Why threat actors are targeting the channel

The breach experienced by Exclusive Networks in recent weeks is just the latest in a spate of attacks that have also seen FireEye and SolarWinds suffer suspected nation-state hacks.

Channel firms have often found themselves the targets of criminals in the past, but it appears that these sorts of attacks have ramped up in the last 18 months, and the allegation of state-sponsored attacks on vendors adds another sinister element to the situation.

But why is the channel an increasingly popular target for these sorts of attacks? It's because of the profile of its customers, particularly at enterprise level, according to Dave Sobel, MSP commentator and host of the 'Business of Tech' podcast.

"It's a pretty obvious target," said Sobel.

"For example, SolarWinds was attacked because it is the dominant network management solution in enterprise and getting into network management tools is an excellent way to get into your end targets. SolarWinds has a very rich portfolio, they're in a massive number of the Fortune 500, all the major branches of the US military and lots of civilian organisations as well."

He added that the relatively recent popularity of cybersecurity firms as targets is due to the criminals now "noticing" them and the access they provide to customers' IT networks.

"Cybercrime is a really well-run business; it just happens to be incredibly illegal," he said.

"We oftentimes think of it as a single person in a basement but it's not, it's a criminal enterprise and they're running it very efficiently. They're now starting to be really deliberate about making sure they attack CEO workstations or high-value targets. They're not blanketing, they're being very specific with their time and they're getting smarter each time.

"The magic of the channel has always been the way that it aggregates the ability to sell into customers. The channel is the best way to access those customers and the criminals have figured that out."

Defence

No form of cybersecurity is 100 per cent effective against attacks, but this series of attacks on vendors and a distributor will likely cause some concern among MSPs about how well protected their own vendor partners are.

Sobel advised that MSPs need to start focusing less on assumed protection and more on mitigating the likelihood of an attack on themselves and their customers.

"We need to be thinking differently about security; we're still thinking too much about how we can prevent this," he stated.

"Instead, we need to be thinking more along the lines of true zero trust security architectures, where our goal is to always minimise the damage, minimise the attack vectors and ensure that when it happens we're alerted faster, we've minimised the damage and we're able to contain it."

These attacks on cybersecurity vendors should indicate to MSPs that they can't take it for granted that their partners' products are infallible, and that they should always be probing and questioning the efficiency of what they're selling.

"They need to be approaching this from the perspective of 'trust no one'," Sobel added.

"We should be shaken to our cores that we can't necessarily trust the vendors providing the software. We have to verify that they are deserving of that trust and do that continuously - that's the value that you're expected to pass on to your customers. But you can't just trust that everything along the line is fine.

"If you just think 'Well, I'm going to just patch it' or 'I'm going to change vendors' you're not actually solving the root problem, which is that we are too trusting in our infrastructures."

Channel companies also need to stop seeing each other as the "enemy" and work together to implement tighter processes across the industry, said Distology CEO Hayley Roberts.

"Rather than being this dog-eat-dog industry - like most industries are - why don't we work to help one another and become robust in our protection mechanisms?" she asked.

"We should be working together to do good - regardless of whether it's with our competitors - because those that are looking to actually penetrate boundaries and steal data are the real enemy."

Regaining customer trust

For companies that have found themselves the victims of cyberattacks, the main priority is regaining customer confidence in their products and reputation. To paraphrase RuPaul, if you can't protect yourself, how the hell are you going to protect somebody else?

Sobel gave Johnson & Johnson as a classic example of how to regain customer confidence quickly and efficiently after the company was caught up in several murder cases. In the early 1980s, its widely available Tylenol tablets were tampered with by an unknown person who put arsenic in several bottles throughout Chicago, killing seven people.

"Everyone was very afraid of Tylenol, so what did Johnson & Johnson do? They overcorrected," he explained.

"They removed all the Tylenol from the shelves, redid the supply chain, overinvested and overcommunicated it. They were quickly back to their place of trust and shareholder value within a short period of time because of that. I think anything other than that path is an endless sea of suffering because you will forever be trying to regain customer confidence. They are the classic example when talking about crisis management.

"If you're breached, overcorrect. You are now going to have to be incredibly transparent the entire time, overcommunicate it and go all-in on your strategy to repair your relationship with your customers."

Distology's Roberts agrees with this 'honesty is the best policy' approach to rectifying customer relationships in the wake of an attack.

"The biggest concern is how you communicate that to your customer base and your partners," she added.

"It's all very well saying 'We're going to deal with it', but what happens is that partners don't know where to go with that information if their end users contact them. We've got to have almost like a disaster recovery, a fire drill, because I think that these issues aren't going away."

It's 'totally' going to get worse

All contributors agreed that this trend is not going to go away and will likely get worse as cybercriminals sharpen their tools and expand their arsenal.

"It's totally going to get worse because there's money to be made here," Sobel exclaimed.

"We need to be thinking differently about this problem. If you keep doing the same thing over and over and expecting different results, that's insanity. If we're going to keep doing the same things and expect to get better at this problem, we're just crazy.

"This is not a 'buy another product, fix it, tweak it' process; we're approaching this all wrong. We're going to have to think about new ways of managing customer data, where we are truly just minimising risk through a zero-trust architecture."

Bridgeway Security boss Jason Holloway echoed this sentiment, saying that companies trying to increase productivity feel the need to add more systems to their infrastructure, which ironically can make that infrastructure less secure.

"We live in a world where trying to become more productive and efficient means that we're integrating more and more disparate systems, and relying more on third-party supply chain organisations to do this for us in a secure manner. Unfortunately, the more we add to the mix, the more insecure the solution becomes," he explained.

"We are fighting this eternal challenge of how to increase the productivity and competitiveness of organisations by implementing different IT systems, yet at the same time trying to reduce the risk that these integrations pose. Unfortunately, the long-term prognosis is not good.

"This is a challenge that the whole industry is trying to face up to, but unfortunately, many people still ignore that the traditional approach to information security is broken and we need to rethink how we go about fixing this for the future. Otherwise, these kinds of challenges will continue to occur and the risks that we are adding to our systems will indeed come back to haunt us."