<img alt="" src="https://secure.badb5refl.com/165368.png" style="display:none;">
 

Kaseya Breach: Key Takeaways for Managed Service Providers

By Cyber Insights Team on September 15, 2021

Get Free Insights

Kaseya Breach: Key Takeaways for Managed Service Providers

September 15, 2021 | BY Cyber Insights Team

This is a transcript of the Kaseya Webinar: Key Takeaways for Managed Service Providers webinar broadcast on July 29, 2021.This transcript was generated primarily by automated voice recognition with edits for readability. Although highly accurate, you may note minor differences between the audio recording and this transcript.

Panelists

  • Andrew Edstrom - CEO & VCISO, Assessivate
  • Brandon McCrillis - Independent Cybersecurity Consultant

Joelle Palmer:

Hello everyone, and welcome to our broadcast. With the recent Kaseya and SolarWinds breaches, many of us are feeling the impact. Your clients are beginning to scrutinize their relationships with you to understand your cybersecurity initiatives. Our experts will provide a breakdown of what went wrong with Kaseya and discuss how you can prevent future attacks at your organization, all while building clients' confidence in your cybersecurity program.

Now, before we get started, for those of you that may not be familiar with your hosts of today's webinar, I'd like to provide a brief intro. At Apptega, we're helping organizations of all sizes, including MSPs, MSSPs, and Consultants, as they manage cybersecurity and compliance both internally and with their clients. Our software platform provides easy-to-use questionnaire-based assessments, along with task management and automated workflows for managing the remediation of gaps. Dashboards provide instant visibility into audit readiness and automated reports for your stakeholders.

For our discussion today, I'd like to welcome our guest speakers. We've got Andrew Edstrom, the Founder and CEO of Assessivate, and Brandon McCrillis, Independent Cybersecurity Consultant, and SANS instructor. Thanks for joining us today. So, Andrew, would you like to introduce yourself and Assessivate?

Andrew Edstrom:

Yeah, absolutely. First of all, thank you for having me⏤I'm thrilled to be part of this conversation. Unfortunately, we keep having to have these conversations. I started Assessivate about three years ago, not to support infrastructure, technical operations, or security, but to help businesses make good choices in their cybersecurity direction through review of their current status. We offer compliance services, security services, and analytics. We also provide technology advisory services to help manage MSP engagements or MSSP engagements. Additionally, we run RFPs for businesses and are always trying to make sure that people are doing the right things along the way.

Joelle Palmer:

Great. Thanks, Andrew. Brandon, can you introduce yourself and give your background?

Brandon McCrillis:

Yeah, definitely. Thanks for having me today. My name is Brandon McCrillis, and I'm an Independent Cybersecurity Consultant. My journey began when my mom took my computer away at 12 years old because AOL wondered how I had an administrator account. Initially, I went the cooking route and was a Hollywood chef for a little while. Then I came full circle, joining the Navy as a cryptologic technician network. What does that really mean? I banged on a keyboard for freedom in a dark room for a number of years.

When I finished that, I started helping the U.S. Cyber Command as we started standing up our cyber mission forces and doing military cyber tasks for cyber mission directives. In 2015, I made the jump to the private sector and really started enjoying thousands of global engagements. I started doing offensive testing, training, and internet incident response. So, that was my career until I recently sold my company. Now I'm in the sweet spot for consulting, where I don't have to care about the money anymore. I can simply care about providing value, and that's why I'm here today. Thank you.

Joelle Palmer:

Okay, everyone, to get started, we have a couple of polling questions to help set the stage for our panelists. So, let's get started. Which best describes your role in your organization? And you can select all that applies. 

Screen Shot 2021-08-19 at 11.47.01 AM

Any comments on that?

Andrew Edstrom:

I think we have a pretty diverse group, and it's pretty exciting to see business leaders on here because they make the ultimate decisions. I would like to see that number a lot higher, but I'll take 14%.

Joelle Palmer:

Great. Let's hop into our next question. Which types of breaches are you most concerned about? And again, you can select all that apply. 

Screen Shot 2021-08-19 at 11.48.10 AM

So, guys, do you have any comments on that before we get into the next topic?

Brandon McCrillis:

Yeah. Phishing/Social Engineering definitely makes sense. I like that we are seeing Ransomware/Malware as well. How are we delivering that? Ransomware/Malware is often delivered through Phishing/Social Engineering. So, I think definitely the audience is right on with this.

Andrew Edstrom:

Also, I think Insider Threat is becoming a bigger, more prevalent problem. Employees are beginning to figure out that they can sell some information by placing a device on a network and make some money. They can possibly get out without consequence, knowing their technology department isn't investigating things very well. So, it's really hard for them to determine who actually did it. I think it's important people are aware that 'Insider Threat' is becoming a much bigger deal.

