Jim Broome
It’s not a matter of if but when an organization will face a cybersecurity incident. Incidents like what happened to MGM Resorts after the ransomware groups ALPHV/BlackCat and Scattered Spider brought systems down for days, causing severe strains on revenue due to disrupted productivity, lost business during downtime, attorney fees, and remediation costs.
While insufficient information has been disclosed to understand the full extent of the MGM Resorts breach, in recent years we have directly witnessed a significant shift in the tactics employed by highly coordinated threat actor groups, such as ALPHV/BlackCat. These groups are increasingly prioritizing targeting infrastructure over endpoints during our incident response engagements.
What can organizations do to prevent becoming the next headline? Here are five areas to watch out for.
Enhance help desk procedures to include video chats and photo IDs to verify the authenticity of requests
The 2023 Data Breach Investigations Report by Verizon unveiled that in 74% of the reported breaches, a human factor played a role, whether partially or entirely, in causing the breach. The term “human element” encompasses various situations, ultimately pointing to human involvement in creating a vulnerability, whether it’s deliberate or accidental.
In this particular instance, the threat actor reported that they monitored LinkedIn profiles to identify potential targets and then infiltrated the organization by vishing or “voice phishing” the IT help desk. They have been known to employ social engineering tactics targeting individuals with answers to validation questions commonly used by the help desk.
Relying solely on text or email, or even voice calls, is no longer sufficient. ALPHV/BlackCat and other threat actor groups have even resorted to employing voice impersonators, making it challenging to discern their true identity based on accent or voice characteristics.
Organizations should update help desk procedures to include measures like video chats and photo identification for verifying the identity of individuals seeking assistance.
Choose multifactor authentication features wisely
Multifactor authentication should be enabled whenever possible, but be sure that your organization is choosing its policies and procedures wisely.
In particular, ALPHV has been known to leverage SIM-swapping techniques by investing as much as $1,500 to $2,500 per targeted employee to swap their phone number to a device they could control. SIM swapping occurs when the device tied to a customer’s phone number is fraudulently manipulated. With this technique, a bad actor can successfully authenticate as the employee if the organization still allows text messaging for multifactor authentication.
Of the organizations that have suffered from this successful exploitation, the one commonality is that a majority of the victims are T-Mobile subscribers. While all carriers have issues preventing these types of account thefts, T-Mobile has experienced numerous data breaches, providing threat actors with ample information to impersonate legitimate customers in brick-and-mortar stores and facilitate SIM-swap attacks.
Limit access privileges of help desk personnel
General help desk personnel should not possess access to modify or reset privileged access accounts within the organization. Highly privileged accounts should only be modifiable by a limited number of people in your organization. Work from home did not do us any favors with operational procedures; however, help desk procedures specifically warrant attention and rectification to update controls around the handling of privileged accounts.
Additionally, cybersecurity awareness training for all employees plays a vital role in preventing cyberattacks. Human error is often a significant factor in successful attacks, so educating employees about their roles and responsibilities in maintaining security is critical. Regular training sessions can help raise awareness about the latest threats, teach best practices for safe computing, and foster a security-conscious culture within the organization.
Implement network segmentation
Based on the currently available information about the MGM Resorts breach, it appears the threat actors successfully gained access to multiple network areas that ideally should have been isolated from each other. The critical question here is how or why the threat actors managed to achieve such success in infiltrating networks that were supposed to be segmented.
Additionally, if your corporate backup solution is easily accessible to you, it’s equally accessible to threat actors who can delete the backups during a ransomware attack.
Investing in 24/7 security detection and response capabilities increases an organization’s chances of detecting unusual activity between networks. You can establish a 24/7 security detection and response program either by maintaining an in-house security team or by partnering with a trusted managed security services provider. Continuous monitoring of your organization’s ecosystem allows for timely identification and response to suspicious activities.
Conduct ongoing testing of your environment
One of the key challenges in dealing with state-sponsored cyberattacks is the highly coordinated nature of these threat actors. They possess sophisticated capabilities and can launch attacks on multiple fronts simultaneously. This activity makes it essential for enterprises to have a well-defined and well-practiced security response plan. Conducting regular tabletop exercises can help identify potential gaps in response times and procedures, allowing you to address them proactively before a real attack occurs.
Organizations can also conduct ongoing testing of their environment through a security services vendor. Third-party security services vendors are helping organizations navigate the evolving threat landscape, technology deficits, and environment visibility, as well as staffing a 24/7 in-house security operations center (SOC). Many internal security teams struggle to keep pace with the threat environment. Augmenting teams with 24/7 experts can increase the speed and effectiveness of response.
ISC2, in their annual Cybersecurity Workforce Study, highlighted a significant disparity between the growth of the cybersecurity workforce and the escalating demand for cybersecurity professionals. Despite the addition of more than 464,000 workers in the past year, the workforce gap has expanded at a rate more than twice that of the workforce itself, with a year-over-year increase of 26.2%. This gap underscores the urgent need for more professionals in the field.
For organizations struggling to bridge the skills gap and retain cybersecurity talent, opting for managed security services can be a more practical alternative to traditional hiring.
Regular vulnerability assessments, penetration testing, and security audits help identify potential weaknesses or vulnerabilities that could be exploited by attackers. Remediation of these discovered vulnerabilities should be prioritized and completed routinely.
The landscape of cybersecurity continues to evolve, and organizations must be proactive in their efforts to protect their valuable assets. Recent incidents, such as the breach at MGM Resorts, serve as stark reminders of the potential consequences of inadequate security measures.
Comment