Staying ahead of the threat landscape: Key takeaways for MSPs

The threat landscape is constantly evolving, with new cyberattacks and malware emerging all the time. As managed service providers (MSPs), it’s critical to stay on top of the latest threats and understand how they may impact your business and your clients.

The threat intelligence specialists at the ConnectWise Cyber Research Unit (CRU)  gather threat data from a multitude of sources to identify emerging cybersecurity risks. We combine this intelligence with insights from our own investigations and incident response activities to build a comprehensive view of the threat landscape. 

Our bi-monthly MSP Threat Briefing series provides MSPs with tailored threat intelligence, which is specifically focused on the risks facing small and medium-sized businesses (SMBs). In our most recent briefing, we covered the latest trends in ransomware, malware, and attacker techniques, along with real-world examples from incident response cases.

Throughout the rest of this blog post, we’ll provide key takeaways from our recent threat briefing webinar and outline actionable steps MSPs can take to continue to strengthen their cybersecurity posture.

Ransomware is still growing strong

Ransomware as a service (RaaS) remains one of the top threats for SMBs, with attacks spiking in May and again in July and August of 2023. The ransomware group Clop was responsible for many of these incidents, compromising MSPs to deploy ransomware across hundreds of downstream customers.

Our data shows that ransomware is not going away anytime soon. While individual groups like Clop may lay low after a successful campaign, new groups will take their place, inevitably looking for vulnerable targets.

For MSPs, this means continuing to focus on ransomware prevention, detection, and response with strategies such as:

• Layered cybersecurity controls: Endpoint detection and response (EDR) tools and email/spam filtering to block initial access attempts
• Vulnerability management programs: Find and patch exploitable weaknesses
• Backup systems: Recover encrypted data without paying the ransom
• Incident response plans: Contain and eradicate active threats

Proactive measures like these can limit or even stop many ransomware attacks before they impact your business or your customers.

Valid accounts remain a top attack vector

Our analysis of recent attacks shows that valid account compromises continue to be a leading point of entry for attackers.

With so many past breaches exposing usernames and passwords, attackers have a nearly unlimited supply of credentials to take advantage of. They simply log in with valid accounts, bypassing other perimeter defenses.

To close this gap, MSPs can take several steps, including:

• Implementing multifactor authentication (MFA) everywhere possible, especially VPNs, email, and privileged accounts
• Using a password manager to enable unique, complex passwords across all services
• Monitoring for suspicious account activity indicative of credential misuse
• Deactivating ex-employee accounts and privileges promptly

Following identity and access best practices makes it far more difficult for attackers to leverage stolen credentials against your environment.

Malware continues to fly under the radar

Today’s advanced malware is designed to evade traditional signature-based defenses. Attackers frequently use obfuscation, encryption, and other techniques to avoid detection by antivirus and other cybersecurity tools.

For example, we’re seeing increased use of “living off the land” attacks that rely on legitimate system tools instead of malware. Attackers use built-in tools like PowerShell for reconnaissance, lateral movement, and other activities that can fly under the radar.

To catch these stealthy attacks, MSPs need layered defenses combining endpoint detection and response (EDR) with a security information and event management (SIEM) platform. EDR sees suspicious endpoint activity while the SIEM connects the dots across the network.

MSPs can also leverage threat-hunting capabilities to proactively hunt for indicators of an attack rather than waiting for alerts. Our research team constantly develops new threat-hunting queries based on emerging attacker tradecraft.

Take a programmatic approach to cybersecurity controls

While technical controls are important, don’t overlook cybersecurity fundamentals such as patch management, user awareness training, and configuration hardening. Many successful attacks exploit basic cybersecurity gaps through phishing, unpatched software, or misconfigurations.

To close these gaps, take a programmatic approach:

• Establish a regular patch schedule for operating systems, applications, and firmware: Prioritize critical patches, but don’t neglect non-critical ones over time
• Train employees to recognize phishing attempts and report suspicious emails or messages: Conduct simulated phishing campaigns to reinforce secure behavior
• Standardize secure configurations for servers, workstations, and network devices: Continuously monitor for and remediate deviations from the standard
• Formalize your cybersecurity program: Use frameworks such as CIS Controls or NIST CSF for structured coverage of cybersecurity fundamentals

A mature security program focuses on cybersecurity hygiene in addition to the latest tools. Following program best practices significantly raises the bar for attackers.

Leverage threat intelligence to stay ahead

Finally, take advantage of threat intelligence resources to understand the latest attacker tools, techniques, and procedures. The ConnectWise Cyber Research Unit™ (CRU) publishes an annual MSP Threat Report to keep the community informed of the latest threats. This year, we expanded our reports to include quarterly updates, focused primarily on what has changed between quarters.

Threat intelligence informs detection rule development, employee training, and cybersecurity strategies. For example, knowing that attackers abuse legitimate tools for stealthy access means monitoring those tools more closely. Understanding the latest phishing tactics helps inform more effective user education.

Staying on top of the threat landscape requires continuous learning. Leverage threat intelligence from trusted sources to proactively protect your business and anticipate risks before they become front-page news.

Conclusion

Today’s fast-moving threat landscape demands vigilance from MSPs seeking to secure their business and their clients. Ransomware, credential theft, evasive malware, and other threats pose a constant risk to SMBs with limited IT resources.

By taking a layered, intelligence-driven approach to cybersecurity controls, MSPs can effectively counter these threats. Prioritize identity and access management, endpoint security, proactive threat hunting, cybersecurity fundamentals, and timely threat intelligence.

With the right blend of people, processes, and technology, MSPs can stay a step ahead of attackers, creating a more secure environment for their clients and a competitive differentiator for their business.

At our next MSP Threat Briefing, we’ll provide updated threat statistics and discuss new campaigns and cybersecurity trends relevant to MSPs. Contact us today to learn more about our threat intelligence offerings tailored to the MSP community.