Thinking like a threat actor: Why MSPs must look beyond the visible attack surface

In an exclusive interview with Rik Ferguson, VP of Security Intelligence at Forescout, it becomes clear that effective cybersecurity now demands more than compliance and regular practice. To stay ahead of increasingly sophisticated threats, MSPs must think outside the box, challenge assumptions, and view their clients' environments through the eyes of an attacker.

For years, cybersecurity has been built around a familiar principle of identifying risks, deploying controls, patching vulnerabilities, and maintaining compliance. Today’s threat landscape is forcing MSPs to confront the uncomfortable reality that only doing what is required is no longer enough.

The attackers targeting organisations today are not simply looking for the obvious weaknesses. They are studying business operations, exploiting blind spots, abusing trust relationships, and targeting the very technologies designed to provide protection. To stay ahead, MSPs must begin thinking less like defenders and more like the attackers they are working to defend against.

Attackers are often more focused on finding unexpected routes into an environment than organisations are on anticipating them. As Ferguson illustrates through the example of a vulnerable IP camera in a hospital setting, what appears to be a low-risk, isolated device can become the entry point into wider IT systems and even operational infrastructure, creating a pathway from a seemingly minor weakness to systems that underpin critical services.

The security blind spots no one owns

One of the most significant shifts in cybersecurity over the past decade has been the expansion of the attack surface. Organisations now rely on an ever-growing mix of traditional IT assets, cloud services, operational technology (OT), Internet of Things (IoT) devices, building management systems, communications platforms, and third-party services, many of which sit outside traditional security visibility.

Ferguson notes that MSPs are seeing OT targeted much more frequently, as threat actors increasingly focus on areas outside traditional IT ownership and oversight. This is compounded by the accelerating risk profile of these environments, where “the amount of vulnerability in those devices has increased exponentially and the time to weaponisation has decreased at the same time”, significantly reducing the time organisations have to respond.

The challenge is that many of these assets sit outside traditional security visibility.

Most organisations can provide a number when asked how many endpoints they manage. Yet time and again, security assessments reveal a far larger and more complex environment than expected. Devices that are unmanaged, forgotten, or simply unknown create opportunities that attackers are increasingly eager to exploit.

Threat actors do not care about organisational silos. They do not distinguish between devices owned by IT, facilities management, operations teams, or third-party contractors. If a vulnerable asset provides a pathway into the network, it becomes a target.

Ferguson highlights that edge devices are particularly attractive to attackers, since “it's part of your security stack, but it's very often not visible. It occupies this privileged position for further lateral movement into the environment.” For MSPs, this requires a mindset shift. Security tools can no longer be assumed to be inherently secure simply because they are security tools. Every device connected to a network must be viewed through the lens of an attacker asking a simple question:

"How could I use this to gain access?"

Perhaps the biggest lesson MSPs can learn from modern threat actors is creativity. Attackers are increasingly willing to compromise assets that appear insignificant if those assets provide access to something more valuable. An internet-facing IP camera, an HVAC controller, a VoIP system, or a forgotten building management device may seem unrelated to cybersecurity. To an attacker, they are simply alternative routes into the environment.

In modern environments, the attack surface is therefore not defined by importance, but by connectivity.

The motivations behind modern threats

Understanding the technology behind cyberattacks is only part of the challenge. Increasingly, organisations also need to understand the motivations driving the people behind them.

Historically, cybercriminals, hacktivists and nation-state actors occupied relatively distinct categories, each with their own objectives. Criminal groups were primarily motivated by profit, hacktivists by ideology, and state-sponsored actors by espionage or geopolitical interests. Today, however, those lines are becoming increasingly blurred. As Ferguson explains, motivations still matter because they influence how attackers select targets, measure success and adapt their tactics.

Traditional cybercrime is financially motivated, and for these attackers every intrusion ultimately comes back to a simple question: can it generate revenue? As Ferguson highlights, “they are driven by how they can monetise the attack, otherwise they won’t do it.”

Yet not all threat actors are driven by financial gain. Hacktivist groups, he explains, are "cause-motivated", seeking disruption, visibility or reputational damage in support of a particular belief. Meanwhile, nation-state actors have traditionally focused on espionage, intellectual property theft and strategic intelligence gathering.

The challenge for defenders is that these motivations are no longer neatly separated. Ferguson points to a growing trend of nation-state actors adopting hacktivist identities or working through affiliated groups to obscure their involvement and create plausible deniability. At the same time, hacktivist groups are becoming more technically sophisticated, moving beyond website defacements and denial-of-service attacks to target operational technology and critical infrastructure.

He adds, "State-level actors are getting involved in that scene as well in two ways, either by outsourcing to activists, or by posing as activists themselves." For MSPs, this shift reinforces the need to think beyond traditional threat categories. Understanding the mindset of an attacker means recognising that different adversaries are pursuing different outcomes, whether financial gain, disruption, influence or strategic advantage. As those motivations increasingly overlap, defenders must prepare for a broader range of tactics, techniques and objectives than ever before.

Visibility is the new foundation of security

For all the discussion around AI, advanced detection platforms, and next-generation security tools, the fundamentals remain surprisingly unchanged. Security teams cannot protect assets they cannot see. They cannot patch systems they do not know exist. They cannot assess risk without understanding their environment. As Ferguson notes, “It’s the visibility that is essential, because if you don’t know what you have, you don’t know which patches or vulnerabilities apply within your network.”

As organisations continue to adopt cloud services, connected devices, and hybrid infrastructure, visibility becomes the foundation upon which every other security decision depends. The question MSPs should be asking clients is no longer, “What security tools do you have?” Instead, it is, “How confident are you that you know everything connected to your business?” Because if the answer is uncertain, attackers may already have an advantage.

The next evolution: thinking like the adversary

The future of cybersecurity will not be defined solely by new technologies. It will be defined by mindset. AI will accelerate vulnerability discovery. Supply chain attacks will continue to grow. Token theft will increasingly replace traditional credential theft. Attackers will continue moving up the value chain, targeting trusted providers and service platforms to reach larger numbers of victims.

Yet despite these changes, the most effective defensive strategy remains surprisingly human. The organisations that succeed will be those willing to challenge assumptions, question visibility gaps, and examine their environments through an attacker's eyes.

MSPs sit in a unique position. They have visibility across multiple clients, multiple environments, and multiple industries. That vantage point gives them an opportunity to move beyond compliance-driven security and become genuine strategic defenders. The challenge is no longer simply building stronger walls. It is understanding where an attacker would look for the door.

This shift in mindset is becoming even more important as the regulatory landscape evolves. Under the forthcoming Cyber Resilience Bill, MSPs are expected to become directly regulated entities, placing greater accountability on providers themselves rather than solely on their customers. That change will increase pressure on MSPs to demonstrate not only compliance, but also a deeper understanding of their own attack surfaces, supply chain exposures, and the risks posed by the trusted position they occupy within client environments. As attackers continue to target service providers as a route into multiple organisations, resilience will increasingly be measured by an MSP's ability to anticipate adversarial behaviour, not simply meet baseline security requirements.
