Whether or not additional cyberattacks are coming because of the Russian invasion of Ukraine, it’s imperative that MSPs and other tech businesses act now to effectively mitigate the risks. It is time to harden defenses and put in place viable and tested plans for continued operations and recovery after an attack.
MSPs feel less comfortable now than they did a year ago. According to CompTIA’s State of Cybersecurity 2021 research report, only 69% of individuals felt like the state of cybersecurity was improving in 2021—down from 80% in the 2020 study. If you are an MSP, here are 14 things you must do to safeguard yourself and your clients:
- Maintain Bullet-Proof Documentation. Many cyber incidents are made worse by a lack of accessible, complete and accurate documentation. This is a recipe for additional frustration, delays, and even potential failure to recover. You must have a repository that is NOT susceptible to damage or encryption. Having documentation in backup is not adequate. Even in large enterprise organizations, we very often see challenges with backups: they may be corrupted, deleted or encrypted. Even where they are not, restoration takes time, and in a major cyber event, time is something you simply do not have.
- Update, Test, Repeat. Many of the recent attacks on businesses large and small were the result of poor firewall hygiene and other failed management of the network edge. Harden your network edge. Start by using appropriate devices that are properly configured and always kept up to date. Get tested. Have outside vendors who are not responsible for managing the network test the work of those professionals who are. Regular testing can find mistakes, discover vulnerabilities and even identify attacks that are ongoing.
- Plug Your Holes. Patch or otherwise remediate vulnerable applications of all kinds. Patching an operating system while leaving your internet browser to fend for itself is not a viable vulnerability management plan. Test all of your applications (where possible) for poor configurations and known vulnerabilities.
- Keep Complete, Preserved Logs. When we start a cyber incident project, determining the who, what, where, when and how often proves impossible. Victims or their IT service providers have not captured and preserved logs. Or they did capture them, and the threat actor simply deleted them. Collect adequate logs and export them, as they occur, to a separate system where they cannot be corrupted or deleted by a savvy criminal. This also gives you and your tools some of the data needed to catch threat actors before they burn down the house. It allows us to understand what happened and close the holes used to get in and move around. It also helps us know what did not happen, such as a database with sensitive data being touched.
- Validate Your Mail Tools and Processes. Phishing attacks are still a leading cause of system breaches. Whether it is by dropping malware on your systems or convincing a user to willfully enter their credentials into a fake form or site, phishing is an effective attack method. Get control over your mail systems. Block all POP mail and personal email that is not properly filtered. Get enterprise-class email spam and malware filtering. Leverage DNS and URL reputation services that block known nefarious websites. Block blacklisted websites. Educate users and test them to see if the education is working.
- Watch Your Website Usage. Landing on malware-infected websites can and does infect systems. Besides blocking known high-infection sites such as porn, gambling, hacking, etc., using browser isolation and other download prevention technology can help. Ensuring your own computer is properly patched and that you are not using domain or local admin accounts to surf the web are other critical steps to reducing the chances of an infection.
- Monitor All Endpoints. Get an enterprise endpoint detection and response (EDR) tool, configured and paired with a service that watches for anomalous behaviors and responds to triggered events. Having a good EDR without someone watching is like listening to a recording of a concert. You may hear the music, but you already missed the show.
- Keep Hunting for Threats. Utilize constant threat hunting and vulnerability testing. One-and-done snapshot testing is of little use in today’s world. If you are not constantly looking for misconfigurations, vulnerabilities, and the presence of a threat actor, you will likely only know what happened after the criminal tells you in their ransom note.
- Enhance Password Policies. The number of cases that have been triggered by poorly configured RDP and VDI is somewhat astounding. Be sure you have a qualified professional who understands how to configure them. Limit access attempts. Require password complexity and minimum length. Enforce MFA. Enforce least privilege for services and data available. Patch the server OS and resident applications. Don’t allow local admin. Don’t allow cut and paste functionality from the remote host to the RDP or VDI desktop.
- Maintain MSP Tools. We all know that MSP tools that were vulnerable or, more likely, poorly configured have caused substantial damage. It is critical to ensure that these tools are isolated, only accessible from specified devices, limited to certain professionals, require MFA, and are always maintained at the level needed to prevent known vulnerabilities from being leveraged.
- Keep a Clean Supply Chain. We have seen enough to know that we must vet our supply chains and put compensating controls in place where we can, in order to deal with the unknowns of using any software, hardware or services. It would take an entire book to cover this issue, but it must be mentioned.
- Play Traffic Cop. The days of having always-on unfiltered VPN without MFA, access controls, segmentation and zero trust are over for those who hope to be secure. Stop allowing unrestricted traffic.
- Divide to Conquer. Segment networks and isolate machines, protocols, and processes wherever possible.
- Keep Bad Actors Off Your Stage. Insider protections can also be very effective in limiting what a threat actor can do. By protecting against what an insider might do, you also limit the damage a criminal who gets control of an account can do. Keep in mind, once the threat actor enters the network, they are the insider.
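
For the "Keep Complete, Preserved Logs" item above, one way a separate collector can make deletion or editing of exported logs detectable is to hash-chain each record as it arrives. This is an added example, not part of the original article; the record fields, function names and sample events are constructed for illustration, and it assumes the final chain hash is also noted somewhere the attacker cannot reach.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(store, record):
    """Collector side: link each incoming record to the one before it."""
    prev_hash = store[-1]["hash"] if store else GENESIS
    entry = {"seq": len(store), "record": record,
             "hash": _digest(prev_hash, record)}
    store.append(entry)
    return entry["hash"]

def verify(store, expected_head=None):
    """Return (ok, index_of_first_problem).

    expected_head is the last chain hash as recorded out of the attacker's
    reach; without it, records cut off the end of the log go unnoticed.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(store):
        if entry["seq"] != i or entry["hash"] != _digest(prev_hash, entry["record"]):
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(store)
    return True, None

# Constructed sample events, not taken from any real system.
SAMPLE = [
    {"ts": "2022-03-01T10:00:00Z", "host": "fw01", "msg": "admin login from 10.0.0.5"},
    {"ts": "2022-03-01T10:02:10Z", "host": "dc01", "msg": "new local admin created"},
    {"ts": "2022-03-01T10:03:45Z", "host": "dc01", "msg": "audit log cleared"},
    {"ts": "2022-03-01T10:05:00Z", "host": "fs01", "msg": "mass file rename"},
]

def build_sample():
    """Build the chained store from SAMPLE and return (store, head_hash)."""
    store, head = [], None
    for event in SAMPLE:
        head = append(store, event)
    return store, head
```

A removed or edited record breaks the chain at its position; records trimmed from the end are only caught when the stored head hash is compared.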