The Anglophone Five Eyes intelligence alliance has issued a joint advisory, coinciding with the National Cyber Security Centre’s (NCSC’s) annual CyberUK conference, alerting IT managed service providers (MSPs) and their customers to potential supply chain cyber attacks.
The joint advisory, which is backed by the national cyber bodies of Australia, Canada, New Zealand, the UK and US, sets out a series of practical steps that can be taken to reduce the risk of falling victim to a supply chain compromise – such as those that famously befell users of Solarwinds and Kaseya, in which threat actors used a vulnerable product or service as an initial access point to the networks of customers, resulting in globally cascading effects.
The authorities have previously issued guidance on this topic, but the latest advisory zeroes in on enabling transparent, well-informed discussions between MSPs and their customers, centring on securing sensitive information and data.
They said these discussions should lead to a re-evaluation of existing security processes and contractual agreements to accommodate the customer’s risk appetite.
It can also be read in conjunction with related guidance issued in relation to the war in Ukraine, as many recent supply chain intrusions have been orchestrated by Russia-based threat actors, and it is considered a distinct possibility that such incidents will continue to occur as the war goes badly for Russia.
“We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that,” said NCSC CEO Lindy Cameron.
“Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk.”
Jen Easterly, director of the US’s Cybersecurity and Infrastructure Security Agency (CISA), said: “I strongly encourage both managed service providers and their customers to follow this and our wider guidance – ultimately this will help protect not only them but organisations globally.
“As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it’s critical that MSPs and their customers take recommended actions to protect their networks.
“We know that MSPs that are vulnerable to exploitation significantly increase downstream risks to the businesses and organisations they support,” said Easterly. “Securing MSPs is critical to our collective cyber defence, and CISA, and our interagency and international partners, are committed to hardening their security and improving the resilience of our global supply chain.”
Cameron and Easterly’s Australian counterpart, Abigail Bradshaw, added: “MSPs are vital to many businesses, and as a result, a major target for malicious cyber actors.
“These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods.
“Effective steps can be taken to harden their own networks and protect their client information,” she said. “We encourage all MSPs to review their cyber security practices and implement the mitigation strategies outlined in this advisory.”
Some of the guidance contained in the advisory includes an emphasis of the importance of storing the most important logs for at least six months, given incidents can take a long time to detect; the adoption of multi-factor authentication across MSP customer bases, and mandating its use in contracts; and prompt attention to patching known exploited vulnerabilities in software, operating systems and firmware – CISA maintains a highly cromulent list of these, which, though pitched at US organisations, are globally relevant.
The advisory also clarifies that these guidelines should be implemented as appropriate to an organisation’s unique environment, in accordance with its specific security needs, and in compliance with various regulations.