The MGM Grand/Caesars breach is the most exhaustively covered cyber event in recent memory. Even the attackers published detailed explanations of how they did it. There is, however, one question that still needs answering: What happened during the 15-minute phone call between the attackers and a low-level help desk worker who opened the gates for the attack?
In the weeks since the breach we talked with several experts and cybersecurity companies and pieced together a potential scenario. What we discovered is a glaring problem facing large organizations in particular, one that can serve as a lesson for enterprises large and small.
Compliance is not enough
MGM Resorts International (MGM.N) was completely compliant with security regulations. It has spent millions of dollars on security technology and services, much of it with security giant Okta. Investigations to date have shown it was also fully compliant with data regulations protecting the personal information of customers and employees. The problem is that compliance wasn’t enough to stop a well-planned social engineering attack built on LinkedIn research.
(Note: we reached out to MGM and Caesars several times but received no response.)
Two criminal organizations, Scattered Spider and Black Cat, are claiming responsibility for the attack. Whoever it was, they spent months profiling security employees and contractors at MGM, Caesars Entertainment (CZR.O), and three other unnamed Okta clients, according to Okta. That research laid the groundwork for a massive social engineering effort across Okta’s entire 17,000-customer base.
“The social engineering conversation convinced the worker to reset the MFA factors in the targeted account,” said an Okta spokesperson. Okta has published a blog post on their investigation that described what the threat actors did after the phone call, but not what the substance of the call was.
The criminals published an extensive blog post explaining how they used LinkedIn to identify a “super administrator” at Okta and, using the information freely available on the social network, presented themselves as that Okta employee. Then they identified the help desk worker as the weak link.
Training is crucial
“The attackers did their homework,” said Ryan Healey-Ogden, director of cybersecurity solutions at Click Armor. “It was a phone call to a level one help desk that was probably off-site. I believe it was even overseas. They knew the help center was slightly disconnected from the organization itself, which tends to be less secure. How did they pull it off? Classic social engineering and a lot of charm.”
Healey-Ogden explained that an effective “vishing” attacker doesn’t rely on panic or intimidation. They are friendly, professional, knowledgeable, and engaging. They compliment their target, mention how hard their job is, show gratitude for the help, and promise a glowing review.
The primary defense against this tactic is employee training, he said, but that is just the beginning. The training has to be ongoing to “make sure it sticks.”
Almost 90 percent of all cyber attacks begin with a social engineering component, according to KnowBe4. Proper training could stop most attacks. But the folks at HYPR have a different take.
Training takes you only so far
“Oh Lord, come on, we’ve been trying to do that in industry for three decades,” said Bojan Simic, CEO of HYPR, an authentication start-up. “In this particular case, whoever it was who was on the help desk, the training didn’t stick because they didn’t care. They get paid minimum wage, they just want to get through their day and they just want to do it with as little pain as possible. They do not care, so it’s never going to stick.”
HYPR’s technology doesn’t allow an individual to decide, unilaterally, to restore credentials, which is a major flaw in Okta’s system. To reset multi-factor authentication, the user goes to a website and enters their email address. The system verifies their phone number through an SMS code and then asks to verify their location. Only then does a worker on the Help Desk or their direct manager. That is followed by a video chat in the HYPR application for real-time face recognition to validate the identity.
“That way, an adversary pretending to be an Okta super administrator or an MGM employee, would be found out immediately,” Simic explained.
The upside of the HYPR system is that it can’t be bypassed or overruled by a low-level IT worker, as Okta’s was. The downside, however, is that HYPR’s system is only available for Okta and Azure users, so it’s only for large enterprises. Small to medium enterprises (SMEs) are left out in the cold, once again. So as much as Simic downplays the success of security training, it remains the best first line of defense for SMEs.
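As an added illustration (not HYPR’s or Okta’s code), the following constructed Python model captures the property the passage describes: a factor reset proceeds only when every verification step is completed in order and the approver is a different identity from the agent who opened the ticket, so no single help desk worker can push it through on the strength of one phone call. The account name, agent identities and step labels are assumptions.

```python
# Constructed model of a staged MFA-reset workflow; not HYPR's or Okta's code.
# Steps must complete in order and the approver must differ from whoever opened
# the ticket, so one help-desk agent cannot push a reset through on one phone call.
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

REQUIRED_ORDER = ("email_verified", "sms_verified", "location_verified",
                  "approver_confirmed", "face_verified")

@dataclass
class ResetRequest:
    account: str
    opened_by: str                      # identity that opened the ticket
    completed: List[str] = field(default_factory=list)
    approver: Optional[str] = None

    def record(self, step: str, actor: str) -> None:
        """Accept a step only if it is the next one required."""
        if len(self.completed) == len(REQUIRED_ORDER):
            raise PermissionError("workflow already complete")
        expected = REQUIRED_ORDER[len(self.completed)]
        if step != expected:
            raise PermissionError(f"step {step!r} refused; next required is {expected!r}")
        if step == "approver_confirmed":
            if actor == self.opened_by:
                raise PermissionError("separation of duties: opener may not approve own ticket")
            self.approver = actor
        self.completed.append(step)

    def can_reset(self) -> bool:
        return tuple(self.completed) == REQUIRED_ORDER

def run(steps: Sequence[Tuple[str, str]], opened_by: str = "helpdesk-agent-7") -> str:
    """Replay (step, actor) pairs; return 'reset allowed', 'incomplete' or the refusal."""
    req = ResetRequest("alice@example.com", opened_by=opened_by)   # constructed account
    try:
        for step, actor in steps:
            req.record(step, actor)
    except PermissionError as err:
        return str(err)
    return "reset allowed" if req.can_reset() else "incomplete"

USER_STEPS = [(s, "alice@example.com") for s in REQUIRED_ORDER[:3]]
# Agent jumps straight to approval on the strength of a convincing call.
SKIP_AHEAD = [("approver_confirmed", "helpdesk-agent-7")]
# Agent coaches the caller through self-service, then approves the ticket himself.
SELF_APPROVAL = USER_STEPS + [("approver_confirmed", "helpdesk-agent-7")]
# Legitimate path: user steps, a distinct approver, then live face verification.
LEGIT = USER_STEPS + [("approver_confirmed", "manager-bob"), ("face_verified", "alice@example.com")]
```

Running `run(SKIP_AHEAD)` and `run(SELF_APPROVAL)` returns the refusal messages, while `run(LEGIT)` returns "reset allowed".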
What can we learn from this?
First, while training is not a fool-proof solution, it can eliminate a lot of threats. Zero Trust is a buzzphrase that a lot of companies use, and there is no such thing as a zero-trust technology as long as it can be bypassed by a single person through social engineering. As a security philosophy, it has a much greater impact. No matter how polite, professional, and friendly someone is, unless they can absolutely prove who they are, it’s time to harness the inner Gandalf and say, “You... shall not... pass!”
Second, Simic said the goal is to lower the social engineering variable, which HYPR does to a great degree; but when you are a linchpin in a system’s security, it also makes sense to reduce your digital footprint. The threat actors were able to glean a lot of information about super administrators from their LinkedIn profiles before they began their attack. Security training should cover that aspect from the beginning.
Third, saving money is all well and good, but offshoring security authority to minimum wage workers at an offshore company is probably a very bad idea, according to Healey-Ogden.
Simic agreed. “If you’re going to have an offshore help desk, allow them the bare minimum access. A concept of least privilege has to apply.”
Fourth and finally, realize that the battle never ends and there are holes in every security solution. Even the HYPR product, which seems to be very well thought out, will become a target of threat actors because that’s the challenge. Security is vigilance.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he has covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.