GGB Magazine November 2023 | Page 31

customer experience was largely unaffected while MGM’s operations were clearly disrupted, many industry observers wrote that Caesars made the “smart” decision.
Ignoring the ethical implications of paying off a ransom demand, this viewpoint seems short-sighted. Even if business insurance will cover the cost of the ransom in this incident, Caesars’ future premiums are sure to skyrocket, its credit rating may drop (increasing borrowing costs) according to Moody’s Investor Service, and the company has set itself up as a popular, profitable target for future attacks.
In addition, Caesars received nothing of substance for its payment, as it indicated in its SEC filing: “We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result.”
In my 2020 article I wrote, “A ransomware attacker’s dream victim is one who pays up and who stays silent,” and that is exactly what Caesars has become. Caesars’ silence doesn’t just threaten a future attack on itself, but because all of these cyberattacks across many industries are interconnected, funding these criminals, giving them time and money to produce more exploits, it enhances the threat to companies in every industry.
And MGM?
It isn’t entirely fair to compare the Caesars and MGM attacks, because it is unlikely the cybercriminals were able to infiltrate the two networks equally, and further, much of the MGM disruption was self-inflicted, shutting down its own systems as a preventative measure, according to a press release it submitted to the SEC.
It is also possible that Scattered Spider failed to access MGM’s player database, and chose to resort to operational disruption as a secondary tactic in order to coerce the company to pay a ransom.
Certainly, the ensuing chaos and offline systems, whether self- or externally inflicted, were embarrassing and cost MGM quite a lot of revenue, and its credit rating may also be negatively affected, but if it avoids paying a ransom, it would probably recover confidence among analysts more rapidly, and be less likely to be targeted going forward, as the profit motive is severely lessened. If it is eventually learned that attempts to steal MGM’s customer data were not successful, that should restore confidence among gaming customers as well.
What can other casinos learn from these incidents?
The most obvious thing would be to study the social engineering tactics used by Scattered Spider and ensure all infosec and IT personnel are fully aware of proper procedures for evaluating and reporting suspicious phishing tactics, rather than falling victim to them.
Seeing that Okta has been a common vendor in numerous attacks, any casino using its services should be in constant communication regarding its response and strategy. It is also essential to stop putting off difficult conversations about internal configurations and vendor selection. Still running SQL Server 2012? Time to upgrade. Still supporting Internet Explorer because a vendor’s UI requires it? Get a new vendor. Internal networks using obsolete TLS protocols? Might as well not be using any security at all.
Have your backup and recovery procedures been tested recently? Are your databases encrypted at rest? Are all operating systems fully patched, and hardware drivers updated? Can external partners get access to high-value resources? Does your work-from-home solution introduce additional attack vectors (according to security rating firm Bitsight, remote-office networks are 3.5 times more likely to have malware installed)?
Further, these attacks demonstrate that there is no reliable way to outsource threat assessment and prevention to an external firm. Other hard conversations revolve around accurately assessing the quality of IT personnel, and whether compensation packages are adequate to attract and retain talented, motivated network engineers and technology experts.
It is easy to spend millions on consultants and services, and perhaps they can help identify some threats or disclose weaknesses within your network, but there is no substitute for in-house expertise and constant vigilance and education. As an example, Palo Alto Networks published a 2021 case study on its website, claiming that Caesars is protected by Palo Alto’s “Prisma Access” solution. Whether Palo Alto was still working with Caesars in August 2023 is not known, but it is a certainty that enterprise-scale products such as these are not inexpensive. A Forrester Total Economic Impact Study estimated $13.3 million in costs over three years to deploy a comprehensive Palo Alto solution.
Are cloud servers more secure than in-house?
Every network deployment is unique, and therefore, generalizations don’t apply to everyone. Mandiant, however, noted that Scattered Spider “is particularly adept at using privileged access to cloud environments to establish persistent access to victim environments,” noting access to Azure cloud identity providers placing malware in victim-owned AWS S3 buckets. Okta, which we’ve discussed, is a cloud service. Alarmingly, the Group-IB report states that other cloud service platforms such as Mailchimp were breached, allowing cybercriminals to create password reset emails from legitimate Mailchimp addresses and servers, making it extremely difficult even for cautious, guarded infosec operators to recognize a malicious message.
Final takeaways?
Threats against widespread computer networks like those at casino resorts are constant and ever-evolving. Just when cybersecurity teams build up defenses against the methods and the tools used by the Scattered Spider group, a new attack with a different methodology is likely to arise.
Monitoring cybersecurity incidents across many industries is vital, as is employing engineers and technologists with demonstrated expertise. Coinbase and Twilio and most of the others largely fended off similar attacks without prior warning or knowledge of these attacks, while a year later, even after Scattered Spider’s tactics were widely circulated, both casino companies failed to defend themselves.
The industry also needs regulators to take cybersecurity and personal information as seriously as they do gaming operations. The NGCB, to its credit, adopted new regulations in December 2022 which, in part, require disclosure of cyberattack investigations. However, the new rules do not specifically state whether such disclosures will be made public. It is strongly recommended that the board insists on public disclosure, and that regulators in other states follow this lead.
Andy Goldberg (andy@cfnine.com) is a database, technology and analytics consultant dedicated to making casinos smarter and more efficient. He specializes in database marketing automation, custom API programming, building innovative reporting tools and dashboards, revenue forecasting, and reducing VIP player churn. His consultancy, Centerfield Nine, is at cfnine.com.