Just two years after Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly unveiled the Joint Cyber Defense Collective (JCDC) initiative, a cooperative effort between public and private cybersecurity sectors, the group has presented its first piece of guidance: a road map to shore up the remote monitoring and management (RMM) systems ecosystem behind the country’s critical infrastructure.
RMM tools are used by managed service providers (MSPs) to remotely access many critical infrastructure systems. Not surprisingly, threat actors have sought out RMM tools to gain access to the organizations using them, the JCDC explained in its new RMM Cyber Defense Plan. Once breached, threat actors can evade detection and maintain persistent access in these infrastructure systems.
“These types of applications are popular ‘living off the land’ resources for attackers because they are unlikely to trip common EDR [endpoint detection and response] or antivirus detections and often operate with a high level of permissions on the devices they control,” says Melissa Bischoping, director of endpoint security research at Tanium. “The JCDC’s efforts to improve both education and awareness and vulnerability management of RMM software will reduce the risk of a threat actor successfully leveraging this tooling.”
RMM Tool Used to Attack Florida Water Supply
TeamViewer is an example of these legitimate RMM tools that can be abused all too easily, according to John Gallagher, vice president of Viakoo Labs.
“Remote monitoring and management software is extensively used. TeamViewer, for example, has more than 200 million users — and provides direct access to an organization’s compute infrastructure,” Gallagher says. “It provides secure access, but if that security is breached it can be devastating because of the ability of a threat actor to operate as if they are within the company and in front of that computer.”
In 2021, a threat actor was able to gain control over TeamViewer to tweak the chemicals used to treat Florida’s water supply, Gallagher adds.
RMM Plan Recommendations
CISA explained the RMM Cyber Defense Plan is intended to facilitate collaboration across operators and provide guidance for cybersecurity teams in the space. Specifically, the report found the RMM ecosystem needs to promote threat and vulnerability information sharing, build an enduring RMM operational community, educate users, and amplify threat alerts and advisories across the RMM community.
“Many MSPs are still relatively new to the security space, having only begun to offer security services as things like network administration have become commodified,” says Teresa Rothaar, governance, risk, and compliance analyst at Keeper Security. “This collaboration, if successful, will be highly educative for MSPs. They’ll learn how to run their own operations securely and, in turn, help their customers operate securely as well.”
Roger Grimes, with KnowBe4, is a bit more effusive in his praise of the JCDC RMM Cyber Defense Plan.
“Remote management systems have been a multidecade, continuous, never-stopping weakness in our systems,” Grimes says. “Only time will tell if what CISA is announcing here will return the expected dividends, but the ideas and framework for great success are put in place.”