No One is Immune...
In recent years, cybersecurity has become a critical concern for businesses worldwide. Even the most prominent companies are not immune to cyberattacks, as evidenced by the high-profile breaches at MGM Resorts and Caesars Entertainment. These incidents are stark reminders of the importance of robust cybersecurity measures in today's digital landscape.
MGM International recently came forward with the news that they were the latest victims of a cybersecurity attack on Sunday, September 10. A malicious actor found an MGM employee on LinkedIn and used their information to call the IT help desk and request a password reset for a privileged account. The attacker lurked on MGM's Okta single sign-on (SSO) service, sniffing passwords. MGM shut down all of their Okta sync servers as soon as they detected the Okta access.
Once these servers were shut down, the attackers launched a ransomware attack, which caused a shutdown of the MGM website and employee portals. Guests had to be checked in and out of their hotels manually by employees using clipboards, and they were not able to review receipts or charges at the time. Kiosk ATMs and credit card functions were down or severely limited, and all gambling machines were hand-paid out by employees. In addition, elevators and phones were down, and guests could not turn off lights or close the drapes in technology-based hotel rooms.
Could This Have Been Prevented?
There are a few methods that could have prevented this attack, such as zero trust architecture (ZTA), the principle of least privilege (PoLP), and multifactor authentication (MFA).
Zero Trust Architecture
The core principle underlying the Zero Trust security model revolves around the mantra of "never trust, always verify." This means that, by default, users and devices should not be deemed trustworthy, even if they are connected to a network with permissions, such as a corporate LAN, or have been previously authenticated.
ZTA is executed by implementing robust identity verification, confirming device compliance before allowing access, and ensuring that access is granted to only explicitly authorized resources. Today's corporate networks are highly complex, comprised of multiple interconnected zones, cloud services, remote and mobile environments, and unconventional IT components like IoT devices. In this intricate network landscape, the conventional notion of trusting users and devices within a predefined corporate perimeter or through VPN connections is deemed obsolete.
The Zero Trust approach advocates for mutual authentication, encompassing the scrutiny of user and device identities and integrity, irrespective of location. Access to applications and services is granted based on the combined confidence in the user's identity, device integrity, and user authentication rather than relying solely on network location. The ZTA has found relevance in various domains, including supply chains, where security must extend beyond traditional boundaries to protect sensitive information and resources effectively.
Principle of Least Privilege
The PoLP pertains to granting users the smallest necessary level of permissions required to carry out their job responsibilities. This is widely acknowledged as a cybersecurity best practice and represents a foundational measure for safeguarding privileged access to valuable data and assets. It is important to note that the PoLP is not limited to human access alone.
This model can be employed in scenarios involving applications, systems, or interconnected devices requiring specific privileges or permissions for executing essential tasks. Enforcing the PoLP guarantees that non-human tools possess precisely the necessary access and nothing beyond that. To effectively implement least privilege, it is imperative to establish a centralized mechanism for managing and securing privileged credentials. Additionally, having adaptable controls is crucial as they can strike a balance between cybersecurity and compliance mandates on one hand and operational and end-user requirements on the other.
As seen in this recent attack, a help desk technician can have high levels of authority, given the nature of their responsibilities, which can include password resets, mail access, and setting up Active Directory accounts. This makes the help desk a desirable target for attackers.
Multifactor Authentication
MFA requires multiple methods of authentication on top of an account password in order to verify a user. Examples of MFA include time-based one-time passwords, SMS text message tokens, email tokens, hardware security keys, biometric authentication, and security questions. It is best practice to use a combination of these methods as it is a proactive approach to enhancing security, meeting compliance requirements, and safeguarding against a variety of threats. It adds layers of defense, making it significantly more challenging for attackers to gain unauthorized access to systems and data.
How Quadrant Monitors for Attacks
We first monitor privileged account activity, such as account creation and deletion, and alert on password activity. We also have thousands of rules in place that monitor for various activities across our network.
Next, we have an "Authorized to Modify" section in the console, which prevents unauthorized users from making any changes. We have Okta-specific rules that monitor for any unusual behavior from those accounts, such as password-related activity.
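As an added illustration (not Quadrant's rules and not part of the original article), the sketch below shows one way to detect the help desk reset scenario described earlier from identity provider logs: a privileged account's credentials are reset by someone else, and the account then signs in from an IP address it has never used. Field names and event types follow the Okta System Log; the privileged account list, the one-hour window, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumptions (not from the article): which accounts count as privileged,
# the one-hour window, and all sample data below.
PRIVILEGED = {"it-admin@example.com"}
WINDOW = timedelta(hours=1)
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}

def ev(published, etype, actor, ip=None, target=None):
    """Constructed event carrying only the Okta System Log fields used here."""
    return {"published": published, "eventType": etype,
            "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
            "target": [{"alternateId": target}] if target else []}

EVENTS = [  # constructed sample, documentation-range IPs
    ev("2023-01-05T09:00:00Z", "user.session.start", "it-admin@example.com", "192.0.2.10"),
    ev("2023-01-05T14:00:00Z", "user.account.reset_password", "helpdesk1@example.com",
       "192.0.2.20", target="it-admin@example.com"),
    ev("2023-01-05T14:07:00Z", "user.session.start", "it-admin@example.com", "203.0.113.77"),
    ev("2023-01-05T15:00:00Z", "user.account.reset_password", "helpdesk1@example.com",
       "192.0.2.20", target="jdoe@example.com"),
    ev("2023-01-05T15:05:00Z", "user.session.start", "jdoe@example.com", "198.51.100.5"),
]

def ts(e):
    return datetime.fromisoformat(e["published"].replace("Z", "+00:00"))

def find_suspicious_resets(events, privileged=PRIVILEGED, window=WINDOW):
    """Alert when another user resets a privileged account's credentials and
    that account then signs in from a never-before-seen IP inside the window."""
    alerts, seen_ips, pending = [], {}, {}
    for e in sorted(events, key=ts):
        actor = e["actor"]["alternateId"]
        if e["eventType"] in RESET_EVENTS:
            for t in e["target"]:
                user = t["alternateId"]
                if user in privileged and user != actor:
                    pending[user] = (ts(e), actor)  # remember who reset it
        elif e["eventType"] == "user.session.start":
            ip = e["client"]["ipAddress"]
            known = seen_ips.setdefault(actor, set())
            reset = pending.get(actor)
            if reset and ts(e) - reset[0] <= window and ip not in known:
                alerts.append({"account": actor, "reset_by": reset[1],
                               "new_ip": ip, "signed_in": e["published"]})
                pending.pop(actor)
            known.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```

The reset of the non-privileged account in the sample produces no alert, and a sign-in from an already-known IP after a reset is treated as the legitimate owner returning.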
Ransomware response is delicate: attackers will launch their attack once they realize they have been discovered. If you can keep the fact that you have discovered them a secret and set up a perimeter, you will have more success in saving data and backups. A perimeter may include segmenting networks, identifying targeted accounts, deactivating them, and changing their passwords. Quadrant recently aided a client following the Black Basta incident, as detailed in this Incident Overview.
The recent cyberattacks are glaring examples of the persistent and evolving threat landscapes that organizations face. While these incidents underscore the importance of implementing strong cybersecurity measures, they also illuminate the path forward. ZTA, the PoLP, and MFA represent pivotal tools in an organization's cybersecurity arsenal. By adopting these best practices, organizations can bolster their defenses and digital perimeters and proactively safeguard against the ever-present, ever-adaptive threats in today's interconnected world.