3 Security Lessons Learned From the Kaseya Ransomware Attack

Ransomware attacks targeting the supply chain are increasing in frequency, along with the cost of ransom payments. In the first half of 2021, the average ransomware payment totaled $512,000, a 171% increase from $312,000 in 2020. More so, the amount these attackers request has also increased, with the average ransomware demand in 2021 being $5.3 million, up 518% from the 2020 average of $847,000.

One security incident in particular, the Kaseya ransomware attack, brought attention to a new wave of ransomware attacks specifically targeting managed service providers (MSPs), which often serve as the security lifeline for small to medium-sized businesses. These attacks give cybercriminals access to the MSP provider, the organizations it serves, and many of the organizations' customer networks as well — creating a ripple effect of digital havoc. These attacks are also much harder to prevent, since they often exploit employees at the company who think they're performing everyday tasks like logging in to email. This issue has become more prevalent, especially with the shift to hybrid work. As more and more devices are connected to the cloud, the harder it is to safeguard those endpoints from attackers.

Let's explore how organizations can better prepare themselves and their customers for these attacks in the future, and some of the strategies to identify the threats before they become a widespread issue.

Trust No One: Zero Trust as a Prevention Mechanism
With the Kaseya attack, the REvil ransomware group was able to bypass authentication by simply sending a note password, granting them a session cookie that allowed them to have a low key where they could upload files onto the Kaseya VSA server. This was a fairly simple exploit that could have been avoided if there had been more stringent behavior detection practices in place, which can be achieved through zero trust.

The fundamental principle behind zero trust is that any entity trying to connect to an enterprise resource should be validated for compliance against a set of predetermined attributes before it can connect and stay connected to that resource. In effect, its premise is to consider anybody and anything operating inside or outside the enterprise network as hostile.

Not only should the MSP adopt zero trust, but organizations working with such providers should also consider implementing such a framework, especially to better secure a very vulnerable third-party supply chain.

Effective Incident Response With Clearly Defined Policies
MSPs and their customers' security teams all know the typical workflow when it comes to responding to threats. Something will be flagged as abnormal, a ticket will be created, and any necessary data is aggregated into the security platform of choice. Then analysis is performed with actionable steps on how to respond. However, ensuring these processes have clear, defined roles where every individual working on the team knows exactly how to respond is crucial in these types of situations.

One of the best ways to assure all parties involved in the supply chain understand their responsibilities is to perform regular tabletop exercises, which simulate various types of incident response scenarios. Did the attackers breach the network using phishing techniques? Was the threat vector a JPEG file with malicious code? Today's attackers are always finding new ways to infiltrate a network, including targeting MSPs to then get to bigger-ticket opportunities, so it's vital to be prepared.

Information Sharing for a Proactive Security Posture
It's important to be continuously evolving and learning from past security events, especially those like the Kaseya incident that feature less common entry mechanisms targeting an MSP. A primary way to help prevent such attacks is by proactively sharing information, threat research, data, or solutions with other customers — creating an information-sharing alliance.

As a security organization, protecting your customers is your No. 1 priority, and more often than not, your customers will share similar issues when it comes to preventing breaches. If a customer has a security framework similar to one that was just breached, there is likely information learned from your teams that can be used to conduct proactive threat hunting for others.

For example, with the Kaseya attack, we analyzed our customers' networks and found several of them had misconfigured firewalls, allowing all their services to be visible. We were able to identify these missteps and remediate them, while also sharing information with others who may have found this helpful.

With the return on investment during an MSP cyberattack being much greater than usual for cybercriminals, we can expect these types of vendors to become a more popular target for threat actors. With effective security policies in place across an MSP and its customer networks, paired with a zero-trust framework, MSPs and their entire ecosystem will be better prepared for the next inevitable threat.