Joelle Palmer:

Right. Hopefully, that gives us some context as we hop into our first topic of discussion for today. So, for the first topic, we'll be providing an overview of the Kaseya Breach. So, can you share with us what happened there?

Screen Shot 2021-08-19 at 12.01.21 PM

Brandon McCrillis:

We'll definitely do that. On July 2nd, most of us were preparing to celebrate Independence Day. Yet, Friday afternoon, there's a unique supply chain-based incident. While everyone was getting ready in the states to do their Independence Day weekend, Kaseya sent out updates to its VSA.

What is VSA? It's their Virtual System Administrator, which is used for remote monitoring and management. MSPs and anyone that has to administer a very large distributed organization is going to use this type of technology because it helps them scale precious human resources.

So, the attack starts on July 2nd, and Kaseya said, “Hey, we're going to shut down our cloud service-based offering. Anyone that's using VSA on-premise, shut that thing down now.” Again, this is Friday afternoon, so most people have actually gone for the holiday or possibly been off that whole day. So, the timing is strategic, right?

Part of the attack was shutting down the Kaseya cloud. Kaseya says, "Hey, customers, shut down this stuff." So of course, many U.S.-based MSPs are already hugely infected or impacted by this. The attack goes on over the weekend, and Kaseya comes out on July 6th and says, “We're going restart our VSA cloud service.” 

However, they halted the restart and said, “Oh, wait a minute. We're not quite ready. Now it's going to be up and running again, July 11th.” So another huge impact to MSP operations. MSPs thought they had a patch and they were going to be all set, but it's delayed even further. So MSPs, whether you or your clients were impacted, begin playing the waiting game. There was little guidance given for most cases.

Brandon McCrillis (cont.):

So, fast-forwarding a little bit, REvil group (REvil stands for "Ransomware Evil", you might also know these folks as the "Sodinokibi") has been an issue for a long time.  Kind of before that there was Gandcrab, which might be a group that you remember, and then there were a lot of similarities as well between REvil and the Dark Side Group, which hit Colonial Pipeline. We'll talk about that more later.

So, this attack was leveraging a series of vulnerabilities, chained together on those Kaseya VSA type servers. It included an authentication bypass, arbitrary file upload, requests forgery token bypass, and local file inclusion. Pretty much the nastiest things that could have happened.

You would think that the attackers would get to this point, so they could kick back, relax, and profit. No, after the attack they deleted some of the forensic evidence that's useful to us as forensic investigators of the attack. On July 7th, they went and attacked the U.S. Department of Defense weapon launch technology contractor. The Kaseya breach isn't a government entity, but you hit a DoD weapons contractor and all eyes are on you. This may actually have helped a lot of the Kaseya breach get resolved, or at least, those MSPs get back online.

So, July 7th, REvil attacks a computer company in Florida called HX Five. They specialize in weapons launch technology. What do you know, July 9th, POTUS, President Joe Biden has a conversation with Vladimir Putin over in Russia and says, “Hey, we're not going to stand for this stuff. We know it's coming from your country. Something's going on here.”

Brandon McCrillis (cont.):

Fast forward, July 11th, Kaseya rolls out restoring services. By July 12th, 10 days after the initial attack, a hundred percent of the impacted MSPs were back online. So, what do you know, July 13th, REvil goes offline. They vanish. All of their infrastructure is taken down. What's important about that is they also took down the payment portal. So, if you were one of those impacted end clients, and paying the ransom was in your disaster recovery plan or business continuity plan, you couldn't even do that.

July 23rd Kaseya announced that they received a decryption tool from a trusted third party. They had it vetted by the software antivirus firm MZ Soft, so impacted clients were able to decrypt some of their data. Currently, Kaseya’s website says their last incident update is on July 26th. So, it's been a couple of days. It seems like things are kind of simmering down a little bit there.

Anyone remember the JBS meatpacking plant? Back in May they were also hit by REvil, except they paid the $11 million ransom in Bitcoin, ahead of this whole attack. It’s a good example of how funding these attackers can definitely propagate further attacks. Yet, REvil targeting Managed Service Providers isn't something new. They've been targeting MSPs since 2019. Andrew, what do you think about that breach?

Andrew Edstrom:

Yeah, I think our listeners need to understand Kaseya is a super tool. These tools are very powerful with what they can do. Human capital is so hard to find these days, so there is cost-effectiveness in an MSP. It's imperative to understand that this is part of their business model and this is how they operate.

