What is the Role of an MSSP In a Ransomware Attack?

By Jonathan Nguyen-Duy | September 06, 2022

While ransomware as an extortion attack type is not new, the tactics, techniques and procedures used by threat actors are constantly evolving and more dangerous than ever before. Organizations of all sizes face a myriad of challenges as cloud adoption and expanding networks strain endpoint protection and vulnerability management. However, ransomware risk is also indicative of larger structural issues in asset management, vulnerability management, network segmentation and incident response. Indeed, these issues are symptomatic of traditional security strategies that lack persistent visibility across the LAN, WAN, data center and cloud edges, and those strategies have proven to be inadequate.

The complexity of traditional solutions is at the heart of why so many companies struggle to prevent attacks. These issues are only compounded once a ransomware attack begins, since such an attack typically overwhelms a security team’s ability to contain, let alone mitigate, the threat. The ability of ransomware to quickly exploit vulnerabilities and propagate across networks, causing enterprise-wide disruption, is why it is the number one cybersecurity concern. According to research commissioned by Fortinet, 94% of organizations surveyed worry about a ransomware attack, while 85% say that ransomware is more concerning than other threats.

Looking to supplement their in-house resources, many organizations turn to MSSPs for access to the latest technology, threat intelligence and security expertise. To be successful, MSSPs should consider solutions that provide a broad, integrated and automated approach.

Start With Email

Email remains a primary ransomware delivery method. According to a recent report from FortiGuard Labs, ransomware is not slowing down in 2022. Indeed, given its high success rate, email will likely remain a common starting point for ransomware attacks.

Providing robust email security that analyzes email attachment data for threats helps mitigate risk. Customers need and want solutions that go beyond spam and malware detection.

MSSPs can differentiate themselves in the market by providing a secure email gateway solution with multilayered protection. Some advanced email protection capabilities include:

  • Content disarm and reconstruction: scanning attachments, removing malicious content, rebuilding with safe content
  • URL click protection: creating filters for URLs that can be checked, rewritten, or blocked
  • Real-time and scheduled mailbox scanning: applying security profiles and actions based on source, sender, and recipient information
  • Cloud sandboxing: inspecting runtime behavior for malicious code
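The following is an added example, not code from the original article or from Fortinet, showing two of the gateway controls listed above in working form: URL click protection (every link is rewritten through a signed redirector so the target can be checked at click time, and links whose visible text names a different host than the real target are flagged) and an attachment policy that blocks executable types, routes office and PDF documents to content disarm and reconstruction, and sends everything else to a sandbox. The redirector URL, the signing key and the sample message are all constructed for the demo.

```python
"""Added example (not Fortinet code): URL click-protection rewriting and an
attachment block / CDR / sandbox policy. Redirector host, signing key and the
sample message are hypothetical."""
import base64
import hashlib
import hmac
import os
import re
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

REDIRECTOR = "https://clickguard.example.net/r"  # hypothetical click-check endpoint
SIGNING_KEY = b"replace-with-a-real-secret"      # hypothetical gateway secret

# Extensions a gateway refuses outright, or strips and rebuilds (CDR);
# everything else goes to the sandbox for runtime inspection.
BLOCK_EXT = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".bat"}
CDR_EXT = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm", ".pdf", ".rtf"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ANCHOR_RE = re.compile(r'<a\s[^>]*?href="(https?://[^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def rewrite_url(url: str) -> str:
    """Wrap a URL so each click is checked by the redirector at click time.
    The HMAC lets the redirector reject links the gateway never issued."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    sig = hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()
    return f"{REDIRECTOR}?u={token}&s={sig}"


def verify_click(wrapped: str):
    """Redirector side: check the signature and recover the original URL.
    Returns None for a tampered or foreign link."""
    q = parse_qs(urlparse(wrapped).query)
    token, sig = q.get("u", [""])[0], q.get("s", [""])[0]
    expected = hmac.new(SIGNING_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


def rewrite_html(html: str):
    """Rewrite every href; flag links whose visible text names a different host
    than the real target (a common phishing trick)."""
    findings = []

    def repl(m):
        href, text = m.group(1), m.group(2)
        shown = URL_RE.search(text)
        if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
            findings.append(f"link text {shown.group(0)} hides target {href}")
        return m.group(0).replace(href, rewrite_url(href), 1)

    return ANCHOR_RE.sub(repl, html), findings


def classify_attachments(msg: EmailMessage) -> dict:
    """Decide per attachment: block, CDR (strip active content and rebuild), or sandbox."""
    actions = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        ext = os.path.splitext(name.lower())[1]  # "invoice.pdf.exe" -> ".exe"
        actions[name] = "block" if ext in BLOCK_EXT else "cdr" if ext in CDR_EXT else "sandbox"
    return actions


def process_message(msg: EmailMessage) -> dict:
    html_part = msg.get_body(preferencelist=("html",))
    text_part = msg.get_body(preferencelist=("plain",))
    html, findings = rewrite_html(html_part.get_content() if html_part else "")
    text = URL_RE.sub(lambda m: rewrite_url(m.group(0)),
                      text_part.get_content() if text_part else "")
    return {"html": html, "text": text, "findings": findings,
            "attachments": classify_attachments(msg)}


def constructed_sample() -> EmailMessage:
    """Constructed phishing message: mismatched link text and a double-extension
    executable attachment. Addresses and content are made up."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please verify at https://login.example-bank.com/verify")
    msg.add_alternative(
        '<p>Open <a href="http://198.51.100.7/x">https://login.example-bank.com</a></p>',
        subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg
```

Running `process_message(constructed_sample())` returns the rewritten bodies, one finding (the link text claims a bank host while the href points at a bare IP), and `{"invoice.pdf.exe": "block"}`. Note the signed token: a redirector that accepts unsigned `u=` parameters becomes an open redirect that attackers can reuse against the customer’s own users.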

Monitor the Endpoints

Cybercriminals target email because it is the easiest way onto a user’s device. From malicious downloads to links that deliver malware, email-borne attacks have been consistently successful because they exploit both device vulnerabilities and human error. In some cases, the phishing email is the first step that attackers use to gain unauthorized access to web applications. By delivering malware to a user’s device, attackers can use it for the next step in an attack. For example, the malware may exploit a web browser or software vulnerability that leads to unauthorized web application access or to spreading the ransomware across the network.

With advanced endpoint detection and response (EDR), MSSPs can provide risk mitigation at this point in the attack as well. Not only does EDR mitigate ransomware risk, but it makes incident response faster, reducing a successful ransomware attack’s impact. Like other cybersecurity tools, finding the right EDR is essential. When you’re looking to add this to your offerings, you want to make sure that you provide customers with:

  • Ability to discover and control rogue devices
  • Real-time detection and defusion capabilities
  • Incident response automation
  • Elimination of dwell time
  • High fidelity alerts
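The following is an added example, not code from the original article or any Fortinet product, showing how EDR-style behavioral detection and automated containment fit together. It runs over a constructed endpoint event stream and looks for three ransomware behaviors: recovery-inhibition commands (shadow copy deletion), bursts of extension-changing renames, and bursts of high-entropy file writes. A single behavior produces a medium alert for triage; two independent behaviors from the same process produce a high-confidence alert and immediate containment, which is the source of both high fidelity and short dwell time. Hosts, process names, paths and the event schema are assumptions for the demo.

```python
"""Added example (not Fortinet code): EDR-style ransomware detection with
automated containment over constructed telemetry."""
import hashlib
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:                 # hypothetical endpoint telemetry record
    ts: float                # seconds
    host: str
    pid: int
    image: str
    kind: str                # "process" | "rename" | "write"
    path: str = ""
    new_path: str = ""
    data: bytes = b""
    cmdline: str = ""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits close to 8.0."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareDetector:
    WINDOW = 10.0            # seconds for the rate-based signals
    RENAME_THRESHOLD = 20    # extension-changing renames per window
    WRITE_THRESHOLD = 20     # high-entropy writes per window
    ENTROPY_MIN = 7.5
    # Recovery-inhibition commands: every token of a tuple must appear in the cmdline
    RECOVERY_TAMPER = (("vssadmin", "delete", "shadows"),
                       ("wmic", "shadowcopy", "delete"),
                       ("bcdedit", "recoveryenabled", "no"))

    def __init__(self):
        self.renames = defaultdict(deque)   # (host, pid) -> timestamps in window
        self.writes = defaultdict(deque)
        self.signals = defaultdict(set)     # (host, pid) -> distinct behaviors seen
        self.alerts = []
        self.contained = set()              # (host, pid) killed and host isolated

    def _rate(self, table, key, ts, threshold):
        q = table[key]
        q.append(ts)
        while q and ts - q[0] > self.WINDOW:
            q.popleft()
        return len(q) >= threshold

    def feed(self, ev: Event):
        key = (ev.host, ev.pid)
        if key in self.contained:
            return None                     # process already killed; nothing to do
        signal = None
        if ev.kind == "process":
            toks = [t.rsplit("\\", 1)[-1].rsplit(".exe", 1)[0] for t in ev.cmdline.lower().split()]
            if any(all(t in toks for t in pat) for pat in self.RECOVERY_TAMPER):
                signal = "recovery_tamper"
        elif ev.kind == "rename":
            if os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1]:
                if self._rate(self.renames, key, ev.ts, self.RENAME_THRESHOLD):
                    signal = "mass_rename"
        elif ev.kind == "write":
            if len(ev.data) >= 256 and shannon_entropy(ev.data) >= self.ENTROPY_MIN:
                if self._rate(self.writes, key, ev.ts, self.WRITE_THRESHOLD):
                    signal = "high_entropy_writes"
        if signal is None or signal in self.signals[key]:
            return None
        self.signals[key].add(signal)
        # One behavior alone is a triage alert; two independent behaviors from the
        # same process is high confidence and triggers containment right away.
        severity = "high" if len(self.signals[key]) >= 2 else "medium"
        alert = {"host": ev.host, "pid": ev.pid, "image": ev.image, "ts": ev.ts,
                 "severity": severity, "signals": sorted(self.signals[key])}
        self.alerts.append(alert)
        if severity == "high":
            self.contained.add(key)         # stand-in for kill process + isolate host
        return alert


def constructed_events():
    """Made-up telemetry: a benign backup job that only renames files, and an
    encryptor that deletes shadow copies, then writes ciphertext and renames."""
    junk = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2048 B
    evs = [Event(10 + i * 0.1, "ws01", 7001, "backup.exe", "rename",
                 path=f"C:\\data\\f{i}.tmp", new_path=f"C:\\data\\f{i}.bak") for i in range(30)]
    evs.append(Event(50.0, "ws01", 4242, "updater.exe", "process",
                     cmdline="vssadmin.exe Delete Shadows /All /Quiet"))
    for i in range(30):
        t = 51 + i * 0.05
        evs.append(Event(t, "ws01", 4242, "updater.exe", "write",
                         path=f"C:\\Users\\a\\doc{i}.docx", data=junk))
        evs.append(Event(t, "ws01", 4242, "updater.exe", "rename",
                         path=f"C:\\Users\\a\\doc{i}.docx", new_path=f"C:\\Users\\a\\doc{i}.docx.locked"))
    return evs


def run(events):
    det = RansomwareDetector()
    for ev in sorted(events, key=lambda e: e.ts):
        det.feed(ev)
    return det
```

In the constructed stream the backup job trips only the rename signal and stays at medium severity, while the encryptor is contained the moment its second behavior appears, before most of the files are touched. Thresholds and the entropy floor are tuning knobs; in production they would be set per customer from baseline telemetry.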

Implement Zero Trust Network Access (ZTNA)

Digital transformation makes zero-trust architectural designs critical. Beyond protecting devices and ensuring they meet security configuration requirements, organizations need to authenticate users and continuously assess risk for all sessions. Organizations can no longer assume that their users are who they say they are. Modern ransomware attacks include unauthorized access and data exfiltration. With MFA, employees must answer additional challenges to verify their identity before accessing networks and applications.

This is another area where MSSPs can provide a valuable service to mitigate ransomware risk and attack damage. MSSPs can enable customers to implement zero-trust network access (ZTNA) by enforcing MFA at the application level, not just when accessing the network. By providing zero-trust policies both on and off the network plus automatic encrypted tunnels to hide applications from the internet, MSSPs offer robust zero-trust architecture capabilities to meet customers’ on-premises, hybrid, and cloud security needs.
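The following is an added example, not code from the original article or from Fortinet, showing the per-application decision a ZTNA broker makes as described above: entitlement and device posture are checked against each application’s own policy, MFA freshness is enforced per application rather than once at the network edge, and the decision is re-run on every request so that a posture change mid-session revokes access instead of waiting for the next login. The application names, group names, posture fields and thresholds are assumptions for the demo.

```python
"""Added example (not Fortinet code): per-application ZTNA policy evaluation
with continuous re-assessment. Apps, groups and posture fields are hypothetical."""
from dataclasses import dataclass, field

# Hypothetical per-application policy: who may reach it, how fresh the MFA
# must be (seconds), and what the device must look like.
APP_POLICY = {
    "hr-portal":   {"groups": {"hr", "it"}, "mfa_max_age": 8 * 3600,
                    "posture": {"edr_running": True, "disk_encrypted": True}},
    "finance-erp": {"groups": {"finance"}, "mfa_max_age": 15 * 60,
                    "posture": {"edr_running": True, "disk_encrypted": True, "managed": True}},
}


@dataclass
class Session:
    user: str
    groups: set
    device_posture: dict
    mfa_at: float            # time of the last successful MFA challenge
    risk_score: int = 0      # 0-100, fed by the broker's risk engine


@dataclass
class Decision:
    action: str              # "allow" | "deny" | "step_up"
    reasons: list = field(default_factory=list)


def evaluate(session: Session, app: str, now: float) -> Decision:
    """Application-level decision; applications not in policy are denied by default."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return Decision("deny", ["unknown application: default deny"])
    reasons = []
    if not session.groups & policy["groups"]:
        reasons.append("user not entitled to application")
    for key, want in policy["posture"].items():
        if session.device_posture.get(key) != want:
            reasons.append(f"posture check failed: {key}")
    if session.risk_score >= 80:
        reasons.append("session risk score too high")
    if reasons:
        return Decision("deny", reasons)
    if now - session.mfa_at > policy["mfa_max_age"]:
        return Decision("step_up", ["MFA older than this application allows"])
    return Decision("allow")


class Broker:
    """Re-runs evaluate() on every request, so posture or risk changes take
    effect immediately rather than at the next login."""

    def __init__(self):
        self.sessions = {}
        self.log = []

    def login(self, sid: str, session: Session):
        self.sessions[sid] = session

    def update_posture(self, sid: str, **posture):
        self.sessions[sid].device_posture.update(posture)

    def request(self, sid: str, app: str, now: float) -> Decision:
        s = self.sessions.get(sid)
        d = evaluate(s, app, now) if s else Decision("deny", ["no session"])
        self.log.append((now, sid, app, d.action))
        return d


def constructed_scenario():
    """One user, one device, four requests: the same network session gets
    different answers per application and over time."""
    b = Broker()
    b.login("s1", Session("alice", {"finance"},
                          {"edr_running": True, "disk_encrypted": True, "managed": True},
                          mfa_at=1000.0))
    d1 = b.request("s1", "finance-erp", now=1100.0)          # entitled, fresh MFA
    d2 = b.request("s1", "hr-portal", now=1100.0)            # same session, not entitled
    d3 = b.request("s1", "finance-erp", now=1000.0 + 16 * 60)  # MFA older than 15 min
    b.update_posture("s1", edr_running=False)                # EDR stopped mid-session
    d4 = b.request("s1", "finance-erp", now=1100.0)          # posture now fails
    return d1, d2, d3, d4
```

The four decisions are allow, deny, step-up and deny: the network session is the same throughout, but each application applies its own entitlement, MFA age and posture requirements, and the broker notices the posture change without a new login.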

Protect the Web Applications

Threat actors also exploit website and web application vulnerabilities to deliver ransomware. With many customers permanently adopting remote and hybrid work models, the increased use of Software-as-a-Service (SaaS) applications means that a robust web application firewall (WAF) is a table-stakes offering that can still stand out in a crowded market.

As part of an MSSP’s WAF, customers will want something that:

  • Blocks known and unknown threats
  • Regularly updates signatures
  • Protects against OWASP Top-10 threats
  • Protects APIs while supporting mobile
  • Mitigates malicious bot activity

Segment the Networks

Mitigating ransomware and data exfiltration risk goes beyond keeping cybercriminals out. It means hindering their lateral movement, preventing them from traveling across and between networks. To mitigate this risk, organizations need to segment their networks. Logical segmentation using firewalls separates sensitive data from general information, mitigating the data exfiltration that can occur during a ransomware attack.

However, many organizations have hybrid networks, so they need a strategy that enables them to support users on-premises as well as remote employees. Deploying a solution that works primarily for cloud doesn’t give them the solution they need.

When MSSPs offer next-generation firewalls (NGFW), they enable customers to create a unified security strategy with end-to-end visibility. Offering a solution designed to operate at any edge, in any form factor, meets customers’ diverse business needs. In order to distinguish themselves, MSSPs need to offer an NGFW with:

  • SSL/TLS inspection to stop ransomware and command-and-control traffic
  • Automated threat protection
  • Consolidated and concurrently running IPS, web, and video filtering
  • DNS security services
  • Dynamic trust and port-level segmentation

A Platform Approach for Visibility

Even with the best technologies, incidents are inevitable. The changes in ransomware attack methodologies incorporate new stages and attack vectors. Monitoring email, devices, networks, applications, and firewalls independently becomes overwhelming and increases human error risk. MSSPs need to integrate all security monitoring into a single platform to build customer trust, generate business, and reduce overhead.

MSSPs should adopt a cybersecurity mesh platform so that they have visibility into all entry points and attack stages. That platform approach lets them detect and protect against threats more easily, and its advanced automation minimizes a ransomware attack’s impact.

Current partners can visit the Partner Portal to find important updates from Fortinet and our partner program.