How MSPs Can Stop Attackers From Building a Map of Their Networks

April 19, 2019

A recent article in TechTarget described how during a red-team exercise a simulated attacker was able to take control of an MSP’s RMM (Remote Management and Monitoring) tool, thus gaining privileged access to ALL the MSP’s customers.  This MSP was described as large with over “$60M in revenue and 100 employees”

One of the key aspects of the attack was the use of network mapper (Nmap) to find a way to move through the MSP network from the attacker’s machine to the RMM.  When an attacker enters a network, they likely don’t know anything about the devices on it, so they use tools like Nmap to learn the lay of the land and plan out their attack.  Left undetected, a motivated attacker will make their way to the target. They don’t exactly know where they are going, so they are going to bump into things. They are not going to take the most direct route.


Building Network Baselines is Key

Building a baseline of normal activity on your network is the biggest advantage that you have against a motivated attacker who has breached the firewall.  In the scenario described in the article, it seems pretty unlikely that it was common for that machine on the VPN to aggressively scan the network. That activity was undoubtedly anomalous and if that MSP had built effective network baselines it would have been detected.  

The NIST CyberSecurity Framework actual defines some of these controls in the Detect function – Anomalous Events subfunction

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed

DE.AE-2: Detected events are analyzed to understand attack targets and methods


As the article also points out, MSPs have been under attack for some time.  Just this week, Wipro, a very large MSP based in India, was hacked and at least 11 of its customers were also compromised. (MSSP Alert)  In October 2018, the US Department of Homeland Security issued an alert.  

The top operational recommendation was:

Create a baseline for system and network behavior. The system, network, and account behavior should be baselined to make it easier to track anomalies within the collected logs. Without this baseline, network administrators will not be able to identify the “normal” behaviors for systems, network traffic, and accounts.

So if DHS issues an alert, and NIST CSF says that this is a control that you should have in place, why don’t more MSPs have this type of control in place?


CyGlass Spots Probing and Reconnaissance

At CyGlass, we think the reason is that most MSPs don’t deploy a Network Traffic Analytics (NTA) solution because they think that it’s too hard to deploy (needs an appliance), too expensive to purchase, or it’s going to generate too many false positives and make the solution ineffective.

CyGlass Network Defense as a Service (NDaaS) has been build for SMBs and the MSP/MSSPs that service them.  Specifically, CyGlass can detect the types of Nmap scans that are described in the article.

CyGlass’ NDaaS has a SmartAlert called “Probing and Reconnaissance”.  This alert is triggered when there are suspicious scanning behaviors. There are two types of behaviors – Horizontal Port Scan Behavior and Vertical Port Scan Behavior.  

A Vertical Port Scan runs up and down the port range of a single machine in an attempt to see which ports on a given machine are open, and therefore exploitable.  They might use a command like:

sudo nmap -sS -Pn -A


Here’s what a Vertical Port Scan looks like in CyGlass:




A Horizontal Scanning Behavior is when an attacker is attempting to connect to a number of machines on the same port.  For example, the attacker has stolen an SSH key and they are looking for open SSH ports (port 22) on the network. They might use a command like:

nmap -p 22 –open -sV


Here’s what a Horizontal Port Scan looks like in CyGlass:




CyGlass NDaaS is an affordable effective option for MSPs to add this much-needed protection to their networks.  The MSP in the story was very large and well funded and could likely survive this type of breach. Smaller MSPs may not be so lucky.  CyGlass can help.


We’re offering free no-obligation 30-day trials: Here.

Back To Blog
Why CyGlass Product Resources