How to prevent and recover from an APT attack through a managed service provider

Threat actors are compromising their targeted victims through managed service providers (MSPs). These are the steps to take to minimize your exposure and to recover from these attacks if necessary.

What better way to enter a targeted system than through a firm that already has access to the targeted firm. The tactic is not new. In fact, attacking a target through its weakest link is a tried and true method. For this reason, managed service providers (MSPs), companies that are hired to manage the IT infrastructure of other firms, have become a popular point of attack for entry to a targeted company. Attackers use targeted emails to access the control systems of MSPs. Once in the system, attackers use lateral movement or administrative credentials to gain access into other systems.

These attacks through MSPs are often classified as advanced persistent threats (APTs). The FBI recently released a document that warned MSPs of such targeted attacks. As noted in the document, “This group heavily targets managed service providers (MSPs) who provide cloud computing services, commercial and governmental clients of MSPs, as well as defense contractors and governmental entities. APT10 uses various techniques for initial compromise including spear phishing and malware. After initial compromise, this group seeks MSP administrative credentials to pivot between MSP cloud networks and customer systems to steal data and maintain persistence. This group has also used spear phishing to deliver malicious payloads and compromise victims.”

Take some time to review the document and determine if you are at risk for similar attacks. FireEye has information on APT groups. Their goal is to not disrupt the attacked firm, but to silently infiltrate systems to gain more information.

How to prevent attacks through an MSP

In response to global incidences of compromise through MSPs, the Australian Cyber Security Centre issued guidelines to help prevent such attacks. They include:

  • Patch operating systems and applications.
  • Configure Microsoft Office macro settings to block macros either in trusted locations with limited write access or digitally signed with a trusted certificate.
  • Use it or lose it: Configure web browsers to block Flash (ideally, uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g., OLE), web browsers and PDF viewers.
  • Restrict administrative access on systems and only use domain administrator rights in limited circumstances.
  • Use multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access a critical (sensitive/high-availability) data repository.
  • Do daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.

What to do after an APT attack through an MSP

If you feel you have been compromised via an MSP, do the following actions immediately:

  • Establish out-of-band communications methods for dissemination of intrusion response plans and activities, inform network operations centers (NOCs) and computer emergency response teams (CERTs) according to institutional policy and procedures.
  • Maintain and actively monitor centralized host and network logging solutions after ensuring all devices have logging enabled and their logs are being aggregated to those centralized solutions.
  • Disable all remote access (including remote desktop protocol and virtual private network) until a password change with two-factor authentication (2FA) has been completed.
  • Implement full secure socket layer (SSL) / transport layer security (TLS) inspection capability on perimeter and proxy devices.
  • Monitor accounts and devices determined to be part of the compromise to prevent reacquisition attempts.
  • Collect forensic images, including memory capture of devices determined to be part of the compromise.

Within 72 hours, implement a network-wide password reset with 2FA (preferably with local host access only, no remote changes allowed) to include:

  • All domain accounts (especially high-privileged administrators)
  • Local accounts
  • Machine and system accounts

Obviously, you then need to recover or rebuild any systems suspected of backdoors, rootkits or any other persistent attack mechanisms.

Sounds simple, right? There’s a great deal that you can do to prevent yourself from being part of the problem.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!