The Trusted Vendor Problem: How I Use Your MSP to Own Your Network
Lindsay Timcke, May 13
Your perimeter controls are irrelevant if I can walk through the front door wearing your MSP’s credentials.
That is one of the first things I think about when I take a red team engagement. Not your firewall. Not your EDR. Not your MFA. I think about your managed service provider, the vendor with persistent, privileged, always-on remote access to your environment. And then I open LinkedIn.
It takes me less than ten minutes to identify your MSP. Your job postings name them. Your IT staff list them on their profiles. Once I have a name, LinkedIn delivers every technician, their tenure, their certifications, the tools they use. I know who to call, who just started, and who left last quarter with credentials nobody deprovisioned.
Before I move, I check whether they hold a SOC 2 Type 2. I can count on one hand the mid-market MSPs with a current SOC 2 Type 2. Almost none. That tells me exactly what I’m walking into and what their control environment is likely to look like.
Here’s how I commence the attack. I build a pretext around a support escalation: urgent, credible, and vague enough. I call a technician identified on LinkedIn, someone junior and eager to help. I name the client environment, drop the right tool names (ConnectWise, Datto, N-able), and apply enough pressure that verification feels like friction. In a firm with no identity verification protocol for inbound requests, that’s enough. I’m inside a trusted session with local system privileges. Nobody is watching.
This is not theoretical. Kaseya VSA compromised over 1,500 organizations downstream. SolarWinds was the same trust model at scale. The pattern doesn’t change, only the names do.
Most organizations sign an MSP contract, agree to an SLA, and consider the risk transferred. It isn’t. You’ve transferred the work. You’ve retained the risk, and added an attack surface you don’t control, can’t see, and have never tested.
When I ask clients to walk me through MSP access controls, the silence is telling. They know what the MSP does for them. They cannot tell me what it accesses, from where, under what authentication, with what logging, or what offboarding exists for departed technicians. Wide-open door.
Enforce MFA on both sides. Require session logging. Demand just-in-time provisioning. Audit vendor access quarterly. Before you sign or renew any MSP agreement, ask for their SOC 2 Type 2. If they don’t have one, you’re not managing IT risk.
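As an added example (not part of the original post), a small Python audit over a constructed roster of MSP technician accounts that flags the gaps named above: departed technicians still provisioned, no MFA, standing rather than just-in-time access, disabled session logging, and stale logins. The account names, record fields, audit date and 90-day staleness threshold are assumptions.

```python
"""Quarterly vendor-access audit over a constructed roster of MSP technician accounts."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class VendorAccount:
    user: str
    mfa_enrolled: bool
    access_expires: Optional[date]  # None = standing access, i.e. not just-in-time
    last_login: Optional[date]
    session_logging: bool
    on_msp_roster: bool             # still listed by the MSP as a current technician


def audit_vendor_access(accounts: List[VendorAccount], today: date,
                        stale_days: int = 90) -> Dict[str, List[str]]:
    """Return {account: [findings]} for every vendor account that fails a control."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues = []
        if not a.on_msp_roster:
            issues.append("departed technician still provisioned")
        if not a.mfa_enrolled:
            issues.append("no MFA")
        if a.access_expires is None:
            issues.append("standing access (no JIT expiry)")
        elif a.access_expires < today:
            issues.append("expired grant still enabled")
        if not a.session_logging:
            issues.append("session logging disabled")
        if a.last_login is None or (today - a.last_login).days > stale_days:
            issues.append(f"no login in {stale_days} days")
        if issues:
            findings[a.user] = issues
    return findings


AUDIT_DATE = date(2024, 5, 13)  # constructed audit date
SAMPLE_ROSTER = [  # constructed sample accounts, not real data
    VendorAccount("msp-tech-alice", True, AUDIT_DATE + timedelta(days=7),
                  AUDIT_DATE - timedelta(days=1), True, True),
    VendorAccount("msp-tech-bob", False, None,
                  AUDIT_DATE - timedelta(days=120), True, True),
    VendorAccount("msp-tech-carol", True, AUDIT_DATE - timedelta(days=30),
                  AUDIT_DATE - timedelta(days=45), False, False),
]


def run_sample_audit() -> Dict[str, List[str]]:
    return audit_vendor_access(SAMPLE_ROSTER, AUDIT_DATE)
```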
Remember, you can outsource the task, not the risk.
