Commercial Integrator January 2022 - 12

THE SERVICE DESK
Lessons Learned Aſt er the Kaseya Attack
Key takeaways from the cyberattack and strategies to ensure your own security.
By Michael Hornby
EVERYONE LOVES THE HOLIDAYS. But
hackers are fully aware that they'll get plenty
of extra time to perpetrate their attacks
while people aren't watching.
This July 4th
weekend, they chose to exploit
a critical vulnerability in Kaseya's VSA
soſt ware. As with many cyberattacks, it
started Friday aſt ernoon, with the attackers
hoping they would have all day Saturday,
Sunday and the holiday Monday to infl ict
damage on more than 1,000 companies
and approximately a million computers
before being noticed. It's an MSP's worst
nightmare. Dealing with a single cybersecurity
incident is extremely diffi cult
and stressful; dealing with cybersecurity
incidents at every single client, as well as
internally, however, is absolute chaos.
There is no doubt about it: Kaseya's
breach is not going to be the last supplychain
attack we see. In order to protect our
clients, we need to protect ourselves.
The good news about the Kaseya vulnerability
is that only a small percentage of Kaseya
VSA servers were compromised. That
limited the damage to " only " around 1,000
companies. This means some MSPs were
able to protect themselves and their clients,
despite a huge security fl aw in the soſt ware
they were using. To answer the question of
how to protect ourselves, it's best to look at
who didn't get attacked - and why.
The fi rst step in most soſt ware companies'
support playbook is " whitelist these
folders in your antivirus, " regardless of the
issue. Hackers are smart enough to try running
viruses, masquerading as legitimate
soſt ware, inside of commonly whitelisted
folders. Even worse, if you've whitelisted
your RMM tool in your antivirus soſt ware,
you've given hackers free rein to perform
malicious activities, en masse, without even
being scanned. Whitelisting by path is a
terrible practice; it should be avoided.
Proof statement: Many MSPs that did
not whitelist the Kaseya directory in their security
tools were not aff ected by the attack.
Traditional antivirus tools compare fi les to
12
lists of known malicious soſt ware and block
any match. Hackers know this. They deliver
their attacks in more advanced ways that
can't be stopped by looking at a fi le hash.
" Next-Generation Antivirus, " or antivirus
based on behaviors, looks at what is actually
happening and decides if it looks dangerous.
To illustrate this, there are numerous ways
you could write a program to encrypt fi les
on a drive. It would be nearly impossible to
enumerate every possible way that program
could be written. However, by blocking the
activity of encrypting fi les, you're blocking
the dangerous behavior itself.
AI and ML-based antivirus products
generally accomplish this very eff ectively.
They operate in a manner similar to the
way humans think. I showed my toddler
pictures of diff erent breeds of dogs, and,
aſt er he saw a few pictures, he could identify
the animal as a dog even if I showed
him a completely diff erent picture that he
had never seen before. The AI engines are
fed known malicious soſt ware and analyze
the behavior of that soſt ware; aſt er ingesting
enough data, they can learn patterns
and activity that they can use to judge new
soſt ware that they have never seen before.
Proof statement: Several next-gen
antivirus products were capable of identifying
the encryption activity from the attack.
Therefore, they would have prevented it.
In the Kaseya attack, antivirus products
that lacked script-control functionality had
no chance of blocking the attackers. In fact,
a large percentage of malicious activity
is now executed through scripting (e.g.,
PowerShell, Offi ce macros, etc.).
Proof statement: Several endpoint security
products with script-control capabilities
were capable of stopping the Kaseya attack.
Zero trust goes a step further than
whitelisting. It's the ultimate tradeoff
of security versus convenience. But it's
also the diff erence between spending
hundred-hour (or longer) weeks, week
aſt er week, recovering from an attack and
sleeping well at night. Zero Trust means
Commercial Integrator JANUARY 2022
blocking by default and only allowing
known good things to run. Obviously, the
ransomware in the Kaseya attack was not
considered a " known good " script.
Proof statement: MSPs that utilized
properly confi gured Zero Trust soſt ware
were not aff ected by the Kaseya attack.
Although security practices like multifactor
authentication and least privilege
would not have prevented this breach,
they're wise to implement. They're likely to
protect against some future vulnerabilities.
Here are some additional tips:
› Ensure log information is preserved
and monitored for suspicious behavior.
› Separate backups. This means the
backups should not be accessible from
the same tools that access your customer
environments. Use a separate RMM and
a separate remote-access tool because,
if either is breached, then your customer
environments, as well as the backups, will
be destroyed. Some backup companies
off er " immutable backups, " meaning
there is no way to delete the backup.
› Monitor your environments! One of the
fi rst things the attackers did was disable
Windows Defender antivirus; that's a
typical fi rst step in any attack. Any RMM
has the ability to monitor antivirus status,
and, although the attack is already underway
when this alert comes through, it's
better than not knowing about it for days.
It's becoming increasingly important
to lock down environments properly.
Installing security software is not enough;
rather, we need to critically evaluate what
vendors tell us (especially " whitelist our
software in your antivirus " ) and determine
if the settings we're implementing are truly
the least privilege and most restrictive
needed to accomplish our goals.
Michael Hornby is CEO of
Techmentum, a member of
the ASCII Group since 2017.
For information, go to its site at
techmentumit.com.
commercialintegrator.com
http://www.techmentumit.com http://www.commercialintegrator.com
Commercial Integrator January 2022

Table of Contents for the Digital Edition of Commercial Integrator January 2022
