WEBINAR
GigaOm Radar Report for PTaaS: How to Make a Smarter Investment in Pentesting

Lessons Learned from the MGM Breach

The recent arrest of a teenager linked to last year's MGM cyberattack is a stark reminder that no organization, regardless of size or industry, is immune to the evolving threat landscape. 

The breach exposed the personal data of millions of customers and cost MGM an estimated $100 million, underscoring the importance of proactive cybersecurity measures. 

This incident offers valuable lessons for security professionals, particularly around vigilance, the importance of pentesting, and the need for robust incident response plans. Let's dive into the details of the MGM breach and distill key takeaways to bolster your organization's defenses.

Summary of the MGM Attack

The attackers gained access to MGM's systems through a social engineering attack, specifically vishing. 

Vishing is a type of phishing attack that uses voice calls to impersonate a legitimate organization or individual. 

In the case of the MGM attack, the attackers impersonated an MGM Resorts employee and called the organization's service desk to request access to that employee's account. The service desk employee, unaware that they were being targeted with a vishing attack, reset the account's credentials and handed the attackers a valid login. 

Once the attackers had access to the employee's account, they escalated their privileges and moved to other systems on the MGM network. They did this by abusing MGM's Okta tenant through the Okta Active Directory (AD) Agent, a lightweight client installed on a server in an organization's AD domain to sync accounts and delegate authentication to the directory. From the Okta Agent servers the attackers began harvesting password data; MGM reportedly detected this and reacted hastily by shutting down its Okta sync servers. In their own public statement, the attackers claimed they still held super administrator privileges in MGM's Okta tenant and global administrator privileges in its Azure tenant after the sync servers were taken offline, and that they deployed ransomware only afterward. 

A review of this breach shows an easy-to-deploy social engineering component (the vishing call) paired with a more sophisticated follow-on. With super administrator rights in Okta, the attackers could register their own identity provider (IdP), backed by a user directory they controlled, inside MGM's Okta tenant, and then authenticate as whichever users that IdP asserted. Okta had warned customers about exactly this pattern of help-desk social engineering and rogue IdP configuration shortly before the MGM attack.
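The chain just described (a help-desk credential or MFA reset on a user, followed by that same user granting privileges and creating a new identity provider) is visible in the Okta System Log if the events are correlated. The following detection script is an added example, not code from the article, from Cobalt or from Okta. The log records are constructed for the example, and the eventType strings are assumptions taken from Okta's public System Log documentation; check them against your own tenant's log before deploying anything like this.

```python
"""Correlate Okta System Log records into the help-desk-reset -> privilege
-> rogue-IdP chain seen in the MGM breach.

Added example; the records in SAMPLE_LOG are constructed, and the eventType
names are assumptions to be verified against Okta's documentation.
"""
import json
from datetime import datetime, timedelta

# Event types at each stage of the chain (assumed Okta System Log names).
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.account.reset_password"}
PRIV_EVENTS = {"user.account.privilege.grant", "group.user_membership.add"}
IDP_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.activate"}
WINDOW = timedelta(hours=24)  # how long after a reset we keep watching the user

# Constructed sample: help desk resets j.doe, who then logs in from a new IP,
# grants themself admin privileges and creates an IdP. a.smith is a benign reset.
SAMPLE_LOG = """\
{"published":"2023-09-08T13:55:02.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"helpdesk@example.com","type":"User"},"target":[],"client":{"ipAddress":"10.0.5.12"}}
{"published":"2023-09-08T14:02:11.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"helpdesk@example.com","type":"User"},"target":[{"type":"User","alternateId":"j.doe@example.com"}],"client":{"ipAddress":"10.0.5.12"}}
{"published":"2023-09-08T14:09:40.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"j.doe@example.com","type":"User"},"target":[],"client":{"ipAddress":"198.51.100.23"}}
{"published":"2023-09-08T14:31:05.000Z","eventType":"user.account.privilege.grant","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"j.doe@example.com","type":"User"},"target":[{"type":"User","alternateId":"j.doe@example.com"}],"client":{"ipAddress":"198.51.100.23"}}
{"published":"2023-09-08T15:12:48.000Z","eventType":"system.idp.lifecycle.create","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"j.doe@example.com","type":"User"},"target":[{"type":"IdentityProvider","displayName":"Corp SSO Backup"}],"client":{"ipAddress":"198.51.100.23"}}
{"published":"2023-09-08T16:00:00.000Z","eventType":"user.mfa.factor.reset_all","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"helpdesk@example.com","type":"User"},"target":[{"type":"User","alternateId":"a.smith@example.com"}],"client":{"ipAddress":"10.0.5.12"}}
{"published":"2023-09-08T16:05:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"a.smith@example.com","type":"User"},"target":[],"client":{"ipAddress":"10.0.7.44"}}
"""


def parse_events(text):
    """Parse newline-delimited JSON log records and sort them by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        # Okta publishes ISO-8601 UTC timestamps with a trailing Z.
        ev["_ts"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def _user_targets(ev):
    """Login names of the User objects an event acted on."""
    return {t.get("alternateId") for t in ev.get("target", []) if t.get("type") == "User"}


def find_chains(events, window=WINDOW):
    """For every successful reset, collect what the reset user did next.

    Returns one dict per reset target with a severity: CRITICAL if the user
    went on to create or activate an IdP, HIGH if they only gained privileges,
    INFO if nothing suspicious followed within the window.
    """
    alerts = []
    for i, reset in enumerate(events):
        if reset["eventType"] not in RESET_EVENTS or reset["outcome"]["result"] != "SUCCESS":
            continue
        for user in _user_targets(reset):
            chain = {"user": user, "reset_by": reset["actor"]["alternateId"],
                     "reset_at": reset["published"], "followups": []}
            for ev in events[i + 1:]:
                if ev["_ts"] - reset["_ts"] > window:
                    break  # events are sorted, so nothing later is in range
                if ev["actor"].get("alternateId") != user:
                    continue
                if ev["eventType"] in PRIV_EVENTS | IDP_EVENTS:
                    chain["followups"].append((ev["eventType"], ev["client"]["ipAddress"]))
            if any(t in IDP_EVENTS for t, _ in chain["followups"]):
                chain["severity"] = "CRITICAL"
            elif chain["followups"]:
                chain["severity"] = "HIGH"
            else:
                chain["severity"] = "INFO"
            alerts.append(chain)
    return alerts


if __name__ == "__main__":
    for alert in find_chains(parse_events(SAMPLE_LOG)):
        print(alert["severity"], alert["user"], "reset by", alert["reset_by"],
              "at", alert["reset_at"], "->", alert["followups"] or "no follow-up")
```

The value of correlating rather than alerting on each event alone is that help-desk resets are routine and IdP changes are rare but legitimate; it is the same user appearing on both sides within a day, typically from a new source address, that distinguishes the MGM pattern from normal administration. A production version would read from the System Log API with a polling cursor and add the source-IP change on the first post-reset login as a further signal.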

Impact of the Attack on MGM: Data Stolen & Operations Paused 

The implications of the breach are wide ranging and still being investigated. Reports show the attackers claimed to have stolen PII from the company and heavily disrupted its operations during the breach. MGM Resorts International's computer systems were down for 10 days as a result of the ransomware attack, and MGM estimated that the shutdown could cost the company as much as $100 million.

MGM initially did not confirm whether customer data had been stolen, although the hackers claimed to have exfiltrated data from its systems; the company later confirmed in a regulatory filing that personal information of some customers had been obtained. 

Multiple class action lawsuits have been filed against MGM Resorts, alleging that it failed to protect PII after being warned by Okta about targeted social engineering tactics of the kind used against the company.

Key lessons from the MGM Breach

The MGM incident serves as a stark reminder of several crucial cybersecurity lessons:

  • Social Engineering Remains a Potent Threat: The breach highlights the ongoing effectiveness of social engineering attacks, particularly vishing. Attackers are increasingly sophisticated in their impersonations, making it essential to educate staff on recognizing and responding to such threats.

  • Robust Incident Response is Crucial: Preventing every attack is impossible, so a well-prepared incident response plan is what limits damage and downtime. MGM restored its systems within ten days; still disruptive, but far better than the outcome without a plan.

    A strong plan also guards against hasty decisions during a breach. Plans should include playbooks for the scenarios most likely to hit the organization, including compromise of the identity provider itself. Experts point to MGM shutting down its Okta sync servers outright as a hasty response: it cut off legitimate authentication and, if the attackers' own account is accurate, did not evict them from a tenant in which they already held administrator rights. More planning could have avoided this. Tabletop exercises that rehearse exactly this kind of scenario are an important way to prepare your team's incident response.

  • Defense in Depth is Essential: No single security measure is foolproof. A layered approach combines technical safeguards (firewalls, intrusion detection, phishing-resistant MFA, tight control over identity-provider administrator roles) with strong policies, help-desk identity verification procedures and employee training. Many companies harden their external attack surface while neglecting proper security controls on their internal network and identity infrastructure. Prioritizing those internal controls should be a central part of a defense-in-depth strategy.

  • Third-Party Risk Management is Key: The incident underscores the need for thorough third-party risk assessments and ongoing monitoring. Note that Okta itself was not breached here; the attackers abused MGM's own Okta tenant with access obtained from MGM's help desk. Even so, the identity provider a company depends on becomes part of its attack surface, and even reputable vendors can be compromised, exposing their customers. Preventing supply chain attacks should be a cornerstone of a security program. Third-party risk can be reduced with External Attack Surface Management (EASM) and with threat intelligence on the vendors and services an organization relies on.

  • Cyber Insurance Can Mitigate Losses: While not a preventive measure, cyber insurance can help organizations recover financially from breaches, covering costs like incident response, legal fees, and potential customer compensation. Explore more about the benefits of penetration testing for your cybersecurity insurance.

The MGM breach is a wake-up call for all organizations to re-evaluate their cybersecurity posture and invest in comprehensive protection measures. By learning from the mistakes of others, we can strengthen our defenses and better protect sensitive data and critical systems.

Closing 

The MGM breach is a sobering case study of the ever-present risks facing modern organizations. It emphasizes that cybersecurity is not a one-time fix but an ongoing process of vigilance, adaptation, and investment. 

By prioritizing security awareness training, robust incident response plans tested by thorough red teaming services, layered security measures, and thorough third-party risk management, organizations can significantly bolster their defenses against the evolving threat landscape. 

The MGM incident serves as a stark reminder that no company is immune, but with a proactive Offensive Security Testing Platform and a commitment to continuous improvement, we can all work towards a more secure digital future.


This content was co-authored by AI. Discover our editorial practices.

About Gisela Hinojosa
Gisela Hinojosa is a Senior Security Consultant at Cobalt with over 5 years of experience as a penetration tester. Gisela performs a wide range of penetration tests including network, web application, mobile application, Internet of Things (IoT), red teaming, phishing and threat modeling with STRIDE. Gisela currently holds the Security+, GMOB, GPEN and GPWAT certifications. More By Gisela Hinojosa