Many people are familiar with the stories of coal miners using canaries to detect carbon monoxide and other toxic gases as a warning system for when they should evacuate. Even though cybersecurity is far removed from coal mining, it has an equivalent “canary in the coal mine” that takes the form of indicators of compromise, or IoC for short.
So why should an MSP be concerned with looking for IoCs? We’ll cover two of the top reasons, including early detection of client churn, but we’re going to start with one of the security reasons because of recent events.
No honor among thieves
Early August 2021 saw a disgruntled affiliate of the Conti Ransomware cybercrime gang release their ransomware playbook and details about their C2 infrastructure, which detailed the use of legitimate remote monitoring and management software and remote desktop software to provide persistence for attackers so they could establish a more permanent foothold in an environment.
Attackers use legitimate IT support software because it will evade most security solutions and AV products. Attackers also never know when their initial entry point might be shut by defenders closing ports or mitigating vulnerabilities in an environment. Once those holes are patched by defenders, attackers will still have access to the environment due to the legitimate software they installed during initial stages of the compromise. In the case of remote monitoring and management software, the attackers will have system access to compromised systems, making further damage to their targets trivial via ransomware or data exfiltration.
Client churn
As an MSP, client retention is a very important part of operating a successful business. Some of the same IoCs that can indicate an attacker has a presence in an environment can also indicate a competitor has been given access to your client’s environment, and you may be looking at an early indicator of churn. MSPs have many tools at their disposal for gathering information about a prospect’s environment prior to contract negotiations, and this may happen without the prospect’s current MSP being informed.
By having the ability to monitor for those common tools MSPs use, such as other RMM solutions, remote desktop tools, and network scanning tools, you have an opportunity to quickly respond to the event. This can help reassure a client at danger of churning of your good security practices, and that you are closely monitoring what happens in their environments. It also gives you an opportunity to save the relationship or better prepare your business for the loss of the client. Knowing months ahead that a client may not renew a contract is better than discovering it at renewal time.
How to monitor for an IoC?
Monitoring for IoCs at scale requires the use of advanced solutions like an SIEM, SOC, or something similar, but there are a lot of baseline IoCs that can be monitored for by using the N-able™ RMM or N-central® solution. For example, 24/7 checks in RMM and service monitors for N-Central can alert you to incorrect Registry Hive permissions, VSS being disabled, or not creating timely snapshots, with many more options available in the Automation Cookbook and the ability to add custom monitoring.
When you start talking about indicators of churn, RMM and N-Central are perfectly suited to the task. They have the ability to alert when applications are added or removed, or to monitor for when certain software is present on a device that can give you an early indication of competitor presence or shadow IT in your clients environments.
Any early warnings you can get about competitor or attacker ingress is invaluable to an MSP—and automating that process is worth the effort.
Lewis Pope is the Head Security Nerd at N-able. You can follow him on:
Twitter: @cybersec_nerd
Linkedin: thesecuritypope
Twitch: cybersec_nerd