You have an advanced security stack.

You’re investing in what seem to be amazing shiny new tools that can do all sorts of things.

Maybe your clients appreciate everything that is in your stack. Maybe they don’t. NOTE: one of the easiest ways to communicate security risk and value to clients who are investing in security is to perform a penetration test that shows them what they actually have at stake. And one of the easiest ways to see how a pen test process works (and to see your security stack in action) is to perform a free cyber stack assessment.

But even if they appreciate a need for advanced security tools, how are you showing them that your team provides them with extreme value?

Maybe having an exceptional service desk? Maybe solving issues quickly?

Those are great, but why not show them that you’re more prepared than pretty much anyone out there?

What if you had built into your stack a SHUT THEM DOWN Strategy?

I know some of you might be asking, “what the heck is a SHUT THEM DOWN strategy?”

What I mean here is having a strategic plan to shut any vendor down in the event that their tool were compromised. Think of all the tools an MSP has on their client networks (let alone their own). Some tools have nearly entire access to the keys to the kingdom. What if these tools got into the wrong hands?

If you were to communicate that you had a tested plan to help shut down any rogue tool, wouldn’t that make them feel like you’ve got your ducks in a row?

Tell them a story of any recent incident where a tool was compromised—I’m sure there are a few top of mind—to get your clients to understand just how fragile their security is and why they need a competent team looking out for them at every turn.

Here’s how I’d go about getting a SHUT THEM DOWN strategy working.

STEP ONE: Make a list of all of these tools. Here are some to get your list primed:

RMM?

Quick note: RMM isn’t the only attack vector that would allow an attacker to infect multiple MSPs all at once. Think about other remote-control tools. How about privileged access management? What about your backup agent? Keep thinking about what else belongs on your list:

Remote Control?

Backup AGENT?

ANTIVIRUS?

SIEM?

XDR?

SASE?

You will want to think about antivirus and the other security tools that are running on devices. You can handle them much like backups: have a script that goes in and disables the agent. You will want to test this out, because you will find that antivirus can be pretty grouchy about being turned off by another process.

Some of you might want to reach out to your antivirus vendor for specific steps on how to do this.
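The list in STEP ONE can be seeded from the endpoints themselves. What follows is an added example, not code from the original post or from any vendor: it scans a Windows endpoint’s services and installed-program registry entries for keywords in the categories the post names and writes a manifest you can carry into STEP TWO. The keyword lists and the manifest path are assumptions; replace the keywords with the vendor and product names actually in your stack.

```powershell
# Added example (not from the original post). Builds the STEP ONE tool list from a
# Windows endpoint. Keywords are placeholders: put your real vendor/product names here.
$Categories = @{
    'RMM'           = @('RMM', 'Remote Monitoring')
    'RemoteControl' = @('Remote Control', 'Remote Access')
    'Backup'        = @('Backup')
    'Antivirus'     = @('Antivirus', 'Endpoint Protection', 'Defender')
    'SIEM'          = @('SIEM', 'Log Collector')
    'XDR'           = @('XDR', 'EDR', 'Sensor')
    'SASE'          = @('SASE', 'ZTNA', 'VPN')
}
$ManifestPath = Join-Path $env:ProgramData 'shutdown-manifest.json'   # assumed location

function Get-ToolInventory {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$Categories)

    # Services carry the start mode and state we will need to restore later.
    $services = Get-CimInstance -ClassName Win32_Service

    # Installed programs (64- and 32-bit views) catch agents that do not run as a service.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName }

    foreach ($category in $Categories.Keys) {
        foreach ($keyword in $Categories[$category]) {
            $services |
                Where-Object { $_.DisplayName -like "*$keyword*" -or $_.PathName -like "*$keyword*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Category    = $category
                        Kind        = 'Service'
                        Name        = $_.Name
                        DisplayName = $_.DisplayName
                        Path        = $_.PathName
                        StartMode   = $_.StartMode
                        State       = $_.State
                    }
                }
            $installed |
                Where-Object { $_.DisplayName -like "*$keyword*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Category    = $category
                        Kind        = 'Package'
                        Name        = $_.PSChildName
                        DisplayName = $_.DisplayName
                        Path        = $_.InstallLocation
                        StartMode   = $null
                        State       = $null
                    }
                }
        }
    }
}

# One row per tool, deduplicated when several keywords match the same thing.
$inventory = Get-ToolInventory -Categories $Categories | Sort-Object Category, Kind, Name -Unique
$inventory | Format-Table Category, Kind, Name, DisplayName, StartMode, State -AutoSize
$inventory | ConvertTo-Json -Depth 3 | Set-Content -Path $ManifestPath
```

Run it once per endpoint class (workstation, server, firewall management host) and compare the manifests; anything that shows up on every machine with access back to your infrastructure is a candidate for the shut-down list.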

Remember: Cyber security is changing. What worked yesterday no longer works today.

Another way to think of it is…

Yesterday you were protecting your house from attackers who showed up, broke a window, grabbed everything you own and ran out the front door. Today they show up in a spaceship and suck all of your belongings out through the roof of your house. If you haven’t improved your security in the last 12 months, I can practically guarantee you are vulnerable.

Users work from coffee shops, they work from home, they connect to free Wi-Fi…

They also have to decrypt data to access it and work, which means they have keys.

Finally, users make bad decisions. I’m sure you can fill in the blanks here.

As a hacker, how would you get into the endpoint? There are a couple of routes you could take.

You could focus on tricking the user, or you could even trick a help desk engineer who has access to all of an MSP’s clients... That would be a ransomware windfall, right?

But how could you get more? What if you broke into something that gave you access to a bunch of MSPs and all of their clients in one shot?

Your opportunity here is to discuss with your prospects and your clients how you have controls in place so that if one of these tools is compromised, you have other layers that help you shut it down.

Yesterday I was asked by one of our partners: can I eliminate all of my other tools if I have ThreatLocker in place? The answer is no. ThreatLocker can be used to shut something down, but we may be in a spot at some point where we need to shut ThreatLocker down, so we have to have a little bit of redundancy.

STEP TWO: Shut them down.

Devise a way where you can shut down any single tool if it were compromised. I know this is easier said than done. We have a complete SecOps training on this very topic for this very reason (it’s too complicated to adequately discuss in one post).

Let’s dig into shutting them down…

What can you do?

Come up with a plan.

Here’s a simple one. One that I wish I had at my MSP during the first attack like this. Remember this? Remember when a number of MSPs were getting hacked through a Kaseya / ConnectWise plugin?

I used to lose sleep over this. And I lost momentum. I had to shut down my RMM until we knew what was going on. First, we shut down our RMM tool.

Then we blocked all traffic to it and started it back up. Next, we evaluated the server for IOCs.

Next, all of our clients were mainly working in offices (this was before 2019), so the next step was giving them access to our system.

Here’s what we did.

One at a time, we brought our clients’ offices back online.

What is your plan to stop tools that are in your environment from working?

Will you use a firewall?

Will your antivirus or your MDM tool stop the attacker from spreading?
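To make the “what is your plan to stop tools from working” question concrete on the endpoint side, here is an added example, not code from the original post or from any product. It is a kill switch with a matching restore path: it records each tool’s service state to a file, stops and disables the services, blocks outbound traffic to the tool’s servers with a local Windows Firewall rule, and can undo all of it. Service names, server names, the rule prefix and the state-file path are placeholders. Because it supports -WhatIf, you can run the “test it” step the post asks for without touching anything.

```powershell
# Added example (not from the original post). Endpoint kill switch and restore for the
# tools on your STEP ONE list. Names below are placeholders; take the real ones from
# your inventory. Run as an administrator.
$Tools = @(
    @{ Name = 'RMM';    Services = @('ExampleRmmAgent');    Servers = @('rmm.example.invalid') }
    @{ Name = 'Backup'; Services = @('ExampleBackupAgent'); Servers = @('backup.example.invalid') }
    @{ Name = 'AV';     Services = @('ExampleAvService');   Servers = @() }
)
$StateFile  = Join-Path $env:ProgramData 'shut-them-down-state.json'   # assumed location
$RulePrefix = 'ShutThemDown-'                                          # assumed rule prefix

function Invoke-ShutThemDown {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('Disable', 'Restore')][string]$Action,
        [Parameter(Mandatory)][array]$Tools
    )
    if ($Action -eq 'Disable') {
        $state = @()
        foreach ($tool in $Tools) {
            foreach ($svcName in $tool.Services) {
                $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
                if (-not $svc) { Write-Warning "$($tool.Name): service $svcName not found"; continue }
                # Save what we are about to change so Restore can put it back exactly.
                $state += @{ Service = $svcName; StartType = [string]$svc.StartType; Status = [string]$svc.Status }
                if ($PSCmdlet.ShouldProcess($svcName, 'Stop and disable service')) {
                    try {
                        Stop-Service -Name $svcName -Force -ErrorAction Stop
                        Set-Service -Name $svcName -StartupType Disabled -ErrorAction Stop
                    } catch {
                        # Tamper-protected agents refuse this. Record it now so the vendor-specific
                        # step the post mentions is planned ahead of time, not discovered mid-incident.
                        Write-Warning "$($tool.Name): could not stop $svcName - $($_.Exception.Message)"
                    }
                }
            }
            foreach ($server in $tool.Servers) {
                # Block by resolved IP; keep the addresses in your runbook as static entries too,
                # since DNS may not be something you trust during the incident.
                $ips = (Resolve-DnsName -Name $server -ErrorAction SilentlyContinue |
                        Where-Object { $_.IPAddress }).IPAddress
                if (-not $ips) { Write-Warning "$($tool.Name): could not resolve $server"; continue }
                if ($PSCmdlet.ShouldProcess($server, 'Block outbound traffic')) {
                    New-NetFirewallRule -DisplayName "$RulePrefix$($tool.Name)-$server" -Direction Outbound `
                        -Action Block -RemoteAddress $ips -Profile Any | Out-Null
                }
            }
        }
        ConvertTo-Json -InputObject $state | Set-Content -Path $StateFile
    }
    else {
        if (-not (Test-Path $StateFile)) { throw "No saved state at $StateFile; nothing to restore" }
        $state = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
        Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        foreach ($entry in $state) {
            if ($PSCmdlet.ShouldProcess($entry.Service, "Restore start type $($entry.StartType)")) {
                Set-Service -Name $entry.Service -StartupType $entry.StartType
                if ($entry.Status -eq 'Running') { Start-Service -Name $entry.Service }
            }
        }
    }
    # Verification: report what is actually running now, not what we intended.
    $names = foreach ($t in $Tools) { $t.Services }
    Get-Service -Name $names -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
}

# Dry run first, then the real thing; Restore reverses it from the saved state.
Invoke-ShutThemDown -Action Disable -Tools $Tools -WhatIf
# Invoke-ShutThemDown -Action Disable -Tools $Tools
# Invoke-ShutThemDown -Action Restore -Tools $Tools
```

The warnings are the useful output of the test run: every service that refuses to stop is a tool for which you need the vendor’s documented procedure before an incident, and every server that fails to resolve is an address that belongs in the runbook as a static entry.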

Now your plan should include steps around communication, so you can give your clients a heads up.

Looking back at the event we dealt with, I should have communicated a little risk to our clients proactively saying:

We will be working offline while we figure this out…so you may have events that we usually monitor for and prevent on your network popping up.

For example, we might miss an alert in the middle of the night for your server being offline.

Next you will want a protocol for deactivating your plan.

This is where you get the all-clear from the vendor, or you are given a patch that you can install; you install the patch and you are ready to turn the tools on again.

The key here is that you do two things:

  1. Make a list of things that should have happened while the RMM (or whatever solution) was offline. Example: patches; make sure they are not queued up.
  2. Make sure you turn everything back on slowly. If you have a big environment and you turn it all on at once, you might trigger events that impact your overall ability to respond to them. Example: if you turn the RMM on everywhere at the same time and all the agents start patching and rebooting servers, you now have 200 clients that are upset at you… you just made a bad situation worse.
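The two points above, the pre-check list and the slow turn-on, can be automated as a staged rollout. The following is an added example, not code from the original post: it brings endpoints back in waves of a fixed size with a pause between waves, skips any machine that already has a reboot pending (so a wave does not become a mass reboot), logs every result, and stops if a wave’s failure rate crosses a threshold. The target names are constructed, and the per-endpoint action (WinRM via Invoke-Command, starting a placeholder agent service) is an assumption about how you reach machines.

```powershell
# Added example (not from the original post). Staged restore of endpoint agents in waves.
# Target names are constructed; the service name and WinRM transport are assumptions.
function Test-PendingReboot {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Well-known reboot-pending markers left by servicing and Windows Update.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
        (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
    }
}

function Invoke-StagedRestore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Targets,
        [Parameter(Mandatory)][scriptblock]$Action,     # receives one computer name
        [int]$WaveSize = 10,
        [int]$PauseSeconds = 600,
        [double]$MaxFailureRate = 0.2,
        [string]$LogPath = (Join-Path $env:ProgramData 'staged-restore.log')   # assumed location
    )
    $results = @()
    for ($i = 0; $i -lt $Targets.Count; $i += $WaveSize) {
        $wave = $Targets[$i..([Math]::Min($i + $WaveSize, $Targets.Count) - 1)]
        $failures = 0
        foreach ($target in $wave) {
            $entry = [ordered]@{ Time = Get-Date -Format o; Target = $target; Result = '' }
            try {
                if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) { throw 'unreachable' }
                if (Test-PendingReboot -ComputerName $target) {
                    # Pre-check from the list above: do not let the agent come back and reboot
                    # this box in the middle of the wave; handle it in a later pass.
                    $entry.Result = 'deferred: reboot pending'
                }
                else {
                    & $Action $target
                    $entry.Result = 'restored'
                }
            }
            catch {
                $failures++
                $entry.Result = "failed: $($_.Exception.Message)"
            }
            $results += [pscustomobject]$entry
            "$($entry.Time) $target $($entry.Result)" | Add-Content -Path $LogPath
        }
        # A wave that mostly fails means something is still wrong; stop rather than widen it.
        if ($wave.Count -gt 0 -and ($failures / $wave.Count) -gt $MaxFailureRate) {
            Write-Warning "Wave starting at index $i exceeded the failure rate; stopping so you can investigate."
            break
        }
        if ($i + $WaveSize -lt $Targets.Count) { Start-Sleep -Seconds $PauseSeconds }
    }
    $results
}

# Constructed target list and a sample action: re-enable and start the placeholder RMM agent.
$targets = 1..25 | ForEach-Object { 'ws{0:D3}.client.example.invalid' -f $_ }
$restoreAgent = {
    param($ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Set-Service -Name 'ExampleRmmAgent' -StartupType Automatic
        Start-Service -Name 'ExampleRmmAgent'
    }
}
Invoke-StagedRestore -Targets $targets -Action $restoreAgent -WaveSize 5 -PauseSeconds 300 |
    Format-Table Time, Target, Result -AutoSize
```

Order the target list so the first wave is a small, low-impact group (your own lab or a tolerant client), and keep the deferred entries from the log as the work list for the next pass once those machines have had their reboot.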

Now that you have a simple plan, you will want to test it. Create and test a policy that shuts down all remote access at the firewall. This means no SSL VPNs, turning off regular VPNs, etc. You may want to keep static entries that allow point-to-point VPNs based on IP addresses.

If your firewalls check in with the firewall vendor or a management server, you will also want to work with your vendor to find out how to turn that off and on.

A couple of things will save your bacon. The first is an up-to-date contact list, so you know how to reach the primary contacts at each of your clients.

This list should include first name, last name, company name, phone number and cell phone number.

You may want to consider having the same person who exports your IT Glue runbooks export this list for you as well.

You might want to also consider an offline ticketing process.

Could you do this on paper? Sure; that is actually what I did when I was running my MSP.

The issue is that this isn’t going to work with everyone working remotely, as we have today.

What does your team say when your system is offline?

Do you want them telling all of your clients that your network is down?

You will certainly want to handle this communication with your team and practice it.

An example: “We are taking the proactive measure of shutting our normal support system down due to a possible security flaw. We want to make sure we are being SUPER cautious.”

YOUR MISSION:

Your mission is to create a script that turns off your RMM agents, your antivirus tools, or any other tool you have on each endpoint that could be turned against you.

Test it and make sure you are prepared to turn it back on.

If you have issues with this, don’t forget we have programmer office hours to help you out.

The takeaway: If you got nothing else from this, I want you to take home that having a shut-down strategy is a HUGE differentiator to communicate to clients AND prospects. Not sure you have a good strategy? Consider a FREE cyber stack evaluation.