As a cybersecurity professional, it pains me to see the recent news about both Caesars and MGM casinos and resorts being compromised so thoroughly. The details about what happened at both are generally thought to be understood at this point. Of course, without direct statements and details from either, we are all still speculating a bit. With that in mind however, and with the caveat that we’re not here to shame either organization but to learn from them, let’s discuss what lessons we can learn from these breaches.
MGM: What We Think We Know
MGM appears to have been initially penetrated via a social engineering approach, contacting a helpdesk (understood to be a 3rd party organization) who incorrectly verified the identity of the attacker as someone who had access to elevated permissions within the system. If the attacker’s account is to be believed, they used nothing more than publicly available information (which I take to mean not needing any “dark web” information) to con their way into admin level access to the environment. If we listen to those who follow this attacker’s usual MO, we understand that they likely performed the social engineering helpdesk call where they successfully got MFA control and a password reset for an account that got them the access they needed to perform the next steps.
One of their next key steps was to set up a trusted identity federation source that allowed their own authentication solution to appear as a trusted source of access and authorization data for their malicious user accounts. Once that was done they were able to effectively access a wide swath of the environment, including the ability to log into the systems running virtual machine infrastructure and holding all the VMs on those systems hostage. Either the attack itself, MGM’s chosen response, or a combination of both did temporarily disable the entire MGM network, including preventing room-key systems and payment systems from working for quite some time.
The “good news” is that the attacker’s stated goal was to impact and influence actual gaming machines. It is extremely clear that this attacker is financially motivated, which should come as no surprise to anyone following cyber news these days.
More than a week later reporting suggests that while MGM is up and running again, it is still bleeding millions of dollars per day in residual costs and lost revenue as many systems are still not up and running at full capacity. It is presumed that MGM has not yet chosen to pay any ransom, as none has been disclosed in appropriate FTC or SEC filings, though they have disclosed an anticipated $100M negative impact from the breach.
Caesars: What We Think We Know
Caesars has admitted to paying about $15M to prevent the release of data. It may have included drivers license and social security numbers however Caesars claims that passwords and banking information was not compromised, which is certainly cold comfort for anyone who was impacted. No outage was reported, and no account of the incident’s particulars have so far been shared.
Cybersecurity industry sources suggest that the same group that attacked MGM attacked Caesars, and that some similar tactics were employed, but there is precious little thought to be understood about the Caesars breach.
3 Keys to Cyber Resilience
If we break this down into three basic focal points, we can find ways to help ourselves be more cyber resilient enterprises.
1. Anticipating Risk
Both casinos are clearly high risk targets. Having been repeatedly attacked and having lost customer data more than once each in the past, there is a clear pattern of risk for both to have addressed. Each is a business seen as being very lucrative to outsiders, and as having a treasure trove of PII data. The combination of both makes them exciting looking targets for cyber criminals who are looking to both make money off of this singular attack and gather research for upcoming attacks. After all, who hasn’t stayed at an MGM or Caesars location when they traveled to Las Vegas in the past few years? Given the plethora of industry events and conventions, not to mention the upcoming (or past, depending on when you read this) F1 event suggests that these organizations will have lots of very interesting people’s PII data.
Even if these aren’t the same overall risks for your organization, you still no doubt have systems that you rely on to do business. Those may have PII on them or not, but they are still critical to your organization’s success. What are the risks to those?
On a more tactical level, we clearly see some system vulnerabilities to be better addressed:
- SMS based multi-factor authentication should not be relied upon for corporate systems, as we’ve seen time and time again. The only place this should be even remotely acceptable is for individual consumer accounts, and even then companies should be striving to replace it with more secure solutions.
- Helpdesk based password reset processes must properly vet the user whose credentials are being reset – especially those who have administrative access and responsibilities.
- Admin roles need to be segmented – a singular identity should not have access across an entire organization – at least one of the sort of enterprise scale as either of these organizations.
- The ability to add a federated identity source must be not only restricted, but monitored for and should immediately be investigated if it happens outside of known change-control processes.
2. Withstand and Recover with Precision Response
We know very little about how quickly either organization detected their intruders. We don’t even know if they detected them or if the attackers made themselves known intentionally, a’la Colonial Pipeline. But it is clear that neither attack was detected prior to causing damage.
For MGM, the damage was extensive, impacting much of their infrastructure. For Caesars, the impact is harder to be confident about – data was clearly exfiltrated, but we didn’t see indications of the wide-spread impact that MGM had. It may be that the strike itself was more surgical, was detected sooner, or was simply better contained by system segmentation, helping them withstand this attack with less damage.
But we do know that detection is the first step to response, and without quick detection the scope of damage grows quickly, making response and recovery more difficult, time consuming, and costly.
3. Adapt and Improve Cyber Security Programs
This is where we can all help ourselves out, by learning from the misfortune of others. If I were part of Caesars cyber leadership, I’d be thinking about how that PII breach still cost the company $15M in ransom. I might be congratulating myself on how it was contained to just that part of the environment, but I’d clearly be looking at how that data is accessed. One of my first questions to the business would be:
- Do we need to keep that sensitive data as long as we do?
One of the universal axioms of data theft is that you can’t lose what you don’t have. And if the company does need to keep that data, I’d start reviewing what systems and people have read access to it, and why.
If I’m in cyber leadership at MGM, I’m probably pulling my hair out right now. But as I have time to reflect, I will probably be focusing hard on my MFA, helpdesk, and infrastructure architecture. I would be thinking about how unresilient we were that this attack was able to cripple us so thoroughly, and keep us crippled more than a week later. I might be turning my attention to focusing more on how turtle-shell-like our security seems to have been: all focused on protecting our perimeter, and woefully underprepared for an attacker that manages to get past those protections.
As I’m not in cyber leadership at either organization, I’m thinking about these same things, but perhaps not with the exact same level of heartburn and urgency. I’m thinking not just about what security tools I have, but of our organization’s architecture. I’m thinking about our ability to detect and respond. I’m thinking about what blind assumptions we’ve made that need to be reconsidered: where are we assuming we’re safe but we really are not?
MFA and password resets are high on my list of priorities to review there. All the while thankful for the opportunity to improve my program by reviewing what happened to someone else’s. And since I’ve recently been in Vegas, I think I’ll be paying some additional attention to my identity, credit score, and the like as perhaps my data was part of what was compromised.