Updated: Sep 18
Las Vegas has been in the news a lot this month, from U2’s impromptu concert of an as-yet-unreleased song on Saturday, Sept 16th, to the plans for the Fontainebleau Las Vegas, which will be the tallest occupiable building on the Strip once built. However, it hasn’t been all good news, given recent cyber incidents involving MGM Resorts and Caesars Palace, two of the biggest players in gaming in Las Vegas.
In the past week, MGM Resorts has been grappling with a significant cyberattack, leading to a cascade of issues across its operations. The attack has rendered ATMs and slot machines non-functional, while room digital key cards have ceased to work, causing considerable inconvenience to guests. The electronic payment systems are down, and even the TV service in hotel rooms is unavailable. The company’s phone lines are reported to be down, and its website was temporarily offline. The cyberattack has forced staff to use pen and paper, leading to long queues at affected properties.
Based on what is reported in Dark Reading and other sources, the criminals behind the attack on MGM used social engineering to gain highly privileged access to MGM’s identity provider (IdP). Bleeping Computer reported that they then used their privileged access to steal passwords and encrypt the data on over 100 VMware ESXi hypervisors.
Earlier this year, Caesars Entertainment also fell victim to a significant cyberattack, and it is believed that the same threat actor was involved. The casino operator was forced to pay a hefty ransom of $15 million to the cybercrime group responsible for disrupting its systems. As detailed in Caesars’ recent SEC filing, the root cause of this incident was traced back to a social engineering attack on an outsourced IT vendor used by Caesars. The attackers managed to deceive an IT help desk into resetting a password, which subsequently granted them access to the company’s systems. This included the loyalty program database, where sensitive customer data was stored.
In both cases, an identity-related breach was the root cause. Although the phrase “identity is the new perimeter” has become de rigueur, the reality is that people, processes, and technology supporting identity and access management (IAM) programs at organizations still need to align with what this actually means. Most IAM programs were built to enable access but are poorly equipped to detect identity misconfigurations, vulnerabilities, and threats. That is why securing identities is now emerging as a key pillar of an organization’s cybersecurity defenses alongside their investments in application, endpoint and network security.
As part of this transition, security teams are now investing in two new areas, identity security posture management (ISPM) and identity threat detection and response (ITDR), as they elevate the importance of securing identities to prevent attacks like the ones that we have seen in Las Vegas this year.
ISPM is about preventing identity-based attacks by surfacing misconfigurations in a customer’s identity stack that leave them vulnerable. These include difficulty correlating the same user across different systems, multi-factor authentication (MFA) that is configured incorrectly or not enrolled, and privileged access that is not enforced through privileged access management (PAM). Reviewing and resolving these misconfigurations must be done on an ongoing basis using ISPM tools, since an organization’s attack surface is constantly changing as new identities are granted access and new applications are brought online.
ITDR is about detecting and responding to threats against the identity infrastructure as they happen, in real time. ITDR solutions make incident resolution faster for security operations center (SOC) teams by attaching full identity context to incidents, allowing SOC teams to quickly determine all identities involved and establish the “who, what, when, and where” surrounding the incident. ITDR solutions can provide these insights even if an identity is not part of an organization’s existing identity directory or is working from an unmanaged device.
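To make the ISPM and ITDR concepts in the two paragraphs above concrete, here is an added example (not code from AuthMind or from this post) that runs both kinds of check over constructed data. The identity inventory and IdP audit events use a hypothetical schema invented for this illustration, not any real directory or IdP export format. The posture check flags the misconfigurations described above (privileged accounts without MFA, dormant privileged accounts); the detection check looks for the sequence behind the Caesars incident as the post describes it, a help desk resetting a user’s credentials followed shortly by a login from an unmanaged device, and then uses the posture data to prioritise the alert.

```python
from datetime import datetime, timedelta

# Constructed identity inventory (hypothetical schema, not any vendor's export).
IDENTITIES = [
    {"user": "alice", "privileged": True, "mfa_enrolled": True, "last_login_days": 2},
    {"user": "bob", "privileged": True, "mfa_enrolled": False, "last_login_days": 5},
    {"user": "carol", "privileged": False, "mfa_enrolled": False, "last_login_days": 1},
    {"user": "svc-backup", "privileged": True, "mfa_enrolled": True, "last_login_days": 200},
]

# Constructed IdP audit events (hypothetical schema). "actor" is who performed
# the action, "target" is the account it was performed on.
EVENTS = [
    {"ts": "2023-09-10T09:00:00", "actor": "helpdesk1", "event": "password.reset", "target": "bob", "device": None},
    {"ts": "2023-09-10T09:03:00", "actor": "helpdesk1", "event": "mfa.factor.reset", "target": "bob", "device": None},
    {"ts": "2023-09-10T09:20:00", "actor": "bob", "event": "login.success", "target": "bob", "device": "unmanaged-7f3a"},
    {"ts": "2023-09-10T10:00:00", "actor": "helpdesk2", "event": "password.reset", "target": "carol", "device": None},
    {"ts": "2023-09-11T08:00:00", "actor": "carol", "event": "login.success", "target": "carol", "device": "managed-lt-42"},
    {"ts": "2023-09-11T08:10:00", "actor": "alice", "event": "login.success", "target": "alice", "device": "managed-lt-01"},
]

MANAGED_PREFIX = "managed-"          # assumption: device ids of enrolled endpoints share this prefix
RESET_EVENTS = {"password.reset", "mfa.factor.reset"}


def posture_findings(identities, dormant_days=90):
    """ISPM-style check: list (user, finding) pairs for risky identity configurations."""
    findings = []
    for ident in identities:
        if not ident["privileged"]:
            continue  # the two checks below are about privileged accounts only
        if not ident["mfa_enrolled"]:
            findings.append((ident["user"], "privileged account without MFA"))
        if ident["last_login_days"] > dormant_days:
            findings.append((ident["user"], f"privileged account dormant > {dormant_days} days"))
    return findings


def _parse(ts):
    return datetime.fromisoformat(ts)


def detect_reset_then_unmanaged_login(events, window=timedelta(minutes=60)):
    """ITDR-style check: a third party (e.g. help desk) resets a user's credentials,
    and within `window` the user logs in from a device that is not managed.
    One alert per suspicious login, listing every reset event that preceded it."""
    alerts = []
    events = sorted(events, key=lambda e: e["ts"])
    for login in events:
        if login["event"] != "login.success" or not login["device"]:
            continue
        if login["device"].startswith(MANAGED_PREFIX):
            continue  # managed device: not the pattern we are looking for
        login_at = _parse(login["ts"])
        prior_resets = [
            e for e in events
            if e["target"] == login["target"]
            and e["event"] in RESET_EVENTS
            and e["actor"] != login["target"]          # reset done by someone else
            and timedelta(0) <= login_at - _parse(e["ts"]) <= window
        ]
        if prior_resets:
            alerts.append({
                "user": login["target"],
                "reset_by": sorted({e["actor"] for e in prior_resets}),
                "reset_events": [e["event"] for e in prior_resets],
                "login_device": login["device"],
                "minutes_after_first_reset": (login_at - _parse(prior_resets[0]["ts"])).total_seconds() / 60,
            })
    return alerts


def triage(alerts, identities):
    """Attach identity context: an alert on a privileged account is high severity."""
    privileged = {i["user"] for i in identities if i["privileged"]}
    return [dict(a, severity="high" if a["user"] in privileged else "medium") for a in alerts]


if __name__ == "__main__":
    for user, finding in posture_findings(IDENTITIES):
        print(f"[posture] {user}: {finding}")
    for alert in triage(detect_reset_then_unmanaged_login(EVENTS), IDENTITIES):
        print(f"[threat] {alert}")
```

In the constructed data only `bob` trips the detection: the help desk resets his password and MFA factor, and twenty minutes later he logs in from an unmanaged device. `carol` also had a help desk reset, but her next login is a day later from a managed device, so no alert is raised. Because the posture check already shows `bob` as a privileged account without MFA, the triage step marks the alert high severity, which is the kind of identity context the ITDR paragraph describes.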
Contact us if you’d like to see how AuthMind can prevent and detect identity-related cyberattacks with our Identity SecOps platform.