How to Build a Robust Lights Out Checklist

Cybercriminals are most likely to get paid when they cause enough damage to a victim to justify payment. After encrypting a few files on a laptop, the likelihood of receiving payment is low. Encrypting an entire network, however, justifies payment. This is why organizations face a substantial spike in cyberattacks during extended weekends brought on by holiday observances.

Example: The following are notable cyberattacks that occurred on long weekends.

Kaseya RMM Vulnerability Exploit – Fourth of July Weekend

Attackers got a list of all the Kaseya RMMs in operation by scanning the internet, checking open ports, and cataloging them together. The exploit occurred just before the July 4th weekend, pushing out ransomware to almost every business on this list. Fortunately, the attack happened that Friday before the end of the day. So, Kaseya responded promptly by contacting their customers and instructing them to shut down their RMM servers.

Colonial Pipeline Darkside Ransomware – Mother's Day Weekend

The Darkside ransomware infected the corporate office network of Colonial Pipeline on the Friday of Mother’s Day weekend, holding data hostage for a ransom. As a precautionary measure, Colonial Pipeline officials decided to shut down the pipeline altogether, turning off networks to prevent the cyberattack from reaching the systems responsible for the physical operations and transportation of the fuel itself. The pipeline was shut down for six days, with a huge impact on customers who relied on the more than 100 million gallons of fuel transported up the east coast each day.

PlayStation Network (Sony) and Xbox Live (Microsoft)

PlayStation Network and Xbox Live were both victims of a Distributed Denial of Service (DDoS) attack on Christmas Eve, ironically during the time of year when most PlayStation and Xbox gift recipients are turning on their consoles for the first time. The attacking group, the “Lizard Squad”, claimed to have started the DDoS attack “for the laughs” but eventually decided to extend the attack in order to make a statement and force the two companies to upgrade their cybersecurity. They chose Christmas Eve and Christmas Day for the attack because they knew it would reach the largest number of people.

Ensuring a good cyber security configuration and posture is vital year-round. However, here are some steps you can take to increase your odds of surviving a holiday weekend cyberattack.

Shut Down Your Devices

Shut down machines before you or your employees leave for the weekend if you do not plan on working. Shutting down machines stops remote access tools, ensures that any missed open ports, such as 3389, are closed, and prevents reverse shells from running. This security step works at the human level: individual employees outside the IT department can take care of it.

Multi-Factor Authentication (MFA)

Incorporate Multi-Factor Authentication (MFA) into your security practices as frequently as possible, year-round. If you do not have MFA on systems that support this extra layer of security, add it. IT professionals agree that, in some cases, implementing MFA everywhere is an extensive process. So, if you are in a time crunch, focus first on admin and privileged accounts.

Block all untrusted software

Even if you are still in the learning stage of ThreatLocker, 99% of required software is learned during the first hour. So, it is safe to turn on secure mode before going away for the weekend. Secure mode makes it very difficult for attackers to gain access to your computer if they cannot run any untrusted software. It is key to remember that ransomware is just software, and it cannot run if it is not on the allowlist.

Recovery and Backups

Verify that you have several backups before leaving for the weekend. These backups should span multiple locations, with at least one not connected to your network. Having an off-site backup drastically increases your probability of recovering from a cyberattack. You can save a backup on an encrypted disk and bring it home with you.

Some cyberattacks change backup configurations to back up absolutely nothing but will still notify you that an “X” amount of data has been successfully backed up. Ensure your backup is going where you intend it to. Online backups are a simple way to back up large amounts of data from any organization.
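The check described above, as an added example that is not ThreatLocker's or any backup vendor's code: it ignores the job's own success message and compares what is actually on the backup target with the source. It assumes the backup is a plain file-level copy reachable as a directory; the function names and the `min_ratio` threshold are hypothetical.

```python
import os
from pathlib import Path

def tree_stats(root):
    """Return (file_count, total_bytes) for regular files under root."""
    count = total = 0
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath, name)
            if path.is_file() and not path.is_symlink():
                count += 1
                total += path.stat().st_size
    return count, total

def missing_from_backup(source, backup):
    """Relative paths present in source but absent from the backup copy."""
    source, backup = Path(source), Path(backup)
    return sorted(
        str(p.relative_to(source)) for p in source.rglob("*")
        if p.is_file() and not (backup / p.relative_to(source)).is_file()
    )

def verify_backup(source, backup, reported_bytes, min_ratio=0.9):
    """Return a list of findings; an empty list means the copy looks sane."""
    findings = []
    _, src_bytes = tree_stats(source)
    bak_files, bak_bytes = tree_stats(backup)
    if bak_files == 0:
        findings.append("backup destination is empty")
    if bak_bytes < min_ratio * reported_bytes:  # the job's claim vs. the disk
        findings.append(f"job reported {reported_bytes} bytes, {bak_bytes} on disk")
    if bak_bytes < min_ratio * src_bytes:       # the source vs. the disk
        findings.append(f"backup holds {bak_bytes} of {src_bytes} source bytes")
    missing = missing_from_backup(source, backup)
    if missing:
        findings.append(f"{len(missing)} source files missing, e.g. {missing[0]}")
    return findings

if __name__ == "__main__":
    import tempfile
    # Constructed sample: a source tree and a backup target the job never wrote to.
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "src"), Path(tmp, "bak")
        src.mkdir(); bak.mkdir()
        (src / "ledger.db").write_bytes(b"\0" * 4096)
        for finding in verify_backup(src, bak, reported_bytes=4096):
            print("FAIL:", finding)
```

Compressed or deduplicated backup formats need the vendor's own restore or verify function instead of a byte comparison; the point of comparing against the source rather than the job report stays the same.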

Check for (Unmanaged) Remote Access Tools Within the Environment

Find and remove any unneeded/unwanted Remote Access Tools in your environment. Some standard tools include GoToAssist, Bomgar (Now BeyondTrust), and TeamViewer. Quickly uninstall the remote access tools or block them entirely.

ThreatLocker can easily find untrusted software with monitor mode and then block it by quickly switching to secure mode.

How to see what software is permitted in your environment with ThreatLocker

Minimize RMM (Remote Monitoring Management Tool) Access

If you have your own RMM server, you have more control of your server security. Your best practices include:

Patching your RMM as soon as patches become available

Monitoring your RMM for alerts

Blocking all ports apart from customer ports

Shutting down your server or taking it off the internet for the long weekend.

Patch your RMMs

Minimize RMM (Remote Monitoring Management Tool) Access with ThreatLocker

ThreatLocker takes endpoint security to the next level by implementing controls that can prevent the weaponization of RMMs year-round, including the long weekends.

ThreatLocker Allowlisting blocks all untrusted software. Threat actors cannot push any untrusted software to your organization’s endpoints. This includes attempts to bring in additional RMMs, beyond those you already have implemented, in order to run malware.

Allowlisting blocks software pushed by RMMs. If you need to push out new software through your RMM, it is much safer to block all untrusted software. Then, you would go through the two-minute process of approving the software you need to be pushed.

If a threat actor gains access to your RMM, ThreatLocker Ringfencing can stop them from:

Editing, encrypting, sharing, or even accessing your files and data.

Sending anything out to the internet or connecting to the internet at all during the long weekend.

Implement Network Controls

ThreatLocker Network Control uses dynamic controls that block all inbound traffic to servers (including RMM servers) while being configured to allow only trusted objects. These “objects” can be an explicit group of computers that Network Control can identify beyond the IP Address, which could change daily. This will allow you to essentially “turn off” traffic flow outside of what is necessary for the users who need access to your servers or the internet during long weekends.

Before departing for the long weekend, check your ThreatLocker Network Control denies to look for suspicious denies on your servers. If you see suspicious activity, someone may be plotting a cyberattack on your organization.

Port Scans, Check Port 3389

Sometimes, ports are left open after being opened temporarily and accidentally forgotten about. This is not just on organizations’ server firewalls but also on home firewalls, where users take their work laptops home and map their home firewalls to port 3389.

Make sure you don’t have any remote desktop ports open by doing a port scan of all your IP addresses before going home. Check that nothing is responding that you don’t expect to be responding. The same goes for any other open ports that you did not expect or want to be open.
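One way to run this pre-weekend check against your own addresses, as an added example that is not part of the original article: it attempts a TCP connection to each host and port and reports only what answers outside an approved baseline. The host list, the extra port 443 and the `approved` set are constructed placeholders.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

def is_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes, i.e. something answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolvable
        return False

def unexpected_listeners(hosts, ports=(3389,), expected=frozenset(), timeout=1.0):
    """Return sorted (host, port) pairs that answer but are not in `expected`."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=32) as pool:
        answers = list(pool.map(lambda t: is_open(t[0], t[1], timeout), targets))
    return sorted(t for t, up in zip(targets, answers) if up and t not in expected)

if __name__ == "__main__":
    # Constructed inventory: replace with your own addresses and approved services.
    my_hosts = ["127.0.0.1"]
    approved = {("127.0.0.1", 443)}
    for host, port in unexpected_listeners(my_hosts, ports=(3389, 443), expected=approved):
        print(f"UNEXPECTED: {host}:{port} is answering")
```

Run it from outside the firewall as well as inside, since a forgotten port forward is only visible from the internet side.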

Enable Alerts

ThreatLocker Ops is a comprehensive Zero Trust threat detection and behavior monitoring tool that hardens an environment by notifying on and automatically responding to indicators of attempted compromise. Events that feed into alerts include, but are not limited to:

Failed login/brute force attempts and how many attempts there were

Port scans and how many times ports were scanned (in combination with Network Control)

When an attack continuously gets blocked after attempting to run unknown software (in combination with Allowlisting)

Failed/blocked vulnerability exploits (in combination with Ringfencing)

If you want to learn more about how ThreatLocker can harden your lights-out checklist and overall cybersecurity strategy, contact a ThreatLocker Cyber Hero Team Member.

Regardless of whether you are a ThreatLocker customer or not, if you do run into trouble during the holiday weekend, ThreatLocker Cyber Hero Team is available 365 days per year, with an average response time of 60 seconds or less. No order required; ThreatLocker will help you recover in the event of a disaster.

By ThreatLocker

ThreatLocker will be exhibiting on stand 641 at The MSP Show, on 17-18th April 2024, ExCeL London. You can now register for your free ticket here.

 


Meet the Brand: Leaseweb

Learn more about Leaseweb before meeting their team at the MSP Show. 

  1. What do Leaseweb do?

Leaseweb is a leading Infrastructure as a Service (IaaS) provider serving a worldwide portfolio of 20,000 customers ranging from SMBs to Enterprises. Services include Public Cloud, Private Cloud, Dedicated Servers, Colocation, Content Delivery Network, and Cyber Security Services supported by exceptional customer service and technical support. With more than 80,000 servers, Leaseweb has provided infrastructure for mission-critical websites, Internet applications, email servers, security, and storage services since 1997. The company operates 25 data centers in locations across Europe, Asia, Australia, and North America, all of which are backed by a superior worldwide network with a total capacity of more than 10 Tbps.

  2. How did you get started?

Our company started in the clouds. Over 25 years ago while still working as professional pilots, our Dutch founders understood the importance of reliability and global connections. They crossed borders. They safely brought passengers, crew, and craft around the world.

Witnessing the growth of the internet around the world, our founders envisioned how they could use their skills and experience to build the internet as a service, making it accessible and available to everyone. Today, that same vision remains part of our DNA.

We have always aimed to go beyond expectations. Growing from a start-up to a global player is just the beginning. We have the drive, experience, and ambition to go faster and further, while never forgetting the importance of trust and reliability. We’re proud of who we are and excited about the future.

  3. What are you looking forward to most at the MSP Show?

We are looking forward to engaging with MSPs and partners at the show to understand how they currently use IaaS for their end user requirements and show them how Leaseweb are able to add value and forward-thinking cloud solutions to their portfolio of products.

  4. Why should visitors come to your stand?

Leaseweb offers a wide array of services, including cloud hosting, dedicated servers, colocation, and content delivery network (CDN) solutions. Visiting our booth will give you the opportunity to learn more about these services and how they can meet your specific needs.

Meet the Leaseweb team at stand 665 at the MSP Show, on 17-18th April 2024, ExCeL London. 

You can now register for your free ticket here. 


Speaker Q&A: Michelle Coombs, The Tech Leader Network

With over two decades of experience spanning technical, service delivery, and leadership roles on a multinational scale, Michelle’s journey has led her to a pivotal point to channel her skills and knowledge back into the MSP community, refining their leadership capabilities and operational excellence across people, process, and technology.

On the 17 April at 11am, Michelle will be presenting the seminar 'Growth – It’s more than Sales – retaining clients/ amazing service', where she will delve into the strategies that MSPs can employ to fine-tune their service delivery, ensuring their clients are not just satisfied but delighted.

How did you get into the profession?

I must have been around 10 when my dad brought home a book about how telephone signals travel down fibre optic cables, it was written for non-technical people and I found it fascinating. A few years later, I used to go to site with my dad on weekends to help him with cabling - I'm sure it was just because I was small enough to get in the tight spaces...I knew at that point I wanted to work in IT.

My first real IT job was a Helpdesk Operator, which was pretty much "log and flog" as there weren't any remote support tools back then. After a while, that got a bit boring, so I used to hang out in the workshop and take kit up to my desk to work on between calls.  So, the first 10 years were very much hands-on. After that, I moved into management roles and worked for both MSPs and their customers, picking up skills from both sides of the MSP/customer relationship.

What do you enjoy most about what you do?

I love seeing others succeed! I'm a quick-thinking problem solver, so I really enjoy working with MSPs to identify and overcome their challenges to get the results they want.

What advice would you give someone starting out in the industry?

Find a peer group. There are so many MSP communities out there, and they are all so helpful to each other, whether there's a particular tech issue that's cropped up, the need to review your pricing model, to get ideas for lead gen, people challenges... the list is endless, so it's good to have a group where you can get the support you need.

Know when you need to take a break. When it comes to work/life balance, remember work is just one aspect of life - WLB doesn't mean that work equals all other aspects of life.

What are the key points you’ll be covering in your seminar session? 

I'll be covering how service and customer retention can help MSPs to grow. I'll also be sharing some of the challenges and how you can resolve them around communication and customer feedback, plus I'll also be sharing the process I take my clients through for continual improvement.

What are you looking forward to the most at the MSP Show? 

I'm particularly looking forward to the knowledge sharing talks - it links with what I enjoy most in seeing others succeed, so the fact that people are sharing their expertise with the wider industry is amazing.

The MSP Show is taking place on the 14-15 May 2025 at ExCeL London. Registration is free, you can book your free ticket here.  


Uptime Solutions and Inbay Brands Become One

Today marks a significant milestone for the MSP Outsourcing industry as Uptime Solutions and Inbay unveil a dynamic new brand that will enhance the Managed Service Provider (MSP) outsourcing market. Following the company merger in September 2023, the organic next step was the creation of a unified entity that will continue to build on the strong legacies of both companies.

Uptime Solutions, founded in 2010 with humble beginnings in a second bedroom, quickly rose to prominence as a global helpdesk provider for MSPs. Inbay, with its origins as a local computer store, underwent a similar trajectory to become a leading MSP provider. Now, leveraging their collective expertise and resources, they become ONE central brand that promises unmatched service excellence.

“As individual brands, both Uptime and Inbay have delivered exceptional services for years. Following the merger, we are incredibly excited to unify our messaging and brand, taking us to the next chapter in our story.” Jason Kemsley

The new brand offers a comprehensive suite of services designed to enhance and strengthen MSP operations. With offices spanning five continents and a dedicated team of over 150 professionals, the brand is well-positioned to meet the evolving needs of MSPs worldwide.

Meet the Uptime team at stand 750 at the MSP Show on 17-18th April 2024, ExCeL London.

You can now register for your free ticket here. 


Meet the Brand: Phishing Tackle

Introducing Phishing Tackle, who provide award-winning automated Cyber Security Awareness Training, real-world simulated phishing, and policy management. 

What do Phishing Tackle do?

We are British security awareness training specialists with a keen emphasis on MSPs.

How did you get started?

We built the best automated security awareness training platform, then got on the phones to tell everyone about it!

What are you looking forward to most at the MSP Show?

Meeting our existing MSP customers and in addition new MSPs, we know they will be excited by what they see!

Why should visitors come to your stand?

Many MSPs are struggling to find the right security awareness training provider to help them reduce user risk quickly and easily. We have developed a first in the world innovation for MSPs, all packaged up with a first class service and massively affordable commercials.

Meet the Phishing Tackle team at stand 780 at the MSP Show on 17-18th April 2024, ExCeL London.

You can now register for your free ticket here.