The compromise of several Managed Service Providers (MSPs) was reported in 2017. In response, the Australian Cyber Security Centre (ACSC) provided organisations with the information they needed to protect themselves and others from this threat.
In 2018, adversaries continued to target and compromise MSPs and, through them, their customers. The ACSC reiterates the need for organisations to scrutinise the cyber security measures implemented in contracted ICT solutions to combat the threat.
Managed Service Providers and the ACSC
To provide a level of confidence and improve the standard of cyber security of MSPs, the ACSC has developed an MSP Partnership Program. MSPs are encouraged to participate in the program and provide feedback. Likewise, prospective MSP customers are encouraged to consider their potential providers’ participation in this program as a factor in their procurement process.
This document shows organisations the actions they can take to manage the security risks posed by engaging and authorising network access to MSPs. Many of the following recommendations apply to any outsourced ICT service provider, not just MSPs.
The number and type of controls used with an MSP will vary depending on the sensitivity of your systems. The ACSC recommends the following strategies to reduce the risk of compromise via MSPs.
Make sure your own network is secure
Implement a cyber security standard, such as the ACSC Essential Eight developed by the Australian Signals Directorate; a prioritised list of strategies to mitigate Cyber Security incidents. 7 These strategies are effective in defending against malicious activity such as preventing the execution of malware and reducing the vulnerability surface of an organisation.
Get security in the contract
Security may not be a primary consideration when outsourcing the management of a system; however, the cost of remediation after a compromise far exceeds the cost of upfront implementation.
Clearly state cyber security expectations upfront. Ask candidate MSPs to provide evidence of their ability to meet your security requirements while administering your network. During negotiations you may ask a candidate MSP to walk through how they administer a customer’s network.
During negotiations, ask the MSP for contact information for other clients. You should be able to have an open conversation about another customer’s experience of the MSP’s ability to protect customer systems.
Ensure your contract requires your MSP to maintain a good internal security culture, and to implement cyber security guidance such as the ACSC's Essential Eight.
Include cyber security incident notification clauses in your contract with your MSP. The MSP must be obligated to notify the customer in the event of any cyber security incident that may endanger the customer network. This may include cases in which MSP systems related to the administration, management or storage of information on the customer network have been compromised or accessed by an unauthorised and/or unknown party.
Define the security clearances expected of MSP staff working on your systems and ensure that this is provided to you for validation. There is additional risk from insider threats if the MSP engages staff outside your normal security clearance and background checking procedures.
Control MSP access to your network
To perform their contracted duties, a MSP must administer either a system on your network or your entire network. Without proper controls, this high level of privileged access, combined with the unknown security posture of a network that you do not control, can leave your network vulnerable to intrusion.
Know where the boundaries are between you and your MSP. Ensure that your organisation clearly identifies which systems each MSP can access and how, and keep the record up to date. These accesses should be treated as untrusted for anything outside the scope of the MSP’s responsibility. For example, a connection from an MSP into a specific customer system should be treated as an untrusted access with regards to other systems on your network.
Segment your network from the MSP’s. This will limit an adversary’s ability to move laterally from a compromised MSP network into the customer network. The ACSC has observed adversaries using compromised MSP workstations to move laterally to customer domain controllers located in foreign countries, increasing access to the victim’s network. Examples of segmentation include:
- Where an MSP administers an entire network, the customer may stipulate that the MSP network not be used to administer a customer’s systems. Instead, MSP staff administer the customer’s network from a system within the customer’s network.
- Consider segmenting your network into trust zones .
Utilise a secure jump host for MSPs to perform administrative tasks. If a MSP must access your network from theirs, or remotely, specify a dedicated workstation on which MSP administrative staff should perform sensitive administration duties, with restricted access to critical servers. Combine this with multi-factor authentication to limit an adversary’s ability to compromise critical assets .
Mitigate the impact of stolen or abused credentials
Credential management is part of controlling and restricting MSP access to your network. As a key exploitation vector, credentials require special protection. Typically, when an adversary has full access to your MSP they will have access to all the credentials on their network. This not only includes corporate credentials of the MSP but also credentials for their client’s devices and systems managed by the MSP, if they are stored on the MSP system.
Implement least-privilege administration to decrease the impact of adversaries gaining MSP-level access to customer networks. Provide the MSP with the least privileged account(s) required to do their job .
