H-ISAC TLP White Threat: Joint Cybersecurity Advisory – Protecting Against Cyber Threats to Managed Service Providers

H-ISAC TLP White Threat Bulletin: Joint Cybersecurity Advisory – Protecting Against Cyber Threats to Managed Service Providers and their Customers

May 11, 2022

On May 11, 2022, the cybersecurity authorities of the United Kingdom, Australia, Canada, New Zealand, and the United States released a joint Cybersecurity Advisory (CSA) (AA22-131A) to provide guidance on how to protect against malicious cyber activity targeting managed service providers (MSPs) and their customers. The report was created in response to an observed increase in malicious activity against MSPs and their customers, which is expected to continue.

The advisory provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber attack including. Additionally, the advisory shares cybersecurity best practices for information and communications technology (ICT) services and functions, to include guidance that allows transparency between MSPs and their customers to secure sensitive data.

All members are encouraged to review AA22-131A: Protecting Against Cyber Threats to Managed Service Providers and their Customers.

The joint Cybersecurity Advisory (CSA) identifies MSPs as entities that deliver, operate, or manage ICT services and functions for their customers via a contractual arrangement, such as a service level agreement (SLA). In addition to offering their own services, an MSP may offer services in conjunction with those of other providers. Offerings may include platform, software, and IT infrastructure services; business process and support functions; and cybersecurity services. MSPs typically manage these services and functions in their customer's network environment either on the customer's premises or hosted in the MSP's data center.

MSPs provide services that usually require both trusted network connectivity and privileged access to and from customer systems. Many organizations, ranging from large critical infrastructure organizations to small- and mid-sized businesses, use MSPs to manage ICT systems, store data, or support sensitive processes. Many organizations make use of MSPs to scale and support network environments and processes without expanding their internal staff or having to develop the capabilities internally.

Threat Actors Targeting MSP Access to Customer Networks:

Whether the customer's network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects. The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities expect malicious cyber actors, including state-sponsored advanced persistent threat (APT) groups, to increase activities targeting MSPs in their efforts to exploit provider-customer network trust relationships. For example, threat actors successfully compromising an MSP could enable follow-on activity, such as ransomware and cyber espionage against the MSP as well as across the MSP's customer base.

The UK, Australian, Canadian, New Zealand, and U.S. cybersecurity authorities have previously issued general guidance for MSPs and their customers. This advisory provides specific guidance to enable transparent, well-informed discussions between MSPs and their customers that center on securing sensitive information and data. These discussions should result in a re-evaluation of security processes and contractual commitments to accommodate customer risk tolerance. A shared commitment to security will reduce risk for both MSPs and their customers, as well as the global ICT community.

View the detailed report below. 

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272