CISA Releases Advisory on Intensifying Cyber Threats Targeting MSPs

On May 11,  the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the United Kingdom’s National Cyber Security Centre (NCSC-UK), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) announced via a press release that it released an advisory regarding cybersecurity best practices for information and communications technology (ICT), concentrating on clear discussions between managed service providers (MSPs) and their customers on securing sensitive data.

The agencies expect state-sponsored advanced persistent threat (APT) groups and other bad actors to intensify targeting MSPs against both provider and customer networks.

The release states that “The advisory provides several actions that organizations can take to reduce their risk of becoming a victim to malicious cyber activity. Additionally, MSP customers should ensure their contractual arrangements specify that their MSP implements the measures and controls in this advisory, such as:

• Prevent initial compromise by implementing mitigation resources to protect initial compromise attack methods from vulnerable devices, internet-facing services, brute force and password spraying, and phishing. 
• Enable monitoring and logging, including storage of most important logs for at least six months, and implement endpoint detection and network defense monitoring capabilities in addition to using application allowlisting/denylisting. 
• Secure remote access applications and enforce multifactor authentication (MFA) where possible to harden the infrastructure that enables access to networks and systems.
• Develop and exercise incident response and recovery plans, which should include roles and responsibilities for all organizational stakeholders, including executives, technical leads, and procurement officers.
• Understand and proactively manage supply chain risk across security, legal, and procurement groups, using risk assessments to identify and prioritize the allocation of resources.”

Jen Easterly, CISA Director, was quoted in the release saying that “As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support—why it’s critical that MSPs and their customers take action to protect their networks. Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

The full advisory can be accessed here.