Strongly control enterprise and domain administrator accounts. Enterprise and domain administrator accounts should have no members by default. Utilise just-in-time principles for privileged accounts like the domain administrator. Use a manual process or privileged access management software to add named accounts to the domain administration role, for a limited duration.
Provide attributable accounts. Accounts should be attributable to the MSP to enable easy identification of MSP activity in privilege allocation and logs. The ACSC has observed adversaries using legitimate support accounts provisioned by MSPs to deploy malware to customer networks; rapid attribution of such activity would assist the customer to work with their MSP to remediate compromises of their network.
Enable multi-factor authentication on remotely accessible services used by your MSP to access your network and systems. This will ensure that, even if an adversary has compromised credentials of MSP accounts, they remain incapable of logging on without a second factor such as a token. Adversaries have used Remote Desktop Protocol directly from a MSP network to deploy malware to servers anywhere in an administered network; multi-factor authentication can prevent an adversary from obtaining unauthorised access. Also consider blocking MSP access by default and allowing remote access at an agreed time. Correlate this access with a specific job ticket .
Ensure visibility of MSP actions on your network
Capture relevant logging to improve visibility of potentially malicious activity. Logs should be stored in a centralised location. A security administrator or independent party without access rights/accounts should regularly review logs for suspicious activity in the reviewed systems. Also consider including a contract requirement for your MSP to perform logging of hosts and networks used to remotely connect to the customer environment. Relevant logging includes:
- host-based event logs to provide visibility of malicious activity on workstations and servers 
- firewall and proxy logs to provide visibility of network connections associated with adversaries
- remote access logs to help identify unusual network access from accounts used by MSPs.
MSPs should be responsible for reviewing their logs to ensure their access to the customer network aligns with an actual business requirement and/or job ticket. Further, the MSP should be obligated to provide detailed logs if the customer has security concerns they wish to investigate further.
The recommended event log retention time is at least 18 months; however, some organisations may have a regulatory requirement to retain event logs for a longer period.
Maintaining default sizes of event logs may cause older logs that contained key data to be overwritten prior to commencing an investigation; it is therefore advised that organisations increase the default sizes or forward logs to a central location for storage.
Plan for a cyber security incident
Have a practical incident response plan
If you detect a cyber security incident, or have been notified by your MSP of a possible cyber security incident, ensure you get as much detail as possible. Look for indications of what level of access enabled the cyber security incident to occur. A web-facing scan of services is very different to an external system logon, or internal lateral movement. Information to request includes:
- What sort of cyber security incident is it?
- What specific data and systems are known to be affected?
- What was the indication that there was a cyber security incident?
- Date and time of the cyber security incident?
- Is the cyber security incident ongoing?
- What actions is the MSP taking to investigate and remediate?
- Has this cyber security incident been reported anywhere?
Have a communications strategy
Communicate securely. If the compromise involved your corporate network, you may no longer be able to trust corporate communications. Ensure you have alternate secure communication channels internally and with your MSP. Keep records of any engagement with the MSP for future reference.
Report to the relevant authorities. Firstly, ensure that the appropriate person(s) within your organisation have been notified. If personal information has been lost or compromised, you may be legally required to report the cyber security incident to the Office of the Information Commissioner. You should also report the cyber security incident to the ACSC for advice and assistance on how to remediate your network.
The Australian Government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations’ systems. It can be found at https://www.cyber.gov.au/acsc/view-all-content/ism.
The Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM. The complete list of strategies can be found at https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents.
ACSC has developed a set of questions that customers can ask MSPs prior to engaging their services. The Questions to Ask Managed Service Providers publication can be found at https://www.cyber.gov.au/acsc/view-all-content/publications/questions-ask-managed-service-providers.
For services outsourced to a cloud service provider, see the ACSC's Cloud Computing Security Considerations publication at https://www.cyber.gov.au/acsc/view-all-content/publications/cloud-computing-security-considerations.
The United States Computer Emergency Response Team (US CERT) has also produced guidance on mitigating the risks of engaging with MSPs. The full document can be found at https://www.us-cert.gov/ncas/alerts/TA18-276B.
If you have any questions regarding this guidance you can contact us via 1300 CYBER1 (1300 292 371) or https://www.cyber.gov.au/acsc/contact.