CISA Committee Discusses Protections for Remote Monitoring and Management

In a significant milestone for the Joint Cyber Defense Collective (JCDC), the group has issued its first guidance aimed at fortifying the remote monitoring and management (RMM) systems ecosystem responsible for safeguarding critical infrastructure in the United States. The JCDC was established two years ago as a collaborative effort between public and private cybersecurity sectors, and its latest initiative seeks to address the vulnerabilities associated with RMM tools used by managed service providers (MSPs).

RMM tools enable MSPs to remotely access and monitor various critical infrastructure systems. Unfortunately, threat actors have increasingly targeted these tools to gain unauthorized access to organizations. Once inside, threat actors can operate stealthily within the infrastructure systems, eluding detection and maintaining persistent access.

Melissa Bischoping, the director of endpoint security research at Tanium, explains that RMM tools are attractive to attackers since they are unlikely to trigger standard endpoint detection and response (EDR) or antivirus protections. Additionally, these tools typically operate with high-level permissions on the devices they control. Bischoping commends the JCDC’s efforts to enhance education, awareness, and vulnerability management of RMM software, as these measures would mitigate the risk of threat actors successfully exploiting these tools.

One notable example that showcases the potential risks associated with RMM tools is the attack on Florida’s water supply. John Gallagher, vice president of Viakoo Labs, highlights TeamViewer as an instance of a legitimate RMM tool that can be easily abused. With over 200 million users, TeamViewer provides direct access to an organization’s computing infrastructure. However, if its security is breached, the consequences can be devastating, as threat actors can operate within the compromised system undetected. In 2021, a threat actor gained control over TeamViewer and manipulated the chemicals used to treat Florida’s water supply.

To address these vulnerabilities, the JCDC RMM Cyber Defense Plan outlines several recommendations. CISA states that the plan’s primary goal is to foster collaboration among operators and provide cybersecurity teams with guidance. The report emphasizes the need for the RMM ecosystem to facilitate threat and vulnerability information sharing, establish a sustained operational community, educate users, and amplify threat alerts and advisories across the RMM community.

Teresa Rothaar, a governance, risk, and compliance analyst at Keeper Security, notes that many MSPs are relatively new to the security domain, as they have only started offering security services in response to the increasing commodification of network administration. Rothaar believes that this collaboration, if successful, will prove highly educational for MSPs, enabling them to develop secure operational practices and help their customers operate securely as well.

Roger Grimes, from KnowBe4, expresses enthusiasm for the JCDC RMM Cyber Defense Plan. He recognizes that remote management systems have long been a persistent weakness in cybersecurity systems and believes that the ideas and framework presented in the plan have the potential to deliver significant success in addressing this long-standing issue. However, Grimes also acknowledges that only time will tell if the plan will yield the expected results.

The JCDC’s publication of its RMM Cyber Defense Plan represents a crucial step in fortifying the cybersecurity defenses of critical infrastructure in the United States. By raising awareness, promoting collaboration, and implementing best practices, the JCDC aims to enhance the security posture of RMM systems and mitigate the risk of threat actors exploiting these tools. The successful implementation of the plan’s recommendations would not only benefit MSPs but also contribute to a more resilient cybersecurity ecosystem nationwide.
