Chinese Threat Actors Attack MSPs: Why Were TRUE’s Customers Not Affected?
On December 20, the United States Computer Emergency Readiness Team (US-CERT) issued an alert that Chinese threat actors were attacking Managed IT Service Providers (MSPs), then launching attacks through those MSPs on their clients. This was an extremely effective strategy because as the alert warns, “These threat actors are actively exploiting trust relationships between information technology (IT) service providers—such as managed service providers and cloud service providers—and their customers.”After all, who is going to question what’s being done in their network when it’s coming from the very people entrusted to manage that network? In this installment, Heath Gieson, VP of Operations at TRUE, walks us through a few key considerations in different approaches to how MSPs manage their client networks, and how we were able to protect our customers during this rash of attacks.
Questions we’ll ask ourselves include:
- How do most MSPs approach IT design?
- How does traditional MSP network management leave customers vulnerable to attack?
- How can IT networks be better managed from a security standpoint?
The Problem With Traditional MSPs
Simply put, traditional approaches to designing and managing IT networks leave companies vulnerable, and the best way to get into a host of environments at one time is through their managed IT services provider. Historically, MSPs have prioritized business efficiencies in network architecture, relegating security measures to an afterthought, instead of incorporating security as an integral part of the design process. In this way of thinking, one will look at the business requirements, research technology, vet for highest uptime and availability, make sure everything works the way they want it to, (hopefully) test for security gaps, then add security controls in order of priority. Vulnerabilities are generally remediated over time, as budget allows, according to the security mentality of the organization’s leadership, and by any number of different vendors. Since budgets are first-come, first-serve, some vulnerabilities are likely to go un-remediated. In fact, that is most often the case, and attackers are well aware.
Meet Our Expert
Heath Gieson is the Vice President of Operations at True Digital Security and serves as our expert for this blog. With experience not just as an IT Director, but also an extensive security background as a Certified Information Security Services Provider (CISSP), he has designed networks for both function and security account. In fact, Gieson has been foundational for TRUE in building out our TRUE IT Services from that same IT-IT Security, unified perspective – a concept we refer to as holistic security at TRUE. Though not the only one to have discovered this concept, Heath was certainly ahead of his time with this vision, embracing holistic security over a decade ago. So why were TRUE’s MSP, managed IT customers not affected by the recent Chinese attacks? We like to think it’s due to the foundational secure IT practices we have incorporated from the beginning.
A Different Approach to MSP
The way TRUE IT accesses our clients’ managed networks to perform maintenance, patching, updates, and any other rollouts, is quite different. We are not actually connecting directly to their environments. “Rather than pulling data from them,” Gieson points out. He continues,
The clients are pushing data to us. This distinction is important because it means we are not keeping any sort of VPN up and running that can be accessed at any time, like a number of MSPs may do for ease of functionality on their side. We utilize an intermediary ‘client’, or connection-only technology, where we are initiating a request for them to connect to us. Those requests are all logged, correlated, and monitored 24/7/365, and any unusual activity would stand out and be investigated. In fact, we have logs enabled at every layer and store those, just for situations where we need to go back and look into an event or incident.
We also follow a strict least privilege model for access and use best practices with multi-factor authentication and password management. Those measures alone will stop a great number of attacks.
Additionally, no VPN to the client is ever simply left open. Our Guaranteed Network Operations Center (GNOC) has very rigid policy, or ways of doing things, to the point that scripts are analyzed and evaluated any time something as simple as a file name change occurs. This can be sign of a threat actor, so it would be investigated. At this initial layer of monitoring, we would be alerted, as well, to something like files that are being encrypted, as happens in malware or ransomware such as crypto-locker.
So what does this look like in real life, when an actual threat presents itself? Gieson detailed an instance where, a few years ago, Crypto Locker was found on a particular network and began attempting to encrypt files. Incidents such as these, where an attacker can’t get to customers through our channels, but finds another way in–perhaps through social engineering, malicious attachments, or some other means, are still going to be flagged in our GNOC (Guaranteed Network Operations Center, home of our managed IT services) monitoring. In the case Heath described, a file name change was noticed. Upon investigation, it was found to be encrypted, with another file being altered at the same time. Immediately, the event was escalated, our team shut the network down completely on the system that was compromised, and TRUE’s NOC Director Tim Meuter initiated TRUE’s Guaranteed Networks Restore system, a disaster recovery oriented backup service, restoring the affected files. Immediately everything was returned to the last known good state. The event was caught, escalated, and remediated completely in just under half an hour. In fact, it was all back up and running again before end users even realized anything had happened.
Additional Layers of Security Monitoring
Beyond the GNOC and GN Restore layer, TRUE also offers SIEM (Security Incident and Event Management), Managed SIEM, Network System Monitoring, and Incident Response through our TRUE Labs Security Operations Center (SOC). All of these safeguards are deployed on the TRUE service delivery system and adds even more powerful monitoring tools, threat detection, event correlation, and an additional layer of trained security analysts. The way we have designed our platform allows us to filter alerts, capture and inspect data packets, then escalate only what needs attention for the client’s immediate attention, still allowing them visibility into those alerts at any time through our proprietary TRUE Labs portal. Further, our analysts walk those clients through each step of remediation necessary. Combined with secure network design and management, that means we have the ability to protect our clients at every layer, through our own best practices and secure network design, as well as through monitoring services that ensure eyes are on our customers’ networks at all times, working hand-in-hand with their staff.
If you’d like to talk with someone about challenges you may be facing in your own network or security program, please reach out to us at firstname.lastname@example.org.