Q1: Why do effective threat-informed and risk-based security programmes that ensure cyber resilience require businesses to know their “enemy”, “battlefield” and “themselves”? What does this mean to an MSP?
Companies, both large and small, have made great strides in digitising the majority of their data and processes. However, those digital assets now present a concentrated risk that has a larger attack surface than we’ve ever seen. Endpoints are becoming even more diverse and distributed, prompting security experts to send clear warnings that devices we believed to be secure, such as insulin pumps, connected cars, HVAC solutions, pacemakers, smart watches, cameras, speakers and so on, are now potential targets.
The ransomware threat is now of epidemic proportions, and when you include the rise of cryptocurrencies, which has provided cyber criminals with the means to strike anonymously, the risk from an attack can be catastrophic. Today’s cyber threat landscape has made it an imperative for MSPs to have a comprehensive cyber resilience strategy for themselves and their SME clients. Being able to identify, protect against, detect, respond to and recover from threats has not only become essential; these capabilities are also the building blocks of a comprehensive cyber resilience strategy.
However, cyber resilience is also about reducing risk. This means knowing which cyber security events would have the most profound impact on a business and prioritising defence measures accordingly. Doing this requires MSPs to have intimate knowledge of their “enemy”, the “battlefield” and “themselves”.
To start, MSPs need to evaluate which assets have the highest probability of being attacked and determine how valuable those assets are. It is only then that MSPs will be able to completely realise the exploitable surface, and the likelihood of being attacked via a particular vector. Fundamental to a risk-based approach is knowing everything possible about potential adversaries and how they operate; carefully examining their own or their clients’ data, systems and people; and the battlefield (the network). Out of the three components, knowing potential attackers is by far the most difficult.
Q2: Why is having an understanding of threat actors in a business’s threat profile essential to building an effective threat-informed and risk-based security programme that ensures cyber resilience? What is a threat profile? Who are the threat actors that every MSP should have in their threat profile? How are cyber criminals attacking businesses? How does thinking like a hacker better equip MSPs to protect their SME clients?
It is no longer a matter of “if”, but “when” an attack will take place. Today’s cyber threat landscape has made it critical for MSPs to have an in-depth understanding of where potential attacks may come from and the effects they could have on a company, making a threat profile an essential component of an MSP’s cyber resilience strategy.
First, MSPs need to know the enemy – who are the threat actors taking an interest in the company, and why do they view the business as a viable target? Second, what are their motivations and objectives? Third, how do they work – what tactics, techniques and procedures (TTPs) do they use, and how are these relevant to their clients’ environment? And finally, where would they most likely attack, and how could they compromise the business or its customers? Only by gaining these insights will MSPs be able to think like a hacker and put an effective threat-informed and risk-based security programme in place.
Identifying and analysing potential adversaries isn’t easy. Studying cyber criminals’ TTPs needs to be a proactive and targeted process. To help MSPs understand how threat actors operate, there are several open-source resources available. The MITRE ATT&CK database provides a library of known adversary tactics and techniques, information on adversaries’ behaviour reflecting the various phases of an attack lifecycle and the platforms they are known to target, and provides a framework that is widely used by threat hunters, red teamers and defenders to classify and assess attacks.
ThaiCERT provides an encyclopaedia of threat actors. For the most up-to-date insights, security vendors regularly monitor and publish information on cyber criminals. As an example, Datto’s Threat Management Cyber Forum provides threat profiles, signatures and information on threats that target the MSP community and their SME clients. Recently, this forum added profiles on the Russian state-sponsored hacker group APT29 (aka Cozy Bear) and Dark Halo; the LockBit family of ransomware; and the notorious cyber crime group Wizard Spider. Each profile contains an overview of the actor, their motives, TTPs, possible mitigations or defences, detection opportunities, and additional resources.
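The “enemy, battlefield, themselves” prioritisation described in the two answers above, as an added worked example that is not part of the interview: a small threat-informed risk model that scores ATT&CK techniques by how many profiled actors use them and which valued assets they expose, then ranks mitigations by the residual risk each would remove. The actor names, asset inventory, scores and technique-to-mitigation pairings are constructed for illustration only; the authoritative mappings live in the ATT&CK data set.

```python
# Added example (not from the interview): rank ATT&CK mitigations by the
# actor-relevant, asset-weighted risk they would remove for one client.
# Actor profiles, assets, values and technique/mitigation pairs below are
# constructed for illustration; consult the ATT&CK data set for real mappings.
from collections import defaultdict

# "The enemy": techniques each (constructed) actor profile is known to use.
ACTOR_TTPS = {
    "ransomware-affiliate": ["T1566", "T1078", "T1059", "T1021", "T1486"],
    "credential-thief":     ["T1566", "T1078", "T1003", "T1133"],
}

# "Themselves" and the "battlefield": asset value (1-5) and the techniques
# that could reach each asset in this (constructed) client environment.
ASSETS = {
    "backup-server": {"value": 5, "exposed_to": ["T1021", "T1486", "T1078"]},
    "user-laptops":  {"value": 2, "exposed_to": ["T1566", "T1059", "T1003"]},
    "vpn-gateway":   {"value": 4, "exposed_to": ["T1133", "T1078"]},
}

# Illustrative mitigation -> techniques pairs (ATT&CK mitigations use M-ids).
MITIGATES = {
    "M1017": ["T1566"],                    # user training
    "M1032": ["T1078", "T1133", "T1021"],  # multi-factor authentication
    "M1053": ["T1486"],                    # data backup
    "M1038": ["T1059"],                    # execution prevention
    "M1026": ["T1003", "T1078"],           # privileged account management
}


def technique_risk(actor_ttps=ACTOR_TTPS, assets=ASSETS):
    """Risk per technique = (profiled actors using it) x (sum of exposed asset values).
    Techniques no profiled actor uses score zero: they are not in this threat profile."""
    actors_using = defaultdict(int)
    for ttps in actor_ttps.values():
        for technique in set(ttps):
            actors_using[technique] += 1
    risk = defaultdict(int)
    for asset in assets.values():
        for technique in asset["exposed_to"]:
            if technique in actors_using:
                risk[technique] += actors_using[technique] * asset["value"]
    return dict(risk)


def rank_mitigations(deployed=(), actor_ttps=ACTOR_TTPS, assets=ASSETS, mitigates=MITIGATES):
    """Rank not-yet-deployed mitigations by the residual risk each would remove."""
    risk = technique_risk(actor_ttps, assets)
    covered = {t for m in deployed for t in mitigates.get(m, [])}
    scores = {m: sum(risk.get(t, 0) for t in ts if t not in covered)
              for m, ts in mitigates.items() if m not in deployed}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

Calling `rank_mitigations()` for the untouched client puts multi-factor authentication first, because Valid Accounts (T1078) is used by both profiled actors and reaches the two most valuable assets; re-running with `deployed=("M1032",)` shows how the priorities shift once that control is in place.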
Q3: What are the best ways to implement a best-of-breed application security programme that defends against adversaries and keeps businesses safe?
With cyber attacks becoming increasingly difficult to recover from and posing greater repercussions, investment in protection technologies is no longer enough. MSPs and the clients they serve are now taking an “assume breach” position and developing incident response, crisis management and disaster recovery strategies alongside traditional cyber security programmes.
Once MSPs have a solid threat profile, simulating the adversaries’ methods will help them to determine where the greatest risk exposure resides and what they need to do to mitigate risk. By reverse-engineering past breaches, MSPs are able to prioritise and implement the most effective security controls against specific actors. To help test the configurations, there are a number of open source tools that emulate specific adversaries, such as Caldera or Red Canary’s Atomic Red Team.
It is important for MSPs to examine technology, processes and people in order to fully understand how the defences work in unison. This process needs to be repeated until the MSP is confident that it will win the battle against this specific adversary.
Frequency of adversary emulation varies, so SMEs should conduct this process once a year or whenever there is a major new threat and MSPs should do it quarterly. Also, at a minimum, all businesses should follow the CIS Critical Security Controls with a fair amount of time devoted to Implementation Group 1 controls for essential cyber hygiene.