As MSPs expand their portfolio of offerings, some are enhancing their cybersecurity capabilities with an interesting addition to their staff: ethical hackers.
These offensive hackers — sometimes called white-hat or red-team hackers — differ from the penetration testers already working for MSPs in several ways, including how they identify vulnerabilities, the tools and strategies they use to find threats, and what falls within their purview as a threat.
Here are some reasons why an MSP should consider adding offensive hacking capabilities to their existing staff.
Ethical Hacker Scope of Capabilities
Penetration testing is often a passive process that finds security vulnerabilities in applications and systems or performs simulated cyberattacks on a company’s computer systems and networks.
Ethical hacking is more aggressive, actively challenging network security. An ethical hacker could even impersonate an enterprise’s business partner to determine if a company has a physical security vulnerability or supply-chain risk — something well beyond the standard remit of a pen tester.
“The value proposition of an MSP is aggregation, concentration, and correlation, and that makes them an attractive target,” said Shay Colson, managing partner of cyber diligence at Intentional Cybersecurity, formerly Coastal Cyber Risk Advisors. “The big piece is to have someone at the table when the MSP is making decisions from products and services to architecture and operations. That gives another perspective from either the threat actor, the hacker, or even just a general security perspective.”
Offensive Attack Mindset
MSPs with offensive cybersecurity capabilities can offer far more expertise than an MSP with classically trained security engineers, said Gregory Hatcher, co-founder of White Knight Labs.
An engineer’s abilities and toolset paired with a red-team mindset provide proficiencies beyond those of most MSP staffers.
Offensive security training is invaluable for testing the on-site security controls of an MSP’s customers — and the MSP itself. The exercise could include social engineering of the client to test their computing resources, staff training, and physical security.
In-house vs. Third-party Expertise
Having an offensive-focused engineer in the MSP’s Rolodex can be useful, according to Peter Hefley, associate director of attack and penetration at consulting firm Protiviti. This is especially helpful if an MSP’s cyber insurance policy requires third parties for forensics and other investigative tasks after a breach.
But there’s still value in having both forensics and red-team engineers on staff. An offensively trained engineer may be part of an MSP’s own incident-response team, but they will likely perform other tasks as well, such as defending the MSP against third-party threats and running red-team adversary simulations.
SMBs — often law firms, CPAs, financial services organizations, healthcare providers, and other high-value targets — opt for MSPs because they rarely have their own cybersecurity staff. An MSP with offensive abilities provides added value by identifying privacy and security threats that pen testing cannot detect, Hefley said.
The Cyber Insurance Element
An ethical hacker provides an MSP with the expertise to ensure its own network is secure enough for the MSP to qualify for cyber insurance. Many cyber insurance underwriters hold service providers that manage potentially hundreds of client accounts to higher standards, since they present a greater risk to the insurer than a single company does.
IT service providers could also use the ethical hacker’s skills to stress-test clients’ networks and help them meet underwriter requirements for a new insurance policy or a renewal, expanding the MSP’s service offerings and revenue.
It’s the Little Things that Count
Patrick Shaw, senior assessment manager at Dox Electronics, said it’s critical to maintain and update privileged accounts, particularly service accounts.
Too often, these are ignored, even though some likely have passwords five years old or older, he noted. Compromised service accounts, like other seldom-monitored accounts, can lead to a breach that MSP security engineers often aren’t trained to identify.
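The point above is easy to operationalize: export the privileged and service accounts from whatever directory or identity provider the MSP manages, and flag the ones whose password age or inactivity exceeds a threshold. The script below is an added example written for this article; it is not code from the author, Dox Electronics, or any of the people quoted. The CSV column names (`account`, `kind`, `privileged`, `enabled`, `pwd_last_set`, `last_logon`) are assumptions standing in for a real directory export, and the six account rows are constructed sample data, with one service account carrying a password set roughly eight years earlier.

```python
"""Stale privileged/service-account audit over a constructed account export.

Added example for this article, not the author's or any vendor's tooling.
The CSV layout is an assumption that stands in for an AD or IdP export;
ISO-8601 dates, empty pwd_last_set means the password was never set.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample export (assumed column names, not a real directory schema).
SAMPLE_EXPORT = """\
account,kind,privileged,enabled,pwd_last_set,last_logon
svc_backup,service,yes,yes,2016-03-01,2024-05-30
svc_sql,service,yes,yes,2023-11-12,2024-05-31
jdoe,user,no,yes,2024-01-15,2024-05-31
svc_legacy,service,yes,no,2015-07-20,2019-02-01
admin_ops,user,yes,yes,2024-04-02,2022-09-09
svc_monitor,service,no,yes,,2024-05-29
"""

# Fixed audit date so the results are reproducible; a real run would use date.today().
AUDIT_DATE = date(2024, 6, 1)


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str            # stale_password, password_never_set, dormant_privileged, disabled_privileged
    days: Optional[int]   # password age or idle time in days, where that applies


def _parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def audit_accounts(csv_text: str, today: date,
                   max_pwd_age_days: int = 365,
                   max_idle_days: int = 180) -> List[Finding]:
    """Return one Finding per hygiene problem found in the export."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["account"]
        privileged = row["privileged"] == "yes"
        enabled = row["enabled"] == "yes"
        pwd_last_set = _parse_date(row["pwd_last_set"])
        last_logon = _parse_date(row["last_logon"])

        # Disabled privileged accounts are clutter that can be re-enabled; queue them for removal.
        if not enabled:
            if privileged:
                findings.append(Finding(name, "disabled_privileged", None))
            continue

        # Password hygiene: never set, or older than the allowed rotation window.
        if pwd_last_set is None:
            findings.append(Finding(name, "password_never_set", None))
        else:
            age = (today - pwd_last_set).days
            if age > max_pwd_age_days:
                findings.append(Finding(name, "stale_password", age))

        # Privileged accounts nobody uses are the "seldom-monitored" ones; flag inactivity.
        if privileged:
            idle = (today - last_logon).days if last_logon else None
            if idle is None or idle > max_idle_days:
                findings.append(Finding(name, "dormant_privileged", idle))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_EXPORT, AUDIT_DATE):
        print(f"{f.account:<12} {f.issue:<20} {'' if f.days is None else f.days}")
```

Running it against the sample flags `svc_backup` (password unchanged for over 3,000 days), `svc_monitor` (password never set), `admin_ops` (privileged but idle for more than 180 days) and `svc_legacy` (disabled privileged account to retire), while the recently rotated `svc_sql` and the ordinary user pass. Feeding the audit a scheduled export and ticketing each finding is the kind of low-cost control the quote above is asking for.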
Editor’s Note: If your MSP wants to monetize ethical hacking services, check out Certified Ethical Hacker Tyler Wrightson’s step-by-step guide on this topic.