about what crypto-mining is. “It’s not as malicious as ransomware,” he said. “It’s just stealing the processing power of the machine. If done well, people won’t even notice—it’s just another monetization model. The point here is that the bad guys morph quickly to take advantage of new opportunities and business models.”
Who is being targeted most
According to Infoguard Cyber Security, the most targeted industries are:
- Financial services
According to Cyberedge Group, the most targeted industries are:
- Telecom & technology
“The main motivation for attack is data,” said Tim. “Why is healthcare targeted more than anywhere else? Because healthcare records are valuable on the outside. Also, the bad guys know targeting healthcare with ransomware is good because they will pay to get their infrastructure back. Healthcare is a perfect storm of opportunity for bad guys to take advantage of, and it’s also not always as protected as it could be.”
Tim went on to explain how different industries are targeted for different reasons, but a lot of the time, it’s a broad-brush attack—spraying out an attack and seeing who it hits and who gets taken advantage of.
However, one of the key things Tim pointed out was the ability of the bad guys to move quickly. Drawing on the Vault 7 leak as an example, he said, “Within one month of the leak, we saw the Eternal Blue exploits being used in the WannaCry attack. It really didn’t take them long to recognize and create ransomware that spread really quickly.
“However, Eternal Blue had a patch that became available in March. What didn’t happen was enough people in companies realizing they needed to take this patch really seriously and update quickly. Unpatched machines are still out there getting compromised because people didn’t have the right processes in place.”
Some of the different methods of attack being used
1. Financial Trojans
“Financial Trojans are still a major concern,” said Tim. “Focused on fraud and stealing credentials, they are quieter and stealthier now. They are still growing and there are a few different categories of them. We saw a lull last year before a huge spike in September to December. This usually occurs when one group finds an effective Trojan and decides to use it en masse. Threat actors work well together, and this would very quickly spread.”
“Ransomware continues to be a popular method of attack as it offers a different way to monetize. Financial Trojans get into a machine to exfiltrate data and then sell that data on. Ransomware removes the exfiltration step,” said Tim. “What has changed is that ransomware attackers are looking beyond just attacking end user PCs and instead focusing on the company or even city level. This model of exploitation is not going to go away, as it’s effective and proven to work.
There is also another level to ransomware attacks in that they are often used to cover a different type of attack, where attackers have stolen IP and then instituted a ransomware attack to cover their tracks.”
3. Coin mining or crypto-mining
“There was a huge increase in crypto-mining in December 2017 coinciding with a spike in the value of crypto currency,” said Tim. “Instead of setting up a bank of processors to mine crypto-currency, the bad guys looked for another way to make money by ‘stealing’ other people’s processing power. It’s legitimate business using illegitimate processors. Attackers are getting access to these machines as part of a spray attack—these are unsophisticated attacks run by unsophisticated threat actors. The important thing to remember is that the attacker community is ready to move when they see a new opportunity and is always looking for ways to increase revenue.”
What this all means
What MSPs need to understand is that all this means that attacks are not going to go away and are going to keep shifting. But there is a problem, warns Tim. “The good guys sometimes are inadvertently the bad guys. There is a big move to make code safer by improving code quality and testing; there has also been a huge upswing in ‘white-hat hacking’. Overall, this has had a great effecting in having vendors creating updates, but it does mean that vulnerabilities get announced before people can action them appropriately—sometimes the good guys are actually helping the bad guys. As an MSP, you need to be aware of this and have a patch program in place that can quickly apply patches and safeguards.”
What’s important from an MSP’s perspective is who the attackers are and what they are doing. “Most attacks are not zero days,” added Tim. “They are against misconfigured systems or applications. This is happening every day. If you put up a Windows Server with an unpatched SQL Server, it will last minutes on an open internet before it gets scanned. Systems that use default password, aren’t patched, or are misconfigured, get compromised quickly. Good cyberhygiene is the most effective method to prevent most of these attacks.”
Tim concluded saying that your customers need help even if they think they don’t.
