Every few months there’s a cyberattack or a group of attacks that makes people completely stop in their tracks. The recent MGM and Caesars hacks fall into that category. The Clop ransomware group’s MOVEit campaign was certainly another and hit close to home for federal agencies.
As bad as some of the cyberattacks are, there is always an opportunity to learn from these devastating events and better prepare and protect your organization moving forward. In the case of the MGM and Caesars cyberattacks, there are several lessons federal agencies can learn to better protect themselves for the future:
Humans are a leading path for cyberattacks
According to a post on Twitter by VX Underground, the MGM cyberattack started with a successful “vishing” attack – a phone call where a malicious actor gains access to a network by posing as a trusted source. VX Underground revealed that all the criminal had to do was find an employee on LinkedIn and call the help desk to compromise the casino and hospitality giant.
This is concerning on many levels, but most of all because of the ease with which the attackers were able to break through and get access to MGM’s network.
The best cybersecurity software in the world cannot prevent an employee from giving out the wrong information to the wrong person over the phone. With that being the case, it’s on employers to better train their staff for these situations. If it’s a federal agency, every person that either works for or does work with the agency needs to be ready to fend off bad actors, no matter where and how they try to gain access to the network.
There are strong cybersecurity training platforms and tests that agencies can require all employees to complete periodically, which is a good start. However, nothing compares to the experience you gain from a real-world scenario. So, for example, if agencies wanted to make sure employees were ready for any type of attack, they could implement red team testing to simulate real-world attacks and uncover vulnerabilities before threat actors do.
Should a red teamer gain access to your network, the employee who granted them access would be on very high alert moving forward. This approach is effective because these exercises happen randomly, and employees don’t know it’s a test run until it’s over. That feeling in the pit of your stomach when you believe you’ve put your whole agency in danger can stick with you for a while, which in turn can make you a much tougher target for a cyberattack.
And although not new, the current vishing attacks are targeting IT help desks, some of which appear to have been outsourced to third parties. Now is a good time to catalog all the IT help desk functions within your federal agencies and perform a thorough review of procedures for validating a user’s identity before resetting passwords or enrolling new devices into the enterprise.
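As an added illustration (not from the article or any agency’s actual procedure), the decision logic below shows what a written help-desk verification standard for password resets and device enrollment can look like once it is made explicit. The ticket fields, directory fields and thresholds are assumptions constructed for the example; the point is that caller ID alone never counts as verification, that changes to MFA are treated as higher risk than a password reset, and that a caller who still holds a phishing-resistant factor verifies with that factor rather than over the phone.

```python
"""
Added example: a help-desk identity-verification gate for credential resets and
MFA/device enrollment. All field names and thresholds are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    PASSWORD_RESET = "password_reset"
    MFA_ENROLL = "mfa_enroll"      # register a new authenticator or device
    MFA_REMOVE = "mfa_remove"      # remove an existing authenticator


class Decision(Enum):
    APPROVE = "approve"
    ESCALATE = "escalate"          # supervisor or in-person verification required
    DENY = "deny"


@dataclass
class DirectoryRecord:
    """What the agency already knows about the user (constructed)."""
    user_id: str
    phone_of_record: str
    manager_id: str
    privileged: bool


@dataclass
class ResetRequest:
    """What the help-desk agent records for one call (constructed)."""
    user_id: str
    action: Action
    caller_id: str                 # number the call came from; spoofable, so never sufficient
    callback_confirmed: bool       # agent hung up and called the phone of record back
    step_up_passed: bool           # caller completed a phishing-resistant factor (PIV/FIDO2) in self-service
    manager_approved: bool
    recent_requests_24h: int = 0   # prior requests for this user and action in the last 24h


def evaluate(req: ResetRequest, rec: DirectoryRecord) -> tuple[Decision, list[str]]:
    """Return the decision and the reasons behind it, for the ticket audit trail."""
    # Rule 1: a phishing-resistant factor beats any phone-based check.
    if req.step_up_passed:
        return Decision.APPROVE, ["verified with phishing-resistant factor"]

    reasons = []
    # Rule 2: a callback to the number of record is the minimum; caller ID is only corroboration.
    if not req.callback_confirmed:
        reasons.append("no callback to phone of record")
    if req.caller_id != rec.phone_of_record:
        reasons.append("caller ID does not match phone of record")
    # Rule 3: touching MFA, or a privileged account, needs a second human.
    if req.action in (Action.MFA_ENROLL, Action.MFA_REMOVE) and not req.manager_approved:
        reasons.append("MFA change without manager approval")
    if rec.privileged and not req.manager_approved:
        reasons.append("privileged account without manager approval")
    if req.recent_requests_24h >= 2:
        reasons.append("repeated reset attempts in 24h")

    if not reasons:
        return Decision.APPROVE, ["callback verified"]
    # Nothing about the caller was verified: refuse rather than escalate.
    if not req.callback_confirmed and req.caller_id != rec.phone_of_record:
        return Decision.DENY, reasons
    return Decision.ESCALATE, reasons


if __name__ == "__main__":
    rec = DirectoryRecord("asmith", "+1-202-555-0100", "mgr-7", privileged=False)
    req = ResetRequest("asmith", Action.MFA_ENROLL, "+1-202-555-0199",
                       callback_confirmed=False, step_up_passed=False, manager_approved=False)
    print(evaluate(req, rec))
```

Reviewing the `reasons` list for every escalated or denied ticket is also how an agency checks, after the fact, whether an outsourced desk is actually following the standard.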
Focus on your identity and authentication infrastructure
The threat actors claiming credit for the MGM and Caesars attacks are known for being experts at leveraging native identity providers and weaknesses in authentication tools, including multi-factor authentication (MFA), to carry out their attacks. In addition to the federal zero-trust initiative, federal agencies should ensure that phishing-resistant MFA is used by all employees and required for contractors performing help desk responsibilities.
Alerting should also be configured leveraging the MITRE ATT&CK techniques associated with Scattered Spider (aka UNC3944). Once configured, it is best practice to validate the configuration by emulating the threat actor’s most commonly used tactics, techniques, and procedures.
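Two such detections, written as an added example rather than taken from the article or any vendor’s product, are shown below over constructed identity-provider audit events. The event field names and the sample log are assumptions made for the illustration. The first rule looks for MFA push fatigue (a run of denied push prompts followed by an approval, ATT&CK T1621); the second looks for a help-desk password reset followed shortly by a new MFA factor enrolled from a different address than the reset (MFA modification, ATT&CK T1556.006). Running an emulated version of each behaviour through the pipeline and confirming the alert fires is the validation step the text recommends.

```python
"""
Added example: two detections over constructed identity-provider audit events.
Field names (ts, user, event, ip, actor, factor) are hypothetical, not any product's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (one JSON object per line, ISO-8601 UTC timestamps).
SAMPLE_LOG = """
{"ts":"2023-09-10T14:00:00Z","user":"jdoe","event":"mfa.push.deny","ip":"198.51.100.7"}
{"ts":"2023-09-10T14:00:20Z","user":"jdoe","event":"mfa.push.deny","ip":"198.51.100.7"}
{"ts":"2023-09-10T14:00:45Z","user":"jdoe","event":"mfa.push.deny","ip":"198.51.100.7"}
{"ts":"2023-09-10T14:01:10Z","user":"jdoe","event":"mfa.push.deny","ip":"198.51.100.7"}
{"ts":"2023-09-10T14:02:05Z","user":"jdoe","event":"mfa.push.approve","ip":"198.51.100.7"}
{"ts":"2023-09-10T15:30:00Z","user":"asmith","event":"helpdesk.password.reset","ip":"10.0.0.5","actor":"hd-contractor-12"}
{"ts":"2023-09-10T15:41:00Z","user":"asmith","event":"mfa.factor.enroll","ip":"203.0.113.9","factor":"sms"}
{"ts":"2023-09-10T16:00:00Z","user":"bwong","event":"helpdesk.password.reset","ip":"10.0.0.5","actor":"hd-contractor-12"}
{"ts":"2023-09-11T09:00:00Z","user":"bwong","event":"mfa.factor.enroll","ip":"10.0.0.44","factor":"fido2"}
"""


def parse(log_text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=5), min_denies=3):
    """T1621: at least `min_denies` denied pushes for one user inside `window`, then an approval."""
    alerts = []
    denies = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push.deny":
            denies[e["user"]].append(e["ts"])
        elif e["event"] == "mfa.push.approve":
            recent = [t for t in denies[e["user"]] if e["ts"] - t <= window]
            if len(recent) >= min_denies:
                alerts.append({"rule": "mfa_push_fatigue", "user": e["user"],
                               "denies": len(recent), "ts": e["ts"].isoformat()})
    return alerts


def detect_reset_then_enroll(events, window=timedelta(hours=1)):
    """T1556.006: help-desk reset followed within `window` by an MFA factor enrolled
    from an IP other than the one the reset was performed from."""
    alerts = []
    last_reset = {}
    for e in events:
        if e["event"] == "helpdesk.password.reset":
            last_reset[e["user"]] = e
        elif e["event"] == "mfa.factor.enroll":
            r = last_reset.get(e["user"])
            if r and e["ts"] - r["ts"] <= window and e["ip"] != r["ip"]:
                alerts.append({"rule": "reset_then_mfa_enroll", "user": e["user"],
                               "reset_by": r.get("actor"), "factor": e.get("factor"),
                               "enroll_ip": e["ip"], "ts": e["ts"].isoformat()})
    return alerts


def run(log_text=SAMPLE_LOG):
    """Run both rules over the log and return the combined alert list."""
    events = parse(log_text)
    return detect_push_fatigue(events) + detect_reset_then_enroll(events)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

On the sample data the first rule fires once for `jdoe` and the second once for `asmith`; `bwong`’s enrollment lands outside the one-hour window and is not flagged, which is the kind of threshold an agency would tune against its own help-desk volume.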
Caesars confirmed that its cyberattack was caused by social engineering on an outside IT vendor – a more challenging scenario to get in front of than if a Caesars employee had been targeted directly. You can thoroughly vet the countless vendors you do business with, but it only takes one mistake from one of them to cause irreparable damage to your organization. As a federal agency, one approach you can take is to consolidate your vendors by working with more end-to-end platforms. This can reduce your attack surface significantly, and it is also easier to contain the impacts of an attack.
Additionally, implementing a zero-trust security model, which all federal agencies are required to do by the end of September 2024, can play a key role in limiting damage. With cyberattacks increasing in volume and sophistication, initial entry is often a matter of when, not if. With a zero-trust network access (ZTNA) strategy in place, lateral movement is much more difficult for threat actors because of the constant layers of verification they’ll need to clear.
Furthermore, federal agencies can best prepare for attacks on outside vendors by having a clear incident response plan in place before a cyberattack happens. Should one of your vendors be compromised, everyone within your agency should know what their responsibilities are, how to respond appropriately, and the communications chain of command. Agencies need to function like well-oiled machines in these scenarios to limit the damage and keep our nation protected.
Agencies also need to consider various situations. For example, the federal government offers generous vacation and sick leave policies. If a key team member is out of the office when a vendor is attacked, there must be clear guidelines established so the next person is ready to fill in effectively. It’s easy to remember to hand off day-to-day responsibilities to your team before you head out on vacation, but it’s even easier to forget to prepare them for worst-case scenarios. In today’s day and age, this needs to be prioritized.
Transparency is vital
One of the biggest contrasts between the MGM and Caesars hacks was how each of them disclosed information to the SEC. The MGM 8-K filing provided little beyond MGM’s original press release statement, whereas Caesars was very thorough in providing details about the incident in its 8-K filing. MGM’s brevity was likely due to its case being under an ongoing investigation by the FBI, but whatever the reason is, it underscores that there’s a wide spectrum when it comes to transparency.
While federal agencies are not required to report cyberattacks to the SEC – unless the attack impacts the securities markets or if the agency is subject to SEC regulations – they do need to determine the level of transparency they’ll exhibit following a cyberattack. In some situations, federal agencies are better off sharing as little information as possible at the outset as it can put them and others in greater danger. However, in many cases full transparency is vital to restoring order.
Firstly, transparency helps build trust with the public. Of course, how you communicate with the public can make a huge difference in how they receive your message. Done correctly, citizens will more likely trust the government’s ability to protect them. Secondly, transparency shines a light on the incident and makes it difficult for criminals to hide in the shadows. While the rewards of attacking a federal agency are high, the chances of getting away with it are low when the agency is detailed and transparent. Lastly, transparency can prevent other agencies from falling victim to the same type of attack. The more open an agency is about what happens to them, the more other agencies can learn and better protect themselves.
The unfortunate reality is that major cyberattacks will continue for the foreseeable future. While that can be disheartening, federal agencies have a responsibility to keep educating themselves, so they can best prepare for future, more complex attacks. Whether it’s a group of attacks on public companies or other federal agencies, each of these horrific events can serve as an opportunity to improve defenses. Some lessons can be learned in the short term, as is the case with the MGM and Caesars hacks at this juncture, while other lessons may be learned several months or years after an attack occurred.
The big takeaway, no matter the attack, is that cybersecurity is constantly evolving. There will always be new wrinkles added to the mix, but that doesn’t mean that old, reliable tactics are no longer relevant, especially if those tactics can circumvent the latest technology. If all employees are well educated, prepared to expect the unexpected, using phishing-resistant MFA, and are clear about how transparent the agency is going to be once an attack happens, they can contain damage and continue to keep our nation protected.
Jonathan Trull is Chief Information Security Officer and Head of Solutions Architecture at Qualys, an American technology firm based in Foster City, California, specializing in cloud security, compliance and related services.