Why threat actors are targeting the channel

Marian McHugh
clock • 7 min read

The recent attack on Exclusive Networks is only the latest in a series which has seen cybersecurity vendors, distributors and MSPs suffer breaches to their systems. CRN asks why the channel is seeing itself become a popular target for cybercriminals

The breach experienced by Exclusive Networks in recent weeks is just the latest in a spate of attacks that have also seen FireEye and SolarWinds suffer suspected nation-state hacks.

Channel firms have often found themselves the targets of criminals in the past, but it appears that these sorts of attacks have ramped up in the last 18 months, and the allegation of state-sponsored attacks on vendors adds another sinister element to the situation.

But why is the channel an increasingly popular target for these sorts of attacks? It's because of the profile of its customers, particularly at enterprise level, according to Dave Sobel, MSP commentator and host of the 'Business of Tech' podcast.

"It's a pretty obvious target," said Sobel.

"For example, SolarWinds was attacked because it is the dominant network management solution in enterprise and getting into network management tools is an excellent way to get into your end targets. SolarWinds has a very rich portfolio, they're in a massive number of the Fortune 500, all the major branches of the US military and lots of civilian organisations as well."

He added that the relatively recent popularity of cybersecurity firms as targets is due to the criminals now "noticing" them and the access they provide to customers' IT networks.

"Cybercrime is a really well-run business it just happens to be incredibly illegal," he said.

"We oftentimes think of it as a single person in a basement but it's not, it's a criminal enterprise and they're running it very efficiently. They're now starting to be really deliberate about making sure they attack CEO workstations or high-value targets. They're not blanketing, they're being very specific with their time and they're getting smarter each time.

"The magic of the channel has always been the way that it aggregates the ability to sell into customers. The channel is the best way to access those customers and the criminals have figured that out."

Defence

No form of cybersecurity is 100 per cent effective against attacks, but these series of attacks on vendors and a distributor will likely cause some concern among MSPs in how protected their own vendor partners are.

Sobel advised that MSPs need to start focusing less on assumed protection and more on mitigating the likelihood of an attack on themselves and their customers.

"We need to thinking differently about security; we're still thinking too much about how we can prevent this," he stated.

"Instead, we need to be thinking more along the lines of true zero trust security architectures, where our goal is to always minimise the damage, minimise the attack vectors and ensure that when it happens we're alerted faster, we've minimised the damage and were able to contain it."

These attacks on cybersecurity vendors should indicate to MSPs that they can't take it for granted that their partner's products are infallible and they should always be probing and questioning the efficiency of what they're selling.

"They need to be approaching this from the perspective of ‘trust no one'," Sobel added.

"We should be shaken to our cores that we can't necessarily trust the vendors providing the software. We have to verify that they are deserving of that trust and do that continuously - that's the value that you're expected to pass on to your customers. But you can't just trust that everything along the line is fine.

"If you just think ‘Well I'm going to just patch it' or ‘I'm going to change vendors' you're not actually solving the root problem, which is that we are too trusting in our infrastructures."

Channel companies also need to stop seeing each other as the "enemy" and work together to implement tighter processes across the industry, said Distology CEO Hayley Roberts.

"Rather than being this dog-eat-dog industry - like most industries are - why don't we work to help one another and become robust in our protection mechanisms? She asked.

"We should be working together to do good - regardless of whether it's with our competitors - because those that are looking to actually penetrate boundaries and steal data are the real enemy."

Regaining customer trust

For companies that have found themselves the victims of cyberattacks, the main priority is regaining customer confidence in their products and reputation. To paraphrase RuPaul, if you can't protect yourself, how the hell are you going to protect somebody else?

Sobel gave Johnson & Johnson as a classic example of how to regain customer confidence quickly and efficiently after being caught in several murder cases. In the early 1980s, its widely available Tylenol tablets were tampered with by an unknown person who put arsenic in several bottles throughout Chicago, killing seven people.

"Everyone was very afraid of Tylenol, so what did Johnson & Johnson do? They overcorrected," he explained.

"They removed all the Tylenol from the shelves, redid the supply chain, overinvested and overcommunicated it. They were quickly back to their place of trust and shareholder value within a short period of time because of that. I think anything other than that path is an endless sea of suffering because you will forever be trying to regain customer confidence. They are the classic example when talking about crisis management.

"If you're breached, overcorrect. You are now going to have to be incredibly transparent the entire time, overcommunicate it and go all-in on your strategy to repair your relationship with your customers."

Distology's Roberts agrees with this ‘honesty is the best policy' approach to rectifying customer relationships in the wake of an attack.

"The biggest concern is how you communicate that to your customer base and your partners," she added.

