Guest Column | September 6, 2021

Building A Solid Defense Against Insider Attacks

By Greg Edwards, CryptoStopper

Endpoint Security

MSPs have a problem that not many people talk about in public. Cybersecurity effectiveness relies heavily on the people who access, operate, and support the systems, and no protection measure can completely eliminate human error or employee sabotage. Technology can only go so far, and even MSPs are not safe from this ongoing and constantly increasing vulnerability.

According to a recent industry report, insider incidents affecting businesses are rising, up 47% between 2018 and 2020 (from 3200 to 4716 attacks), and the risks are not likely to subside anytime soon. The human aspect of these threats will never go away. Worse yet, the tactics are constantly shifting, and as soon as security professionals gain the upper hand on one method, several others appear.

Of course, MSPs need to be doubly concerned about the potential damage of these attacks. According to a recent report by the research firm Statista, data exfiltration is the most common type of insider threat, accounting for 62% of incidents by employees and contractors. Privilege misuse was listed in 19% of the cases. Both of those issues should be on the minds of MSPs since most IT shops have access to scores of networks and hundreds of computers. The potential damage of an insider attack to an IT services firm’s finances and reputation is astronomical.

Even with policies and tools to limit access, MSPs hold the “keys to the kingdom” and that privilege and responsibility create new vulnerabilities. While an overwhelming majority of IT professionals will do everything possible to ensure each system is completely secure, worst-case scenarios must always be considered in a zero-trust world.

Not every ransomware attack on MSPs comes through the supply chain. The projected number of providers compromised during the SolarWinds and Kaseya incidents is likely quite small compared to the amount of malware unleashed by company insiders. Again, where there are people, there will be vulnerabilities.    

Mistake or Deliberate?

To stop insider attacks, it helps to understand the drivers behind these attacks. One of an MSP’s key responsibilities is to create a defense that addresses virtually every conceivable situation, so it’s critical to assess not just the systems and solutions but the people and conditions that could compromise the business. That approach must start at home. How safe is your MSP from the most common people-driven issues?

  • Negligence—people often inadvertently provide access to cybercriminals or unauthorized personnel. These incidents are often simple mistakes such as opening a phishing email, clicking on a suspect link, or not signing out of apps or systems in open office areas. Phone scammers have been known to impersonate vendor representatives to get techs to share credentials or other critical information. Solid policies and ongoing training are good ways to minimize these liabilities.
  • Malicious—these are intentional attacks that use legitimate credentials to steal or destroy information. In many cases, insiders sell financial data or credentials to critical business systems, often to cybercriminals. Another scenario may involve a disgruntled or former employee who wants to get revenge by destroying valuable information or causing other types of IT-related chaos. It’s very easy today for tech-savvy workers to download and then unleash ransomware inside their workplace. MSPs need effective processes and policies to limit these malicious attacks, including steps to block employees' credentials immediately after separation (if not before). Limiting access privileges for non-essential systems will minimize a firm’s vulnerabilities. Many MSPs leverage applications with monitoring and alerting capabilities that help management spot these types of suspicious activities, though no system is completely safe from a tech-savvy troublemaker.
  • Moles—these are technically outsider attacks that gain access to privileged networks or systems. The impostor may impersonate an employee or business partner (e.g., vendor representative, internet supplier, peer collaborator) to build trust and look for an opening to ask for credentials or other entry methods. Once a mole gets access to an MSP’s systems, there is no limit to what they may do to the company and its clients.

Defending The Kingdom

Insider attacks on MSPs can have a serious impact on not just their business but on the clients that rely on their services, whose systems and networks may be similarly compromised. That’s why cybersecurity experts recommend implementing a strong multi-layered defense to protect those “keys to the kingdom.”

What does that involve? Here are a few of the many options:

  1. Awareness training. Educating employees on the latest schemes and warning signs is essential, even for those with deep expertise in cybersecurity. There should be no exceptions to the awareness training policy: it applies to owners and managers, as well as all end users on the client side of the business.
  2. Email filtering. A solution that can identify and quarantine outbound messages with suspected spam, malware, or proprietary business information can help prevent insider attacks.
  3. Anti-ransomware tools. Using deception technologies like CryptoStopper to identify, detect, and repel attacks creates the last-chance defense for MSPs and their clients. “Watcher” solutions provide an effective layer of protection when other measures fail.
  4. Encryption. One sure way to prevent employees from accessing, tampering with, or sharing sensitive or valuable files is to encode the information. The harder it is to access and utilize data, especially for unapproved individuals, the greater the protection.
  5. Access controls. Enforcing system restrictions (authorized users only) will help minimize the damage one individual can do on their own. In other words, employees should only be allowed to access the information necessary to perform their work to avoid the misuse or corruption of confidential business data.
  6. User and Entity Behavior Analytics (UEBA). These advanced solutions can detect intricate attacks across an organization involving one or many users, devices, and/or IP addresses. MSPs can use these applications to monitor and identify suspicious activities by employees, including attempts to access restricted files or proprietary information. These systems look for behavioral anomalies and alert managers to limit potential losses from insider attacks.

Implement And Enhance

Cybersecurity is a dynamic practice. There is no such thing as a “foolproof” defense that requires no further development or testing. MSPs need to be continually researching and analyzing solutions and measures to strengthen their protection against all potential attacks, including those from employees and other “insiders.”     

The risks are simply too large to ignore. The financial and reputational damage resulting from an insider-initiated attack could put most MSPs out of business, especially when the incidents are intentional and spread to client environments. No provider can afford that type of liability.

Continual enhancement is a protective measure in itself. That intentional focus on repeatedly improving processes and cybersecurity tools shows that an MSP understands and actively addresses the risks.

While there is no sure way to prevent an insider attack, other than eliminating employees and removing all access to outside entities, providers can limit their exposure. Just as importantly, MSPs must also strengthen their clients' businesses using the same best practices and tools. Those upgrades will provide greater overall protection for the collective IT ecosystem.        

About The Author

Greg Edwards is the CEO at CryptoStopper.