I said this a while ago and I certainly still believe this is true.  Remote monitoring and management tools can take down your MSP.

Just last week the Kaseya hack devastated (or at the very least disrupted) operations across thousands of MSPs.  Over the past year, hackers have set their eyes on MSP infrastructures and they are not backing down.

They’ve keyed in on the huge paydays that come from exploiting vulnerabilities in RMM technology. Once they have access to your RMM, they have access to all your clients. As we saw last week, these attacks have far-reaching global impacts.

RMMs are a necessary evil. The features that make them easy to use and easy for your team to support users are the exact reasons why they are so dangerous.

My take-home message today is that RMM tools—just like any tool you use in your MSP—cannot be treated as set-it-and-forget-it when it comes to making sure everything is secure.

Even security-centric MSPs battle with locking down their RMMs.

Today I want to review some ways you can harden your RMM—and this goes for any RMM. Don’t think for a second that just because you aren’t running Kaseya that you’re safe. The hard reality is that these hackers are sharpening their skills to target others, too. It’s a matter of when, not if.

Here are a few things to look at when evaluating your RMM:

  • Is MFA turned on for all RMM management accounts?
  • Do you prevent PowerShell execution on all hosts or at least limit PowerShell?
  • Do you change your RMM passwords regularly?
  • Have you deployed some endpoint protections that do not rely on your RMM exclusively for signaling a problem?
  • Are you reducing your RMM user accounts to the bare minimum? Do you audit them regularly?
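One way to run the account-related checks from the list above (MFA, password rotation, unused and excess accounts) against an exported user list. This is an added example, not part of the original article or any RMM vendor's tooling; the CSV column names, the sample rows, the audit date and the 90-day, 30-day and two-admin thresholds are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are hypothetical, not any RMM vendor's format.
SAMPLE_EXPORT = """username,role,mfa_enabled,password_changed,last_login
alice,admin,true,2021-06-20,2021-07-08
bob,admin,false,2021-05-30,2021-07-07
carol,technician,true,2020-11-02,2021-07-01
dave,technician,true,2021-06-01,2021-02-14
svc-backup,admin,false,2019-03-10,2021-07-09
"""

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy value; the article only says "regularly"
MAX_IDLE_DAYS = 30           # assumed cutoff for treating an account as unused
MAX_ADMINS = 2               # assumed "bare minimum" for this sample tenant


def audit_accounts(export_text, today):
    """Return ({username: [findings]}, [tenant-wide findings]) for an account export."""
    per_user, admins = {}, []
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = []
        if row["mfa_enabled"].strip().lower() != "true":
            findings.append("mfa-disabled")
        pw_age = (today - date.fromisoformat(row["password_changed"])).days
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"password-age-{pw_age}d")
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle > MAX_IDLE_DAYS:
            findings.append(f"idle-{idle}d")
        if row["role"] == "admin":
            admins.append(row["username"])
        if findings:
            per_user[row["username"]] = findings
    tenant = []
    if len(admins) > MAX_ADMINS:
        tenant.append(f"admin-count-{len(admins)}-exceeds-{MAX_ADMINS}")
    return per_user, tenant


if __name__ == "__main__":
    users, tenant = audit_accounts(SAMPLE_EXPORT, date(2021, 7, 10))
    for name, findings in users.items():
        print(f"{name}: {', '.join(findings)}")
    for finding in tenant:
        print(f"tenant: {finding}")
```

Service accounts such as the constructed `svc-backup` row tend to fail several checks at once, which is why they are worth including in the export rather than filtering out.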

RMM attacks will eventually lead to broader threats on the horizon.

Hardening your RMM doesn’t have to be complicated. I would start with 3 simple steps:

Limit RMM integrations—in order to protect your clients and data, try to separate your data protection infrastructure from your RMM platform. If you are using an all-in-one solution, you might be putting yourself at risk of an attack that could jeopardize your entire network. The more difficult you make it for an attacker to compromise elements (especially critical ones) of your or your clients’ networks, the harder you’ll make it for them simply to deploy ransomware through your RMM.

Evaluate your backups—consider using a backup solution that prevents malware from deleting the backup. Make sure that your backup software is off network and that you will be able to access everything—including configurations—if you ever had an issue. I’d highly recommend disentangling your backup solution from your RMM to avoid any risk of an RMM-based attack impacting your backups.

Follow a checklist—make sure to have a checklist covering the areas of your RMM that are especially vulnerable to attack. Make sure that if your RMM is compromised, it doesn’t have reach across your entire network to completely cripple both your business and that of your clients. Here is a good primer on creating your RMM checklist.

Overall, the question is not what you are doing to protect your RMM.

You can’t protect against everything all the time—zero-day vulnerabilities or disgruntled employees.

But you can do better with awareness, training and process.

The clear lesson from the threats facing MSPs is to audit yourself—to have eyes on your systems and a process for dealing with anomalies.

Unless you have processes for evaluating and course correcting, you are probably like the many MSPs putting their clients (and themselves!) at risk.

One of the easiest ways to address this is through a third-party assessment of your systems and security stack to make sure it's working the way you expect it to.