3 Security Conversations Every MSP Needs to Have with Clients

This article was written by guest contributor Chris Henderson, who runs threat operations and internal security at Huntress.

If there’s one thing last year’s breach of U.S. telecommunications providers taught us, it’s this: Threat actors are relentless, and no organization is beyond their reach. While most MSPs aren’t protecting critical infrastructure, the lessons learned from incidents like the Salt Typhoon cyberattack should serve as a wake-up call to reopen conversations with clients about the need for proactive cybersecurity measures.

Learning from the Salt Typhoon Cyberattack

Shockwaves went through the cybersecurity community at the end of 2024 when it was announced that a sophisticated cyberattack attributed to Salt Typhoon, a known state-affiliated threat group, had breached U.S. telecommunications systems. This attack not only demonstrated the advanced capabilities of modern threat actors but also exposed critical vulnerabilities in national infrastructure.

The attack was notable for its precision and scale, compromising key systems and potentially endangering sensitive communications. Beyond the immediate technical fallout, it raised serious concerns about the security of supply chains and the cascading risks to industries dependent on telecommunications services. Organizations across the board had to confront the stark reality that no network, regardless of its fortifications, is impervious to determined adversaries.

How to Engage with Clients about Their Cybersecurity Posture

While there are many conversations to be had about how we bolster critical infrastructure, the private sector, regardless of business size, can also learn from this incident. For MSPs, the Salt Typhoon attack presents an opportunity to engage in proactive conversations with clients about their cybersecurity posture.

Here are three key conversations to have with your MSP clients in the aftermath of the Salt Typhoon attack:

1. Evaluate Multifactor Authentication (MFA) Implementation

Now is the time to sit down and evaluate the MFA methods you have employed for both your staff and clients. If you haven’t implemented MFA yet, yesterday was the time to do it. There are many ways to employ MFA—SMS-based, time-based one-time passwords (TOTP), email-based, biometric, and hardware tokens. However, not all are created equal.

SMS-based MFA is the weakest link. SIM swapping, where an attacker socially engineers your phone carrier to move your number to their phone, has always been a security concern. However, the recent Salt Typhoon attack exacerbates this issue. If Salt Typhoon can intercept SMS messages, your SMS-based MFA codes become vulnerable.

This highlights the need to move beyond SMS-based MFA and adopt more secure alternatives. SMS MFA is better than no MFA, of course. But MSPs should use the Salt Typhoon attack to revisit stronger MFA methods with clients, especially for highly targeted ones like financial institutions, healthcare providers, and manufacturers.
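One way to start that review is to audit which MFA methods each account has enrolled. The following is an added example, not code from the article or from Huntress; the export format, field names, and method labels are assumptions, and the sample records are constructed.

```python
# Constructed sample of an identity-provider enrollment export. The field names
# ("user", "privileged", "methods") and the method labels are assumptions.
ENROLLMENTS = [
    {"user": "admin.kim", "privileged": True, "methods": ["sms"]},
    {"user": "admin.lee", "privileged": True, "methods": ["hardware_token", "sms"]},
    {"user": "j.ortiz", "privileged": False, "methods": ["totp"]},
    {"user": "m.chen", "privileged": False, "methods": []},
    {"user": "p.novak", "privileged": False, "methods": ["SMS", "totp"]},
]

# Review order: no MFA first, then SMS as the only factor, then SMS kept
# alongside another method (a texted code may still be accepted, depending
# on the identity provider's policy).
SEVERITY = {"no_mfa": 0, "sms_only": 1, "sms_fallback": 2}


def classify(methods):
    """Return the finding for one account's enrolled methods."""
    enrolled = {m.strip().lower() for m in methods}
    if not enrolled:
        return "no_mfa"
    if enrolled == {"sms"}:
        return "sms_only"
    if "sms" in enrolled:
        return "sms_fallback"
    return "ok"


def audit(enrollments):
    """List (user, finding) pairs to review, privileged accounts first."""
    findings = []
    for rec in enrollments:
        finding = classify(rec["methods"])
        if finding != "ok":
            findings.append((not rec["privileged"], SEVERITY[finding], rec["user"], finding))
    return [(user, finding) for _, _, user, finding in sorted(findings)]


if __name__ == "__main__":
    for user, finding in audit(ENROLLMENTS):
        print(f"{user:12} {finding}")
```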

2. Test Incident Response Plans

If you have not recently tested your own and your clients’ incident response plans, now would be a good time. A good incident response test will include individuals from all arms of the business, both technical and nontechnical stakeholders.

Pick a recent newsworthy breach and run through the scenario as if your company or client were the ones impacted. Document the timeline of the simulated attack and take note of any gaps in your response capabilities. Evaluate the effectiveness of communication channels and decision-making processes.

Following the test, be sure to identify where assumptions were made or what steps needed to be performed that weren’t already documented. Then, revise your incident response plan to address any shortcomings and ensure it remains a living document that adapts to the evolving threat landscape. Running these exercises will help identify gaps or weaknesses in your current plans and allow you to improve before a real incident occurs.

3. Ensure Comprehensive Security Coverage

While discussing the Salt Typhoon attack with your clients, take a moment to talk about the coverage of their existing security controls. I hear frequently that smaller organizations opt to install endpoint detection and response (EDR) tools only on their servers and not on desktops. While that strategy will certainly keep costs down, it dramatically increases the risk of an adversary gaining initial access via one of the unprotected desktops.

Security is only effective when it’s systematically deployed across the entirety of an attack surface. The costs saved by picking and choosing which assets to fully protect will be swiftly lost when an unprotected asset is breached.
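A coverage conversation is easier with numbers. The following added example (not from the article or any vendor tooling) compares an asset inventory against the hostnames reporting to an EDR console and breaks coverage down by asset type. The data layout and all hostnames are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: an asset inventory (for example from an RMM or
# directory export) and the hostnames checking in to the EDR console.
INVENTORY = [
    {"host": "SRV-DC01.corp.example", "type": "server"},
    {"host": "SRV-FILE01.corp.example", "type": "server"},
    {"host": "WS-ACCT-01", "type": "desktop"},
    {"host": "WS-ACCT-02", "type": "desktop"},
    {"host": "WS-FRONT-01", "type": "desktop"},
    {"host": "LT-OWNER-01", "type": "laptop"},
]
EDR_AGENTS = ["srv-dc01", "SRV-FILE01.corp.example", "ws-acct-01", "old-kiosk-7"]


def norm(host):
    """Compare on the lowercase short name so FQDN or case differences don't hide a match."""
    return host.strip().lower().split(".")[0]


def coverage_report(inventory, agents):
    """Return per-type coverage and the agents that match no inventory record."""
    covered = {norm(a) for a in agents}
    known = {norm(asset["host"]) for asset in inventory}
    by_type = defaultdict(lambda: {"total": 0, "covered": 0, "missing": []})
    for asset in inventory:
        row = by_type[asset["type"]]
        row["total"] += 1
        if norm(asset["host"]) in covered:
            row["covered"] += 1
        else:
            row["missing"].append(asset["host"])
    # Agents with no inventory record point at an incomplete inventory
    # or at retired machines that were never cleaned up.
    unknown = sorted(covered - known)
    return dict(by_type), unknown


if __name__ == "__main__":
    report, unknown = coverage_report(INVENTORY, EDR_AGENTS)
    for kind, row in sorted(report.items()):
        pct = 100 * row["covered"] // row["total"]
        print(f"{kind:8} {row['covered']}/{row['total']} ({pct}%) missing: {row['missing']}")
    print("agents not in inventory:", unknown)
```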

Use the Salt Typhoon Cyberattack as a Sobering Reminder

The Salt Typhoon cyberattack serves as a sobering reminder of the evolving sophistication of cyberthreats and the vulnerabilities inherent in our critical infrastructure. It underscores the urgent need for proactive cybersecurity measures, not just for national systems but for organizations of all sizes. While no system is entirely immune, there are proactive steps that organizations can take to significantly reduce their risk. These include implementing stronger MFA methods, rigorously testing incident response plans, and ensuring comprehensive deployment of security controls across all assets.

This is a pivotal moment to reassess and reinforce cybersecurity practices. MSPs have a crucial role to play in helping clients navigate this evolving threat landscape. Use the lessons from the Salt Typhoon cyberattack to engage in meaningful conversations, both internally and with clients, about the importance of robust defenses. By adopting a proactive and comprehensive approach to security, you can help your MSP clients mitigate risks and build resilience against future threats.

If you missed Chris Henderson’s last column, see Backup vs. Ransomware: How To Ensure Your Last Line Of Defense Holds Strong.


Author:

Chris Henderson

Chris Henderson runs threat operations and internal security at Huntress. He has been securing MSPs and their clients for over 10 years through various roles in software quality assurance, business intelligence, and information security. Huntress.com
