MGM & Caesars Cyberattacks: Lessons Learned

By Tim Callan, Chief Experience Officer, Sectigo

In the aftermath of the MGM and Caesars cyberattacks, many IT professionals are probably asking themselves, am I next? What lessons can businesses learn from these attacks and what can you do to make sure you are not next?

One thing to keep top of mind is the fact that everybody is a potential target. Many people say, “I’m not a major casino, bank, or business. Why would anyone go after me?” The answer is, why not?

If you are running digital systems necessary for your business to operate, you are a target. If your business comes to a stop, that is damaging to you, your customers, and your reputation. Therefore, anybody who has digital processes at the core of their business is a potential ransomware target. Thus, point number one is to get over the line of thinking that “I’m not a target” because you most certainly are.

Second, social engineering is and will always be an attack vector. By their very nature, our digital systems demand that human beings interact with them. And as long as there are places where human beings can interact with systems, human beings can be tricked into providing access to the system. Social engineering has been going on since before the internet, and the reason it has persisted for decades and decades is because it consistently works.

How then do we deal with social engineering? For many years, the approach has been training. We do recommend training, but training is not even remotely sufficient to solve the problem. If it were, these attacks would not continue to succeed. And no matter how much training people receive, they invariably make mistakes. They forget, they get distracted, they get taken in by a different flavor of attack that they are not used to and fall for it.

So, what do you need to do? Your best defense is to take the decision making out of the human being’s hands. If I am supposed to click on a window and put in a username and password, then there are ways for me to be tricked. There are ways for someone to trick me into putting my username and password in the wrong place. There are ways for someone to trick me into giving my username and password out to somebody else.

In a recent published attack, bad actors defeated one-time passwords using deep voice fakes spoofing the identity of the victim’s internal IT help desk team. When asked for a one-time password the employee readily gave an OTP to this “internal help desk.” The bad actors then used that one-time password in conjunction with a stolen credential to steal access to the company’s systems.

To the degree that you can remove the decision making from human beings, you take away the social engineering angle. Fortunately, such a mechanism has been used for 40 years and has never been defeated. That mechanism is Public Key Infrastructure, or “PKI.” Employees using known devices—laptops or mobile devices or workstations that remain at an office—can authenticate their identities automatically through the use of digital certificates on these devices. No known attack can defeat the cryptographically unassailable mechanisms that assure these certificates are real and true. And social engineering attacks to gain access are defeated.

So why would network administrators fail to employ PKI-based authentication? The main reason is ignorance. They think that username-password is secure, or they erroneously think that multi-factor authentication (MFA) is a bullet-proof addition. However, every major multi-factor authentication mechanism can be defeated by a determined, educated, and well-resourced attacker.

Multi-factor authentication leads users to a false sense of security. When you have MFA, you begin to think that you are beyond attack. In reality, you are beyond attack solely by “spray and pray attackers,” but you are not beyond attack by an Advanced Persistent Threat (APT). That is a mistake many people make. They put MFA in place, and they think they have checked a box that they need not think about again. In reality, well-resourced professional attackers can and do frequently get around it. Taking the decision making out of human hands as much as you can is what is most needed because the oddities of how the human brain works are not something that you and I are going to solve in our lifetime.

Companies must also adopt a zero-trust security mentality wherein no one trying to gain access to your site can or should be trusted. One of the core tenets of this paradigm is that it requires users to be verified regardless of whether or not they have been previously authenticated. The zero-trust framework institutes stringent access controls, continuous validation and yet another layer of security and protection from bad actors.

Another cyberattack like those at MGM and Caesars is not a matter of if but when. Taking the decisions out of the user’s hands and implementing critical, proven protocols like certificate management, PKI and zero trust, will ensure you are not the next victim of a cyber attack.

About the Author

Tim Callan ‌serves as Chief Experience Officer at Sectigo, the leading provider of automated certificate lifecycle management and digital certificates, spearheading efforts to optimize the customer journey across all aspects of the business. Tim has more than 20 years of experience as a strategic marketing and product leader for successful B2B software and SaaS companies, with 15 years of experience in the SSL and PKI technology spaces. For more information on Sectigo, please visit www.sectigo.com. To reach Tim Callan direct, please email [email protected].