So, as we look at the tools that they're using, what other tools are going to be exploited? This is potentially the tip of the iceberg of what's going to continue to happen. The supply chain is such a valuable commodity for the cybercrime syndicates right now. They have the ability to get in at kind of a low level, then go downstream and hit many devices with very little effort. It can be a phishing email or some kind of RDP exploit. However they do it, instead of getting one customer and not a lot of money, they can hit an MSP who has Fortune 500 companies under them. This makes MSPs a huge target. We're going to talk some more about this and what we can do, but from a context perspective, this is only going to continue to happen. There are going to be other targets that carry this similar kind of information. 

Joelle Palmer:

Right. Thanks, guys. I actually had no idea that REvil was behind the meatpacking plant attack that happened a couple of months ago. Wow, they've been very active, it seems.

Brandon McCrillis:

Well, when you have a million dollars or 11 million in your pocket, you get to hire some new staff and redo your ransomware, right?

Joelle Palmer:

Yeah. Great point. It's funny how some of these ransomware groups behave like a formal company. It definitely makes things very interesting.

Brandon McCrillis:

A cool fact about these groups as well is Gandcrab, Sodinokibi, Darkside, and REvil actually have code to look at your keyboard layout. They don't actually want to attack anybody that's in the Commonwealth of Independent States. So yes, absolutely like a business. That's a good point.

Andrew Edstrom:

We're talking about Managed Service Providers, yet they're providing Ransomware as a Service. So, it's a similar model. The difference is that it is criminal business--taking and extorting.

Joelle Palmer:

Yeah. Very interesting. Well, let's go ahead and hop into the second topic for today, which is what did Kaseya do wrong? Andrew, you want to kick us off here?

Screen Shot 2021-08-19 at 12.01.45 PM

Andrew Edstrom:

So, without any insider connections, I will recount based off of my readings. I was with an MSP a few years ago and Kaseya had another breach where they were infected with crypto-miner software. So, there has also been some other minor Kaseya breaches that have happened. I think what Kaseya did wrong was they didn't actually learn from their mistakes. I'm not sure how the VSA product survives after this latest event because of the magnitude of it. I think anybody that would stay with VSA would have to either be desperate because their pricing comes down or Kaseya will demonstrate to the world that they've kind of re-engineered the whole product.

I'm not sure that they'll invest capital to demonstrate mitigated risk because there is a lot of risk in this product set. I've read numerous articles about security guys on the Kaseya team that were telling management prior to the breach, "Hey, we better change this. We need to re-engineer it." Other employees and contractors have shown potential breaches and credential stealing that have happened, yet management never reacted to it.

So, I think it's possibly the culture there. A lot of MSPs will say "security is in their DNA" as selling points to customers.  They'll claim to have endpoint, firewalls and IPS and IDs. Possibly, they will throw around buzz words, so the business owner is impressed. So, the business owner says, "Well, I don't know anything he's talking about, but I guess we need it."

That's the way the conversation goes sometimes. With Kaseya, my gut says, they didn't make the changes. Possibly the culture wasn't present to accept cost associated with making the change required and securing the product. What about you Brandon? 

Brandon McCrillis:

I agree with you on a lot of that. Back in April 2021, the Dutch Institute for Vulnerability Disclosure tried to do a limited disclosure with Kaseya and disclosed seven different vulnerabilities that they found. If you're familiar with CVEs, you are probably familiar with CWE, that's Common Weakness Enumeration. You can go to cwe.mitre.org for more information on this. There's a CWE Top 25 list, and some of the vulnerabilities that were leveraged in this particular attack are on that list. Not only are they on that list, but they are in the top 10 on the list of 25.

I think a huge mistake here is Vulnerability Management and knowing there are issues.  Andrew, when you said "How does VSA survive after this?" What scares me, as an incident responder and a hacker, is when everyone has a hammer, everything looks like a nail. You find when you have these types of largely publicized attacks, it starts breaking business processes. The product is going to change even more. I'm sure someone's trying to scrap the entire VSA product and build it from the ground up. How will that impact the business? How will it impact MSPs that rely upon that product to deliver their services to their clients? We're going to see reverberations from this for a while to come. 

Andrew Edstrom:

Yeah. When I think about the supply chain, I like to say that anybody can make software. For example, when I was young, I began coding classes, and I was making software. There was no security to it. So, I think anybody can make software, but not everybody can make secure software. This means VSA has a challenge to really redefine what of their Sales Development Life Cycle (SDLC) looks like. Possibly they had a good process. Possibly they simply weren't following it. I can't tell you how many times we see that when we go and do assessments.

We ask clients about the QA checking, where they are getting source code and how they are validating it. Sometimes you get a deer-in-the-headlights look. I don't believe that if I was using their software, and was aware of that, I'd feel good about it.

