What if all the IoT devices in your organization (and deliver revenue and profits) all were shut down for 10 days because of cyber attack? This isn’t a theoretical, it was the reality for MGM over the past few weeks as their slot machines, door locks, ticket payment systems, and other forms of IoT that make a casino operate had to be shutdown because a threat actor had gained a foothold and demanded a ransomware payment in order to let MGM have it’s business back. Here’s some of the questions this massive breach raised, along with thoughts on what the answers should be.
Should MGM have paid the ransom? Off-the-cuff the answer is no, nor should most organizations. While it may have short term benefits, in the medium to long run it makes gaming and entertainment much more of target for threat actors. Also, paying a ransom does not mean that the threat has gone away; the malicious hackers could have left behind the ability to launch future attacks. By not paying ransomware MGM was (perhaps painfully) forced to rebuild all their systems but at least they know they were rebuilt in a secure way. But it is very hard to say that MGM was right or Caesars was wrong (to pay ransom) as we do not know the details each exploit, and while the ransomware group behind the attacks was the same the tactics they used could be very different. For example, it looks like MGM’s IoT infrastructure was heavily impacted (slot machines, access control systems, TITO payment system, etc) and in that situation paying ransom may not have lead to restoring operations any faster.
Did Caesars make a better decision in light of their systems being restored more quickly? Not necessarily since the threat actor group behind these attacks has a wide range of attack methods, thus making a comparison of Caesars to MGM difficult. Their systems may be restored, but are they actually secure? By not going through the pain of rebulding systems from the ground up Caesars may not have fully contained the threat.
Does unplugging slot machines to protect payment and other systems from breach sound like a good incident response choice? Almost always organizations will first focus on mitigation to stop damage to the network, then focus on remediation to fix the vulnerability and repatriate it back to full operational status. Unplugging slot machines as a form of mitigation is a good choice as long as it is quickly followed by other actions including remediation.
Over time more details will be known about the impact of these ransomware attacks, but it’s already clear these were wide-ranging IoT cyber attacks. As casinos are filled with many types of IoT devices and applications this should cause more focus on identifying, containing, and remediating IoT threats more quickly – the 10 days of downtime shows that while MGM was taking the right actions they did not have the right tools and automation to do it quickly.
In summary, the lessons to any enterprise operating IoT devices and applications are many, but here are some of the key ones:
- Focus on being resilient to attacks and have a process to recover
- Don’t pay the ransom
- Use automation to ensure you constantly maintain cyber hygiene on IoT devices
- Extend your efforts on network-based discovery to include application-based discovery; IoT in the enterprise is a combination of devices and applications tightly-coupled together.