How your MSP may be “APT”-ly putting your credentials at risk.
A recent alert issued by the U.S. Computer Emergency Readiness Team (US-CERT) states that the “National Cybersecurity and Communications Integration Center (NCCIC) is aware of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs). Since May 2016, APT actors have used various tactics, techniques, and procedures (TTPs) for the purposes of cyber espionage and intellectual property theft. APT actors have targeted victims in several U.S. critical infrastructure sectors, including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing.”
The alert describes how MSPs provide remote management of customer IT and end-user systems and, by servicing a large number of customers, can achieve significant economies of scale. However, a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk. For example, an APT actor using compromised legitimate MSP credentials (e.g., administration, domain, user) can move bidirectionally between an MSP and its customers’ shared networks. This bidirectional movement between networks allows APT actors to evade detection measures and maintain a presence on victims’ networks.
US-CERT warns that a “successful network intrusion can have severe impacts to the affected organization, particularly if the compromise becomes public. Possible impacts include temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses to restore systems and files, and potential harm to the organization’s reputation.”
In response, US-CERT recommends incident response planning, incident reporting and response measures, and “committing to an effort that secures the endpoint and network infrastructure: prevention is less costly and more effective than reacting after an incident.”
conXted™ ThwartZone™ technology was developed to secure endpoints and prevent attacks such as those carried out by APT actors.
While today’s security paradigm suggests stronger passwords, restricting MSP accounts by time and/or date, account tiering, better logging, and greater operational controls, the simple fact is that network security which relies upon maintaining secret, static credentials will always be vulnerable.
For example, if updating security certificates every year or every six months improves security under current system architectures, imagine a system whose access credentials are updated every day, or every minute.
Based on the premise that every security credential could eventually be compromised, the ThwartZone™ process enables devices to perform machine-to-machine authentication and protect communications with a patented system of dynamically generated, unpredictable, and ever-changing credentials that continually secure computing devices.
ThwartZone™ defeats cyber attacks that leverage weak, stolen or misplaced passwords by rendering credentials obsolete and useless before an attacker has time to use them to gain access to a target system. The ThwartZone™ process generates ephemeral credentials on the fly, in the background, as often as desired — every 30 minutes, every 30 seconds, or every 0.3 seconds — so that even an attacker with perfect credentials is defeated the instant the process updates. The timing of credential generation can be configured and adjusted appropriately for the system as desired.
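To make the rotation argument concrete, here is an added, generic illustration of time-windowed ephemeral credentials. It is not the ThwartZone™ process or conXted code (the page does not describe that system's internals); it assumes a long-lived shared secret on both devices, derives the presented credential as an HMAC-SHA256 over the device identity and the current rotation window, and uses constructed secret, device and timestamp values.

```python
"""Time-windowed ephemeral credentials: a generic illustration, not the
ThwartZone(TM) process, whose internals are not described on the page.

Both parties hold a long-lived shared secret that never crosses the wire.
The credential actually presented is an HMAC over the device identity and
the current rotation window, so it is valid for one window only and a copy
captured by an attacker stops working as soon as the window advances.
"""
import hashlib
import hmac

# Rotation interval; the page describes this as freely configurable.
DEFAULT_WINDOW_SECONDS = 30


def window_index(now: float, window_seconds: int = DEFAULT_WINDOW_SECONDS) -> int:
    """Number of the rotation window that timestamp `now` falls into."""
    return int(now // window_seconds)


def derive_credential(shared_secret: bytes, device_id: str, idx: int) -> str:
    """Derive the credential for window `idx`.

    Deterministic on both sides, so it is never stored or transmitted ahead
    of time; a new value appears automatically each time `idx` advances.
    """
    msg = f"{device_id}|window={idx}".encode()
    return hmac.new(shared_secret, msg, hashlib.sha256).hexdigest()


def verify_credential(
    shared_secret: bytes,
    device_id: str,
    presented: str,
    now: float,
    window_seconds: int = DEFAULT_WINDOW_SECONDS,
    allowed_skew: int = 0,
) -> bool:
    """Accept `presented` only if it matches the current window, or with
    allowed_skew > 0 a neighbouring window to tolerate clock drift."""
    current = window_index(now, window_seconds)
    ok = False
    for idx in range(current - allowed_skew, current + allowed_skew + 1):
        expected = derive_credential(shared_secret, device_id, idx)
        # Constant-time compare, and every candidate is evaluated so the
        # loop's timing does not reveal which window matched.
        ok |= hmac.compare_digest(expected, presented)
    return ok


def replay_scenario(window_seconds: int = DEFAULT_WINDOW_SECONDS) -> tuple:
    """Constructed scenario: a device authenticates legitimately at t=5s; an
    attacker who captured that exact credential replays it at t=8s and at
    t=40s. Returns the verifier's three verdicts in that order."""
    secret = b"constructed-demo-secret-not-a-real-key"  # constructed value
    device = "sensor-17"                                  # constructed value
    legit = derive_credential(secret, device, window_index(5.0, window_seconds))
    return (
        verify_credential(secret, device, legit, now=5.0, window_seconds=window_seconds),
        verify_credential(secret, device, legit, now=8.0, window_seconds=window_seconds),
        verify_credential(secret, device, legit, now=40.0, window_seconds=window_seconds),
    )


if __name__ == "__main__":
    print(replay_scenario())                  # 30 s windows
    print(replay_scenario(window_seconds=1))  # 1 s windows
```

With 30-second windows the captured credential still works at t=8s but is rejected at t=40s; with 1-second windows the replay at t=8s already fails. That is the trade-off the page's "every 30 minutes, every 30 seconds, or every 0.3 seconds" range expresses: rotation bounds how long a stolen credential is useful rather than eliminating replay outright, so the interval should be chosen against how quickly an attacker could reuse a capture. Two deployment points follow from the design: the two clocks must stay within the configured skew, and the derived credential is only as secret as the long-lived root secret it is computed from, so that root key still needs hardware or OS-level protection.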