In the next section, Tim went on to look at the key objection companies raise to investing in security—and how MSPs can help them get around this.
1. I don’t understand, I’m not target, I don’t have anything people would want
“I’ve heard this from many organizations,” said Tim. “The first thing people need to realise is that it doesn’t matter what they think. If they have unpatched systems or weak passwords, they will very likely be infected—regardless of who they are. The bad guys may just want your processor for a denial of service attack and they will take advantage, simply because they’re scanning the whole world and you’re there.”
2. I’m running some security tools; isn’t that enough?
“Tools alone don’t make a secure environment,” said Tim. “You need to have an understanding of the level of risk you face and how your program is working. Also, are your tools updated, are they well-managed, are you looking at what’s coming from your tools? Just putting AV onto endpoints doesn’t mean you’re protected. Doing that and then keeping it updated and monitoring what’s going on will help. Companies need to understand that there is no silver bullet. A lot of security comes down to hard work.”
3. My budget is maxed out, am I spending enough already?
“This is a valid question and you have to work with them on this,” said Tim. “Sometimes the answer to this may be ‘yes’; it depends on where they sit between meeting basic and needing more. It’s a question of risk versus value. That’s the conversation to have with those worried about their budget. Are they in fact wasting money being too secure?”
4. Security is not a priority for us
“Sometimes, this is not said exactly this way, but it’s definitely a feeling people will have,” said Tim. “The bottom line is you really need to help your customers get to the minimum level of requirement. It’s inappropriate for you to allow them to fall victim to a simple drive-by, allow them to have open Internet access, unprotected machines, or use default passwords. There is a minimum set of things everyone must do. The grey area is how much you go beyond that—to know that you need to understand the business risk. If they won’t meet the basics, you have to consider whether the liability outweighs the benefits of having them as a client.”
Regulated industries and other opportunities
Tim also pointed out that regulated industries are always an opportunity for MSPs as meeting regulatory compliance will pretty much always have a security element. This means that companies will need to meet this in order to do business. While it’s not the job of the MSP to take on the role of the auditor, they do have a big opportunity to help companies understand what regulations they face and how to get them on the road to meeting the compliance burden.
“Remember, a good security program will get you through an audit and make you more secure,” said Tim. “But a program that just focuses on passing the audit will not necessarily make you more secure. Look at Target; they had just gone through the PCI audit when they were compromised.”
“Beyond heavily regulated industries, any service provider with sensitive data or sensitive access faces risks and that means opportunities for MSPs,” explained Tim.
Some of the types of businesses covered here include:
- Data-centric service providers
- Marketing agencies
- Any company that collects personal data
- Service-centric service providers
These businesses often virtually connect to their business partners, leaving them open to potential attack—think HVAC vendor and Target. Furthermore, users may not be particularly tech-savvy in many of these industries and malicious insider attacks can be a real problem, such as a disgruntled ex-paralegal stealing privileged documents.
“One important thing to know is that we do also have another class of attacker out there,” warned Tim. “These are really targeted attacks by paid groups. Right now, we have around 140 targeted attack groups. While they are using a small number of zero day attacks, they are also using a large number of good hygiene attacks. The primary focus of these attacks is information gathering and control, which means you’re unlikely to see them doing noisy attacks like ransomware. They are quiet, patient, organized and hard to stop. If you have customers that fit into this bracket, it’s import to understand they need to have good hygiene in place and then some extra controls around identity and edge space to ensure attacks cannot spread to critical infrastructure.”
Another critical thing to think about here is IoT—sensors, etc., can open up holes in the environment.
Tim finished off reminding everyone that our community is our responsibility.
“Regulations and cyberthreats means that cybersecurity is big business for MSPs,” concluded Tim. “As trusted advisors to our clients, cybersecurity isn’t just our opportunity—it’s our responsibility.”
1. Semantec Internet Security Threat Report – https://www.symantec.com/security-center/threat-report
This blog was written by three-sixty for SolarWinds MSP and published on their blog