In this industry, I think we see a lot of things that make us pause and say, “I'm not sure I want to do business there. I'm not sure I want to buy a product from them. I'm definitely not going to install that app on my phone.” Those moments continue to happen for whatever reason—possibly it's a lack of knowledge, understanding or cost. I run a business, so I understand what cost looks like, but it's got to change.

Brandon McCrillis:

I feel strongly about this. I believe companies like Kaseya (making and delivering the product that they deliver, and the responsibility across customers) are obligated to have a better Software Development Life Cycle and a secure Software Development Life Cycle. You have to bolt on security. The fact that a lot of the vulnerabilities leveraged here were previously reported, and are common or base type weaknesses, is inexcusable.

I mean, it's one thing to say, "hey, we're moving at the speed of business and we're trying to knock out this product", but companies should be fuzzing their stuff. What is "fuzzing"? Fuzzing is a fault testing technique. You have to make sure you are testing correctly no matter if you're delivering a product, making an application, a client portal, client software or whatever.

A lot of folks test from a third party, so you introduce some other third-party risk there, which we could talk all on and on about. I've had clients contact me and say, “Hey, we have this product, this new security product." One time I even had a client say, "it's a 100% un-hackable." I told them to please sign my statement of work. I asked them, "It was written in C code. Have you fuzzed this?" And they said, “No, we haven't heard about fuzzing.”

There are free and open-source techniques, so fuzz your stuff. Find those low hanging fruit vulnerabilities and get those things remediated (before you pay a contractor to find those same weaknesses) by running an open-source tool. Andrew, I completely agree with you on that.

Andrew Edstrom:

Most of the time testing is on operational functionality, not on security. Every time I go into a software development organization, we look at their testing to make sure they're validating their code. Then we start asking security questions. “What exploits? What are you doing in security? What tokens do you use? How are you protecting this?” Again, it's the deer-in-the-headlights look. There's no multi-factor authentication, and their password stayed in clear text to another database. Sometimes it's not encrypted. It doesn't sound really secure. We can talk about this obviously all day because we see it throughout the world. 

Joelle Palmer:

Yeah. It sounds like Kaseya made a lot of different mistakes. So, I'm curious with the audience, if you guys are seeing an increase or a pickup with cyber security being integrated into your culture as an organization? So, let's hop to the third poll question, which is, “Has Cybersecurity become an increased topic of interest either at your organization or with your clients and prospects?” So again, please click all that applies. 

Screen Shot 2021-08-19 at 11.48.10 AM

 So, Andrew, Brandon, does this surprise you at all?

Andrew Edstrom:

I think D has always been a concern, but what are we doing about it? Whether you're a business leader, the actual MSP, the customer of an MSP, how do you trust and verify that the things are getting done? MSPs we partner with typically do it right, so I am not speaking solely on what I see. Usually, the ones that don't want to partner with us are doing it wrong. A lot of them are afraid because we're going to kind of expose what they're not doing. We're going to tell them, "Hey, you better fix this or I'm telling our mutual customer."

That's a big thing. How are we doing to validate what's going on? We've got the Filthy Fifteen coming up. These are things people have got to start asking questions about and do the Jerry McGuire, right? “Show me the money.” Show me what is going on here and what it's supposed to look like. If you're not equipped to understand whether the MSP is acting securely, get some help. Get somebody to look at it. I don't mind answering someone's questions because I want to help people.

Brandon McCrillis:

Yeah, I agree with that. I come from running a Managed Security Service Provider company and dealing with a lot of MSPs and hundreds of breaches. You want the customer to come to you when they need something, provide the service and the value, and move at the speed of business. Yet, the practicality is completely separate from the security of that data. I find some breaches we go and respond to, who have an MSP (hopefully not offensive to any MSPs), are bolting on security.

That's fine. Offer security services and offer security products. At the same time, regardless of how much you know, this industry is massive. When we're talking about cybersecurity, there are so many idiosyncrasies. It's always good to have a "break glass in case of emergency" type of contact. Partner with a firm that is specialized in whatever you're not. I can't tell you how many times I have gone into an incident where the MSP is trying to keep the customer safe, and not able to do it--either through scalability issues or not really understanding the problem.

So, cybersecurity goes hand-in-hand with service providers. I feel like a lot of service providers really need to make sure they are doing what they can in the best interest of the client. If you don't have folks on board that are cybersecurity ninjas, I would definitely suggest partnering with a firm that can give you that kind of support.

Joelle Palmer:

Thanks guys. So, let's hop over to our third topic for today's discussion. How can our MSPs, MSSPs and Consultants that are on the line ensure that they don't fall prey to hackers like REvil? Brandon, do you want to kick us off?

