The Lessons of Cloud Resiliency: MGM Cyber Attack

 

Enhancing Cloud Resiliency

What we Learned from the MGM Resorts Cyber Attack

By Rosemary Monroe & Candace Bergman on October 26, 2023


In the continued wake of the Covid-19 pandemic and the shift to remote work, there has been a remarkable surge in the global adoption of cloud technology. In just three short years, a staggering 94% of companies have embraced cloud services, leading to a substantial increase in the storage of sensitive data, with approximately 60% of all corporate information now residing in the cloud. Fuelled by technological innovation and advances in AI, Gartner anticipates substantial growth in worldwide public cloud services, projecting an expansion from $604.9 billion USD in 2023 to a remarkable $1 trillion by 2026. It might come as a surprise to learn that businesses now depend on more than 1,295 cloud services, including platforms like Microsoft Teams, Google Suite, and Dropbox, to maintain connectivity and ensure uninterrupted, smooth operations. This exponential growth has turned the cloud landscape into an alluring and expansive target for cybercriminals. So enticing, in fact, that 9 out of 10 companies report experiencing at least one cloud-related security incident annually, with nearly half contending with multiple attacks. And the situation is expected to worsen. As we look to expand services in the cloud ecosystem, we must build in cloud resiliency.

 

Disasters, Disruptions, Attacks – Oh My!

 

Resilience in the cloud is about the ability of cloud-based systems and services to withstand and recover from disruptions, ensuring uninterrupted operation during attacks and adverse conditions.

 

In the context of disaster recovery, cloud resiliency offers a lifeline to organizations. By distributing data and applications across multiple geographic locations and data centers, the cloud minimizes the risk of data loss or service interruption in the event of a disaster, such as natural calamities, cyberattacks, or hardware failures. This redundancy and data replication safeguard critical information and applications, enabling businesses to recover quickly and maintain essential functions.

 

Cloud resiliency is also a linchpin of business continuity planning. It facilitates the seamless continuation of operations, even in the face of unforeseen challenges. The cloud's scalability and flexibility enable organizations to adapt and allocate resources as needed, allowing them to respond effectively to changing circumstances.

 

Ultimately, cloud resiliency empowers businesses to stay operational and responsive when confronted with disasters, disruptions, or attacks, enhancing their overall resilience and survivability. It is a foundational element in ensuring that businesses can weather storms, both metaphorical and literal, and continue to serve their customers without significant interruptions.


Taking place over a number of days, the recent sophisticated cyberattack affecting some of the most iconic casinos and hotels along the Las Vegas strip (the Bellagio, Mandalay Bay and the Cosmopolitan, plus another half-dozen MGM Resorts properties) serves as a cautionary tale of what can go wrong when organizations fall short in safeguarding their corporate digital assets. MGM Resorts has been forthcoming with some of the details of the attack, the aftermath, and where its security efforts fell short, giving us (cybersecurity and IT professionals, employees, and business owners) a better understanding of what happened. It is an event we can all learn from.

 

Clouds of All Shapes and Sizes

MGM Resorts differs significantly from smaller businesses in scale and complexity, but they share common cloud-related needs and challenges: flexibility, scalability, the tools needed to manage data, ensure security and compliance, and control costs, and a drive to innovate. We see this particular attack as a relatable and valuable lesson, emphasizing the importance of enhancing and testing cloud resiliency, business continuity, disaster recovery, and incident response plans at regular intervals.

 

What follows is a summary of the attack pieced together from what has been reported, an overview of the impact on MGM's business and customers, and important considerations for every modern business operating within the cloud ecosystem.

 

Attack Summary

The threat actors located a company employee's profile on LinkedIn and then used social engineering in a 10-minute vishing call to MGM's help desk to convincingly impersonate the employee and obtain login credentials. They thereby obtained super administrator account access to MGM's cloud solutions, which were tied into on-prem systems. The attackers worked fast to gain domain controller access, where they located the credentials needed to penetrate MGM's main operations, causing outages. Once inside the network, the bad actors moved laterally to compromise the company's Okta cloud-based platform, specifically the Okta Agent that provides identity and access management and multi-factor authentication services, and were able to exfiltrate corporate credentials and customer loyalty data. The cyberattackers then exploited a feature connecting Active Directory and Okta to gain access to the missing passwords; this gave them the escalated privileges needed to launch ransomware and encrypt 1,000 ESXi hypervisors. With digital assets in hand and operations encrypted, the threat actors opened communication with a ransom demand of $30M USD. Spoiler alert: in alignment with its cybersecurity advisors and cyber insurance provider, MGM Resorts refused to pay the ransom.

 

Impact to Business

 

• Financial Impact: The attack resulted in a substantial financial impact: an estimated $100M USD cost to the business, a 10-day computer shutdown, and an additional $10 million in one-time remediation expenses for technology consulting services, legal fees, third-party cybersecurity advisors, and data protection and credit monitoring services for the victims. While that is a hefty bill to disclose to investors, MGM has reported that it expects its cyber insurance policy to cover the financial impact of the attack. The downtime loss of future hotel, restaurant, and experience bookings has not been estimated.

• Operational Disruption: Due to the extent and complexity of the attack, the MGM response team chose to shut down essential parts of its operations to safeguard critical information and applications and to prevent further attacks while the investigation was underway. This affected multiple systems integral to resort operations across the twelve properties: digital room keys, slot machines, parking systems, ATMs, restaurants, spas, and the company's websites and booking systems. Hotel guests and travellers were inconvenienced by the shutdown. In the initial hours of chaos, customers were temporarily locked out of their rooms, unable to cash out their gambling winnings, left without resort amenities or access to cash on property, and given limited communication from hotel operators.

• Data Compromise: Personal data of customers and employees, including names, contact information, gender, date of birth, driver's license numbers, Social Security numbers, and passport numbers, was compromised, with a looming threat that the data will be leaked on the Dark Web.

• Reputational Damage: The chaos and confusion experienced by thousands of customers and employees damaged brand reputation and public trust. While the impact is hard to measure, it will certainly be felt for years to come. The outrage, rumours, conspiracy theories, and negative reviews circulating across the Internet continue to have a ripple effect and are sure to affect future bookings and the resort's financial forecasts. MGM is an industry leader in hospitality and understands the importance of an elevated customer experience and how satisfaction, recommendations, reviews, and customer loyalty play a huge part in its business success.



The MGM Resorts cyber attack serves as a poignant reminder of the importance of cloud resiliency and its impact on your disaster recovery and incident response capabilities. While no organization can completely eliminate the risk of a cyber attack, we've gleaned the following lessons from this specific incident:

 

Early Detection: Swift response played a crucial role in mitigating the damage at MGM Resorts. Properly configured prevention and detection tools and well-tuned cloud security settings are pivotal in minimizing the impact of cyber threats. Integrated cloud-based logging, web application firewalls (WAF), and finely tuned alerting are essential components, while endpoint analytics tools help identify the root causes of issues, strengthening the strategy for early detection and prevention. Despite their critical importance, organizations often underestimate or overlook these settings, inadvertently leaving gaps in their security posture. Organizations must recognize and prioritize the implementation of these security measures to safeguard their digital assets effectively.

 

Operational Resilience: A resilient cloud infrastructure is crucial for an organization to endure and recover from disruptions effectively. The operational challenges experienced by MGM Resorts, typical of the critical infrastructure sectors, underscore the need for such resilience. Given the scale of the cyberattack, the 10-day recovery period, while challenging, could have been much worse. One recommendation for improvement would be to build resiliency into their crucial Operational Technology (OT) systems, such as the hotel door lock systems that are critical for guest and employee safety, ensuring they (1) incorporate redundancy, (2) feature localized fallback mechanisms (e.g., several badge systems include local batteries and caches of currently authorized tokens), and (3) remain physically isolated and air-gapped from unrelated corporate business systems. While this might introduce added complexity, that can be mitigated through thoughtful design and processes. The outcome is enhanced business continuity, increased safety (preventing lockouts, unauthorized access, or people being trapped), and reduced exposure to future cyberattacks on the business systems.
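A compact illustration of the localized fallback in point (2), added here as example code (not MGM's or any lock vendor's implementation): a door controller that consults the central access-control service when it can, falls back to its local cache of currently authorized tokens when it cannot, bounds how stale that cache may be, and always permits egress. The class and function names, the staleness limit and the sample tokens are assumptions.

```python
"""Added example (not MGM's or any lock vendor's code): a badge-reader
controller that keeps a local cache of currently authorized tokens so doors
keep working when the central access-control service is unreachable."""
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_CACHE_AGE = 24 * 3600     # assumption: tolerate at most one day of central outage
EGRESS_ALWAYS_ALLOWED = True  # life safety: nobody is ever trapped inside a room


def central_unreachable(token: str) -> bool:
    """Stand-in for the central service during an outage (constructed for the demo)."""
    raise ConnectionError("access-control service unreachable")


@dataclass
class DoorController:
    """Decision logic for one door. `central` answers token -> bool and raises
    ConnectionError while the central service (or the network) is down."""
    central: Callable[[str], bool]
    cached_tokens: set = field(default_factory=set)
    cache_updated_at: float = 0.0
    clock: Callable[[], float] = time.time   # injectable for testing

    def refresh(self, authorized: set) -> None:
        """Periodic push from central of the full list of authorized tokens."""
        self.cached_tokens = set(authorized)
        self.cache_updated_at = self.clock()

    def decide(self, token: str, direction: str) -> tuple:
        """Return (unlock, reason) for a badge swipe; direction is 'in' or 'out'."""
        if direction == "out" and EGRESS_ALWAYS_ALLOWED:
            return True, "free-egress"
        try:
            allowed = self.central(token)
        except ConnectionError:
            # Central is down: fall back to the local cache, but only while it is
            # fresh enough. A revocation issued during the outage is not seen until
            # the next refresh, which is why the staleness window is bounded.
            if self.clock() - self.cache_updated_at > MAX_CACHE_AGE:
                return False, "cache-stale-fail-secure"
            return token in self.cached_tokens, "local-cache"
        # Central reachable: keep the cache in step with its answer.
        if allowed:
            self.cached_tokens.add(token)
        else:
            self.cached_tokens.discard(token)
        return allowed, "central"
```

The trade-off to decide deliberately is the staleness window: a longer MAX_CACHE_AGE rides out longer outages but also delays the effect of revocations made while the controller is cut off.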


Additionally, a well-crafted and frequently audited incident response plan, aligned with business continuity and disaster recovery (IR/BC/DR) strategies, is pivotal for promptly restoring essential business systems while minimizing customer impact in the event of a disaster. A crucial element of a robust cloud-specific BC/DR plan is maintaining a backup system that replicates the cloud environment, enabling uninterrupted business operations. For example, the capacity to automatically switch from a primary "Availability Zone A" to "Availability Zone B" in case of a failure, along with well-defined triggers or manual processes, can mitigate potential downtime.
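The "well-defined triggers or manual processes" point, as an added example that is not the article's or any cloud provider's code: a small failover engine for the Zone A to Zone B scenario, where failover is triggered automatically by a run of failed health checks (so a single blip does not flip traffic) and failback to the primary is a deliberate operator action. Zone names, thresholds and the class name are constructed assumptions.

```python
"""Added example (not the article's or any cloud provider's code): a failover
engine for the 'switch from Availability Zone A to B' scenario, with an
automatic trigger for failover and a deliberate manual step for failback."""
from dataclasses import dataclass, field

FAIL_THRESHOLD = 3      # assumption: consecutive failed probes before automatic failover
RECOVER_THRESHOLD = 5   # assumption: consecutive healthy probes before failback is offered


@dataclass
class FailoverController:
    primary: str = "zone-a"       # constructed zone names
    secondary: str = "zone-b"
    active: str = "zone-a"
    consecutive_failures: int = 0
    consecutive_successes: int = 0
    failback_ready: bool = False
    events: list = field(default_factory=list)   # audit trail of decisions

    def observe(self, primary_healthy: bool) -> str:
        """Feed one health-check result for the primary zone; return the active zone."""
        if primary_healthy:
            self.consecutive_failures = 0
            self.consecutive_successes += 1
        else:
            self.consecutive_successes = 0
            self.consecutive_failures += 1
            self.failback_ready = False           # any new failure cancels a pending failback
        if self.active == self.primary and self.consecutive_failures >= FAIL_THRESHOLD:
            # Trigger: a run of failures, not a single blip, moves traffic to the secondary.
            self.active = self.secondary
            self.events.append(f"FAILOVER -> {self.secondary} after {self.consecutive_failures} failed probes")
        elif (self.active == self.secondary and not self.failback_ready
              and self.consecutive_successes >= RECOVER_THRESHOLD):
            # The primary looks stable again, but returning is a manual process.
            self.failback_ready = True
            self.events.append("primary stable again; failback awaits operator approval")
        return self.active

    def approve_failback(self, operator: str) -> bool:
        """Manual process: succeeds only after the primary has proven stable."""
        if not self.failback_ready:
            return False
        self.active = self.primary
        self.failback_ready = False
        self.consecutive_successes = 0
        self.events.append(f"FAILBACK -> {self.primary} approved by {operator}")
        return True
```

The events list is the part to wire into the incident log: every automatic or manual transition leaves a record that a tabletop exercise or post-incident review can replay.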

Data Protection: Safeguarding sensitive data is a fundamental principle of cloud security. MGM Resorts' proactive response to the breach, which included offering identity protection and credit monitoring to the affected individuals, highlights the critical nature of preserving customer information. Data protection measures must extend not only across the primary operational environment but also across backup environments, ensuring comprehensive coverage throughout your cloud ecosystems. Network segmentation and robust access controls play a pivotal role in limiting the consequences of lateral movement within the cloud infrastructure. By implementing these cloud security measures, organizations can effectively shield their sensitive data from potential threats and uphold the integrity of their digital assets.


Continuous Improvement: Ongoing assessments, including regular penetration testing, are essential for identifying vulnerabilities and refining security strategies. This includes conducting tabletop exercises with various scenarios, such as malicious attacks, Virtual Private Cloud (VPC) peering attacks, malware, cloud compromise, and natural disasters, during which documented processes are meticulously evaluated. Recognizing gaps and weaknesses and learning from these experiences is crucial, but most important is putting a plan in place to close the gaps and mitigate risk. The MGM attackers exploited a recently reported vulnerability within Okta's cloud-based solution. Only weeks before the MGM attack, Okta provided the indicators of compromise and known IP addresses associated with this vulnerability to its clients so they could update their cloud security tools to protect their networks and systems. It is unknown whether MGM had adequately updated its detection, prevention, and monitoring security tools to trigger an alert. Either way, it is an important lesson for organizations to have a comprehensive understanding of what tools and capabilities are available within their cloud environment: not only to know what they are, but also to understand how to use them and what value their services provide in supporting the response to an incident or disaster. In addition, industry-specific compliance standards and frameworks are constantly evolving to reduce the likelihood of security incidents and vulnerabilities for organizations, and to adapt to the rapid changes in technology, specifically cloud technology. Keeping compliant ensures a robust cloud security posture, effective response to emerging threats, and the continued success of incident response and disaster recovery strategies in the dynamic cloud environment.
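What "updating cloud security tools" with a vendor's indicator list can look like in practice, and the alerting piece of the Early Detection lesson above, as an added example that is not Okta's, MGM's or this article's code: parse an indicator feed (single hosts and CIDR blocks) and run it over identity-provider log events shaped like Okta System Log entries, raising an alert for any session or MFA event from a listed address. The feed format, the RFC 5737 documentation addresses and the sample events are all constructed; no real indicators from the incident appear here.

```python
"""Added example (not Okta's or MGM's code): load an indicator list of the
kind the article says Okta circulated, and run it over Okta-style system-log
events to raise alerts. All addresses, users and events are constructed."""
import ipaddress

# Constructed indicator feed; RFC 5737 documentation addresses stand in for real IoCs.
IOC_FEED = """\
# indicator,source
198.51.100.23,vendor-advisory-PLACEHOLDER
203.0.113.0/24,vendor-advisory-PLACEHOLDER
"""

# Constructed events shaped like Okta System Log entries (eventType, outcome, actor, client).
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "helpdesk.admin@example.com"}, "client": {"ipAddress": "203.0.113.77"}},
    {"eventType": "user.session.start", "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "192.0.2.10"}},
    {"eventType": "user.authentication.auth_via_mfa", "outcome": {"result": "FAILURE"},
     "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.23"}},
]

def load_iocs(feed: str) -> list:
    """Parse 'indicator,source' lines into (ip_network, source); comments and blanks skipped."""
    iocs = []
    for line in feed.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        indicator, source = line.split(",", 1)
        iocs.append((ipaddress.ip_network(indicator, strict=False), source))
    return iocs

def match_events(events: list, iocs: list) -> list:
    """One alert per event whose client IP falls inside any indicator (host or CIDR)."""
    alerts = []
    for ev in events:
        ip = ev.get("client", {}).get("ipAddress")
        if not ip:
            continue
        addr = ipaddress.ip_address(ip)
        for net, source in iocs:
            if addr in net:
                # A successful login from a known-bad address outranks a failed attempt.
                severity = "high" if ev["outcome"]["result"] == "SUCCESS" else "medium"
                alerts.append({"user": ev["actor"]["alternateId"], "ip": ip, "event": ev["eventType"],
                               "indicator": str(net), "source": source, "severity": severity})
                break
    return alerts
```

Matching on network objects rather than string equality is what lets a single advisory entry such as a /24 cover every address in the block, which is the usual form vendor indicator lists take.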


Cyber Insurance: MGM Resorts claims the $100M USD loss of revenue will be compensated by an adequate cyber insurance policy. Whew! It's true that having a good policy in place in case of disaster is important, but it's not so simple. Cyber insurance underwriters require organizations to meet stringent security requirements and to show proof that they are doing everything possible to mitigate risk before approving eligibility for coverage. No matter the policy, whether for a cloud-native start-up or a long-established enterprise leveraging cloud technology, organizations must be cloud resilient and adhere to the security measures described above for early detection, operational resilience, data protection, and continuous improvement.


Resilience Brilliance

 

Cloud Resiliency empowers businesses to stay operational and responsive when confronted with disasters or disruptions, enhancing their overall resilience and survivability. It is a foundational element in ensuring that businesses can weather storms, both metaphorical and literal, and continue to serve their customers and stakeholders without significant interruptions.

 

Let’s take the lessons from the MGM Resorts cyberattack and aim for clearer skies in the world of cloud security.


Let us know how Online’s Cloud Security Services team can help your business incorporate cloud resiliency into your tech toolkit. We’d be happy to answer any questions you have.
Send us your thoughts: connect@obsglobal.com