When it comes to your odds in Vegas, they say the house always wins. But if you’ve been following cybersecurity news over the past month, you probably know that lately, casino giants MGM Resorts International and Caesars Entertainment haven’t been dealt a winning hand.
I sat down with Bugcrowd CTO and Founder, Casey Ellis, to understand what exactly is happening with these recent casino breaches.
In September, MGM, which owns more than 20 hotels and casinos, reported a cybersecurity issue that impacted digital systems ranging from hotel room keys to slot machines. Caesars Entertainment also experienced a breach, in which many Maine residents had their information stolen by a ransomware group. It’s important to note here that when a breach happens, it is easy to point fingers, when in reality, breaches can happen to anyone. However, there are methods that organizations can keep in mind so they are more prepared during a possible breach.
Based on current information, it appears the breaches can be traced to a Russia-based ransomware group called ALPHV, known for using social engineering as its initial access technique. By using social engineering, the group can prey on human instincts to find easier access into an organization. In the interview, Casey explained how common it is for humans to want to be helpful, especially at work. This is normally a great aspect of society, but it can also lead to costly mistakes when being targeted by a social engineering campaign. “There are all sorts of techniques, but there is no technical control for humans wanting to be helpful. The bad guys know that and that’s part of what they exploit to do stuff like this,” Casey said.
When it comes to business operations in a casino and hotel coming to a screeching halt, it’s safe to say that breaches like these cost organizations millions of dollars. There is also untold reputational damage.
In general, planned, orchestrated ransomware attacks like these often get announced in different places. For example, the ransomware note will get posted on the internet so people can track what is going on. That being said, the MGM breach got more news coverage than the Caesars breach for several reasons. The MGM breach had a more visible impact on daily operations and customers, so the story got picked up by more news outlets. The drama of people waiting in line for hours and flashing lights on slot machines makes better news stories. Another reason the Caesars attack seemingly went under the radar is that many believe that Caesars paid the ransom. This led to them restoring operations quickly.
Casey predicted that gaming companies and casino giants are going to continue to be heavily targeted. Logically, this makes sense, considering the massive amounts of money that threat actors are making from these sorts of attacks.
For organizations seeing these breaches and thinking about what they should be doing to protect themselves from similar attacks, Casey recommends they do a tabletop exercise. A tabletop exercise entails organizations thinking about what exactly they would do in a hypothetical breach scenario. It’s like sitting around a table with your team and discussing what you would do if your production systems got denied and encrypted, along with your backup systems, and you didn’t even have a skeleton set of infrastructure to continue operations off of. What would you do? Think about your response, how long it would take to recover, and how much it would cost.
This helps organizations spend the time testing response plans before they actually need them, instead of dealing with the fallout in the middle of the chaos of the actual event. “You want to freak out about this just enough to start asking new questions that are going to make you more resilient as an organization. I don’t believe in freaking out so much that you get paralyzed and just give up,” Casey said.
As another step, organizations should examine business operations to make sure it is harder for attackers to get in in the first place. This is where security testing and organizations like Bugcrowd come in, where the security researcher and hacker community can come in and basically say, “if I was a bad guy trying to get into your stuff, here’s how I’d do it and here is how difficult or easy it would be.” That sort of knowledge, from a preventative standpoint, is incredibly important because it allows organizations to prevent attacks before threat actors have a chance to even look into their systems.