Cybersecurity For Boards & Senior Leadership: Exploring the MGM Hack

In an age where digital transformation accelerates, the spectre of cyber threats shadows every stride we make towards progress. The past 18 months alone have witnessed an unprecedented wave of cyberattacks, marking a new era of digital vulnerability. IBM's 2023 Cost of a Data Breach Report illuminates this dark landscape, revealing an alarming average cost of $4.35 million per breach, a figure that has climbed steadily over the past five years. Yet, it's not just the financial haemorrhage that startles; it's the brazenness and sophistication of these attacks, underscored by incidents like the Colonial Pipeline shutdown, which reverberated through the energy sector, causing widespread fuel shortages and public alarm. These are not isolated incidents but rather harbingers of a systemic challenge, exposing a glaring gap between technological advancement and cybersecurity preparedness. 

Despite a relentless surge of high-profile cyberattacks over the past 18 months – costing companies billions and severely disrupting operations – there remains a startling lack of cybersecurity understanding and prioritisation at the board and senior leadership levels. According to a recent KPMG survey, 55% of CEOs admit they are not fully prepared for a potential cyberattack, while a Deloitte report indicates that only 12% of board members feel highly knowledgeable about cybersecurity risks. This disconnect between the escalating threat landscape and insufficient leadership focus, exposes organisations to potentially devastating consequences.

In this digital age, cybersecurity transcends merely an IT concern, evolving into a critical business imperative.  The recent cyberattack on MGM Resorts in September 2023 starkly underscores this reality, serving as a harrowing reminder for C-suite leaders about the paramount importance of safeguarding digital frontiers. This article aims to dissect the MGM cyberattack, providing insights and actionable lessons for executives to fortify their cyber resilience.

The Incident: A Closer Look at the MGM Cyberattack

MGM Resorts, a titan in the hospitality and entertainment sector, fell victim to a sophisticated cyberattack attributed to factions believed to be the Scattered Spider group and the notorious AlphV/BlackCat ransomware gang. These attackers, employing cunning social engineering tactics, tricked unsuspecting employees into compromising the system's security. The breach led to significant operational disruptions: casino floors saw partial shutdowns, ATMs and slot machines faltered, and the digital lifeline for reservations, the online booking system, was rendered inoperative.

In the aftermath, a grim revelation surfaced — the theft of sensitive customer data, including names, contact information, and in more severe instances, Social Security numbers and passports. The financial toll on MGM was staggering, with estimated losses hovering around the $100 million mark. How did such an attack take place?

Based on available information, here what we were able to piece together:

1. Social Engineering: The Scattered Spider group started the hack by targeting MGM employees, likely through LinkedIn or other social platforms. They gathered information to craft a convincing phishing attack or phone scam, posing as a legitimate entity (e.g., IT support). The employee fell for the trick and divulged credentials or allowed remote access.
2. Initial Infiltration: The hackers used compromised credentials to enter MGM's network. They likely moved laterally and searched for weaknesses in security protocols.
3. Privilege Escalation: The hackers focused on acquiring elevated access. This could have been through exploiting software vulnerabilities or using brute-force techniques to crack passwords. With higher-level access, they could move more freely in the system.
4. Credential Harvesting: Hackers obtained credentials from domain controllers and tools like the Okta sync server, giving them access to other employees' accounts and systems.
5. Data Exfiltration: Over time, the group collected terabytes of sensitive customer data, including names, contact information, IDs, and potential financial records. The data was quietly syphoned out of the network.
6. Deployment of Ransomware: Believed to be executed by the AlphV/BlackCat group, the ransomware was deployed across MGM's systems, encrypting files, and disrupting operations. This is when the attack became fully visible.

Below is a graphical flow of the possible attack at MGM:

While this was happening, you may wonder why the MGM Cyber team did not intervene.  Part of the reason could be that they might have missed the following:

• Training: Employees weren't sufficiently trained on recognizing social engineering tactics. A single employee compromised the entire network and sometimes there may not be awareness that a single employee compromised could enable hackers into the network.
• Patching Vulnerabilities: The hackers likely exploited known software vulnerabilities that MGM hadn't patched quickly enough.
• Network Segmentation: Inadequate network separation allowed hackers to move laterally once inside the system. Properly segmented areas could've limited damages.
• Multi-Factor Authentication: If it wasn't present everywhere, or could be bypassed, it left critical systems vulnerable.
• Monitoring and Detection: Systems may not have generated sufficient alerts or logs to catch the initial intrusion, allowing hackers to operate discreetly.

