Service providers can add value by prioritising supply chain security defences

Chester Wisniewski, Principal Research Scientist, Sophos.
Chester Wisniewski, Principal Research Scientist, Sophos.
4 years ago

Supply chain cybersecurity attacks have been in the news lately, but they are nothing new. In fact, nation state adversaries have been targeting and abusing supply chain vulnerabilities for years.

These vulnerabilities are an easy in, giving attackers an open door to more lucrative targets. Managed service providers, MSPs, and managed security service providers, MSSPs, are particularly attractive targets because they hold the keys to many different customer organisations. Look at what happened when hundreds of dental office customers were hit by ransomware after their shared MSP was compromised.

“I didn’t think we would be a target” are words spoken by compromised organisations all too often. Yet the truth is we are all targets. We are all links in someone’s supply chain, and that makes us susceptible if we are not protected.

It is easy to imagine how one might be a backdoor into a military contractor if they supply them with services or tools, but would you consider your local nail salon to be a supply chain risk? Well, you should. In fact, an attack against a large company began by compromising a local salon and using their billing system to send malicious PDFs to executives at the company who used their services.

“Service providers need to stop sharing passwords, it is an ongoing problem.”

There is tremendous opportunity for MSPs and MSSPs alike to improve supply chain security defences both internally and for the customers that they serve. This might seem like a daunting task, but you can tackle it often with immediate and measurable results by focusing on three important areas:

1. Authentication

Service providers need to stop sharing passwords. It sounds like common sense, but it is an ongoing problem. As someone who has investigated credit card fraud, I have seen first-hand the risks of payment terminal providers using remote access software like TeamViewer or VNC with a single, shared password to manage thousands of customer accounts.

“Security is a journey and securing the supply chain is just one piece of the bigger puzzle.”

Earlier this week, law enforcement officials in Florida announced that an attacker used TeamViewer to successfully gain access to a password protected control panel and attempted to poison a critical infrastructure water supply. The attack was fortunately stopped but could have been deadly.

This lack of security is no longer acceptable. Phishing one member of your support staff is enough in many cases to destroy your reputation and potentially your business in one incident.

No different than in traditional IT departments, accounts that possess privilege should only be used when needed, and they should always require multi-factor authentication. All usage should also be logged and reviewed frequently.

2. Access rights

Should every technician be allowed access to every client? Perhaps, but probably not. Often, groups of clients, especially key customers, have a dedicated support person or team. No different than how we segment networks to provide audit points and to contain risk, privileges require bounds.

“Monitoring is often under resourced as opposed to prevention.”

Logging is critical in recognising unusual access like off hours use or access to an account assigned to a different team, which can be signs of insider fraud or an external threat actor preparing to launch a ransomware attack.

3. Monitoring for compromise

Monitoring is often under resourced as opposed to prevention. The problem is, we know that prevention is not always 100% achievable, yet when it comes to detection and monitoring for the failure of our preventative controls, we are being too reactive. Once an attack becomes obvious it is often too late. By the time a criminal pulls out the ransomware, they have already stolen critical data and, more often than not, have had access to your network for 30 days or more.

During investigations conducted by the Sophos Managed Threat Response team, two things stand out as early indicators of compromise. One is the use of credentials for remote access and administrative purposes during off hours; the other is the abuse of system administration tools in order to conduct surveillance and steal data from the network.

The use of legitimate accounts and your own tools is often referred to as Living Off the Land, LotL. Detecting this requires vigilance and skill. To a trained security operations centre analyst, these things stand out clearly and can tip you off to thwart the attack before the bulk of the damage has been done. You either need to invest in training your staff to monitor these behaviours or engage with outside experts to monitor it on your behalf.

“Prioritising supply chain security defences can be a significant competitive advantage for service providers.”

Improving on these three important areas will significantly reduce cybersecurity risk, putting MSPs and MSSPs ahead of their competition when it comes to protecting customers.

Prioritising supply chain security defences can be a significant competitive advantage for service providers in acquiring new customers and perhaps most importantly, retaining the ones they already serve.

These are simply starting points where we have identified common points of failure. Security is a journey and securing the supply chain is just one piece of the bigger puzzle.


There is scope for MSPs and MSSPs to improve supply chain security and they can tackle by focusing on three areas, writes Chester Wisniewski of Sophos.

Don't Miss

Chester Wisniewski, director, field CTO, Sophos

Most Educational Organizations Paid More Than the Original Ransom Demand, Says Sophos Survey

Sophos has published its annual sector survey report, , “The State of

Ransomware Groups Weaponize Stolen Data to Increase Pressure on Targets Who Refuse to Pay, Sophos Report Finds

Sophos has released a new dark web report titled “Turning the Screws: