6 November, 2023 | NOV DEC 2023

Cybersecurity: There's honesty among thieves

Tony Anscombe, Chief Security Evangelist at cybersecurity company, Eset, speaks to Gambling Insider about the recent cyber attacks at MGM Resorts and Caesars, whether they were related, how casinos handle hackers and what companies should do to prevent infiltration from cyber criminals

What kind of cyber attacks were the MGM and Caesars episodes? 

Some of it in the marketplace is speculation, but if you look at the claims by certain groups – not by MGM, as only MGM really knows what happened to them – the claims from the group responsible are that it was a socially engineered attack.

This means it was voice phishing through various social means, i.e. you get a phone call and, unfortunately, hand over credentials. There's a lot of information out there on individuals and you can find out who somebody works for; you can build a profile and make it sound very legitimate, unfortunately, when these types of attacks happen.

It's not the first time we've seen it; as I recall, the Twitter attack several years ago, on an administrator, happened in that way. So, unfortunately, it's human behaviour and people are just playing on that.

You can have an awful lot of cybersecurity technology involved, but when something slips through…

Do you think Scattered Spider and ALPHV are working together? Because that has also been speculated, obviously not confirmed, just speculated…

Again, I can only join that speculation and say it would seem odd to make claims like that if it wasn't you, and typically, in a case that's that prominent, cyber criminals do like to claim it.

However, saying that, I think Colonial Pipeline put a stop to part of that as well, because you can go and attack a commercial company like a casino, an entertainment group, but if you are attacking critical infrastructure or a hospital, you might be a bit more reserved in coming forward. 

You'll get political influence, and law enforcement will come after you with political influence, and it might just be a little bit stronger than attacking a casino, for example.

Do you think the MGM and Caesars attacks were related? 

It would seem to be a strange coincidence for them not to be related in some way, but it could be related just by the fact that if somebody has breached one casino, then even another cyber crime group might sit there and go, ‘Oh, let’s give casinos and entertainment groups a try.’


So I’m just saying, are they related by the same group? Not sure. But are they related? It does seem to be a strange coincidence… Two within a few weeks? 

What will the hackers do with the data? Because they retrieved an overwhelming amount of data. Will they hack the customers? What’s the plan with the data? Do they plan to sell the data?

Typically, they try to ransom the data back to the victim that lost it, i.e. back to the company whose data it was. And if the company isn't going to pay, that data then becomes the value in the cyber attack. So they'll either sell the data on, which is most probable, or – what I think people don't always appreciate in these instances – there is not typically just one group involved.

For example, somebody might have done the reconnaissance to find the right person in the company to breach something and somebody else might come along and do the actual incursion and exploit vulnerabilities. 

Whereas for ransom, a service group might come along behind it and provide the services for encryption and exfiltration. I think there’s groups of people who specialise in different things. Are they the experts at campaigning or abusing that data, causing identity theft or creating phishing scams against those users?

Probably not. There’s probably another group somewhere else that has teams of people who are specialised in phishing emails that are tracked. You have to think of this like business, in the same way that we do business online. 

At your company, you'll have somebody that's a specialist in email tracking, a specialist in websites etc., so I think it's much the same scenario. But if you had an MGM account, firstly, if you're using the same password somewhere else, please go change it; but people should also be cautious because you're likely to see emails coming to you that look like they're from MGM.

And at the same time, MGM may well be emailing you to turn around and say that there has been a breach, so you’ve got to be really cautious of which ones are real and which ones are not.

The good thing is to marry the content with content that's online. So if MGM is sending you an email about a breach notification, the details of the breach notification are probably replicated on their website.

For example, if you're a Californian, then breach notifications are actually held by the State Attorney General as well, and you can go and look them up in some other US states too.

Why do you think Caesars paid the ransom? And what does it mean for other casinos if one pays the ransom? 

Interestingly, with the MGM one, I think you're looking at somebody that had a clear policy and a clear procedure: if we experience this cyber incident, then we start shutting down all systems, and then we slowly bring systems back online in this priority order. It would appear that they had a practised policy and procedure.


If somebody isn't as confident in their policy and procedure, or somebody further up the chain who is maybe outside of that typical operational bit – a Board member, for example – might turn around and say, well, for $15m it's just not worth worrying about. Just pay it.

They’ve probably got cyber liability insurance as well as cyber risk insurance. So there’ll have been a discussion with their insurers about whether they’d be covered because of how the incident unfolded.

The insurer might be on the hook, depending on how that unfolded, for part of the operational cost of the business as well. So if that's the case, the insurer may well have turned around and said it's good for us to pay, or good for us to fund whatever percentage is their part of it.

Cyber insurance is expensive, but bear in mind an insurer would have provided forensic teams, they would have provided a negotiator and the negotiator would have probably already known how to deal with that particular group.

Who are the contacts within that group? Then they're able to validate that it is the right group that you're paying and that you'll get decrypted or your data will be deleted.

So there's an entire industry sitting on the sidelines if you're on that cyber insurance side. Personally, I think it kind of feels wrong; ethically, there's something in me that says you shouldn't be paying in that way, but I also understand that businesses need to keep operating.

And what does it mean for all of the other casinos that end up in this situation afterwards? Would you say, if one pays a ransom, they all have to? Or would you say that all individual cases deal with it differently?

I hope it wouldn’t influence them. Let’s be clear, if they did, the amount of money would probably only escalate upwards. So I think that might be a barrier as well; but I think it depends on the attitude of the Board, the attitude of the security team and management team within each individual organisation. 

One of the things that the US Securities and Exchange Commission (SEC) did was put a ruling in so that public companies in the US are asked whether they have cybersecurity people on their Board.

Now, while it's not a mandatory requirement from the SEC, the fact the SEC asks the question may well mean some of these companies – and this is only a recent happening – have got cybersecurity people within their Board, or cybersecurity knowledge within their Board.

And I think that would help as well in an incident, because you’ll have greater understanding at Board level of exactly what’s going on and potentially, a Board member even getting involved in the operation and overseeing part of it. So I think it really depends on each individual company. 

Also, how can the casinos make sure the hackers keep to their side of the bargain? So they’re saying, ‘we’re going to return your data for $20m’. How do they know they won’t run off with the money and the data? 

That's where those negotiating brokers step in, because they typically understand how that process works and how that plays out. Now, one thing I think we don't always appreciate about cyber crime, the dark web, the whole general piece, is that we think it is that 'dark back of the garage' entity.

And it's not, let's be clear, it's not a back-of-the-garage entity. If you and I went on the dark web now and looked to purchase data from a data breach, what you'll find is that I'll be offered escrow: somebody will partially release the data to me, I'll be able to validate the data, my money will be held in escrow, and then, once I confirm the transaction and the data is good, the money will come out of escrow and go to the cyber criminal who's holding the data.

My point is, there's honesty among thieves. There's actually a business process behind this, which makes it the kind of thing where, if you pay the ransom and they don't stick to their side, one of these groups would be ending their reign.

If somebody paid and they failed to decrypt, then bear in mind it's not the next company that would need to know that; it's the negotiators and the cyber insurance industry that probably have that core information to hand. So they know how that situation would go.

For example, if you were a big casino, would you pay the ransom? With your knowledge? 

No. But I say that off the bat. If I were to own a casino, I'd make sure that we had good policies in place and that we tried and tested them on a frequent basis, so that you know what's going to happen, you know the downtime, and everybody's aware of how this plays out.

However, I'm going to caveat that and say, if I were the CEO of a hospital and somebody took control of my ICU unit and somebody's life was at risk, yes, I'd pay the ransom.

Is there a potential that the hackers could re-hack? If they’ve got a way in, could they do it again and again?

Typically, if somebody’s been attacked, they get attacked again. Every company is being tested at some stage; a company of that size is going to be a target. However, a company of that size will also have, well I hope, an excellent cybersecurity team and excellent technology in place.

The ones that I think find it the most challenging are those medium-sized businesses that struggle to get good cybersecurity people involved, as it's expensive and there aren't enough resources in the industry to go round. I think some of those smaller companies suffer.

Do you think casinos should be somewhat unhackable? Is there a way to be unhackable, or is it always a small percentage that you could potentially get hacked? 

As you've seen in this MGM case, human behaviour steps in and there's potential there to be hacked. Nobody has an impenetrable network or system. It's a bit like saying, 'Is there a piece of software that doesn't have vulnerabilities?' Well, yeah, there's software that hasn't got any vulnerabilities, but that's just because we don't know about them yet; it doesn't mean they're not there.


It doesn’t mean somebody won’t exploit it at some stage. And that’s true of casinos as well. However, I don’t know factually, but I would make the assumption that there’s an awful lot of segmentation in a casino’s business.

In the same way that when you get on a plane, you hope the avionics on the plane aren't attached to the public WiFi you're using in the back. Casino systems are not related to the hotel reservation system, and I'm 99% sure they're probably not.

With one of the attacks, they targeted the hotel rooms though, didn't they?

Yeah, but that may well be part of the policy and procedure of 'actually, we've been attacked on this segment right now, shut everything down and bring things back up in a strategic fashion'. It doesn't mean the attacker got to those parts.

You may be better off switching off everything, investigating where the attack took place, where the attacker has been, where the lateral movement through your networks has been and then bringing up the segments that haven’t been touched. 

Lastly, can you give some tips on what casinos and people in general can do, to stay safe from hackers? 

Well, two-factor authentication is obviously a strong element. Because if somebody's trying to breach credentials, or breach a method into the network, then that two-factor authentication, even though many users don't like it, is valuable and is a huge protection.

And it should be app-based, not SMS-based. But you also have to make sure you've got policies and procedures in place. Make sure you are running simulations of cyber attacks and make sure you're actually prepared for it. Silly things, like: have you got a list of the people that need to be contacted offline? Did you print it out?

Because the first thing that you lose access to is the list of people that need to be contacted. But, you must have the procedures in place, have the security in place and run simulated scenarios and make sure you’re using the latest technologies.

In a company that size, you need to have a SOC (Security Operations Centre), it needs to have good threat intelligence systems, and you need to have EDR (Endpoint Detection and Response) on the endpoints collecting all the data, because it's not just about malware, it's about the incursion.

It’s about understanding where the cyber criminal went, what points they touched and where they may have left another route in. Once they’re in, the first thing they do is put another route in.