"It's all very well saying ‘We're going to deal with it' but what happens is that partners don't know where to go with that information if their end users contact them. We've got to have almost like a disaster recovery a fire drill because I think that these issues aren't going away."

It's ‘totally' going to get worse

All contributors agreed that this trend is not going to go away and will likely get worse as cybercriminals sharpen their tools and expand their arsenal.

"It's totally going to get worse because there's money to be made here," Sobel exclaimed.

"We need to be thinking differently about this problem, if you keep doing the same thing over and over and expecting different results, that's insanity. If we're going to keep doing the same things and expect to get better at this problem, we're just crazy.

"This is not a buy another product, fix it, tweak it process, we're approaching this all wrong. We're going to have to think about new ways of managing customer data, and where we are truly just minimising risk through a zero-trust architecture."

Bridgeway Security boss Jason Holloway echoed this sentiment, saying that companies trying to increase productivity feel the need to add more security systems to their infrastructure which ironically can make those infrastructures more insecure.

"We live in a world where trying to become more productive and efficient means that we're integrating more and more disparate systems, and relying more on third-party supply chain organisations to do this for us in a secure manner. Unfortunately, the more we add to the mix, the more insecure the solution becomes," he explained.

"We are fighting this eternal challenge of how to increase the productivity and competitiveness of the organisations by implementing different IT systems, yet at the same time, trying to reduce the risk that these integrations pose. Unfortunately, the long term prognosis is not good.

This is a challenge that the whole industry is trying to face up to, but unfortunately, many people still ignore that the traditional approach to information security is broken and we need to rethink how we go about fixing this for the future. Otherwise, these kinds of challenges will continue to occur and these risks that we are adding to our systems will indeed come back to haunt us."

Related Topics

You may also like
Flotek acquires fellow Welsh MSP Ikona IT amid takeover spree

Reseller

Flotek acquires fellow Welsh MSP Ikona IT amid takeover spree

Deal marks Flotek's ninth acquisition in 18 months

clock 17 November 2023 • 2 min read
SonicWall acquires MSSP Solutions Granted to boost capabilities

Vendor

SonicWall acquires MSSP Solutions Granted to boost capabilities

Buyout gives SonicWall US-based SOCaaS, MDR capacity

clock 16 November 2023 • 1 min read
Distology becomes UK distributor for cyber-sec specialist OPSWAT

Distributor

Distology becomes UK distributor for cyber-sec specialist OPSWAT

The deal follows signings with MSP Harbor and Drata earlier in the year

clock 15 November 2023 • 2 min read
Marian McHugh
Author spotlight

Marian McHugh

View profile
More from Marian McHugh

CHG Meridian aims green financing option at channel

Is 2021 the watershed year for the channel's sustainability efforts?

Upcoming events
29 Nov
03:00PM
Website

Webinar: How MSPs can increase profitability, enable new services and expand the business

Register now
06 Dec
11:00AM
Website

Webinar: How Trustwave help your clients extract greater value from their Microsoft Security investments

Register now
01 Feb
10:00AM
Conference

Sustainability Summit 2024

Register now

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

Get the newsletter

More on Security

Cybersecurity incident response: Your company's ICU
Security

Cybersecurity incident response: Your company's ICU

Performanta CEO Guy Golan explains why incident response is the beating heart of a cybersecurity service

Guy Golan
clock 22 September 2023 • 4 min read
Qualys: 'We're not going to be able to scale without the channel'
Security

Qualys: 'We're not going to be able to scale without the channel'

The vendor says security tools consolidation is a key driver of sales

John Leonard
John Leonard
clock 19 May 2023 • 3 min read
Industry Voice: Beyond the Endpoint - 4 Tips to Help Your Customers Stay Secure
Security

Industry Voice: Beyond the Endpoint - 4 Tips to Help Your Customers Stay Secure

Secureworks
clock 06 April 2023 • 3 min read

Highlights

Staff & Salaries 2022
Careers and Skills

Staff & Salaries 2022

A snapshot of pay and headcount trends in the UK channel

Doug Woodburn
Doug Woodburn
clock 09 March 2022 • 1 min read
Midwich CEO on Nimans acquisition, 2021 results and return to pre-pandemic levels
Distributor

Midwich CEO on Nimans acquisition, 2021 results and return to pre-pandemic levels

Stephen Fenby talks to CRN after Midwich’s 2021 results in which profitability exceeded pre-pandemic levels

Josh Budd
Josh Budd
clock 08 March 2022 • 3 min read
4 more vendors suspend sales in Russia following Ukraine invasion
Vendor

4 more vendors suspend sales in Russia following Ukraine invasion

IBM and Microsoft are among a number of vendors which have also announced that they will halt sales in Russia following the invasion of Ukraine.

Dan Bennett
clock 08 March 2022 • 3 min read