The cybersecurity agencies of the United States, the United Kingdom, Australia, and Canada issued a second advisory this week, stating that cyberattacks against managed service providers (MSPs) are expected to escalate.
According to the advisory, an attacker who gains access to a service provider's infrastructure could carry out ransomware or espionage activity against the provider's customers.
The nations advised, "Whether the customer's network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects."
"NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI expect malicious cyber actors -- including state-sponsored advanced persistent threat groups -- to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships."
For the purposes of this advisory, the MSP definition covers IaaS, PaaS, SaaS, process and support services, as well as cybersecurity services.
The first, obvious piece of advice is to avoid getting compromised in the first place. Beyond that, users should follow standard suggestions such as improving monitoring and logging, updating software, having backups, employing multi-factor authentication, segregating internal networks, applying the principle of least privilege, and removing old user accounts. Users should also check contracts for clauses that ensure MSPs have adequate security safeguards in place.
Further, the advisory stated, "Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment."
"MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery."