Protecting Critical Infrastructure: MSPs, SMBs, and the Power of Empathetic Leadership in Cybersecurity

Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Quick Takeaways:

  • Patching externally facing systems is vital, but many defenders lose sight of attackers who simply log in with stolen, still-valid credentials.
  • MSPs and SMBs continue to face threats aimed at end-user identities, cloud environments, and the same administrative tooling they rely on to run infrastructure.
  • Brown notes that incident response repeatedly exposes the same security gaps, which threat actors exploit and organizations fail to close.
  • Blackpoint Cyber's Adversary Pursuit Group converts threat intelligence into detection rules, containment playbooks, and partner alerts rather than simply redistributing feeds.
  • Fresh minds in the field bring unrestrained curiosity, and fluency in attacker tradecraft keeps a defender's thinking flexible.

In this edition of LeadHER in Security, MacKenzie Brown, VP of Adversary Pursuit at Blackpoint Cyber, discusses the growing abuse of remote access tools in modern threat campaigns. Brown noted that the past year saw a sharp rise in the malicious use of such tools, often delivered through social engineering campaigns such as Fake CAPTCHA and ClickFix, which lure the victim into running the attacker's payload while appearing to be a routine security check.

Before joining Blackpoint Cyber, Brown led global incident response efforts at Microsoft’s Detection and Response Team (DART), where she specialized in threat intelligence and nation-state investigations. 

Her earlier experience spans key roles in incident management at Optiv and cybersecurity analysis at the Idaho Department of Labor, shaping a career grounded in technical expertise and operational leadership. 

She emphasizes the importance of adopting an inside-out security mindset that prioritizes resilience, strategy, and proactive defense.

Read our full interview to see how Brown reframes threat intelligence for MSPs, making it accessible, actionable, and focused on limiting the blast radius through stronger fundamentals.

Vishwa: Let’s start with the current threat landscape. From your vantage point at Blackpoint Cyber, what adversary behaviors and infrastructure patterns are most concerning right now for Managed Service Providers (MSPs) and Small and Medium Businesses (SMBs)?

MacKenzie: For adversaries, the goalpost hasn’t moved; however, the perimeter of the field has changed in some ways. There has been a relentless shift to the cloud as threat actors continue to target the identity plane through attacks such as token theft, session hijacking, and adversary-in-the-middle techniques, highlighting our increased need to both understand and continuously monitor cloud environments. 

While we are rightly concerned with patching and protecting every externally facing system that poses an opportunity for initial access, we often lose sight of an adversary walking right through the front door with stolen, yet valid, credentials.

In addition to this cloud-focused shift, adversaries continue to successfully thrive via “living off the land” tactics, where using native, trusted, and legitimate tools becomes their glorified army tank as they persist and laterally move through their victims’ environments. 

This past year, we have seen an impressive uptick in the malicious use of remote access tools—often delivered via social engineering campaigns such as Fake CAPTCHA and ClickFix—that provide a semblance of security to the end user while, unbeknownst to them, they are being compromised.

The concerning patterns for MSPs and SMBs remain the same: the identity of the end user, the cloud, and the very system administrative tooling we rely on for infrastructure support are all cleverly being targeted.

Vishwa: The security of Managed Service Providers (MSPs) and Small and Medium Businesses (SMBs) has been called the “backbone of critical infrastructure.” Given the frequency of supply chain attacks, do you believe MSPs and their clients need to be federally recognized and invested in as critical infrastructure?

MacKenzie: I not only believe they should be—I believe they effectively already are critical infrastructure; however, the perception of their risk profile needs to catch up to the reality of operational dependency. 

An MSP is a single point of failure that acts as a multiplier; by compromising one MSP, an adversary immediately gains access to many downstream SMB clients. The most vulnerable entities in this chain are SMBs, which often lack the budgets and personnel required for security operations and effective defense. 

MSPs serve as that defense line. We need the industry to start focusing on this critical sector—to stop treating MSP security as a competitive business differentiator and start treating it as a national security pillar—democratizing defenses by enabling MSPs to deliver the necessary advanced capabilities such as 24/7 managed detection and response.

Vishwa: You’ve worked with Microsoft Detection and Response Team (DART) and Optiv. How did those experiences shape your technical and investigative approach to modern incident response and adversary pursuit?

MacKenzie: I often joke internally and to our partners that I went from the murder cleanup zone to moving a little more left in defense. My time at DART and Optiv was foundational, as I was able to witness the chaotic rubble left behind during cyber crises and instill the value of organizational resilience, so that incidents were not simply viewed as a technical problem but a business wake-up call.

This taught me to approach a sort of “inside-out security” mindset. My tenure helping clients prepare for and recover from intrusions also taught me to engage with simplicity and approach security from the inside out, prioritizing strategy over broken, reactive response. 

Incident response can certainly leave one with a pessimistic view of how organizations handle their posture, but in the same vein, that view can be a glass-half-full approach because it allows us to highlight the consistency and repeated gaps threat actors benefit from—and that organizations fail to address.

Incident response can cut the noise down and allow lessons learned to warrant increased buy-in and realistic prioritization of security. Real security incidents can be dirty and unpredictable, and often randomly motivated, moving beyond a process-oriented or compliance-based view of security and pushing the power back into awareness. 

At APG, we approach this with the same mentality: every containment and action in MDR, enhanced with intelligence that highlights actionable remediation, gives organizations a fighting chance—and a realization that they have a larger team fighting the fight for them.

Vishwa: The Adversary Pursuit Group focuses on tracking threats and translating intelligence into action. How is that intelligence converted into measurable defensive data?

MacKenzie: Our mission is to convert intelligence into actionable remediation for our MSP partners, essentially moving from the academic understanding of intel to a measurable defensive posture. Consuming and redistributing threat feeds is not a sufficient solution for our partners.

Internal emulation, analysis of threats, and understanding the tradecraft and patterns of these threat actor groups give confidence to detection and response. Among these, we prioritize vulnerability scoring, as we developed internal scoring mechanisms that prioritize vulnerabilities by actual impact to MSP and SMB environments—not just by volume—ensuring the highest-risk gaps are addressed in real time.

And finally, collaboration is key. We work within BROC (Blackpoint Response Operations Center), where that intelligence is immediately operationalized in detection rules, containment playbooks, and partner alerts, allowing us to act as a hive mind from analyst to analyst.

Vishwa: Many SMBs struggle to operationalize threat intelligence effectively. What practical steps can smaller teams take to improve their defensive posture without overwhelming limited resources?

MacKenzie: “Democratizing threat intelligence” for an MSP comes down to accessibility and action. Effectively disseminating intel that is reasonable and actionable for an MSP to implement—either through awareness for their threat operations or through resource allocation in administration—is key.

However, we still see the fundamentals falling behind in MSPs and SMBs, such as phishing-resistant MFA strategies, patching known exploited vulnerabilities on externally facing assets, and locking down remote access while implementing application control to block unwanted tools from executing.

Whether or not a specific adversary group or targeting is occurring is essentially useless, because at that point the “who” is irrelevant, and being reactive in time to limit the blast radius is the focus. Focus on the fundamentals in order to operationalize threat intelligence effectively, strategically reducing the attack surface.

Vishwa: We often see young individuals demonstrating remarkable skill in offensive cyber activities. From your perspective, what makes younger minds so adept at understanding adversarial techniques?

MacKenzie: The very backbone of a successful threat operations unit is adapting to an understanding of attacker tradecraft—putting themselves in the shoes of the threat actor. Fresh minds in this field come with inherent, unrestrained curiosity, and flexing that fluency of techniques and tactics that lead to a successful attacker objective keeps that flexible mindset strong.

The best advice I received when I started in cybersecurity, building out tabletop exercises that left an impression, was approaching it from the threat actor’s position of “if I can access it, I can explore it.” This exploratory thinking is like a muscle that translates into any future role in this industry.

Vishwa: Your background blends theater studies and cyber operations resilience, which is unusual and fascinating. Has that creative foundation influenced how you lead or communicate in cybersecurity?

MacKenzie: When it comes to cyber and the influence of theatre, storytelling is the new art. While an unorthodox background, translating technical voices and connecting to the audience with these insights in a memorable way helps empower and inspire—especially when considering how that translation differs between a CEO and a practitioner.

Understanding human motivation and perspective is key, whether in theatre, social engineering, or influencing. A foundation of empathy for clients experiencing a breach—in non-technical positioning of factors such as stress or resource limits—allows the storyteller to become the strategist.

Vishwa: What kind of community or legacy do you hope for women entering technical and threat intelligence roles in the years ahead?

MacKenzie: We benefit in our careers and in life by having trusted advisors. Find your team—the ones you can lean on to mentor, teach, push, and provide a feedback loop—and diversify this team. A culture of active advocacy paired with this creates community.

I have benefited so much from the community, both locally in my city and within the MSP channel. Advocacy is everything, regardless of gender. Align yourself with employers and mentors that embrace the power of diverse perspectives, because ultimately, the legacy is grown through finding new ways to solve problems—especially in cybersecurity, where some of the most persistent issues collectively need a fresh approach.

I hope for a community in this field where women in technical roles are not just present but championed.