Screen Shot 2021-08-19 at 12.02.02 PM

Brandon McCrillis:

Yeah, definitely the Filthy fifteen. I can't wait for that. There are a couple of things for minimizing future risk on that list. Listen, no MSP was anticipating Kaseya and the VSA functionality would be impacted in this way. It could have been a lot worse though. We're looking at only 60 total clients out of about 3,500 were hit. This could have been significantly amplified.

I always tell my clients, keep backups of your encrypted data. In this case, we had a decryptor that was released weeks later. Decryptors are released for all sorts of reasons, either through independent security research, security vendors or governments. We've even seen times where the criminal syndicates themselves will have an internal riff, so one of the developers will release the decryptor to hurt the others in the organization. So, always back up that critical encrypted data. I'm not saying leave it connected to your network or anything like that. If a year or two down the road, the decryptor is released, you're going to want to have that encrypted data to be able to do that.

The other thing here is Kaseya runs on an underlying operating system. In most cases it was installed overlay on Microsoft windows server. So, that opens up the discussion of patching and vulnerability management, not only in that third-party software, but within your environment.

Make sure that you have ISS patches installed, and you have patches installed to SQL server. I like to jokingly say that anything Microsoft default is bad. If it's a default configuration of Microsoft, I will bet you the money in my pocket it's probably not secure. 

So, make sure you properly configure those things. Make sure you have a hardened operating system that you're running these services and software on. Also, always conduct a third-party risk assessment (it doesn't have to be super involved) and engage a trusted partner to help you conduct that third-party risk assessment. It's important to understand what technology you're using inside your environments, and if something goes wrong there, how it can impact your clients downstream. At the end of the day your client is probably less angry at Kaseya and more angry with you because you're the managed service provider.

Brandon McCrillis (cont.):

I know your hands are tied because there's nothing managed service providers could really do in this case. This is definitely a supply chain-based attack. Make sure that you have the ability to regain confidence with your clients. The last thing is to have a disaster recovery plan, have a business continuity plan, and review them annually or semi-annually. Understand what to you need do to keep your business afloat. Make sure you understand the minimum requirements to keep your business making money.

When you have a business impacting event like this, you don't want to be in the case where you're relying upon a third-party vendor or some ransomware group to release a decrypt. It's your business and brand reputation, so always make sure that you have a plan when things go wrong.

My final point is on newly implemented security controls. I know everyone's going to go back to work and start adding more security controls. I'm sure this Kaseya breach has caused all kinds of interesting new security configurations. Please, always test those with business function. Business and security: they have to go hand in hand, but they also compete with each other a little bit.

Find synergy between business productivity, making money and having proper mitigating controls to insulate against risk. Synergy between this and aligning with business organizational risk appetite is huge. I see far too many clients going back, turning on all the security features they possibly can and breaking business functionality. What happens? They start breaking business functionality, so security goes out the door because you're concerned about business again. Your business starts weakening the environment. Andrew, what else do you think we can do to minimize some risks?

 

     
 

"Business and security. They have to go hand in hand, but they also compete with each other a little bit, right? Finding that synergy between I can get my business done, my business can make that money, and I have proper mitigating controls to insulate myself against risk, aligned with my business organizational risk appetite, is huge."

 
     

 

Andrew Edstrom:

I really love what you said about the backup’s disaster recovery. My team always lead with that on security. I don't care what your endpoint is and your firewall approach is. I want to know that you can recover in a timely fashion.

I think from an MSP perspective, a couple of things come to mind. First, make sure you have your unique username and passwords for each of your customers. I've seen instances where a company has one password, and everybody shares it because it's too difficult to login again. That's lazy and won't help anyone. It's going to really exploit what you're not doing.

Second, have Vendor Management and do the due diligence. Make vendors provide you with information so when you're signing a contract with the Kaseyas of the world, you're covered. Do a due diligence questionnaire, make sure that they're eating their own dog food. So, if they can't provide you with something those should be red flags that go off.

You can possibly have a red flag with all of them on something, and that's fine, but have a risk conversation. You can say, “Hey, we're going to accept this risk, but you have a year to fix this.” You can sign the contract with a clause protecting you if they don't hold up their end of the bargain. If they don't fix it: rip and remove your stuff.

It's possible you don't have multi-factor authentication in your product or something like that. Those have to be conversations that continue to happen. Now here we are, the Filthy Fifteen is up. I can't wait to talk about these.

These are the mistakes we see all the time that will break down your security. We think about MSPs and other IT providers or internal IT Departments. Some of these mistakes they possibly never knew they were making, or they don't know better. Possibly, they are lazy and don't care about the risk. Possibly fixing the mistake can break some functionality or they don't know how to address the functionality that it might break. I think about so many ransomware events that can be avoided with fixing some of the mistakes on this list.

