Summary

Kevin Nincehelser, COO of Premier One, explains how Blackpoint intervened to stop a supply chain attack targeting companies in the financial services industry. Although the attack impacted many of Premier One’s clients, Blackpoint’s rapid response enabled Premier One to act quickly to protect its client base. With attacks on Microsoft 365 and Azure accounts on the rise, Nincehelser stresses the indispensable role of Blackpoint’s MDR service to Premier One’s cybersecurity strategy. Where MDR used to be optional, Nincehelser says it’s a must-have for clients in 2024.

Transcript

I’m Kevin Nincehelser, Chief Operating Officer of Premier One. I’ve been with Premier One for ten years. Premier One is a verticalized MSP, and we primarily serve the financial services industry with a specialty in insurance.

Can you tell us about an attack Blackpoint has stopped?

Blackpoint has stopped numerous attacks on behalf of Premier One for our clients, and those have ranged in terms of the type of attack. The ones that we see most and are most impactful to our clients today are primarily around account compromise and account takeover for their Microsoft 365 and Azure Active Directory identities.

The most recent attack started with a trusted vendor in the space. It was not initiated by a fake account, but rather a trusted IT support account for a vendor in the supply chain. That person’s email account or Microsoft 365 identity was compromised. From that compromise, they pivoted and used that account to send out a malicious Microsoft 365 credential phishing link to all of that person’s contacts.

This particular vendor deals mostly with folks at our clients who deal with a large volume of financial transactions. So they’re very much a prime target, and access to their accounts ultimately has a lot of value to the attackers. So there was a link sent out. It did have the capability to harvest an MFA token, and therefore ultimately bypass MFA and get access to those users’ accounts.

Blackpoint was really the first one to notify us of this issue, followed very closely in second by a user at one of our clients who reached out to us and said, “Hey, I clicked the link, I put in my credentials. And once I did that, I realized that there was an issue.”

However, right before that, Blackpoint had already alerted us to this account compromise, and so we were aware of it before the user called in.

And so Blackpoint followed the incident response procedure that we have on file with them. They contacted our primary security points of contact, let us know about the event. We confirmed that it was not a known good activity, and so they immediately blocked the account, blocked sign-in to the account, and then we were able to turn around, respond to that, and begin a recovery process for that client.

Furthermore, since we are verticalized, we were then able to see that this attack really impacted lots of organizations outside of just this one client. So not only did Blackpoint stop this one incident, but it was also instrumental in giving us the ability to respond very quickly and early in the attack to protect our other clients who received the same email.

How would this attack have been handled prior to Blackpoint?

Prior to Blackpoint, we would have relied almost entirely on preventative tools, first of all. So hopefully some type of email filtering or email security can stop these kinds of things. But in this case, it wouldn’t have, because it was a known, trusted account. It was not an account that was suspicious in any way.

So given that, really the only way that Premier One would have been alerted to this would be when bad things actually start to happen in the compromised accounts.

What role does MDR play in your service offering?

When we started in 2021, it was an optional add-on, potentially seen as important, but nice to have.

We have since moved to a position where not only is it a requirement for any new clients we bring on, but we are also bringing legacy clients, or clients who are not currently on it, we are bringing them on board to Blackpoint now.

Because really, Blackpoint covers the detection and response functions of the NIST cybersecurity framework better than any other tool that we have. Most everything else in terms of a security package falls in the area of identify and protect. We’re trying to identify those assets, or those accounts, and make sure that they are protected. But what we like to say is Blackpoint is there right of boom.

When the event occurs, that’s when we rely on Blackpoint to help us make sure to deal with it quickly, professionally and recover as soon as possible with minimal damage.

We appreciate the ongoing partnership that we’ve had with Blackpoint. They have invested in our success, certainly, even being involved in our recent TitleCon conference, and being there providing knowledge and resources to educate our clients as to why this is such an important and really unavoidable piece of security moving forward in 2023 and certainly in 2024.

So while this potentially was a nice to have or optional feature of security in the past, we believe it is not anymore. It is absolutely something that you must have as a business in 2024 to protect yourself from these threats.
