The story of how Datto, Huntress Labs, and ConnectWise blocked the sale of an MSP’s administrative credentials on the dark web, which mostly took place last year but first came to light last week, offers a fascinating glimpse into the world of cybersecurity cloak-and-dagger work.
It also, however, provides a sobering illustration of the perils faced by MSPs now that hackers view them as a convenient way to compromise dozens of end users at once, not to mention the clearest look yet at the quiet effort by a growing body of vendors to counter that threat through cooperative action.
That effort began last summer with a message from Ryan Weeks, Datto’s chief information security officer, to Huntress Labs CEO Kyle Hanslovan and Vice President of ThreatOps John Ferrell. Inspired by a webinar in which the Huntress executives urged their peers to join forces in the fight against cybercrime, Weeks reached out to offer his support. Within days, the two companies met and formed what’s since become the MSP-ISAC, a security information sharing and analysis center (ISAC) for the managed services community.
“It started out this MSP-ISAC was just nothing more than a Slack channel for Datto and Huntress to communicate,” recalls Hanslovan.
Those vendors soon invited ConnectWise and Kaseya to participate as well, and other firms later joined them. Today, the MSP-ISAC has over 30 members, and grassroots recruiting continues. “Nights and weekends, we’re inviting security people from other channel companies through LinkedIn or through our direct relationships to join,” says Weeks.
The overarching goal, he continues, is to even the odds against attackers by exchanging best practices and pooling threat information that would otherwise reside in silos across the industry. In particular, Weeks hopes to make the group a source of insights on what security experts call “TTPs,” the tactics, techniques, and procedures that bad actors use to break into targeted systems. That’s information rarely disseminated beyond cybersecurity experts at present.
“I want it to be a community where actionable information is presented that can help MSPs adapt their security programs,” Weeks explains, noting that the ISAC concept has a long history in other industries. “This model is proven,” he says. “It’s worked really well in healthcare, in financial services, and so it’s not that this is a new or groundbreaking idea.”
Sadly, much about the breach disclosed last week, in which a hacker put passwords belonging to an MSP in the eastern U.S. up for sale on the dark web, is familiar too. Datto is one of many vendors that monitor the cybercrime underworld for signs that one of their partners, or an end user supported by those partners, has been breached, and then proactively contact anyone they believe to be in danger.
“We do a lot of that on a weekly, monthly basis,” Weeks says.
The threat that Datto stumbled across last October, however, was unusual. Normally, Hanslovan says, thieves with stolen cyber-goods to sell operate in the deepest recesses of the dark web. This new for-sale listing, by contrast, was comparatively out in the open, on a site called Torum. It also made starkly real what for most MSPs remains an abstract phenomenon—the ongoing increase in threat activity against their business systems.