Kaseya/Revilware Attack: How Abacus prevents these types of cybersecurity incidents

Jul 7, 2021

By Paul Ponzeka, Chief Information Security Officer/Chief Technology Officer at Abacus Group

This past weekend’s cyber-attack on the software company Kaseya was significant, and one of the largest in history. Not only did the attack compromise Kaseya, but subsequently Kaseya’s customers as well. Because Kaseya is a vendor popular in the MSP space, there was an even further trickle-down effect, with this cyber event potentially affecting thousands of customers worldwide. Referred to as the Kaseya/Revilware attack, this is yet another example of how cyber-criminals are escalating attacks across the entire landscape.

At Abacus, we were fortunate in that we do not use Kaseya and that none of our clients were affected by this attack. However, with the increasing number of cyber-attacks, I would like to take the time to walk through the safeguards we have in place to protect our clients in the event of a ransomware/cybersecurity incident. Further, I would like to outline the processes and mechanisms we have available to recover from such a significant cyber-attack.

Actions we took to ensure Abacus and our clients were not affected:

Even though we do not use Kaseya, we do have an Incident Response Plan that we enact in situations like this to ensure there is no exposure. Our first action was to block all known malicious IP addresses recorded in the attack. For clients leveraging our abacusFlex platform, we also proactively blocked any Kaseya-based application traffic centrally. Further, we added the signatures of the known malicious agents to our anti-virus platform to ensure they are blocked across our entire platform. We then scanned all machines across our entire client base to identify whether a Kaseya agent had been installed on any machine, and immediately disabled any that we found.

While Abacus does not use Kaseya, there are third-party application vendors in the alternative investment space who do leverage it. We were in constant communication with our third-party SIEM provider to ensure they were proactively scanning our managed networks for any Indicators of Compromise (IOCs) of the attack. All of these were proactive and preventative measures, and they should show how serious this attack was and how we responded to it.

Ways that Abacus helps to prevent an incident like this:

Moving beyond the Kaseya/Revilware attack, I would like to outline how we are prepared for a cyber-attack against our platform. At Abacus, our security credo is multilayered security, or “defense-in-depth.” Our approach is to expect to be attacked and to minimize any damage through multiple layers of protection. Our core platform utilizes various tools similar to Kaseya, which is a Remote Monitoring and Management (RMM) platform. It is one of the ways that we provide day-to-day IT support to our clients. All access to these various tools is performed from a dedicated and secure network. This specific network can only be accessed from an Abacus corporate network, which requires technicians to perform Multi-Factor Authentication (MFA) and requires a separate set of credentials from a technician’s normal Abacus credentials.

From there, our remote management tools do not allow administrative access from any location except the dedicated secure network. This means that we do not publish remote management consoles to the internet. For tools that are only accessible over the internet (e.g. Office 365 admin portals), we leverage resources such as Microsoft Azure Conditional Access policies to again restrict Abacus admin access so that it can only come from the secure network, using the same credentials and MFA requirements listed above. All admin consoles and clients utilize TLS 1.2 or higher, even though all traffic for remote management is done internally. Within our internal support teams, only a restricted set of staff can administer our internal tools. Least-privilege access dictates that the majority of our technicians do not need access to sensitive systems such as RMM to do their jobs. We follow these principles at Abacus.

Next, we leverage reverse proxies to protect any internet-facing resources. For example, even though our admin interfaces are blocked from the internet, some services require agents that can talk to our infrastructure over the internet. For those services, the reverse proxies help to harden their exposure on the internet and enforce requirements such as TLS version 1.2 and hardened encryption ciphers. They also give us greater control over which portions of a server are restricted from the internet.

The majority of our clients leverage our abacusFlexConnect managed firewall/VPN service, which filters their traffic through our datacenters before it passes on to the internet. For any of these clients, we are able to detect malicious traffic across the entirety of our client base and put centralized rules into play to protect them. For example, during this event, we were able to quickly block any traffic between any Abacus client leveraging abacusFlexConnect and these malicious IPs.

Next, Abacus leverages a next-generation Endpoint Detection and Response (EDR) platform that allows us to monitor and centrally protect our clients against known vulnerabilities, and that uses heuristic scanning to help prevent the exploitation of zero-day vulnerabilities on endpoints and servers. For example, all clients utilizing Abacus-managed EDR had blocks in place for the malicious software by Friday afternoon as part of our continuous platform hardening during the event.

Finally, all of these tool sets feed into our SIEM provider, which is constantly monitoring for malicious behavior. This service is our “Eye in the Sky.” It gives us not only insight into malicious traffic, but the ability to react quickly, confirm the behavior and spread of an attack, and remediate the affected asset. It is critical that our SIEM receives data from the various systems: firewalls, EDR, Active Directory, network devices and edge devices. This is one of the reasons that at Abacus we sell a platform, or suite of services intertwined together, instead of à la carte. It gives us the ability to analyze and correlate patterns across such large-scale activity on our platform. Not only does this help prevent an attack, but it also helps us isolate an issue before it spreads.
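As an added illustration (not Abacus code, and not tied to any real SIEM product) of the cross-source correlation this section describes and of the response steps above (blocking known IPs and finding installed agents), the following Python groups constructed firewall, EDR and Active Directory events per host and only escalates to isolation when more than one source agrees. The block list, the log line format and the agent image name `rmm_agent.exe` are all assumptions; the addresses are documentation-range placeholders, not the attack's real indicators.

```python
from collections import defaultdict

# Constructed block list: documentation-range addresses stand in for the real
# indicators, which this post does not list.
BLOCKED_IPS = {"203.0.113.10", "198.51.100.77"}

# Constructed sample events from three sources the post names (firewall, EDR,
# Active Directory); the key=value line format is hypothetical.
SAMPLE_EVENTS = """\
2021-07-02T16:02:11Z src=firewall host=ws-trader-07 dst=203.0.113.10 action=allow
2021-07-02T16:02:14Z src=edr host=ws-trader-07 event=process_start image=rmm_agent.exe
2021-07-02T16:03:40Z src=ad host=ws-trader-07 event=logon user=svc_rmm logon_type=network
2021-07-02T16:05:02Z src=firewall host=ws-research-03 dst=198.51.100.77 action=deny
2021-07-02T16:07:19Z src=edr host=ws-research-03 event=process_start image=notepad.exe
2021-07-02T16:09:55Z src=firewall host=ws-ops-11 dst=192.0.2.5 action=allow
"""

def parse(line):
    """Split one event line into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec

def correlate(text, blocked_ips, agent_image="rmm_agent.exe"):
    """Group events per host and pick a response from combined evidence:
    a lone firewall hit or a lone EDR sighting is not enough to isolate."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse(line)
            by_host[rec["host"]].append(rec)
    verdicts = {}
    for host, recs in by_host.items():
        fw = [r for r in recs if r.get("src") == "firewall" and r.get("dst") in blocked_ips]
        contacted = any(r.get("action") == "allow" for r in fw)   # traffic got through
        denied = any(r.get("action") == "deny" for r in fw)       # central rule held
        agent = any(r.get("src") == "edr" and r.get("image") == agent_image for r in recs)
        if contacted and agent:
            verdicts[host] = "isolate"      # reached the indicator and runs the agent
        elif contacted or agent:
            verdicts[host] = "investigate"  # one source only; confirm before acting
        elif denied:
            verdicts[host] = "blocked"      # nothing reached the indicator; follow up
    return verdicts
```

Hosts with no evidence from any source (ws-ops-11 in the sample) are left out of the verdicts entirely.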

What can we do to help with recovery in the event your firm suffers a cyber-attack?

Undoubtedly, we have to acknowledge the possibility of a compromise and discuss our recovery processes. While you can have the absolute best multi-layered approach to security, we are still aware that we are fighting an uphill battle. With state-sponsored attacks and supply chain attacks on the rise, you have to face the reality of this type of event happening. What can we do to help with recovery in the case of such an event?

First, we leverage a separate backup system that is removed from our primary storage system and network. This helps to provide separation to ensure fidelity of our backups during an attack. We also provide an optional long-term backup product that allows clients to store data on a separate public cloud data bucket. This provides even further separation and is an extra layer of protection for clients that subscribe to that service.

Our disaster recovery system, which replicates to a separate location, also provides us with the ability to recover individual VMs that are subscribed to this service, in addition to traditional backups.

Finally, we are in the process of covering all Abacus-managed servers with a new feature from our storage vendor that allows us to keep several days of immutable snapshots on the storage arrays. This means that until a snapshot's retention expires, the data cannot be deleted or modified in any way, which gives us the ability to roll back large pieces of the infrastructure to a working state. Stay tuned for more on this later in the year.

All in all, we are continuing to work hard to provide our Abacus clients with a best-in-class IT platform, and cybersecurity protection is a main component of this. Some of the best things that you can do to protect your firm are to continue to review your cyber policies, continue to educate your users through increased cybersecurity training and phishing tests, and require all users to utilize MFA at all times. All of these are services that we offer at Abacus to help you succeed in your cybersecurity program. Unfortunately, if we've learned anything from the massive cyber-attacks of the past, such as RSA, SolarWinds, Colonial Pipeline and now Kaseya, it is that it is going to happen again, and we all need to do everything we can to ensure we are as ready as we can be.
