Use Case

Small Business / Managed Service Provider

Regional IT Services Provider — 12 Endpoints, Multiple Municipal and SMB Clients

The Environment

A small but well-regarded IT services company provides managed IT support to a cluster of local organizations: two public school boards, a municipal library system, a regional recreation centre, and a handful of local small businesses. The firm handles helpdesk support, network administration, patch management, and remote monitoring for all of them — making it a classic managed service provider (MSP). With just four full-time staff, including the owner-operator, there is no dedicated security function. A single part-time technician handles most of the day-to-day IT work across the client base.

The firm’s own infrastructure is modest: twelve endpoints, a small on-premises server used for client remote access and ticketing, and a cloud-based remote monitoring and management (RMM) platform through which they access and administer all client environments. That RMM platform is the firm’s operational lifeline — and its most significant security liability. A compromise of the MSP’s own environment doesn’t just affect twelve endpoints. It opens a door into every school, library, and business they support.

Frostbow Deployment

The owner-operator’s requirement was straightforward: enterprise-grade protection at a price and complexity level that made sense for a four-person business, with no budget for a dedicated security tool stack, no time to manage rules or signatures, and no tolerance for alert noise that would distract an already stretched team. Frostbow was deployed in the Complete Security Platform configuration covering all twelve internal endpoints and the on-premises server, with particular attention paid to monitoring the RMM platform’s access patterns. Deployment was completed in five days. The owner received a dashboard view accessible from any browser. Monthly reporting was configured automatically.

The Scenario: RMM Platform Compromise — Supply Chain Attack on Municipal Clients

A threat actor targeting MSPs as a supply chain vector obtained the credentials of the part-time technician through a credential stuffing attack. With valid RMM credentials in hand, the attacker authenticated to the RMM platform outside of business hours and began enumerating the client list — identifying connected school board and municipal library systems as high-value targets for a ransomware deployment. Their intent: push a malicious script to all managed endpoints simultaneously via the RMM’s legitimate software deployment function, encrypting client systems before the school day began.

How Frostbow Responded

The RMM authentication from an unfamiliar IP at 2:14 AM was the first signal. The technician’s account had never previously authenticated outside of business hours and had never been used from that geography. Frostbow scored this as medium-confidence and held, watching.

Within four minutes, the authenticated session began enumerating client records in the RMM platform at a rate far outside the technician’s established baseline — nineteen client profiles queried in under three minutes. Frostbow had formed a concept it called RapidClientEnumeration, recognizing that bulk account querying by a single operator credential outside business hours is a strong precursor to lateral movement into client environments. Combined with the anomalous authentication, the composite confidence crossed the high-severity threshold.

Frostbow revoked the active RMM session, locked the technician’s account, and blocked outbound connections from the on-premises server to the RMM platform — preventing any malicious script deployment from reaching client environments. An incident alert was pushed immediately to the owner’s dashboard and mobile notification. The owner, woken by the alert at 2:19 AM, confirmed the technician had not been working and authorized a full credential reset across all RMM accounts before business hours.

Every school, library, and business in the client base opened the next morning without incident. The attack had progressed to the point of client enumeration — one step away from mass ransomware deployment — before being stopped.
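The two-stage logic described above (an off-hours login from unfamiliar geography held at medium confidence, then a RapidClientEnumeration signal pushing the composite score over the high threshold and triggering containment), as an added illustration run over constructed RMM audit lines. This is example code, not Frostbow's implementation; the baseline values, signal weights, thresholds and the audit-line format are assumed.

```python
from datetime import datetime, timedelta

# Constructed per-account baseline (assumed values, not Frostbow's real model): usual source
# regions, business hours, and the most distinct client profiles queried in any 3-minute window.
BASELINE = {"tech1": {"geos": {"CA"}, "hours": (8, 18), "max_clients_3m": 3}}
WINDOW = timedelta(minutes=3)
MEDIUM, HIGH = 0.5, 0.8                      # composite-confidence thresholds (assumed)
RESPONSE = ("revoke_session", "lock_account", "block_rmm_egress")

def parse(line):
    """Parse a constructed RMM audit line: '<iso-ts> <account> <action> <geo> [<client>]'."""
    ts, account, action, geo, *rest = line.split()
    return datetime.fromisoformat(ts), account, action, geo, (rest[0] if rest else None)

def auth_score(ts, geo, base):
    """Off-hours and unfamiliar-geography logins each add weight; together they reach MEDIUM."""
    lo, hi = base["hours"]
    return (0.25 if not lo <= ts.hour < hi else 0.0) + (0.25 if geo not in base["geos"] else 0.0)

def enumeration_score(queries, now, base):
    """RapidClientEnumeration: distinct client profiles queried within the trailing WINDOW."""
    recent = {client for t, client in queries if now - t <= WINDOW}
    return 0.4 if len(recent) > base["max_clients_3m"] else 0.0

def analyze(lines):
    """Walk an audit trail in order; return (severity, score, actions) for the final state."""
    auth, queries = {}, {}
    verdict = ("none", 0.0, ())
    for line in lines:
        ts, account, action, geo, client = parse(line)
        base = BASELINE[account]
        if action == "login":                      # new session: reset the per-session state
            auth[account] = auth_score(ts, geo, base)
            queries[account] = []
        elif action == "client_query":
            queries.setdefault(account, []).append((ts, client))
        score = auth.get(account, 0.0) + enumeration_score(queries.get(account, []), ts, base)
        if score >= HIGH:                          # composite crosses high severity: contain
            return ("high", score, RESPONSE)
        verdict = ("medium" if score >= MEDIUM else "none", score, ())   # hold and watch
    return verdict

# Constructed sample trail mirroring the scenario: a 2:14 AM login from an unfamiliar region,
# then several distinct client profiles enumerated within a single three-minute window.
SAMPLE = ["2024-03-04T02:14:00 tech1 login XX"] + [
    f"2024-03-04T02:15:{10 + 5 * i:02d} tech1 client_query XX client-{i:02d}" for i in range(6)
]

if __name__ == "__main__":
    print(analyze(SAMPLE))   # prints ('high', 0.9, ('revoke_session', 'lock_account', 'block_rmm_egress'))
```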

Key Deployment Characteristics

  • Full deployment in five days by a single Frostbow technician
  • Designed for a four-person team with no dedicated security function
  • RMM platform access patterns treated as a priority monitoring surface
  • Automated monthly reporting requiring no analyst effort to produce
  • Protection extended implicitly to all downstream municipal and SMB clients
  • After-hours autonomous response with immediate owner notification — no analyst on call required
