There is a lot of excellent advice readily available about how to protect against ransomware attacks. But the unfortunate truth for many organizations is that, much like Alanis Morissette, it is “…the good advice that you just didn’t take.” A lot of ransomware protection advice is aimed at organizations with a large enough security budget and staff to implement the suggested changes.
The inability to implement some of the more advanced protections is going to be a bigger problem in 2022, as ransomware groups are going after smaller targets but still leveling relatively big extortion demands. This is where Managed Security Service Providers (MSSPs) and Managed Detection and Response (MDR) providers can be very helpful.
According to a report from McKinsey & Company, 15% – 20% of “semi-mature” small- and medium-sized businesses rely on MSSPs to secure their organization, while the “mature” segment relies on MSSPs 40% – 50% of the time.
In the same report, McKinsey & Company notes that the MSSP market is projected to be $10 billion in 2022. The general consensus is that the MSSP market is growing, and more small- and medium-sized businesses are expected to rely on MSSPs for security.
MSSPs have been around for several decades. Traditionally, they offer a comprehensive monitoring and alerting solution, collecting logs from a diverse set of security devices and generating automatic alerts when there is a security event.
MDRs, on the other hand, are a recent addition to the security vendor landscape. They tend to take a more proactive approach, often threat hunting for specific threats, and with a strong focus on endpoint monitoring.
Over the last couple of years, the distinction between MSSPs and MDRs has become murkier, as MSSPs have started offering more MDR-like services, while many MDR providers have started adding more MSSP-like services. For the purpose of this blog post, we’ll just use the term MSSP to describe both.
Because MSSPs serve hundreds and even thousands of clients, they benefit greatly from the economies of scale, ingesting and processing billions of log events for signs of intrusion. On top of that, they have seen a lot of different types of ransomware attacks, and incorporate lessons learned from each attack across their entire client base.
Another advantage of MSSPs is that, in most cases, bringing one in is significantly less expensive than hiring security personnel.
Of course, any MSSP can miss attacks, especially if the attack uses a new technique. But even in those cases, having the MSSP on board can make the recovery process a lot faster and run more smoothly.
One reason is that MSSPs often maintain an incident response (IR) team available only to their clients (please verify this with your MSSP). If your organization is hit with a ransomware attack, they can deploy an IR team to assist with your recovery, often more quickly than a third-party IR service. You can usually pick up the phone and call them as soon as you notice the attack, and get advice on how to contain the attack or start the IR process.
In addition, your MSSP will have all the logs necessary to start the investigation process and uncover how the ransomware actor gained initial access, as well as the tools used by the attacker to move around the network. The MSSP has the added benefit of storing all of those logs offsite, so there is less concern about the ransomware actor attempting to overwrite the logs during the attack.
As discussed in my ransomware book, the day after a ransomware attack is often the worst day in an organization’s history, filled with a lot of confusion and even hopelessness. Business owners who have dedicated their lives to building a business feel helpless as they watch everything they built destroyed. Having a strong MSSP partner during this period can literally be the difference between a business surviving and being forced to close.
Working with your MSSP to recover from a ransomware attack requires a great deal of planning prior to the attack. If your MSSP doesn’t have the necessary logs or right accesses, it may make recovery more difficult and will undoubtedly cause unnecessary delays.
To avoid gaps in coverage and increase the likelihood of recovery in the event of a successful ransomware attack, you will need to develop a ransomware incident response plan with your MSSP.
The good news is that your MSSP will know almost everything needed to help your organization recover successfully. Some items your MSSP will likely need to check include:
- Log sources they’re collecting vs. what they still need
- Understanding how your backups are configured (assuming the MSSP doesn’t manage those)
- Understanding the configuration of your Active Directory domain(s)
- Network diagrams, including any segmentation (assuming the MSSP didn’t set it up)
- Asset inventory so the MSSP can be aware of any blind spots they (and you) may have
- Information about systems that the MSSP can’t collect logs from. For example, whether or not you outsource your mail to a third-party provider who doesn’t share log information is important to know.
This is a really good exercise to carry out with your MSSP, because it will help define gaps in coverage and provide an action plan for both you and your MSSP to improve coverage and make a successful ransomware attack less likely.
Once you have worked through this plan, set a timeline for follow-up to make sure that your team and the MSSP are both completing the assigned tasks in a timely manner. Then conduct regular check-ins with your MSSP to ensure that you have everything in place to hopefully prevent, or be able to recover quickly from, a ransomware attack.
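As an added example (not code from the original post), here is a small coverage-gap check for the planning exercise above: it compares a constructed asset inventory against what the MSSP currently collects, flags outsourced systems the MSSP cannot collect from, and turns the result into owner-tagged tasks for the follow-up timeline. The per-asset-type list of expected log sources is an assumption.

```python
# Added example (not from the original post): a coverage-gap check for the
# MSSP planning exercise above. The asset inventory, the MSSP's collection
# list and the per-type expected log sources are all constructed assumptions.
from dataclasses import dataclass

# Assumed: logs an IR team wants per asset type to reconstruct initial
# access and lateral movement after a ransomware attack.
EXPECTED_LOGS = {
    "domain_controller": {"security_eventlog", "dns"},
    "server": {"security_eventlog", "edr"},
    "workstation": {"edr"},
    "backup": {"backup_audit"},
    "mail": {"mail_audit"},
}

@dataclass(frozen=True)
class Asset:
    name: str
    kind: str
    outsourced: bool = False  # hosted by a third party that shares no logs

def coverage_gaps(assets, collected):
    """Return {"gaps": {asset: [missing sources]}, "outsourced": [assets]}.
    `collected` maps asset name -> set of log sources the MSSP ingests."""
    gaps, outsourced = {}, []
    for a in assets:
        if a.outsourced:  # MSSP cannot collect here; must be handled separately
            outsourced.append(a.name)
            continue
        missing = EXPECTED_LOGS.get(a.kind, set()) - collected.get(a.name, set())
        if missing:
            gaps[a.name] = sorted(missing)
    return {"gaps": gaps, "outsourced": sorted(outsourced)}

def action_plan(report):
    """Owner-tagged tasks for the follow-up timeline with the MSSP."""
    tasks = [f"MSSP: onboard {', '.join(m)} from {h}" for h, m in report["gaps"].items()]
    tasks += [f"client: arrange log export/access for outsourced {h}" for h in report["outsourced"]]
    return tasks

# Constructed sample inventory and what the MSSP currently collects.
SAMPLE_ASSETS = [Asset("dc01", "domain_controller"), Asset("fs01", "server"),
                 Asset("bkp01", "backup"), Asset("mail", "mail", outsourced=True)]
SAMPLE_COLLECTED = {"dc01": {"security_eventlog"}, "fs01": {"security_eventlog", "edr"}}

if __name__ == "__main__":
    for task in action_plan(coverage_gaps(SAMPLE_ASSETS, SAMPLE_COLLECTED)):
        print(task)
```

Re-run it after each check-in with the MSSP so the task list shrinks as log sources are onboarded.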
Once the technical side of things has been worked out, work on a well-documented communication plan in the event the worst-case scenario occurs. Most MSSPs are staffed 24×7, but don’t make that assumption—your team also might not be 24×7.
Lines of Communication
Keep in mind that it is just as likely that your MSSP will notice a ransomware attack as someone in your office, so your communication plan should account for both scenarios. The MSSP needs to understand your call tree, and you need to know who to contact, as well as what level of coverage you have in the event of a ransomware attack—in other words, how involved will your MSSP be in the recovery?
Just as you would for internal communication, develop an out-of-band communication plan with your MSSP in the event your normal methods are compromised.
An MSSP can be a great partner for preventing or recovering from a ransomware attack. But like most partnerships, the best response requires a lot of work on your part and the part of the MSSP. Making sure they have the tools they need to help you, and prioritizing a clear path of communication between you and your MSSP will go a long way to a successful recovery in the event of a ransomware attack.