What the New RMM Cyber Defense Plan From the Joint Cyber Defense Collaborative Really Means

In line with the latest directives on fortifying remote access software against cyber threats, the Joint Cyber Defense Collaborative (JCDC) has unveiled the RMM Cyber Defense Plan, a significant stride in safeguarding critical infrastructure. Released as a response to the CISA Strategic Plan for 2023–2025, this document outlines a collaborative strategy to mitigate risks and bolster the resilience of key organizations reliant on Remote Monitoring and Management (RMM) solutions.

Avishai Avivi, CISO at SafeBreach

Avishai Avivi, CISO at SafeBreach, shared his insights on the directives:

"The Joint Cyber Defense Collaborative (JCDC), established by the Cybersecurity and Infrastructure Security Agency (CISA), announced their plan to help protect Remote Monitoring and Management (RMM) tools. This one sentence containing three acronyms may sound complicated - but let me unpack it for you.

"This announcement further supports CISA's crucial role in the 2023 Biden-Harris Cybersecurity Strategy Implementation Plan (https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/13/fact-sheet-biden-harrisadministration-publishes-thenational-cybersecurity-strategyimplementation-plan/). More specifically, CISA is tackling one of the most urgent and critical cybersecurity risks - Remote Monitoring and Management tools.

"Why is this the most urgent and critical risk? RMM tools, by their very nature, allow administrators to connect to their environments from outside. These tools are often implicitly trusted and have extensive control capabilities over the organization's networks and endpoints. While very convenient, this represents a significant exposure. Malicious actors may also have access to the same system and use this access to breach the organization. Recently, three RMM vendors - SolarWinds, Kaseya, and ManageEngine - were either breached or had a critical vulnerability that allowed malicious actors to gain unauthorized access to organizations using these products.

"It is important to note that the impact was not on the vendors. Rather, the impact was to any organization or agency using the RMM products provided by these vendors. The vulnerability exploited in this case is referred to as a supply-chain vulnerability. This type of vulnerability allows ransomware groups like Clop and threat actors like Volt Typhoon to breach any customer using the vulnerable RMM tool. In 2021, the SolarWinds RMM breach impacted nine federal agencies and about 100 companies. The Kaseya breach impacted up to 1500 businesses. In 2023 Clop breached multiple organizations by leveraging supply-chain vulnerabilities in the MOVEit and GoAnywhere tools.

"When considering the examples above, RMM tools are the most alluring target for malicious actors to breach. JCDC's focus on supporting RMM vendors and the RMM ecosystem to enhance their security makes perfect sense. At a high level, the plan depends on four different efforts:

  1. Information sharing: The JCDC is collaborating with the RMM community of vendors and operators to quickly share information about new vulnerabilities to get ahead of the malicious actors using them. This threat intelligence will allow the RMM users to validate the security of their RMM environment.

  2. Establishing an RMM Operational Community: The JCDC seeks to promote collaboration within the RMM ecosystem by building on the first effort. While the first effort may be seen as a top-down initiative, this is more of a bottom-up effort.

  3. End-User education: The breaches mentioned above could have been avoided if the end-users of these systems had appropriate guidance. With the right guidance, the impact on millions of consumers would be eliminated.

  4. Amplification of CISA services: The JCDC will examine ways to enhance the delivery of their advisories and alerts to the RMM stakeholders.

"These efforts will allow companies and agencies to build effective Continuous Threat Exposure Management (CTEM) practices. By combining relevant threat intelligence and continuous security validation, the RMM ecosystem will be significantly more effective."
