In September 2023, MGM Resorts International grappled with a cyberattack on its Las Vegas properties that disrupted a large number of critical systems and operations. Over roughly ten days, MGM's security team worked to establish the origin and scope of the intrusion and to restore normal operations. The precise financial impact had not been disclosed at the time of writing, but the operational impact was plainly severe: slot machines, ATM terminals, the guest loyalty program, room key cards, and even elevators were affected.
The MGM attack is widely attributed to Scattered Spider, a criminal group that has deployed ALPHV/BlackCat ransomware in its intrusions. The group is adept at social engineering: its members impersonate employees to a company's IT help desk in order to have credentials reset and handed to them. Armed with those credentials, the attackers reportedly entered MGM's corporate network and its Okta identity environment, and from there reached multiple downstream systems.
The events at MGM are a stark reminder that the threat landscape keeps evolving. The sections below draw out the lessons from this attack that can help organizations reinforce their defenses and improve their security practices.
Social Engineering Preparedness –
The foremost lesson is to ensure that your staff and service providers understand social engineering techniques. Criminal groups deliberately target employees and help desk personnel, using age-old con artist tactics to talk them out of established procedures. Provide comprehensive, up-to-date training that illustrates what these attacks look like and gives clear guidance on how to resist them. Pay particular attention to the help desk: a password or MFA reset granted over the phone is only as strong as the identity verification that preceded it, so resets should require out-of-band verification (a callback to a number already on file, or confirmation through the employee's manager) and should never be performed for privileged accounts on the strength of a single call.
Incident Response Protocol –
It is essential to have a well-defined, rehearsed incident response plan that covers the incidents your organization is most likely to face. The plan should be exercised at least annually with the incident response team through scenario-based drills. It should cover identifying and escalating incidents, investigating the breach, restoring critical systems, maintaining out-of-band communication channels in case primary channels are compromised, and sanitizing affected systems before returning them to service.
Comprehensive Security Layers –
Design your security program so that critical systems and sensitive data are protected by several independent controls, and so that the failure of any single control does not by itself grant access. This defense-in-depth approach layers measures such as firewalls, endpoint protection, intrusion detection, user behavior analytics, separation of duties, multi-factor authentication, and zero-trust architectures so that an attacker who defeats one layer still faces the others. The MGM case illustrates the point: a credential obtained through the help desk should have been stopped by the next layer, for example a requirement that access to administrative systems come only from a managed device.
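The following is an added example, not code from the article or from MGM or Okta, showing what "no single control grants access" looks like as an access decision. The signal names, the role names and the 24-hour "fresh factor" threshold are assumptions chosen to mirror the reported attack chain (a help-desk reset of a credential and MFA factor, followed by a login from an attacker-controlled device); adapt them to your own identity provider.

```python
"""Layered access decision: no single control, and no single reset, grants access.

Added example; this is not code from the article or from MGM/Okta. The signal
names, role names and the 24-hour "fresh factor" threshold are assumptions
chosen to mirror the reported attack chain (help-desk reset of a credential and
MFA factor, then a login from an attacker-controlled device).
"""
from dataclasses import dataclass, field
from datetime import timedelta

# Roles for which a single fresh factor should never be enough (assumed names).
PRIVILEGED_ROLES = {"okta_super_admin", "domain_admin", "helpdesk_admin"}
FRESH_FACTOR = timedelta(hours=24)


@dataclass
class AccessRequest:
    user: str
    roles: set
    password_ok: bool          # credential verified by the IdP
    mfa_ok: bool               # a registered factor answered the challenge
    mfa_factor_age: timedelta  # time since that factor was enrolled
    device_managed: bool       # device certificate / MDM attestation present
    source_trusted: bool       # corporate network or known egress


@dataclass
class Decision:
    allow: bool
    failures: list = field(default_factory=list)


def evaluate(req: AccessRequest) -> Decision:
    """Each layer is checked independently; access requires all of them."""
    failures = []
    privileged = bool(req.roles & PRIVILEGED_ROLES)

    # Layer 1: something you know.
    if not req.password_ok:
        failures.append("password")
    # Layer 2: something you have.
    if not req.mfa_ok:
        failures.append("mfa")
    # Layer 3: device identity. A help-desk reset hands the attacker a working
    # password and a freshly enrolled factor, but not a managed device.
    if not req.device_managed:
        failures.append("device_not_managed")
    # Layer 4: privileged roles get no grace period for re-enrolled factors and
    # are not reachable from untrusted networks at all.
    if privileged and req.mfa_factor_age < FRESH_FACTOR:
        failures.append("recent_factor_enrollment_on_privileged_account")
    if privileged and not req.source_trusted:
        failures.append("privileged_access_from_untrusted_network")

    return Decision(allow=not failures, failures=failures)


def attacker_scenario() -> Decision:
    """Help-desk reset attack: valid password, factor enrolled minutes ago,
    unmanaged device, off-network, targeting an admin account."""
    return evaluate(AccessRequest(
        user="j.doe", roles={"okta_super_admin"},
        password_ok=True, mfa_ok=True, mfa_factor_age=timedelta(minutes=12),
        device_managed=False, source_trusted=False))


def legitimate_admin_scenario() -> Decision:
    """Same admin, long-enrolled factor, managed device, corporate network."""
    return evaluate(AccessRequest(
        user="j.doe", roles={"okta_super_admin"},
        password_ok=True, mfa_ok=True, mfa_factor_age=timedelta(days=90),
        device_managed=True, source_trusted=True))


def stolen_password_scenario() -> Decision:
    """Password alone (phished or purchased): two layers still stand."""
    return evaluate(AccessRequest(
        user="a.smith", roles={"staff"},
        password_ok=True, mfa_ok=False, mfa_factor_age=timedelta(days=400),
        device_managed=False, source_trusted=False))


if __name__ == "__main__":
    for name, fn in [("attacker", attacker_scenario),
                     ("legitimate admin", legitimate_admin_scenario),
                     ("stolen password", stolen_password_scenario)]:
        d = fn()
        print(f"{name}: allow={d.allow} failures={d.failures}")
```

The point of the fourth layer is that a factor enrolled minutes ago on a privileged account is itself a signal: legitimate administrators rarely re-enroll, while a help-desk reset always produces exactly that state.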
Managing Third-Party Risks –
External parties with access to your critical systems are part of your attack surface. Mitigate that risk with a vendor risk management program that defines clear processes for risk assessment, contract negotiation (including security obligations), vendor onboarding, project and delivery oversight, business continuity planning, ongoing monitoring, and the sanctions to apply when a vendor fails to meet its obligations.
Essential Process Assessment –
Thoroughly assess the key processes that underpin your security, including account management (password resets, account creation, and privilege assignment), patch management, network and system monitoring, log analysis, and correlation of security information across sources. Processes that were established internally and have run unchanged for years often harbor weaknesses that nobody has questioned; a help-desk reset procedure that predates remote work is a typical example. In particular, resets and privilege grants should be logged and correlated with the logins that follow them, since the sequence "help desk resets a factor, then the account logs in from somewhere new" is the signature of the attack MGM suffered.
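As an added example of the log correlation described above (not code from the article or any vendor), the script below walks an identity-provider log and raises an alert when a help-desk MFA reset is followed, within an hour, by a login from an IP the user has never used, escalating the alert if a privilege grant follows on the same session. The event type names follow Okta System Log conventions, but the log lines are constructed for this example and the flat field layout (`actor`, `target`, `client_ip`) is a simplifying assumption rather than the vendor's schema.

```python
"""Correlate help-desk MFA resets with follow-on logins from unfamiliar IPs.

Added example, not from the original article. Event type names follow Okta
System Log conventions, but the sample log below is constructed and its flat
field layout is an assumption, not the vendor schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RESET_EVENT = "user.mfa.factor.reset_all"
LOGIN_EVENT = "user.session.start"
PRIV_EVENT = "user.account.privilege.grant"
WINDOW = timedelta(minutes=60)

# Constructed sample log (JSON lines). jdoe: help-desk reset, then a login from
# an IP the user has never used, then an admin grant. asmith: reset followed by
# a login from the usual IP (benign).
SAMPLE_LOG = """\
{"published": "2023-09-08T09:00:00Z", "eventType": "user.session.start", "actor": "jdoe", "target": "jdoe", "client_ip": "198.51.100.7"}
{"published": "2023-09-08T09:05:00Z", "eventType": "user.session.start", "actor": "asmith", "target": "asmith", "client_ip": "198.51.100.9"}
{"published": "2023-09-10T20:02:00Z", "eventType": "user.mfa.factor.reset_all", "actor": "helpdesk01", "target": "jdoe", "client_ip": "10.0.5.21"}
{"published": "2023-09-10T20:11:00Z", "eventType": "user.session.start", "actor": "jdoe", "target": "jdoe", "client_ip": "203.0.113.45"}
{"published": "2023-09-10T20:25:00Z", "eventType": "user.account.privilege.grant", "actor": "jdoe", "target": "jdoe", "client_ip": "203.0.113.45"}
{"published": "2023-09-10T21:00:00Z", "eventType": "user.mfa.factor.reset_all", "actor": "helpdesk02", "target": "asmith", "client_ip": "10.0.5.22"}
{"published": "2023-09-10T21:09:00Z", "eventType": "user.session.start", "actor": "asmith", "target": "asmith", "client_ip": "198.51.100.9"}
"""


def parse_events(log_text):
    """Parse JSON lines into dicts carrying a real datetime, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect(log_text, window=WINDOW):
    """Return alerts for reset -> new-IP login (-> privilege grant) chains."""
    known_ips = defaultdict(set)  # user -> IPs seen on earlier logins (baseline)
    pending_resets = {}           # user -> most recent help-desk reset event
    open_alerts = {}              # user -> alert raised for the current chain
    alerts = []

    for ev in parse_events(log_text):
        user = ev["target"]
        kind = ev["eventType"]

        if kind == RESET_EVENT:
            pending_resets[user] = ev

        elif kind == LOGIN_EVENT:
            ip = ev["client_ip"]
            reset = pending_resets.get(user)
            # A login is suspicious only if it is both soon after a reset AND
            # from an IP this user has never authenticated from before.
            if reset and ev["time"] - reset["time"] <= window and ip not in known_ips[user]:
                minutes = int((ev["time"] - reset["time"]).total_seconds() // 60)
                alert = {
                    "user": user,
                    "reset_by": reset["actor"],
                    "reset_at": reset["published"],
                    "login_at": ev["published"],
                    "login_ip": ip,
                    "severity": "high",
                    "notes": [f"first login from {ip} {minutes} min after a help-desk MFA reset"],
                }
                alerts.append(alert)
                open_alerts[user] = alert
            # Update the baseline only after the check, so the new IP does not
            # whitelist itself.
            known_ips[user].add(ip)

        elif kind == PRIV_EVENT:
            alert = open_alerts.get(user)
            reset = pending_resets.get(user)
            if alert and reset and ev["time"] - reset["time"] <= window:
                alert["severity"] = "critical"
                alert["notes"].append(f"privilege granted at {ev['published']} on the new session")

    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

In production the baseline would be built from weeks of history and keyed on ASN or geolocation rather than exact IP to reduce false positives from home-network changes; the structure of the rule, reset followed by an unfamiliar login, is what matters.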
Periodic External Evaluation –
Periodically obtain an independent, impartial evaluation of your security strategy, processes, and controls from external experts. Internal reviews of a program built by the same organization tend to lack objectivity and may lack specialist expertise. An outside assessment can reveal inefficiencies and weak points, such as an over-trusted help desk procedure, that are not obvious from an insider's perspective.