Cyberattacks are increasing in severity. Cybercriminals now use the supply chain, management systems, or managed service providers to gain entry to insecure systems. Each attack can have multiple objectives depending on the threat actor, sponsoring nation, or even the target. The culture of threat actors affects the objectives and tactics, including the patience level of threat actors or the sponsoring economy. The cybercriminal may use the supply chain to target an individual organization.
However, we’ve recently seen several broad attacks utilize a management system or managed service provider to gain access to multiple targets, such as SolarWinds and Kaseya. The attacks in the initial phases require organizations to rebuild systems and infrastructure, causing financial loss. But they may not be aware of any long-term objectives of the threat actors. The SolarWinds attack exfiltrated data from multiple organizations. It is unknown how that data might be used so there may be a long tail on some attacks.
My APNIC 52 keynote, The Role of Service Providers in Transforming Security, describes the current threat landscape and trends in greater detail. Both support the push for built-in security. I’ve spoken about how to improve enterprise security in the past, but what about managed service providers and their ability to impact enterprise environments? How can various types of service providers impact security for organizations that lack resources? Namely, how can they help protect the State, Local, Tribal, and Territorial (SLTT) networks or small businesses?
I joined the Center for Internet Security (CIS) almost a year ago, inspired by the mission and excited to work with colleagues aligned to the same inspiring goals.
For CIS, the mission is put into action in many ways, including providing best practice guidance in trusted materials, backed by a well vetted process called the Community Defense Model. The best practice guidance includes the CIS Critical Security Controls and CIS Benchmarks to secure infrastructure, while prioritizing safeguards to address the most common threats. CIS also works directly with the SLTT members, providing operational security management and assistance through the Multi-State Information Sharing and Analysis Center (MS-ISAC). Additionally, CIS partners with numerous hosted providers and traditional infrastructure companies to validate platforms using CIS Benchmarks or offering CIS Hardened Images (pre-hardened VMs in the public cloud). These platforms benefit organizations without the resources to secure their infrastructure themselves.
How managed service providers can improve security
Managed service providers of all types play a role in securing infrastructure for the Internet and hosted applications. The Internet Society’s Mutually Agreed Norms for Routing Security (MANRS) is an excellent example of an effort taken at the Internet Service Provider (ISP) level that impacts businesses of all sizes and resources. MANRS offers protection against spoofing through an allow-listing approach that provides network-based anti-spoofing filters.
What other efforts could each type of managed service provider employ to provide attack prevention measures that would universally aid businesses of all sizes given the evolving threat landscape?
- MANRS — If you are not participating yet, please consider this as a basic measure to prevent spoofing attacks, improve coordination between managed service providers, and increase adoption of Resource Public Key Infrastructure (RPKI).
- Consider supporting additional protections to assist with threats such as phishing or business email compromise (BEC) attacks:
- Support DomainKeys Identified Mail (DKIM) signatures on outbound mail by offering configuration assistance to supported organizations. DKIM authenticates outbound messages with a digital signature applied at the outgoing mail server, so a receiver can verify that the listed domain sent the email and that it was not altered in transit.
- Offer Sender Policy Framework (SPF) configuration and support to all customers, providing further assurance on outbound mail. SPF publishes, in Domain Name System (DNS) records, the set of servers allowed to send email for a particular domain. The receiving side then uses that server list to validate the sending mail server as authorized.
- Improve the feedback to customers who implemented DKIM and SPF so they can refine configurations and improve the efficacy of these protocols. Domain-based Message Authentication, Reporting and Conformance (DMARC) support builds upon DKIM and SPF, further improving the validation process for email and reducing fraud. The Global Cyber Alliance is a rich source of guidance to aid in DMARC, DKIM, and SPF implementations.
- Support DNSSEC configuration, deployment, and verification, or make it standard within service provider offerings.
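The SPF and DMARC evaluation described in the items above, as an added Python example that is not part of the original post or of any CIS or Global Cyber Alliance material. It runs offline against a constructed set of DNS TXT records for the hypothetical domain example.test: it evaluates an SPF record (the ip4, ip6, include and all mechanisms only), then applies DMARC identifier alignment and the published policy. The record contents, the function names and the simplified organizational-domain rule are assumptions for illustration.

```python
import ipaddress

# Constructed DNS TXT records for the hypothetical domain example.test.
# A real receiver would resolve these with a DNS library; they are embedded
# here so the example runs offline.
DNS_TXT = {
    "example.test": [
        "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:mail.example.test -all"
    ],
    "mail.example.test": ["v=spf1 ip4:198.51.100.5 ~all"],
    "_dmarc.example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test; aspf=r; adkim=s"
    ],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, prefix):
    """Return the first TXT record at `name` that starts with `prefix`, or None."""
    for txt in DNS_TXT.get(name.lower(), []):
        if txt.lower().startswith(prefix.lower()):
            return txt
    return None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip`.

    Supports the ip4, ip6, include and all mechanisms with their qualifiers.
    Mechanisms that need live DNS (a, mx, exists, ptr) yield 'permerror' here.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; toy recursion guard
        return "permerror"
    record = lookup_txt(domain, "v=spf1")
    if record is None:
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = addr.version == network.version and addr in network
        elif mechanism == "include":
            # include: matches only when the referenced domain's record passes
            matched = check_spf(sender_ip, argument, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term was present


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC or DKIM key record) into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Toy organizational domain: the last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, authenticated_domain, mode):
    """DMARC alignment: 's' needs an exact match, 'r' (relaxed) the same organizational domain."""
    if mode == "s":
        return header_from.lower() == authenticated_domain.lower()
    return organizational_domain(header_from) == organizational_domain(authenticated_domain)


def dmarc_disposition(header_from, sender_ip, mail_from_domain, dkim_domain=None, dkim_valid=False):
    """Combine SPF and DKIM results with alignment under the From domain's DMARC policy.

    `dkim_valid` stands in for a DKIM signature verification result (signing is not shown).
    Returns (disposition, spf_result, spf_aligned, dkim_aligned).
    """
    record = lookup_txt("_dmarc." + header_from, "v=DMARC1")
    if record is None:
        return ("none", None, False, False)  # no policy published; receiver applies local rules
    tags = parse_tags(record)
    spf_result = check_spf(sender_ip, mail_from_domain)
    spf_aligned = spf_result == "pass" and aligned(header_from, mail_from_domain, tags.get("aspf", "r"))
    dkim_aligned = bool(dkim_valid and dkim_domain) and aligned(header_from, dkim_domain, tags.get("adkim", "s"))
    if spf_aligned or dkim_aligned:
        return ("pass", spf_result, spf_aligned, dkim_aligned)
    policy = tags.get("p", "none")
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    return (policy, spf_result, spf_aligned, dkim_aligned)
```

The strict `adkim=s` setting in the constructed record shows the feedback point: a signature from mail.example.test that verifies correctly still does not protect a message whose From header is example.test, which is exactly the kind of misconfiguration that DMARC aggregate reports (the `rua` address, parsed but not acted on here) would surface to the customer.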
Infrastructure as a Service and Application Service Providers
Two additional types of managed service providers are Infrastructure as a Service (IaaS) and Application Service Providers. Below are a few recommendations to improve security in these environments.
- Provide assurance on system boot for firmware and BIOS adhering to NIST Special Publication 800-193, using attestation and, if applicable, Trusted Computing Group (TCG) Reference Integrity Measurements.
- Adherence to security policies established to meet the needs of the supporting organizations (such as ISO 27001/2). Implementations may be prioritized by current threats using the CIS Controls.
- Hardened operating systems, containers, applications, and devices according to agreed upon security guidance. You can achieve this by manually applying one of the more than 100 CIS Benchmarks and DISA STIGs. For virtual machine images in the public cloud, you can utilize CIS Hardened Images built to CIS Benchmark standards.
- CIS can verify environments that meet CIS Controls and Benchmarks to sell services with this assurance. Non-commercial use of these standards and guidance is free.
Three ways to outsource security services
- DNS filtering services to prevent access to known malicious sites.
- Take-down coordination improvement among providers to eliminate malicious content and domains.
- Email protection services:
- Increased adoption and support of DKIM, making it as standard as BCP 38 filtering.
- Increased support for DMARC and SPF through service offerings or economy-led efforts.
- Supported services for email screening (such as malicious content and domains) for organizations with limited resources.
Questions to service providers to help
- Are there other relay-based services or Internet-level protocols that could provide additional protection at scale to better assist organizations with limited resources?
- How can you support these or other security improvements?
- Can we raise the baseline level of service to one that provides basic cyber hygiene and assurance on connections, such as authenticated email via DKIM signatures, and authenticated and encrypted sessions in line with zero trust tenets?
- Are there additional opportunities to build in security or offer security with a supporting architecture that scales? The recommendations in this blog may not be complete, but are meant to inspire innovation and to raise the baseline of security.
As organizations embrace transport encryption, they will lose the visibility within their networks they are accustomed to having on the wire. Security is shifting to the endpoint because of the push for strong and ubiquitous encryption. Network managers will struggle with this shift unless they have support to gain some level of network visibility back.
This may be possible within data centres using routing overlay protocols such as GENEVE or upgrading to IPv6. IPv6 provides better end-to-end capabilities as routing overlay protocols terminate at the network administrative boundary. Can service providers play a role to assist with a transition to IPv6 to support organizations who are considering use of increased transport encryption?
MSP security improvements worth the effort
Seemingly simple measures such as adherence to BCP 38, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing”, took considerable effort. While similar efforts may also take considerable effort, the increase in attack severity and breadth indicates these efforts are timely and worthwhile.
Working together to raise the baseline level of services to include built in and verified security will increase the level of difficulty for attackers by substantially reducing the attack surface for organizations of all sizes.
This blog and the APNIC 52 Keynote are not intended to provide a step-by-step guide of what to do, but rather to inspire engineers, service providers, and organizations to improve the baseline of services by simplifying and building in security where possible.
Kathleen Moriarty is Chief Technology Officer at Center for Internet Security and former IETF Security Area Director. She has more than two decades of experience working on ecosystems, standards, and strategy.
This post was first published on the Center for Internet Security Blog.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.