Five Eyes leaders issue guidance for MSPs to prevent second SolarWinds attack
The joint advisory published today said MSPs and customers need to be more vigilant in the wake of Russia's invasion of Ukraine


A joint advisory issued by members of the Five Eyes international alliance has set out the latest practical cyber security recommendations for managed service providers (MSPs) to ensure supply chains remain secure.
Citing the high-profile supply chain attack on SolarWinds in 2020, leaders from the UK’s National Cyber Security Centre (NCSC) and equivalent organisations from the US, Australia, Canada, and New Zealand said the advice applies to MSPs especially now Russia has invaded Ukraine.
The advisory’s release coincides with the second and final day of the NCSC’s annual CYBERUK conference, during which, on Tuesday, the alliance officially attributed cyber attacks on Ukraine earlier this year to Russia.
Microsoft previously claimed the Russian-linked attack on SolarWinds was the most sophisticated cyber attack in history, executed by more than 1,000 engineers.
The message from Five Eyes’ cyber security officials is that the attack complexity shouldn’t be the focal point. Instead, MSPs should consider the overall impact of the attack which targeted up to 18,000 corporate and governmental networks, although SolarWinds said the number of impacted organisations was closer to 100.
“Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk,” said Lindy Cameron, CEO, NCSC.
“Supply chain vulnerabilities are amongst the most significant cyber threats facing organisations today,” said Lisa Fong, director at New Zealand’s NCSC.
“Organisations need to ensure they are implementing effective controls to mitigate the risk of cyber security vulnerabilities being introduced to their systems via technology suppliers such as managed service providers. They also need to be prepared to effectively respond to when issues arise.”
Security leaders’ recommendations
Prevent initial compromise
Securing against common cyber attacks is an important first step in preventing supply chain attacks, and the alliance pointed to resources on how to secure against some of the most common and dangerous of them.
- Improve vulnerable device security
- Secure internet-facing devices
- Defend against brute force attacks and password spraying
- Prevent phishing
Enable or improve existing logging capabilities
Cyber security professionals have espoused the benefits of keeping comprehensive logs for years and the same advice applies today. The five security agencies said it can be months before a cyber attack or intrusion is detected so the recommendation is to store their most important logs for at least six months.
MSPs are advised to log the delivery infrastructure activities used to provide services to their customers and also log both internal and customer network activity, as contractually agreed upon.
Customers are also encouraged to enable monitoring and logging and should ensure their contract with their MSP mandates it to implement a logging plan and provide visibility into the customer’s network.
Mandatory MFA
Multi-factor authentication (MFA) is considered one of the measures organisations can easily take to drastically improve their cyber security posture and secure remote access to critical systems or infrastructure.
MSPs are advised to recommend the adoption of MFA across all customer services and products, while customers should ensure their MSP contracts mandate MFA across all products and services they receive.
Manage internal architecture risks and segregate internal networks
Where possible, MSPs should ensure they have critical business systems isolated on their networks and verify all connections between internal systems, customer systems, and other networks to limit the impact of a single-vector attack, the advisory said.
Customers are also advised to review and verify network connections, making sure to use a dedicated VPN to connect to the MSP’s infrastructure. They should also ensure networks used for trust relationships between them and the MSP are segregated and that the contractual agreement forbids MSPs’ reuse of credentials.
Assign the lowest level of privileges possible
Organisations should ensure that internal and external users receive the correct user privileges and not allow undue access to users who do not need it - the alliance calls this applying the principle of least privilege.
Proactively manage obsolete accounts and infrastructure
MSPs and customers should periodically review their registered user accounts and network infrastructure to remove or deprecate any unused user accounts or disable any unused network systems and services.
Apply updates
Another cyber security rule that is repeatedly reiterated to organisations is to stay on top of their patch and vulnerability management strategies, ensuring all software is secure against the latest attack methods.
Customers are advised to enquire about their MSP’s patching policies and request that updates are applied promptly.
Effective backup strategies
Ransomware victims are often criticised for not having comprehensive backup plans, which then increases the likelihood of paying a ransom, against industry advice.
These backups should be updated regularly and isolated away from the network connections that could be used to spread ransomware throughout an organisation.
Develop incident response and recovery plans
Every individual in an organisation that could feasibly be required to assist in disaster recovery after a cyber attack should be fully aware of their role and responsibilities should an attack strike.
These plans should exist as both digital and physical copies in case staff lose access to systems, and the digital versions should ideally be kept isolated so potential attackers can’t study them to inform their attacks.
These plans should also be exercised regularly, ensuring all the people involved in the recovery strategy are fully trained in how to respond appropriately.
Understand and manage the supply chain risk
MSPs are advised to be fully aware of their own supply chain risk, and use risk assessments across security, legal, and procurement to prioritise the allocation of resources. Customers should also be aware of their MSP’s risk, including the risk associated with third-party vendors and subcontractors.
Transparent contracts
During the contract negotiation phase, MSPs need to be clear about what service they will be providing to the customer. The customer should also be fully aware of the service they are expected to receive and clarify any misunderstandings or queries before signing.
Account authentication and authorisation
The level of access an MSP is afforded should be clearly defined and restricted where appropriate. Customers should ensure MSP accounts are not added to any company administrator groups and restrict their accounts only to services managed by the MSP. MSPs should ensure that the customer has made these checks.
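The account checks recommended above (MFA across all services, removing unused accounts, and keeping MSP accounts out of administrator groups and limited to MSP-managed services) can be run against a directory export. The following is an added example, not part of the advisory or the original article; the record fields, group names, managed-service list and 90-day staleness threshold are all assumptions, and the sample accounts are constructed.

```python
from datetime import date

# Constructed sample export; the field names are assumptions for this example.
ACCOUNTS = [
    {"name": "msp-svc-backup", "owner": "msp", "groups": ["Backup Operators"],
     "services": ["backup"], "mfa": True, "last_login": date(2022, 5, 2)},
    {"name": "msp-admin-01", "owner": "msp", "groups": ["Domain Admins"],
     "services": ["backup", "hr-db"], "mfa": False,
     "last_login": date(2022, 4, 28)},
    {"name": "j.doe", "owner": "internal", "groups": ["Staff"],
     "services": ["email"], "mfa": True, "last_login": date(2021, 11, 3)},
]

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed
MSP_MANAGED_SERVICES = {"backup", "monitoring"}  # assumed: taken from the contract
STALE_AFTER_DAYS = 90  # assumed threshold; the article gives no number


def audit(accounts, today):
    """Return a sorted list of (account, finding) pairs."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        # MFA should be enabled for every account, internal or MSP.
        if not acct["mfa"]:
            findings.append((name, "MFA not enabled"))
        # Accounts with no recent login are candidates for removal.
        if (today - acct["last_login"]).days > STALE_AFTER_DAYS:
            findings.append((name, "unused account: review for removal"))
        if acct["owner"] == "msp":
            # MSP accounts must not sit in company administrator groups.
            for group in sorted(ADMIN_GROUPS.intersection(acct["groups"])):
                findings.append((name, f"MSP account in admin group: {group}"))
            # MSP accounts should reach only the services the MSP manages.
            for svc in sorted(set(acct["services"]) - MSP_MANAGED_SERVICES):
                findings.append((name, f"MSP access outside managed scope: {svc}"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(ACCOUNTS, today=date(2022, 5, 11)):
        print(f"{name}: {finding}")
```
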

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.