Huntress and Axcient: Planning for the Next Ransomware Attack

I was lucky enough to ‘sit down’ (virtually) with Jason Phelps, Security Engineer at Huntress, to discuss the current state of the cybersecurity landscape. Huntress helps IT service providers protect customers from persistent footholds, ransomware, and other attacks that can sneak past preventive security tools. Combining automated detection with real human threat hunters, Huntress detects, analyzes, responds to, and reports attacks to reduce future risk.

With the Kaseya VSA attack as the backdrop, we talk about how the channel needs to prepare for today’s targeted threats on MSPs, SMB clients, and supply chains. Agreeing that multi-layer security infrastructure is necessary to recover from inevitable attacks, Jason and I highlight the criticality of incident response for business continuity. Keep reading for expert insights and best practices, or watch the webinar here.

What We Learned From the Kaseya Attack

When hackers compromised the tech-management software company Kaseya on the Friday before July 4th weekend, Axcient and Huntress experienced a similar influx of partner calls. Clients were hit with ransomware through Kaseya VSA, and they all needed to recover quickly. While the hackers executed the strategic attack during the holiday weekend – when many employees were unavailable – Kaseya was warned about the vulnerability in April. Via ‘technical debt,’ or old code in pages and files that don’t get checked often, companies risk bad actor entry, penetration, and eventually, ransomware.

Jason says, “This can happen to anybody. Who can say that they’ve addressed all of their tech debt? Whether it’s old MSP partners that we haven’t removed their tools to their accounts, firewall rules from an Exchange server decommissioned, or those RDS servers we took offline, they’re all available ways into the network. One takeaway from this is to make sure you have a list of that technical debt. Go through and clean it up, or at least be aware of that.”

From a recovery standpoint, the takeaway is also preventative. Only a small percentage of Axcient partners were compromised, but the attack was pretty devastating. For one partner, the attack compromised every single one of their clients. The MSP’s first reaction was to turn everything off, regroup, and then recover. Unfortunately, that made recovery harder because they had to “disinfect” everything before bringing it back online. It required abundant human capital onsite and in the network to go to each client individually for restoration. The process took six to eight weeks in total.

The takeaway here is preparation. Assuming an attack is inevitable, rather than hoping it won’t happen to you, enables you to act swiftly, recover efficiently, and have the solutions in place to virtualize instantly for uninterrupted business continuity. If your MSP was attacked tonight, would you need time to regroup? What could that cost you in the long term?

Are You Prepared for the Inevitable?

As an MSP, you already know the dire statistics around cyberattacks. They’re bad, getting worse, and targeting both you and your SMB clients. So why are so many MSPs still not prepared for what could be a business-fatal attack that is very likely to occur any day now? An overarching issue throughout the channel is the failure to establish the layered security approach required for end-to-end protection. Jason and I use the NIST Cybersecurity Framework as a guide to implementing a layered security approach.

NIST Cybersecurity Framework

Using this framework, Jason observers what he believes is the neglected component leaving MSPs vulnerable to attack. “I think there’s a giant dark area in the layered security approach that people take. They focus heavily on prevention and identification and protection, and then they jump all the way over to recovery.” There’s a focus on protecting at the perimeter and being able to recover from backups, but there’s nothing in between. This gap leaves a huge blind spot via missing layers in a concerted approach. It’s not one thing that’s going to protect you; it’s all of these things. If you’re solely relying on backups – which should be your last line of defense – you’re missing out on a huge portion of your security.

Get Prepared with Incident Response

How do you know if you have enough layers in your layered security approach? What is enough? MSPs can answer these questions with an established incident response (IR) policy. The main objective of an IR policy is to prepare your business for an attack with a pre-determined map, manual, and guide of your response. This includes:

  • Identification of the incident response team: Who will be contacted when and for what purpose, including current contact information if internal systems are compromised.
  • Procedures for breach notification: The absolute first thing necessary is to contact your cyber liability insurance carrier to understand their needs, which often requires you to wait on restoration until forensics can be completed. Depending on your location and vertical, you may need to report breach information within a specific timeframe to both compromised and uncompromised customers, the state, regulatory agencies, and your legal counsel.
  • Pre-determined messaging: Breach notification should include specific details while holding others confidential. They need to come from the right leadership within the organization and convey an appropriate tone based on the severity of the breach.
  • Risk analysis framework: When multiple clients are hit at once, you need to prioritize restoration based on the factors that most influence clients. Specifically, they should move ahead in the restoration queue if they’re bound by regulatory requirements and may incur fees and penalties if not restored within a certain time period. Jason recommends the following, “Make a Venn diagram. On one side are the customers who are encrypted, and on the other side are customers most likely to litigate. Where they overlap, that’s where you start.”
  • Decision implications: No matter what, the decisions you make following a cyber incident will not make everyone happy. Clients may get mad about how they were prioritized or notified of the breach, but decisions have to be made, and you need to be able to defend and stand by them.

Despite the importance of each of these components, 77% of companies don’t have a cybersecurity IR plan applied across the organization. This is especially troubling because an IR policy can be the difference between losing your business entirely or winning new clients based on your ability to recover.

Drill, Rehearse and Regularly Update

An IR policy is nothing without regular practice in table readings, drills, and rehearsals. It’s during these run-throughs that you identify holes, inaccurate information, new regulatory and insurance policy demands, and guarantee that your IR plan is sound for when the unpredictable hits. An IR policy that has not been updated and drilled every quarter is probably outdated due to how quickly the threat landscape changes. Ensure your incident response team meets regularly, including other team members for backup, and maintains current contact information and system access.

Not only is IR pivotal for your business as an MSP, but it goes for your clients as well. Put your clients to the test to highlight where they could improve their security posture and prepare for the same threats targeting MSPs. We tout the risks of ransomware so often that clients can become numb to the message. Make them real through testing to relay the value of security to your clients. It’s an eye-opening learning experience that leads to a better understanding of why business continuity is critical to business survival.

Backups are Dead, but BC/DR is the Solution

Because of sophisticated attacks like Kaseya experienced, new MSP-specific state regulations, rising cyber liability insurance premiums, and the sheer frequency of attacks, backups just don’t cut it anymore. Today comprehensive business continuity and disaster recovery (BCDR) solutions are required to both survive an attack, and to come out of it whole. You’re not judged by whether you can prevent an incident but rather by how you recover. A cybersecurity event is an opportunity to prove that your MSP can quickly restore your clients’ business operations when an inevitable attack occurs. That’s how you build your reputation and grow your business.

Take the Axcient Challenge to see how you can transform your business with full BCDR at up to 50% less than you’re paying for backup alone. Compare a complete solution to what you’re using now and see how your IR policy stands up. Start Your Free 14-Day Trial Today!

Ben Nowacky

Ben Nowacky // SVP of Product, Axcient

As Senior Vice President of Products for Axcient, Ben Nowacky leads the Engineering and Security teams to provide business continuity and cloud enablement services. He’s also a semi-amateur boxer and modern-day renaissance dog trainer. When he’s not banging the keyboard and helping MSPs, he loves long walks on the beach and romantic dinners with his wife.

More Great Stuff From Our Blog:

Check out some other interesting pieces from our blog: MSP-friendly resources and tools to help MSPs educate clients to combat phishing attacks and Fight the Phish!, we dove into how chain-based backup works and why chain-free is the way to be, we talked with Jason Phelps from Huntress Labs about planning for the next ransomware attack, our CEO David Bennett explains why the current cybersecurity landscape means traditional backup is dead, or learn how you can ditch pricey on-site appliances with Local Cache for Direct-to-Cloud BCDR.