CISA releases cyber defense plan for remote monitoring and management software

The U.S. Cybersecurity and Infrastructure Agency has released a plan to address systemic cybersecurity risks in remote monitoring and management software.

The Remote Monitoring and Management Cyber Defense Plan was created to address the issue wherein cyberthreat actors gain footholds via RMM software into managed service providers and manage security service providers’ servers. In gaining access, the attackers can cause cascading impacts for small to medium-sized enterprises that are customers of these providers.

The plan provides cyber defense leaders in government and industry with a collective plan for mitigating threats to the RMM ecosystem. It addresses issues facing the top-down exploitation of RMM software.

There are two pillars to the plan. Pillar 1, Operational Collaboration, is said to encourage collective action across the RMM community to enhance information sharing, increase visibility and fuel creative cybersecurity solutions. So-called “lines of effort” include cyber threat and vulnerability information and enduring RMM operational community.

Pillar 2, Cyber Defense Guidance is all about educating RMM end-users on the dangers and risks to the infrastructure they rely on and how they can help promote security best practices. Lines of effort for the second pillar include end-user education and amplification.

“The benefits RMM provides to system administrators — remote access and configuration and control of an endpoint — are the same reasons a threat actor finds RMM software to be an attractive target,” Melissa Bischoping, director of Endpoint Security Research at endpoint management company Tanium Inc., told SiliconANGLE. “These types of applications are popular ‘living off the land’ resources for attackers because they are unlikely to trip common extended detection and response or antivirus detections and often operate with a high level of permissions on the devices they control.”

Bischoping was positive about the plan, saying that the “efforts to improve both education and awareness and vulnerability management of RMM software will reduce the risk of a threat actor successfully leveraging this tooling.”

Teresa Rothaar, governance, risk and compliance analyst at passwords and secrets management company Keeper Security Inc., was likewise positive, saying that the new initiative is critically important, since threats aren’t confined to silos and the responses to these threats cannot be siloed.

“This collaboration, if successful, will be highly educative for MSPs. They’ll learn how to run their own operations securely and, in turn, help their customers operate securely as well,”  Rothaar said. “The downstream effect of this effort to mitigate threats to the ecosystem will be more secure customers as a result of better-secured MSPs.”

Image: CISA