Highlights:

  • The plan offers industry and government leaders a strategy to mitigate threats to the RMM ecosystem.
  • The plan rests on two pillars: Operational Collaboration, which promotes information sharing, and Cyber Defense Guidance, which educates RMM users about risks and security practices.

A plan to address systemic cybersecurity risks in remote monitoring and management software has been made public by the U.S. Cybersecurity and Infrastructure Agency.

The Remote Monitoring and Management Cyber Defense Plan was developed to address cyberthreat actors who infiltrate managed service providers through RMM software and take control of the servers those security service providers operate. Because small and medium-sized businesses are clients of these providers, an attacker who gains that access can cause cascading effects downstream.

The plan gives cyber defense leaders in business and government a coordinated strategy for reducing risks to the RMM ecosystem. It addresses the difficulty of top-down RMM software exploitation, in which a compromise at the provider level propagates to every customer the provider manages.

The plan is supported by two pillars. Operational Collaboration, the first pillar, is meant to promote collective action within the RMM community to improve information sharing, raise visibility, and spark innovative cybersecurity solutions. Its so-called “lines of effort” include sharing information on cyber threats and vulnerabilities and sustaining an ongoing RMM operational community.

Pillar 2, Cyber Defense Guidance, aims to inform RMM end users about the threats to the infrastructure they rely on and how they can adhere to security best practices. The second pillar’s lines of effort are end-user education and amplification.

Tanium Inc.’s director of endpoint security research, Melissa Bischoping, said, “The benefits RMM provides to system administrators — remote access and configuration and control of an endpoint — are the same reasons a threat actor finds RMM software to be an attractive target. These types of applications are popular ‘living off the land’ resources for attackers because they are unlikely to trip common extended detection and response or antivirus detections and often operate with a high level of permissions on the devices they control.”

Bischoping expressed support for the strategy and claimed that the “efforts to improve both education and awareness and vulnerability management of RMM software will reduce the risk of a threat actor successfully leveraging this tooling.”

The new initiative is crucially important, according to Teresa Rothaar, a governance, risk, and compliance analyst for password and secret management firm Keeper Security Inc. Threats aren’t contained within silos, and the responses to these threats cannot be siloed either, she added.

Rothaar said, “This collaboration, if successful, will be highly educative for MSPs. They’ll learn how to run their own operations securely and, in turn, help their customers operate securely as well. The downstream effect of this effort to mitigate threats to the ecosystem will be more secure customers as a result of better-secured MSPs.”