To start, the privilege on regular accounts is my pet peeve. So, you're the I.T. Director or CEO of your company, and you think you have to have domain admin on your account. It's introducing risks all the time. Only one event needs to happen that can blow up your stuff. So, a quick win is addressing privileged access on regular accounts. I've helped people change this simply by creating unique accounts that have the privileged access.

Your email is where phishing emails come in. You don't want to be having a bad day and click on something from a fancy social engineer. They use methods to comb through your social media. They found out you loved to bass fish and sent you a Bass Pro Shop gift card. You might click on it because the gift card seems great. That is how this kind of phishing works. 

Another one that drives me crazy is not having a plan on whether or not to pay ransom. Don't get into the heat of the battle when the event happens, and have to come up with a plan of whether to pay. My rule of thumb is you never pay. Your backups will recover you from any event and get you back online. If you don't have a good backup solution, then find one immediately. I recently saw what I consider a respectable CSO online saying that payments should be an option. Do you know what that tells me if I were a hacker? I just have to make your pain great enough, and you're going to pay me. Don't announce that payment is part of your plan. Test your organization's backups. Test your full system recoveries. Finally, know how long your full system recovery takes.

The last one we'll talk about (I'm going to let Brandon pick his next three) is security by obscurity. If anybody ever tells you to change a port on something on your firewall and claims that's security, you need to run for your life. You need to hire a new technical person. Anyone that changes your RDP port to something else because there's 65,000+ ports available, thinking it's somehow makes you secure, is selling you snake oil. What about you, Brandon? 

Brandon McCrillis:

There's so many, Andrew. Definitely have a plan. I think that overarching statement goes well with what Andrew was saying there. Am I going to pay, am I not going to pay? Don't advertise your plan to everybody but have a plan.

I have had conversations with Chief Financial Officers that went like this:

“I need you to go down to the grocery store and buy $5,000 of Visa gift cards in cash.” What is your procurement process for handling something like that?  Because this CFO looked like he didn't know what I was talking about. Definitely have that plan.

I think also allow listings. I see all the time:

"We were RDP brute forced from the internet."

"Well, where do they come from?"

"Russia."

"Well, do you do business in Russia?"

"No."

Then why is it allowed on your firewall? Geo-blocking is not the end all be all to anything. We can get around this stuff, but it helps. 

Number two from the list is improper logging. It goes back to what I say about everything Microsoft-default is probably bad: SQL server, Microsoft 365, Windows. Default logging is not sufficient. I want to have some backups. I would love to have 90 days of backups, but really if I can have 180 days, it's even better. Remember to maintain compliance and regulations, HIPAA hi-tech, PCI, all of those might have their own stipulations.

Number one on the list is principle of least privilege. I had an attack one time because the administrative secretary had admin privileges on the domain. Why? Well, she was the admin secretary in executive office, so why not? She ended up executing ransomware. The company had no plan.

Her computer started acting funny and she went home for the day. It took 14-and-a-half hours for the ransomware to blast through the network encrypting over 60% of those resources. Yet, because she was the admin secretary and had admin privileges on the domain, she also had right access to the backups that were happening nightly. So, guess what? You're doing all of that other preventative stuff, but then one control breaks the whole link. So, definitely lots to talk about here, but I agree with Andrew for sure.

Joelle Palmer:

Let's hop to our fourth topic before we get into the Q&A. What can people on the call do to make sure their customers know that they are prioritizing cybersecurity at their organization? Andrew, do you want to kick us off here?

Screen Shot 2021-08-19 at 12.02.15 PM

Andrew Edstrom:

Yeah, I think there are a couple of things. The important fundamental thing is do the basics and do them right. What I've seen in my experience with MSPs around the world is they operate at a very high speed. There's a lot of pushing and pulling, and competing forces. Our team has to make sure they have an agreement to patch everything in a timely fashion, and that they're actually getting those things done. When they notice or when they see something that sets up a configuration of their endpoint protection for their customer, they have set all the right settings to set quarantines.

An organization can't expect to turn things on incorrectly and still be secure. If it isn't working, you aren't secure, and your organization can be hacked. Brandon mentioned Microsoft and security earlier, and those two aren't something I would say go hand-in-hand. They've made strides. There's no doubt about that.

I think at the end of the day, it's really establishing what you can do, demonstrating the basics and bringing your due diligence package to your customers. When you hand over your tax information and your certificate of insurance, show them an enhanced access cyber policy with additional coverages to protect them. Show them SOC 2 attestation letters or something along those lines that demonstrates you have a process in place. Show them a guarantee that you're going to protect them from breaches if they follow your security stack.

I've seen this in businesses, and it works. Promise that when you do what we tell you to do, you don't have a breach. I mean, that's the bottom line. Brandon and I had a conversation about this. The hackers are like us, and we want to do the easy work.

