With various types of attacks utilising managed service providers to gain access to multiple targets, it's important to ask how those service providers can help improve security for enterprise environments. Although taking measures in this area requires a lot of effort, the recent increase in attack severity and breadth suggests that such efforts are timely and worthwhile.
Cyber-attacks are increasing in severity. Cybercriminals now use the supply chain, management systems, or managed service providers to gain entry to insecure systems. Each attack can have multiple objectives depending on the threat actor, sponsoring nation, or even the target. The culture of threat actors affects the objectives and tactics, including the patience level of threat actors or the sponsoring nation. The cybercriminal may use the supply chain to target an individual organisation.
However, we’ve recently seen several broad attacks utilise a management system or managed service provider to gain access to multiple targets, such as SolarWinds and Kaseya. The attacks in the initial phases require organisations to rebuild systems and infrastructure, causing financial loss. But they may not be aware of any long-term objectives of the threat actors. The SolarWinds attack exfiltrated data from multiple organisations. It is unknown how that data might be used; therefore, there may be a long tail on some attacks.
My APNIC 52 keynote, The Role of Service Providers in Transforming Security, describes the current threat landscape and current trends in greater detail, which support the push for built-in security. I’ve spoken about how to improve enterprise security in the past, but what about managed service providers and their ability to impact enterprise environments? In particular, how can various types of service providers impact security for organisations that lack resources? Specifically, how can they help protect State, Local, Tribal, and Territorial (SLTT) networks or small businesses?
The Center for Internet Security and the CIS Mission
I joined the Center for Internet Security (CIS) almost a year ago, inspired by the mission and excited to work with colleagues aligned to the same inspiring goals.
The CIS Mission
Our mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.
For CIS, the mission is put into action in many ways, including providing best practice guidance in trusted materials, backed by a well-vetted process called the Community Defense Model. The best practice guidance includes the CIS Critical Security Controls and CIS Benchmarks to secure infrastructure, while prioritising safeguards to address the most common threats. CIS also works directly with the SLTT members, providing operational security management and assistance through the Multi-State Information Sharing and Analysis Center (MS-ISAC). Additionally, CIS partners with numerous hosted providers and traditional infrastructure companies to validate platforms using CIS Benchmarks or offering CIS Hardened Images (pre-hardened VMs in the public cloud). These platforms benefit organisations without the resources to secure their infrastructure themselves.
How Managed Service Providers Can Improve Security
Managed service providers of all types play a role in securing infrastructure for the Internet and hosted applications. The Internet Society’s Mutually Agreed Norms for Routing Security (MANRS) is an excellent example of an effort taken at the Internet service provider level that impacts businesses of all sizes and resources. MANRS offers protection against spoofing through an allow-listing approach: each provider only accepts traffic whose source addresses belong to the prefixes legitimately reachable through that customer connection, providing network-based anti-spoofing filters.
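The two MANRS measures mentioned in this post, anti-spoofing (BCP38 ingress filtering) and RPKI, both reduce to a lookup against an allow-list. The following is an added illustration, not code from the post, MANRS, or CIS: it models an ingress filter that drops packets whose source address is not in the prefixes assigned behind a customer interface, and an RFC 6811-style route origin validation against a set of ROAs. All interfaces, prefixes, ASNs and ROAs are constructed for the example.

```python
"""BCP38 ingress filtering and RPKI route-origin validation, illustrated.

Constructed example: interface names, prefixes, ASNs and ROAs are made up.
"""
import ipaddress

# Constructed: prefixes legitimately reachable through each customer-facing interface.
INGRESS_ALLOWLIST = {
    "cust-eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-eth2": [
        ipaddress.ip_network("198.51.100.0/25"),
        ipaddress.ip_network("2001:db8:10::/48"),
    ],
}


def bcp38_permit(interface: str, src: str) -> bool:
    """Return True if a packet with source address `src` may enter on `interface`.

    BCP38: accept only packets whose source belongs to the prefixes assigned to
    the customer behind that interface. Anything else is spoofed or misrouted
    and is dropped. An unknown interface has no allow-list, so nothing passes.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INGRESS_ALLOWLIST.get(interface, []))


# Constructed ROAs: (authorised prefix, maxLength, origin ASN).
ROAS = [
    (ipaddress.ip_network("203.0.113.0/24"), 24, 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 25, 64501),
]


def rpki_validate(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """Route origin validation (RFC 6811): 'valid', 'invalid' or 'not-found'.

    A route is 'valid' if some covering ROA names its origin ASN and the
    announced prefix length does not exceed that ROA's maxLength. If ROAs
    cover the prefix but none matches, the route is 'invalid'. With no
    covering ROA at all, the state is 'not-found' (no RPKI data either way).
    """
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.version == r[0].version and net.subnet_of(r[0])]
    if not covering:
        return "not-found"
    for _roa_net, max_len, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    return "invalid"


if __name__ == "__main__":
    print("cust-eth1 from 203.0.113.7:", bcp38_permit("cust-eth1", "203.0.113.7"))
    print("cust-eth1 from 198.51.100.5:", bcp38_permit("cust-eth1", "198.51.100.5"))
    print("203.0.113.0/25 from AS64500:", rpki_validate("203.0.113.0/25", 64500))
```

The maxLength check matters: a ROA for 203.0.113.0/24 with maxLength 24 does not authorise a more specific /25 from the same ASN, which is how ROV blocks a more-specific hijack even when the origin ASN is correct.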
What other efforts could each type of managed service provider employ to provide attack prevention measures that would universally aid businesses of all sizes given the evolving threat landscape?
Internet Service Providers
- MANRS – If you are not participating yet, please consider this as a basic measure to prevent spoofing attacks, improve coordination between managed service providers, and increase adoption of Resource Public Key Infrastructure (RPKI).
- Consider supporting additional protections to assist with threats such as phishing or business email compromise (BEC) attacks:
  - DomainKeys Identified Mail (DKIM) signatures on outbound mail, by offering configuration assistance to supported organisations. DKIM provides authentication on outbound messages to ensure a listed domain sent the email and the email was not altered in transit, through the use of a digital signature applied at the outgoing mail server.
  - Offer Sender Policy Framework (SPF) configuration and support to all customers to provide further assurance on outbound mail. SPF establishes the set of servers allowed to send email for a particular domain through Domain Name Service (DNS) records. The server list is then used to validate the sending mail server as authorised.
  - Improve the feedback to customers who implemented DKIM and SPF to refine configurations and improve the efficacy of these protocols. Domain-based Message Authentication, Reporting & Conformance (DMARC) support builds upon DKIM and SPF, further improving the validation process for email and reducing fraud. The Global Cyber Alliance is a rich source of guidance to aid in DMARC, DKIM, and SPF implementations.
- DNSSEC configuration, deployment, and verification support, or making this standard within service provider offerings.
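The SPF and DMARC items above (and the email protection items later in the post) describe mechanisms a receiving mail server evaluates from DNS TXT records. The example below is added here and is not code from the post, CIS, or the Global Cyber Alliance: it evaluates a sender IP against an SPF record (including the `include:` mechanism and qualifiers), then applies a DMARC record's alignment rules and policy. The domains and records are constructed, and the organisational-domain logic is simplified (a real implementation consults the Public Suffix List). DKIM signature verification itself is assumed to have been done elsewhere and is passed in as a result plus signing domain.

```python
"""SPF evaluation and DMARC alignment against a constructed DNS zone."""
import ipaddress

# Constructed DNS TXT records; example.org stands in for a customer's domain.
DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:20::/48 -all",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org; aspf=r; adkim=s",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name: str):
    """Stand-in for a DNS TXT query."""
    return DNS_TXT.get(name.lower())


def spf_check(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for `sender_ip` (subset of RFC 7208).

    Supports ip4, ip6, include and all mechanisms with +, -, ~, ? qualifiers.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms; stop runaway includes
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            # include: matches only if the referenced domain's record yields 'pass'
            matched = spf_check(arg, sender_ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def org_domain(domain: str) -> str:
    """Simplified organisational domain (last two labels); real code uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply DMARC: pass if SPF or DKIM passed *and* its domain aligns with the
    RFC5322.From domain. Returns (result, policy) where policy is the p= tag.
    """
    record = lookup_txt("_dmarc." + from_domain)
    if not record:
        return ("none", None)
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

    def aligned(domain, mode):
        if domain is None:
            return False
        if mode == "s":  # strict: exact match
            return domain.lower() == from_domain.lower()
        return org_domain(domain) == org_domain(from_domain)  # relaxed

    spf_ok = spf_result == "pass" and aligned(spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r"))
    return ("pass" if spf_ok or dkim_ok else "fail", tags.get("p", "none"))


if __name__ == "__main__":
    result = spf_check("example.org", "192.0.2.1")
    print("SPF for 192.0.2.1:", result)
    print("DMARC:", dmarc_evaluate("example.org", result, "example.org", "none", None))
```

Note how the constructed record uses relaxed SPF alignment (`aspf=r`) but strict DKIM alignment (`adkim=s`): mail signed by `mail.example.org` fails DMARC even with a valid DKIM signature, which is exactly the kind of configuration detail that DMARC aggregate reports (`rua=`) surface back to the customer.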
Infrastructure as a Service (IaaS) and Application Service Providers
Two additional types of managed service providers are infrastructure as a service (IaaS) and application service providers. Below are a few recommendations to improve security in these environments.
- Provide assurance on system boot for firmware and BIOS adhering to NIST Special Publication 800-193, using attestation and, if applicable, Trusted Computing Group (TCG) Reference Integrity Measurements.
- Adherence to security policies established to meet the needs of the supported organisations (e.g. ISO 27001/2). Implementations may be prioritised by current threats using the CIS Controls.
- Hardened operating systems, containers, applications, and devices according to agreed-upon security guidance. You can achieve this by manually applying one of the more than 100 CIS Benchmarks and DISA STIGs. For virtual machine images in the public cloud, you can utilise CIS Hardened Images built to CIS Benchmark standards.
- CIS can verify environments that meet CIS Controls and Benchmarks in order to sell services with this assurance. Non-commercial use of these standards and guidance is free.
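The first recommendation above, boot assurance through attestation against reference integrity measurements, is easier to reason about with the mechanics in front of you. The following is an added illustration, not code from the post, CIS, NIST or the TCG: it simulates a TPM-style PCR extend chain over a measured boot sequence, builds a reference (the expected per-component digests and final PCR value), and shows how a verifier replays an event log to check it against a quoted PCR and against the reference. The component images are constructed stand-ins, and the quote is assumed to have already been authenticated (a real quote is signed by the TPM's attestation key).

```python
"""Simulated measured boot: PCR extend chain checked against reference measurements.

Constructed example; component blobs are stand-ins for real firmware images.
"""
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR starts at all zeros at power-on


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR = SHA-256(PCR || digest).

    One-way and order-sensitive: the same components in a different order, or
    any altered component, yield a different final value.
    """
    return hashlib.sha256(pcr + digest).digest()


def measure(component: bytes) -> bytes:
    """Digest of a boot component (what the previous stage records before running it)."""
    return hashlib.sha256(component).digest()


def replay(event_log):
    """Recompute the PCR value implied by an ordered list of event digests."""
    pcr = PCR_INIT
    for digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr


# Constructed golden boot chain (firmware -> bootloader -> kernel).
GOLDEN_COMPONENTS = [b"fw-main-v1.2", b"bootloader-v3", b"kernel-5.x"]


def build_reference(components):
    """Reference Integrity Measurements: expected per-stage digests and final PCR."""
    digests = [measure(c) for c in components]
    return {"digests": digests, "expected_pcr": replay(digests)}


def boot(components):
    """Device side: measure each stage into the PCR and keep an event log.

    Returns (event_log, quoted_pcr); the quote is assumed already authenticated.
    """
    event_log = [measure(c) for c in components]
    return event_log, replay(event_log)


def attest(event_log, quoted_pcr, reference):
    """Verifier side. Returns (ok, reason).

    Step 1: the log must reproduce the quoted PCR, otherwise the log (which is
    ordinary, unprotected data) has been altered or truncated.
    Step 2: every logged digest must match the reference for that stage.
    """
    if replay(event_log) != quoted_pcr:
        return False, "event log does not reproduce quoted PCR"
    if len(event_log) != len(reference["digests"]):
        return False, "boot chain length differs from reference"
    for index, (seen, expected) in enumerate(zip(event_log, reference["digests"])):
        if seen != expected:
            return False, f"component {index} differs from reference"
    return True, "platform matches reference"


if __name__ == "__main__":
    ref = build_reference(GOLDEN_COMPONENTS)
    print(attest(*boot(GOLDEN_COMPONENTS), ref))
    modified = [b"fw-main-v1.2", b"bootloader-v3-tampered", b"kernel-5.x"]
    print(attest(*boot(modified), ref))
```

The two-step check is the point: an attacker who changes a boot component cannot also fix up the log to look clean, because the quoted PCR (which only the TPM can produce) no longer matches the original log, and a log edited to match the quote no longer matches the reference.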
Three Ways to Outsource Security Services
- DNS filtering services to prevent access to known malicious sites.
- Take-down coordination improvement among providers to eliminate malicious content and domains.
- Email protection services:
  - Increased adoption and support of DKIM, making this as standard as BCP38 filtering.
  - Increased support for DMARC and SPF through service offerings or national-led efforts.
  - Supported services for email screening (e.g. malicious content and domains) for organisations with limited resources.
Questions for Service Providers
- Are there other relay-based services or Internet-level protocols that could provide additional protection at scale to better assist organisations with limited resources?
- How can you support these or other security improvements?
- Can we raise the baseline level of service to one that provides basic cyber hygiene and assurance on connections, e.g., authenticated email via DKIM signatures, authenticated and encrypted sessions in line with zero trust tenets?
- Are there additional opportunities to build in security, or to offer security with a supporting architecture that scales? The recommendations in this blog may not be complete, but are meant to inspire innovation and to raise the baseline of security.
As organisations embrace transport encryption, they will lose visibility they are accustomed to having on the wire within their networks. Security is shifting to the endpoint as a result of the push for strong and ubiquitous encryption. Network managers will struggle with this shift unless they have support to gain some level of network visibility back. This may be possible within data centers using routing overlay protocols such as GENEVE or upgrading to IPv6. IPv6 provides better end-to-end capabilities as routing overlay protocols terminate at the network administrative boundary. Can service providers play a role to assist with a transition to IPv6 in order to support organisations who are considering use of increased transport encryption?
Summary: MSP Security Improvements Worth the Effort
Seemingly simple measures such as adherence to BCP38, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, took considerable effort. While similar efforts may also take considerable effort, the increase in attack severity and breadth indicates these efforts are timely and worthwhile. Working together to raise the baseline level of services to include built-in and verified security will increase the level of difficulty for attackers by substantially reducing the attack surface for organisations of all sizes. This blog and the APNIC 52 keynote are not intended to provide a step-by-step guide of what to do, but rather to inspire engineers, service providers, and organisations to improve the baseline of services by simplifying and building in security where possible.
This article was originally published as a CTO blog post on the CIS website.