RMM (remote monitoring and management) tools are attractive targets for attackers, and news over the past year has highlighted several breaches that began with an RMM tool. CISA is taking a proactive approach to securing a mechanism this widely used, since a single compromise can affect a large number of businesses. That approach centers on two kinds of action: collaboration among industry players, and security education.

Both will help as controls are put in place in each area, but MSPs/MSSPs must still make sure that their own environments and users are protected so that RMM tools cannot be turned against them in a breach. A next-generation security platform such as Seceon's aiXDR already has a number of methods to help stop these attacks and to protect both the provider and its clients in a more proactive way.

Let’s review some of those methods here.


1. An attacker usually gets into the service provider's environment through a connection established by phishing, compromised credentials or a similar method. Each of these produces external connectivity that is new and has different characteristics from what is normally seen. You want network and endpoint detection and response that reacts to this anomalous behavior. A platform such as Seceon aiXDR monitors all connectivity and gathers telemetry from networks, endpoints, infrastructure and identities, adding context from threat intelligence and vulnerability assessments in near real time. It then applies machine learning to recognize the anomalous exchange, opens an incident of compromise and raises an alert based on that context. This approach detects the start of such an attack in real time and, through fully automated AI-driven containment, blocks and shuts it down immediately. The security team can also map the activity to the industry-standard MITRE ATT&CK framework to visualize and validate the detection and containment.


2. Let's go one step further in being proactive and look for ways to prevent the attacker's entry in the first place. One approach is to examine the activities of users and machines. The foundation for this is security awareness training, policies and procedures for AAA (authentication, authorization and accounting), and hygiene tooling such as firewalls, email gateways and authentication systems.

However, many legitimate daily activities look like attacker activities (an administrator pushing an RMM agent to a host looks much like an intruder installing one). These activities have to be known, recognized, altered where possible, and monitored closely. That requires modern tools that not only capture such activities but also map them to attacker behaviors, so that the patterns an attacker could shadow to stay under the radar while executing the attack are identified.

Modern security platforms such as Seceon aiXDR can track all of these activities, use dynamic threat models to map them to attacker patterns, and either respond automatically to anomalous or suspicious behavior by users, machines or networks or notify IT/SOC teams to address it. This not only deters the attacker but catches the attack in its earliest stages. Such a proactive approach is rarely taken today, for lack of tools and awareness.
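As an added illustration of both methods above (this is example code written for this page, not Seceon aiXDR's implementation), the following Python builds a per-host and per-user baseline from a learning window of telemetry, flags first-seen outbound processes, destinations and logons in later events, tags those that match known attacker behaviors with MITRE ATT&CK technique IDs (T1219 Remote Access Software, T1078 Valid Accounts), and chains alerts on one host into an incident. The log format, hostnames, domains and the RMM binary watch-list are all constructed for the example.

```python
"""Added example (not Seceon's code): baseline-then-novelty detection over
endpoint/network telemetry, with a simple ATT&CK mapping and correlation of
related alerts on one host into an incident. The log format, hostnames,
domains and the RMM binary list are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch-list of executables associated with remote-access/RMM
# tooling; a real deployment would maintain this from its own inventory.
RMM_BINARIES = {"screenconnect.client.exe", "anydesk.exe", "teamviewer.exe",
                "atera.agent.exe", "splashtop.exe"}

# Technique IDs used below are real MITRE ATT&CK IDs:
#   T1219 Remote Access Software, T1078 Valid Accounts.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse(line):
    """Parse 'ISO-timestamp key=value ...' into a dict (constructed format)."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


# Constructed learning-window telemetry: normal activity for two users.
BASELINE_LOG = """\
2023-02-01T09:00:00 type=logon host=ws01 user=alice
2023-02-01T09:01:00 type=netconn host=ws01 user=alice proc=outlook.exe dst=mail.example.net port=443
2023-02-01T09:05:00 type=netconn host=ws01 user=alice proc=chrome.exe dst=www.example.com port=443
2023-02-02T09:00:00 type=logon host=ws01 user=alice
2023-02-02T09:02:00 type=netconn host=ws01 user=alice proc=outlook.exe dst=mail.example.net port=443
2023-02-02T09:30:00 type=logon host=ws02 user=bob
2023-02-02T09:31:00 type=netconn host=ws02 user=bob proc=chrome.exe dst=www.example.com port=443
"""
# Constructed detection-window telemetry: a first-seen RMM client beaconing
# out of ws01, followed by a user who has never used ws01 logging on to it.
NEW_LOG = """\
2023-02-06T10:00:00 type=netconn host=ws01 user=alice proc=outlook.exe dst=mail.example.net port=443
2023-02-06T10:04:00 type=netconn host=ws01 user=alice proc=chrome.exe dst=files.example-share.test port=443
2023-02-06T10:06:00 type=netconn host=ws01 user=alice proc=ScreenConnect.Client.exe dst=relay.example-rmm.test port=8041
2023-02-06T10:20:00 type=logon host=ws01 user=bob
2023-02-06T11:00:00 type=netconn host=ws02 user=bob proc=chrome.exe dst=www.example.com port=443
"""
BASELINE_EVENTS = [parse(l) for l in BASELINE_LOG.splitlines()]
NEW_EVENTS = [parse(l) for l in NEW_LOG.splitlines()]


def build_baseline(events):
    """Record, per host, the processes and destinations seen talking out, and
    per user, the hosts they have logged on to."""
    base = {"host_procs": defaultdict(set), "host_dsts": defaultdict(set),
            "user_hosts": defaultdict(set)}
    for e in events:
        if e["type"] == "netconn":
            base["host_procs"][e["host"]].add(e["proc"].lower())
            base["host_dsts"][e["host"]].add(e["dst"])
        elif e["type"] == "logon":
            base["user_hosts"][e["user"]].add(e["host"])
    return base


def _alert(e, severity, technique, reason):
    return {"ts": e["ts"], "host": e["host"], "user": e["user"],
            "severity": severity, "technique": technique, "reason": reason}


def detect(events, base):
    """Score each event against the baseline; return alerts in event order."""
    alerts = []
    for e in events:
        if e["type"] == "netconn":
            proc = e["proc"].lower()
            novel_proc = proc not in base["host_procs"].get(e["host"], set())
            novel_dst = e["dst"] not in base["host_dsts"].get(e["host"], set())
            if novel_proc and proc in RMM_BINARIES:
                alerts.append(_alert(e, "high", "T1219",
                    f"first-seen RMM binary {proc} connecting to {e['dst']}:{e['port']}"))
            elif novel_proc:
                alerts.append(_alert(e, "medium", None, f"first-seen outbound process {proc}"))
            elif novel_dst:
                alerts.append(_alert(e, "low", None, f"first-seen destination {e['dst']} from {proc}"))
        elif e["type"] == "logon":
            if e["host"] not in base["user_hosts"].get(e["user"], set()):
                alerts.append(_alert(e, "medium", "T1078",
                    f"user {e['user']} has no history of logging on to {e['host']}"))
    return alerts


def _incident(host, chain):
    techniques = sorted({a["technique"] for a in chain if a["technique"]})
    severity = max((a["severity"] for a in chain), key=SEVERITY_RANK.get)
    if len(techniques) >= 2:  # several mapped techniques in one chain: escalate
        severity = "critical"
    return {"host": host, "start": chain[0]["ts"], "end": chain[-1]["ts"],
            "techniques": techniques, "severity": severity, "alerts": chain}


def correlate(alerts, window=timedelta(minutes=30)):
    """Chain alerts on the same host that fall within `window` of the previous
    one; a chain carrying two or more techniques (here T1078 then T1219) is the
    attacker pattern the text describes, so it is escalated to critical."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        chain = [items[0]]
        for a in items[1:]:
            if a["ts"] - chain[-1]["ts"] <= window:
                chain.append(a)
            else:
                incidents.append(_incident(host, chain))
                chain = [a]
        incidents.append(_incident(host, chain))
    return incidents


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for inc in correlate(detect(NEW_EVENTS, base)):
        print(f"{inc['severity'].upper()} incident on {inc['host']} "
              f"{inc['start']:%H:%M}-{inc['end']:%H:%M} techniques={inc['techniques']}")
        for a in inc["alerts"]:
            print(f"  {a['ts']:%H:%M} [{a['severity']}] {a['reason']}")
```

Two practical caveats apply to any detector of this shape. The learning window must include the provider's own legitimate RMM agents and the hosts its administrators normally log on to, or the first week of production use is pure alert fatigue; and the 30-minute chaining window is a tunable, not a constant, since a patient attacker will spread the same steps over hours or days.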


If you are an MSP/MSSP concerned about the rise of RMM-based attacks, contact us and we would be happy to share how our existing MSP/MSSP partners are automating detection and response for the threats CISA is highlighting.
