While the full fallout of the recent breach of MGM Resorts remains to be seen, at this stage we are able to glean some valuable insights about how it happened from both MGM and the attackers themselves.
The ransomware gang named Scattered Spider is one of many groups of cybercriminals who are becoming organized in a way that was previously thought possible only for state-backed actors. They have access to sophisticated software and ransomware customized for the targets they choose, deployed by a growing cast of experienced hackers who understand how their targets work. In the world that the ALPHV ransomware gang operates in, the money extorted from the targets often seems secondary to chasing the fame that comes with the size of the entity the cybercriminals bend to their will. Regardless of the motivations that drive them, the result leaves their targets poorer, less trusted, and owing an explanation to the SEC if they are a publicly traded company.
In the case of the MGM breach, Scattered Spider started by targeting Okta, an identity management company that counts MGM among its clients. Scattered Spider looked at LinkedIn profiles to select the individuals they would impersonate and learned everything they could about those employees, so they could contact the Okta helpdesk and convince them to give up privileged access to the employees’ accounts.
MGM has been vague about what precisely occurred, stating in a September 13th SEC 8-K filing, “MGM Resorts recently identified a cybersecurity issue affecting certain of the Company’s systems.” However, through expert opinion and even secondhand accounts, we are able to deduce what could have mitigated or outright prevented the breach.
Employee training on social engineering and vishing (the use of phone calls to steal information or access) could have helped avoid the cyberattack. Detecting these attempts becomes harder as an organization grows, since not every employee will recognize the voices of everyone who works at the company. Therefore, it is vital to train employees on what an abnormal request looks like, empower them to question even those who appear to be in positions of authority, and have them report any odd attempts to gain information to their IT security personnel. Those reports allow an organization to detect malicious activity early and tip it off to a potential large-scale attack.
Limiting the access of accounts, on either an individual or role-based basis, to the bare minimum they require to perform their duties could also mitigate a breach. The MGM attackers were able to escalate the privileges of the accounts they gained access to by exploiting lax enforcement of this least-privilege principle.
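To make the least-privilege point concrete, here is an added example (written for this post, not code from MGM, Okta or the firm) of a deny-by-default, role-based authorization check. The role names, permission strings and sample accounts are constructed for illustration; the idea it demonstrates is that a helpdesk role gets only the actions it needs, can never act on a privileged account, and every denied request is written to an audit list that security staff can review, which is the detection angle the training paragraph above describes.

```python
"""Added example: deny-by-default role-based authorization (least privilege).

All role names, permissions and accounts below are constructed for
illustration and do not describe any real organization's configuration.
"""
from dataclasses import dataclass


# Each role lists only the actions it needs; anything not listed is denied.
ROLE_PERMISSIONS = {
    "employee": {"read:own_profile", "update:own_profile"},
    "helpdesk": {"read:any_profile", "reset:password"},
    "security_admin": {
        "read:any_profile", "reset:password", "reset:mfa", "grant:role",
    },
}

# Roles whose accounts are considered privileged targets. Only another
# privileged actor may perform account-changing actions on them.
PRIVILEGED_ROLES = {"security_admin"}


@dataclass
class Account:
    name: str
    roles: set


@dataclass
class Decision:
    allowed: bool
    reason: str


def effective_permissions(account):
    """Union of the permissions granted by every role the account holds."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_privileged(account):
    return bool(account.roles & PRIVILEGED_ROLES)


def authorize(actor, action, target, audit=None):
    """Decide whether `actor` may perform `action` on `target`.

    Deny by default: the action must be explicitly granted by one of the
    actor's roles, and a non-privileged actor can never act on a privileged
    account (this blocks a helpdesk account from resetting or elevating an
    administrator). Every denial is appended to `audit` when a list is given.
    """
    if action not in effective_permissions(actor):
        decision = Decision(False, f"{actor.name} lacks permission {action}")
    elif is_privileged(target) and not is_privileged(actor):
        decision = Decision(
            False, f"{actor.name} may not act on privileged account {target.name}"
        )
    else:
        decision = Decision(True, "granted")

    if audit is not None and not decision.allowed:
        audit.append({"actor": actor.name, "action": action,
                      "target": target.name, "reason": decision.reason})
    return decision


def demo():
    """Run a few constructed requests and return the audit list of denials."""
    audit = []
    helpdesk = Account("helpdesk-1", {"helpdesk"})
    alice = Account("alice", {"employee"})
    admin = Account("sec-admin", {"security_admin"})

    authorize(helpdesk, "reset:password", alice, audit)   # allowed
    authorize(helpdesk, "reset:mfa", alice, audit)        # denied: not granted
    authorize(helpdesk, "reset:password", admin, audit)   # denied: privileged target
    authorize(alice, "read:any_profile", alice, audit)    # denied: not granted
    authorize(admin, "reset:mfa", admin, audit)           # allowed
    return audit


if __name__ == "__main__":
    for event in demo():
        print("DENIED", event)
```

The audit list is the piece worth keeping: a burst of denied requests from one helpdesk account against privileged targets is exactly the kind of signal that should reach IT security staff rather than being silently dropped.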
Over-Reliance on Vendor Security
When security functions are outsourced to vendors, organizations are relying on them to protect their business as if it were the vendor’s own. Determining how a prospective vendor operates can be time-intensive and complex, and attackers frequently exploit knowledge gaps between a company and its security vendors. This is where the System and Organization Controls (SOC) report becomes relevant: it is intended to give you a detailed snapshot of how a vendor operates and of the vendor’s security and compliance measures.
McKonly & Asbury can assist your company in managing cybersecurity threats by performing a SOC 2 engagement or a SOC for Cybersecurity engagement to identify whether effective processes and controls are in place and provide you with recommendations to detect, respond to, mitigate, and recover from breaches and other cybersecurity events. We can answer any questions and help you determine if a SOC 2 or SOC for Cybersecurity report would be useful for your company. Be sure to visit our firm’s SOC, Cybersecurity, Forensic Examination, and Information Technology pages, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA regarding our services.