MSSP Alert Live 2024 Keynote: Beggs Says In Crisis, Communication is Key

ConnectWise CISO Patrick Beggs presented MSSP Alert Live 2024’s opening keynote Tuesday morning, walking attendees through the company’s response to its ScreenConnect vulnerability crisis.

Beggs and Vice President of Corporate Communications Amanda Lee unveiled the critical steps the company took after the discovery of the vulnerability tracked as CVE-2024-1709, which has a maximum severity score of 10 and could enable attackers to achieve authentication bypass and gain administrative control over a ScreenConnect instance.  

The vulnerability was disclosed through ConnectWise’s vulnerability disclosure program on Tuesday, February 13, 2024, and staff worked throughout the week to validate the flaw and develop a fix. With a patch created by Friday, February 16, and instantly rolled out to cloud instances, the next challenge was getting the patch effectively distributed to on-premises customers.

“We did not want to run the risk of people not seeing their email [over the weekend],” Beggs said, explaining the difficult decision to wait until that Monday to publicly disclose the flaw and publish the patch. This was just one example where ConnectWise balanced the challenge of communicating the right information at the right time.

Once the patch was publicly available, Beggs said the scenario became an “awareness campaign instead of a response,” further emphasizing the importance of communication in this crisis. Lee also described a “race against time” to get the word out about the importance of the patch before the flaw was weaponized, while also combating “dangerous misinformation” tying the ScreenConnect flaw to the concurrent Change Healthcare ransomware attack.

A turning point came when, seeing that many instances were still unpatched, Beggs made the “unprecedented” decision to disable vulnerable versions of ScreenConnect, making them unusable and thus unexploitable. This move, along with the release of a remediation guide by Mandiant, sent patching numbers “through the roof,” Beggs said, curbing the crisis and preventing some of its worst potential consequences.

The role of AI in ConnectWise’s crisis communications

The ConnectWise keynote also revealed for the first time how the company used generative AI to ensure information shared both internally and with the public was timely, accurate and complete.

Specifically, ConnectWise used its own “Sidekick” AI tool, which is purpose-built for information technology (IT) applications and can automate a wide variety of tasks in response to natural language prompts. ConnectWise used Sidekick to retrieve relevant information faster than one could do manually.

“[Sidekick] consolidated and coordinated all this information instantly,” Beggs explained, finding the “needles in a haystack” needed to give a complete picture of the situation. Armed with this data, ConnectWise was able to scale its response and communications, simplifying the complicated task of presenting the timeliest information to staff members, customers and the public.

Ultimately, about 80% of the ScreenConnect population was mitigated against the vulnerability by February 26, a week after the patch was made available to all customers, according to CRN, with more customers continuing to patch in the following days, weeks and months.

While the flaw was ultimately weaponized in the wild, leading to attacks on some unpatched instances, ConnectWise’s response demonstrates how an effective crisis communications strategy, transparency during a crisis and use of time-saving tools like generative AI can mitigate negative impacts and maintain trust among customers and the public.

Beggs concluded the presentation by urging attendees to make use of educational and informative resources, including from the Cybersecurity and Infrastructure Security Agency (CISA), the LevelBlue Labs Open Threat Exchange, the Center for Internet Security’s Multi-State Information Sharing and Analysis Center (MS-ISAC) and ConnectWise’s own Cyber Research Unit (CRU). Arming oneself with timely and accurate information is key, both when responding to a crisis and preparing for future cyber risks and threats.  

Discussion on the potential benefits of AI for cybersecurity practitioners and MSSPs will continue at MSSP Alert Live this afternoon with a panel from PCH Technologies, Blue Mantis, The Clarity Company and CyberRisk Alliance at 1:30 p.m. in the Zilker Ballroom, Hyatt Regency Austin, Texas.