So, if you give a hacker an opportunity to send one phishing email to make $70 million of work or a six-month project to break into Coca-Cola, he's going to send the one email. That's the bottom line. He's going to take the low hanging fruit. Who wouldn't send one email to make $70 million? I mean, without going to jail, obviously. Brandon, what are your thoughts on that?

Brandon McCrillis:

Again, I think it comes back to leveraging your business-to-business relationships. Nothing says confidence to that end client like saying “Hey, listen, we're really good at what we do, but we also acknowledge there are things that we aren't so great at, or could be better at. So, we have this partner or this relationship that you are able to leverage through your partnership with us."

     
 

"Again, I think it comes back to leveraging your business-to-business relationships. Nothing says confidence to that end client like saying 'Hey, listen, we're really good at what we do, but we also acknowledge there are things that we aren't so great at, or could be better at. So, we have this partner or this relationship that you are able to leverage through your partnership with us.' "

 
     

 

This provides value to that client by developing a trusting relationship. I think it definitely helps to rebuild confidence. For those MSPs that are still continuing with Kaseya, Kaseya already started making some improvements there. For instance, Kaseya has provided FireEye's service 24/7 monitoring to all of their clients.

You have to install the FireEye Agent, so it's a free credit monitoring of breaches now. They are getting FireEye to give them free service, so that's definitely a big confidence builder. Again, in the remote monitoring and management, Kaseya did a reasonable job of what it's supposed to do, security aside. I think you're going to have plenty of MSPs out there that are so tied to that technology, they're going to stay with it. The fact that they're offering that FireEye support is definitely a good thing. Kaseya has also added some web application filtering to circumvent some  of the vulnerabilities that were chained together that lead to this.

At the same time, VSA is changing. It used to be able to provide a download link to the client so they'd be able to install the agent. That went away for now because that's the exact kind of thing that created this issue to begin with. I think when building confidence, it is all about communication.

Have a plan for building those trusted relationships. If you don't have a "break glass in case of emergency" type contact for something like this, I definitely suggest you do. That can be a business unit that you're developing in house, or simply leveraging those partner relationships.

Joelle Palmer:

Great. Well, let's get started with Q&A. “What are some of the main entry points for hackers trying to employ ransomware?” Brandon, do you want to kick us off on this one?

Brandon McCrillis:

There are ICs that are most prevalent.

The first are remote services accessible to the internet, RDP, remote administration, virtual web apps, etc. In truth, they are often unauthenticated or easily guessable passwords with no MFA services exposed to internet and phishing. What is RDP brute force? It’s guessing the password over and over again. If you don't have something security monitoring, you're probably going to miss those kinds of things.

The second one is phishing because it continues to work. A lot of the security assessments I do don't even allow me to do phishing because they know it's going to work. Train your employees and have a good employee awareness program in place. I would say that was definitely my top two. Andrew, what do you think?

Andrew Edstrom:

I can't help but laugh when you say they won't let you try phishing because they know it'll work. I’m big on the email phishing. I agree with the remote access as well. It continues to happen. People say, "Oh, we've been already RDP," or I'll ask, "How do you get to this system from home?" They claim to bring up a remote desktop connection and connect right to it. There's no VPN. They have to change it and turn it off. That's how the conversation we have goes. They may go, "Oh, we can't do accounting from home." That's probably a good thing because you're not going to be able to if your computer gets breached.

Joelle Palmer:

This next question kind of goes along with that one. “What is the best way to mitigate the spread of ransomware to my customers if we are infected?” Andrew, do you want to kick us off on that one?

Andrew Edstrom:

Obviously, there are a couple of things. Wherever the disconnect is, possibly you have to disable the connectivity via agent. So, I'll use that as an example here. Password resets are huge. If you're using a single username and password, you should change that immediately. Hopefully you don't have to turn it off because that allows propagation. Sometimes, that is the only answer though. You may have to stop pushing out updates or other actions of that nature. What do you think, Brandon?

Brandon McCrillis:

I mean, it's similar—you come into the emergency room and say, “Hey, I'm infected. I'm contagious.” They're going to put you in a room by yourself, and everyone that goes in there is going to have scrubs and personal protective equipment. So, definitely create network segmentation and isolation of that network if you can. Know that when you start, incident response has to move at the speed of business. You'll get instant response providers that want 14 days to do forensics. You're not making money during that time. So, isolate that network so you can start gathering those indicators of the compromise. Is that a service they're using? Is that an IP they're coming from? Start searching through your environment for those sorts of things where possible. Don't reboot those machines.

