How to Survive a Supply Chain Attack

Here are steps MSPs can take to improve their security posture and preparedness if ransomware or a supply chain attack hits. By Jon Bove

The major ransomware attack against Kaseya VSA this summer hit managed service providers hard. When the software vendor experienced one of the largest attacks to date, it impacted dozens of MSPs and their clients—an estimated 1,500 companies.

MSPs have gained traction, especially in the past year, with more and more IT departments turning to them for a number of reasons—including the desire to improve security and reduce costs. For MSPs impacted by the Kaseya attack, that meant it also affected their customers. And this marks a renewed warning for channel partners about what they need to watch out for when it comes to ransomware and supply chain attacks.

The attack on Kaseya was, unfortunately, yet another in a string of high-profile ransomware incidents. Ransomware attacks have increased in volume, morphing and evolving through the years into the debilitating attacks we see today. According to a recent Global Threat Landscape Report from FortiGuard Labs, ransomware attacks increased tenfold in the first half of 2021 and became even more disruptive.

What to Do If You Are Impacted

The unfortunate reality is that it’s not a matter of if but when your company will be affected by a ransomware attack. In the wake of the Kaseya attack, the FBI and CISA released guidance for affected MSPs that is relevant for any such supply chain/ransomware attack. These recommendations include:

  • Use a manual patch management process according to vendor remediation guidance, including installing new patches as soon as they become available.
  • Ensure backups are current and stored in an easily retrievable location that is air-gapped from the organizational network.
  • Implement multifactor authentication and principle of least privilege on key network resources and administration accounts.

It’s also important, as difficult as this can be, to stay calm and follow your documented incident response plan.

If you don’t already have a documented incident response plan in place, start creating one now, because it is crucial. The steps below will help, but you can also reach out to your security vendor for assistance. When you report the incident to your insurance company, they may also have a list of expert security providers who can help you.

Steps Your IR Plan Should Contain

When it comes to your incident response plan, it should include:

  • Stop the spread: First, identify the range of the attack. If the incident is already known to be widespread, implement blocks at the network level, such as isolating traffic at the switch or the firewall edge, or temporarily taking down the internet connection. If the incident scope is narrower, consider isolating attackers at the device level by pulling the Ethernet cable or disconnecting the Wi-Fi. If available, endpoint detection and response (EDR) technology can block the attack at the process level, which is the best immediate option with minimal business disruption.
  • Find the initial point of access: Identifying the access point will help find and close the hole in your security. This is sometimes difficult and may need the expertise of digital forensics teams and IR experts.
  • Find your backups and determine integrity: In many ransomware attacks, cybercriminals have been in your network for days, if not weeks, before deciding to encrypt your files. This means that you may have backups that contain malicious payloads that you do not want to restore to a clean system. Scan your backups to determine their integrity.
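The backup-integrity step above, as an added example that is not part of the original article: it triages a series of backup snapshots (represented as path-to-SHA-256 manifests) against a known-good baseline and a set of known-bad file hashes, and picks the newest snapshot taken before the first sign of the intruder, since anything captured during the dwell period is suspect even without a matching indicator. The snapshot layout, file paths, hashes and the "suspicious extension" rule are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# File types an attacker typically drops during dwell time (constructed rule)
SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs")

@dataclass
class Snapshot:
    name: str    # backup label, e.g. the date it was taken
    files: dict  # path -> sha256 hex digest of file contents

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def tainted_files(snap, baseline, bad_hashes):
    """Paths in `snap` that match a known-bad hash, or that are executable-type
    files absent from the known-good baseline (new binaries/scripts)."""
    hits = []
    for path, digest in snap.files.items():
        if digest in bad_hashes:
            hits.append((path, "known-bad hash"))
        elif path not in baseline.files and path.lower().endswith(SUSPICIOUS_EXT):
            hits.append((path, "new executable since baseline"))
    return hits

def newest_clean(snapshots, baseline, bad_hashes):
    """Walk snapshots oldest to newest and stop at the first tainted one:
    later snapshots were taken while the attacker was present, so even
    IoC-free ones are not trusted. Returns the last clean snapshot."""
    clean = baseline
    for snap in snapshots:
        if tainted_files(snap, baseline, bad_hashes):
            break
        clean = snap
    return clean

# Constructed sample data; the "payload" and its hash are not real IoCs
PAYLOAD = b"constructed stand-in for a dropped ransomware loader"
BAD_HASHES = {sha256(PAYLOAD)}  # would come from EDR / IR findings
BASELINE = Snapshot("golden", {
    "C:/Windows/System32/svchost.exe": sha256(b"svchost"),
    "C:/Data/ledger.xlsx": sha256(b"ledger v1")})
SNAPSHOTS = [  # daily backups; ledger edits are legitimate user activity
    Snapshot("daily-1", {**BASELINE.files,
             "C:/Data/ledger.xlsx": sha256(b"ledger v2")}),
    Snapshot("daily-2", {**BASELINE.files,          # payload dropped during dwell
             "C:/ProgramData/agent.exe": sha256(PAYLOAD)}),
    Snapshot("daily-3", {**BASELINE.files,
             "C:/ProgramData/agent.exe": sha256(PAYLOAD),
             "C:/Users/Public/updater.ps1": sha256(b"stage 2")}),
]
```

On the sample data, `newest_clean(SNAPSHOTS, BASELINE, BAD_HASHES)` returns the `daily-1` snapshot: `daily-2` is flagged by the known-bad hash, and `daily-3` is additionally flagged for the new script that no indicator list would have caught.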
ChannelPro SMB Magazine