Superhero Stuff: MSP Best Practices for Fighting Evil… or REvil


By Brandon Bischoff, CISSP, Manager of Structured Managed Services —

As an IT managed services provider, I spend a lot of time thinking about crime fighting – but no capes. I’m preoccupied with how to shore up and safeguard what seems like an endless expanse of systems spread among a multiverse of clients.

I think about the things Structured must inevitably manage and mitigate, the superhero comic strip equivalent of Thanos teaming up with Darkseid. I consider:

  • important software patches that also could “break” end-user devices/access,
  • end-of-life servers hosting obscure and ancient business-critical software, and
  • users who create rogue DHCP devices in a network.

It’s a tough gig – and I haven’t even gotten to the stuff that’s really evil. Or REvil, in this case.

REvil is a notorious ransomware-as-a-service organization that is widely believed to operate from Russia and is known for its high-profile and disruptive attacks. In a ransomware attack, the attacker infiltrates systems and installs software that encrypts, and sometimes exfiltrates, data. Once encrypted, the criminals demand a ransom — usually in cryptocurrency such as Bitcoin — to unlock the data. In the event of exfiltration, the criminals demand a ransom to keep the data private.

I took pointed notice of REvil’s recent supply chain ransomware attack against Kaseya’s VSA software – the software that many MSPs use for remote monitoring and management (RMM) of their client networks and endpoints. 

As it happens, Structured does not use Kaseya for this function so we were not impacted by this particular exploit. But that is not to insinuate we are immune from a supply chain attack. On the contrary, it is perhaps the subject that most consumes my thinking. The very last thing Structured wants is to be the vector through which our clients are harmed.

We’ve spent years – and will continue to spend many more – hardening platform security, improving practices and honing skills. This is part and parcel of maintaining our coveted American Institute of CPAs (AICPA) SOC 2 certification.

Most recently, we have modified customer management solutions to be more insulated through specific service accounts (SA). For example, we’ll establish one SA for the customer’s network monitoring tool and another SA for RMM. This is to help minimize the risk of breaches by limiting credential overlap across platforms.

We are also restricting permissions and access to those platforms in a “least-privilege” model. There is a two-pronged approach at work here.  First, we are optimizing how Structured’s monitoring solutions interact inside of a customer’s environment. Second, we are limiting the permissions of individual Managed Services team members as much as possible in those solution platforms.

For instance, some of our tools may require admin-level access. Tightening these tools too much negatively impacts functionality and limits our ability to support clients. However, the Structured Managed Services team uses the least-privilege model, meaning our team members have limited and defined access rights inside of any account. This methodology is applied to all our support solutions and their respective portals.

A final key piece to Structured’s best practices for combating malware — including the kinds of ransomware attacks seen in the Kaseya compromise — is the enterprise-wide, non-negotiable deployment of sophisticated endpoint protection software (anti-virus/anti-malware) combined with regularly scheduled weekly patching, supplemented by out-of-band patching when needed. Yes, this is unglamorous, unsung work, but it is the MSP’s responsibility in a dangerous world.

“Security first” has always been Structured’s mantra, and that is equally true inside the Managed Services team. This villainous incident with REvil crystallizes exactly why we take that approach, and why I will never put away my invisible supersuit.


If you would like to read more about the tactics REvil used to compromise the Kaseya VSA and how that threat is being mitigated, here is a blog with additional links from Huntress: https://www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident

Meanwhile, here is Kaseya’s link to its official updates: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689

Search By Category