It is possible that MGM's cybersecurity team did everything right, and the hackers still got through. Cyber defences are never foolproof. Hackers are constantly adapting and becoming more sophisticated.  The MGM attack emphasizes that cyber threats are constantly evolving and that even large companies with substantial resources can be vulnerable. It's critical for businesses to continuously invest in security (leverage new cybersecurity technology like SSHepherd etc), train employees, and maintain a proactive, multi-layered defence strategy.

Unpacking the Lessons

The narrative of MGM's breach is but a single thread in this vast, intricate tapestry of cyber insecurity that stretches across industries and borders, compelling us to confront an uncomfortable truth: in our digital fortresses, the gates stand wide open. The MGM cyber saga is replete with lessons, each a cornerstone for crafting a robust cybersecurity strategy. Here are pivotal takeaways and strategies for C-suite executives:

# The Social Engineering Threat

• The MGM attack accentuates the peril of social engineering. These schemes, leveraging psychological manipulation, prey on human vulnerabilities to breach security. 
• Actionable Insight: Organizations must prioritize training programs that empower employees to recognize and thwart such attacks. Incorporating regular drills, security briefing and awareness sessions can significantly mitigate this risk.  The costs of training employees and senior leaders to be able to identify red flags fast, would far outweigh the potential losses from a threat materialised

# The High Cost of Data Breaches

• The financial ramifications of the MGM breach are a stark reminder of the economic stakes involved. Beyond the immediate financial losses, the reputational damage and erosion of customer trust can have long-lasting consequences. 
• Actionable Insight: Investing in advanced cybersecurity measures is not an expense but a safeguard against potentially crippling financial and reputational fallout. New stealth-based cyber security technology like SSHerpherd and other technology that is far more advanced, is worth investing into

# The Imperative of Transparency

• MGM's approach to promptly disclose the breach was commendable. In times of crisis, transparency becomes a pivotal trust-building tool with stakeholders. 
• Actionable Insight: Develop a communication strategy that ensures swift, transparent, and honest disclosure to affected parties, reinforcing trust and commitment to customer protection.

Strategic Cybersecurity Enhancements

C-suite leaders must view cybersecurity through the prism of strategic business resilience. Here are key strategies to bolster defences:

1. Robust Cybersecurity Solutions: Deploy state-of-the-art stealth-based cybersecurity software, firewalls, intrusion detection systems, and encryption protocols. Regularly update these defences to outpace evolving cyber threats.
2. Incident Response Planning: Craft a comprehensive cyber incident response plan detailing swift and efficient actions to minimize damage. This plan should be regularly updated and rehearsed with key stakeholders.
3. Regular Security Audits: Conduct periodic security assessments to identify vulnerabilities. These audits should inform the continuous evolution of security measures.
4. Fostering a Security-conscious Culture: Cultivate an organizational ethos where every employee is a cybersecurity sentinel. Regular training and awareness initiatives can reinforce the importance of vigilance and responsibility.

Conclusion: A Call to Action

The MGM cyberattack narrative is a clarion call for C-suite leaders to recalibrate their cybersecurity strategies. In an era where digital threats loom large, the imperative to protect digital assets and customer data is paramount. By embracing the lessons from MGM's experience, leaders can not only shield their enterprises from similar fates but also foster a culture of resilience and trust that stands as a bulwark against the cyber threats of tomorrow.

In the journey towards cybersecurity excellence, the MGM case study is not just a cautionary tale but a blueprint for strategic action. The saga of the MGM cyberattack transcends a mere cautionary tale; it heralds a pressing imperative for boardrooms across the globe. In an era defined by digital threats that are as pervasive as they are pernicious, the stewardship of cybersecurity is not just a matter of technical diligence but a cornerstone of strategic leadership.

This is a clarion call for board members to pivot from passive oversight to active engagement in cybersecurity governance. The stakes transcend financial loss, reaching into the realms of trust, reputation, and long-term viability. As leaders, the urgency to fortify our digital domains against the spectres of tomorrow demands more than mere acknowledgment—it requires a wholesale cultural shift towards cyber resilience. 

Let the lessons of MGM serve as a stark reminder and a rallying cry: to invest in cybersecurity is to invest in the very scaffolding of our future prosperity. It's time to marshal our collective resolve, resources, and ingenuity to erect defences as robust as the threats are relentless and adopt new technology that enables your critical servers to be protected. 

The journey toward cybersecurity excellence is fraught with challenges, but for those willing to lead, it offers the invaluable prize of safeguarding our digital age. The time for action is now. For C-suite executives and board leaders, the message is clear: the time for robust, proactive cyber defence is now. Let this incident be a catalyst for change, spurring us to adopt a more vigilant, informed, and strategic approach to cybersecurity.