Brandon McCrillis:

A lot of people and a lot of MSPs freak out and start unplugging. For instance, I'll go in day two of the incident, and everything has been unplugged. It looks like someone went in that data room and started cutting cables out of the wall. Have a plan! Disconnect that network from the public internet and isolate those systems that are infected. Don't let those systems back into your production environment. Then you have to rebuild. Far too many people, unfortunately, clean the machine or revert to a known good. They find that they still have that same weakness that exposed them in the first place. So those are my recommendations.

Joelle Palmer:

Thanks, guys. And I think we have time for one more. “What are the biggest cyber threats that you guys foresee in the next five years?” Brandon, do you want to kick us off here?

Brandon McCrillis:

AI and machine learning. Cybersecurity tools taking over the Earth. I think that's going to be the biggest threat. No, I'm joking. I was reminded that Facebook had two AI robots, Alice and Bob, and they develop the language to start speaking to each other because it was more efficient. So, they unplugged those things because it got a little too real. A little too Hollywood there. No, of course, I'm joking.

I still think that phishing, the human of this social engineering, is definitely going to be a thing. The challenge of securing the human still has to be something that organizations are trying to get fixed. I think we're going to see more of those kinds of social engineering and even insider threat type events.

I think that ransomware is still going to be around in five years. However, I do think that with the amount of industry and government buy-off that we're seeing now (I wish it was years and years ago), we are better off. I think that we're going to see networks more positioned to be resilient against this kind of stuff. That's my guess. What do you think, Andrew?

Andrew Edstrom:

I think you're spot on with all of that. As people start businesses, every business becomes a technology business. That is because there's nowhere you can really go without technology being present. I think you're going to see some bigger attacks in the next few years, where things like AWS instances will be exploited. Azure will have a big breach. The Microsoft, GCC and GCCI could be a target. They are all a big target, and these are things that more resources will be thrown at. Then you begin to think about nation-state stuff.

I think that's only going to continue to propagate. The geopolitical atmosphere is really chaotic right now. I believe over the next five years, interruption of services—whether it's power, water, food supplies—will continue to expand. The techniques will continue to evolve, including Ransomware as a Service.

Brandon and I even talked about DDOS, ransomware and things of that nature, are going to really continue to innovate. The mindset of the criminal is to find a new way to steal. If there is another way to steal something, they will come up with a new way to do it. Every software has to have an opening to operate in my mind, so there's going to be continued exploits here and there. We have to continue to try to mitigate those. Hopefully, foundational cybersecurity frameworks (CMMC, SOC, ISO) will help prevent this.

Then there’s the people—the human firewall. People aren't educated enough on cybersecurity generationally. I think I'm in my fifties, and Brandon is younger than me. Our generation gets it because we're in the middle of the battle. I look at my parents who are in their seventies and my children who are teenagers, and I think there's a gap on those two ends of the spectrum. We all have to do as much as we can to educate them about the threats that are coming.

Brandon McCrillis:

How do you feel about extortion? 

Andrew Edstrom:

I haven't personally done it, but I don't want to be extorted.

Brandon McCrillis:

Well, the ransomware groups are doing more extortion actually. REvil started trying to extort Donald Trump, Lady Gaga and even Madonna. This is before these MSP-type attacks. Do you think we're going to see more of that? Do you think it's a good tactic? I stole your information, and I'm going to leak it online?

Andrew Edstrom:

Yeah, I think that's going to continue. Look at swatting, doxing, and all these other things going on. I think people are finding different ways to fight. Instead of a fistfight or an armed assault, they want to shame you to death by exposing secrets. They try to turn another group of people against you. So, I think you're going to see more of that.

Extortion is probably the next wave of ransomware events. You do a ransomware event, exfiltrate the data and then you turn around and you say, “Hey, I'm going leak this, if you don't pay me.” It's going to continue.

Joelle Palmer:

A lot of great insights guys. Thank you both for providing your input today and also thank you to all the attendees for attending the webinar today. I hope you found the information helpful and that we were able to provide some actionable takeaways for you!


 

Looking for more cybersecurity resources? Check out our Resource Center.

More Resources

Kaseya Breach: Key Takeaways for Managed Service Providers

Read webinar transcript, Kaseya Breach: Key Takeaways for Managed Service Providers, where cybersecurity experts discuss ways to avoid ransomware events

Learn More

Wait & See with CMMC? Lessons Learned by Provisional Assessors, Part 2

See how to begin your organization's CMMC certification process and learn takeaways from how other businesses are approaching CMMC compliance.

Learn More

How to Present Cybersecurity to Your Board of Directors

Read our webinar transcript, How to Present Cybersecurity to your Board of Directors. Jay Ferro from ERT and Jason James from NetHealth give best practice.

Learn More

Subscribe to Our Cybersecurity Insights