Threat actors are compromising their targeted victims through managed service providers (MSPs). These are the steps to take to minimize your exposure and to recover from these attacks if necessary.

What better way to enter a targeted system than through a firm that already has access to the targeted firm? The tactic is not new. In fact, attacking a target through its weakest link is a tried and true method. For this reason, managed service providers (MSPs), companies that are hired to manage the IT infrastructure of other firms, have become a popular point of entry to a targeted company. Attackers use targeted emails to gain access to the control systems of MSPs. Once in the system, attackers use lateral movement or administrative credentials to gain access to other systems.

These attacks through MSPs are often classified as advanced persistent threats (APTs). The FBI recently released a document that warned MSPs of such targeted attacks. As noted in the document, “This group heavily targets managed service providers (MSPs) who provide cloud computing services, commercial and governmental clients of MSPs, as well as defense contractors and governmental entities. APT10 uses various techniques for initial compromise including spear phishing and malware. After initial compromise, this group seeks MSP administrative credentials to pivot between MSP cloud networks and customer systems to steal data and maintain persistence. This group has also used spear phishing to deliver malicious payloads and compromise victims.”

Take some time to review the document and determine if you are at risk for similar attacks. FireEye has information on APT groups. These groups' goal is not to disrupt the attacked firm, but to silently infiltrate its systems to gain more information.

How to prevent attacks through an MSP

In response to global incidents of compromise through MSPs, the Australian Cyber Security Centre issued guidelines to help prevent such attacks.
They include:

- Patch operating systems and applications.
- Configure Microsoft Office macro settings to block macros unless they are either in trusted locations with limited write access or digitally signed with a trusted certificate.
- Use it or lose it: Configure web browsers to block Flash (ideally, uninstall it), ads and Java on the internet. Disable unneeded features in Microsoft Office (e.g., OLE), web browsers and PDF viewers.
- Restrict administrative access on systems and only use domain administrator rights in limited circumstances.
- Use multi-factor authentication, including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access a critical (sensitive/high-availability) data repository.
- Do daily backups of important new/changed data, software and configuration settings, stored disconnected and retained for at least three months. Test restoration initially, annually and when IT infrastructure changes.

What to do after an APT attack through an MSP

If you feel you have been compromised via an MSP, take the following actions immediately:

- Establish out-of-band communications methods for dissemination of intrusion response plans and activities, and inform network operations centers (NOCs) and computer emergency response teams (CERTs) according to institutional policy and procedures.
- Maintain and actively monitor centralized host and network logging solutions after ensuring all devices have logging enabled and their logs are being aggregated to those centralized solutions.
- Disable all remote access (including remote desktop protocol and virtual private network) until a password change with two-factor authentication (2FA) has been completed.
- Implement full Secure Sockets Layer (SSL) / Transport Layer Security (TLS) inspection capability on perimeter and proxy devices.
- Monitor accounts and devices determined to be part of the compromise to prevent reacquisition attempts.
- Collect forensic images, including memory capture, of devices determined to be part of the compromise.
- Within 72 hours, implement a network-wide password reset with 2FA (preferably with local host access only, no remote changes allowed) to include:
  - All domain accounts (especially high-privileged administrators)
  - Local accounts
  - Machine and system accounts

Obviously, you then need to recover or rebuild any systems suspected of harboring backdoors, rootkits or any other persistent attack mechanisms.

Sounds simple, right? There’s a great deal that you can do to prevent yourself from being part of the problem.
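The monitoring steps above (watch accounts tied to the compromise, restrict MSP administrative credentials to the MSP's own management path, and allow no remote access without MFA) can be turned into a simple check over centralized logon telemetry. The example below is added here and is not part of the article or any vendor's tooling; the event records, the MSP management network (10.50.1.0/24), the account names and the rule names are all constructed assumptions.

```python
import ipaddress

# Constructed sample logon records (not real telemetry). Each record carries the
# fields a centralized log pipeline would typically normalize for a logon event.
SAMPLE_EVENTS = [
    {"id": 1, "account": "msp-admin",  "src_ip": "10.50.1.7",   "mfa": True,  "remote": True},
    {"id": 2, "account": "msp-admin",  "src_ip": "203.0.113.9", "mfa": True,  "remote": True},
    {"id": 3, "account": "jdoe",       "src_ip": "10.50.1.7",   "mfa": False, "remote": True},
    {"id": 4, "account": "svc-backup", "src_ip": "10.20.0.4",   "mfa": False, "remote": False},
    {"id": 5, "account": "svc-backup", "src_ip": "10.50.1.9",   "mfa": True,  "remote": True},
]

# Assumed policy inputs: the accounts the MSP uses to administer customer systems,
# the MSP's dedicated management network, and accounts already tied to the incident.
MSP_ADMIN_ACCOUNTS = {"msp-admin"}
MSP_MGMT_NET = ipaddress.ip_network("10.50.1.0/24")
QUARANTINED_ACCOUNTS = {"svc-backup"}


def review_logons(events, msp_accounts=MSP_ADMIN_ACCOUNTS,
                  msp_net=MSP_MGMT_NET, quarantined=QUARANTINED_ACCOUNTS):
    """Return (event_id, reason) pairs for logons that break the post-incident rules.

    One event can produce several findings; results keep the input order.
    """
    findings = []
    for ev in events:
        src = ipaddress.ip_address(ev["src_ip"])
        # Rule 1: MSP administrative credentials may only be used from the MSP
        # management network. Use from anywhere else looks like a pivot.
        if ev["account"] in msp_accounts and src not in msp_net:
            findings.append((ev["id"], "msp-admin-from-unexpected-source"))
        # Rule 2: any activity on an account tied to the compromise is a
        # possible reacquisition attempt and must be reviewed.
        if ev["account"] in quarantined:
            findings.append((ev["id"], "quarantined-account-activity"))
        # Rule 3: remote access (RDP/VPN/SSH) without MFA is not permitted
        # until the password reset with 2FA has been completed.
        if ev["remote"] and not ev["mfa"]:
            findings.append((ev["id"], "remote-logon-without-mfa"))
    return findings


if __name__ == "__main__":
    for event_id, reason in review_logons(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

In a real deployment the same three rules would be expressed in the SIEM's query language and fed by the aggregated logs the checklist tells you to maintain.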