Dive in with us! We invite you to present a scenario where ConsoleWorks, when correctly deployed, can detect, inform, and eliminate the MGM threat. We’re confident in our solution and eager to prove its capabilities. Let us be your partner in safeguarding your environment. Arrange a demo or a technical discussion today. Rest assured, you’ll be speaking with our expert engineers, not sales representatives. Share your top 3-5 concerns, and we’ll replicate them in our lab to showcase our solution. And if, after an hour, you’re not convinced? Our CEO will treat you to lunch at your preferred dining spot. Challenge us to prove our case!!
Prevention and Mitigation
Imagine you are in Las Vegas, enjoying a vacation at one of the famous casino resorts. You have just won a big jackpot and are ready to celebrate. But when you try to check out of your room, you find out that the hotel’s computer system is down. You can’t access your reservation, your loyalty points, or your winnings. You are stuck in limbo, along with thousands of other guests who are facing the same problem.
This is not a hypothetical scenario, but a reality that many guests at MGM Resorts faced on September 10, 2023, when the company was hit by a major ransomware attack that took systems offline in locations across Las Vegas. The attack left guests locked out of their rooms and unable to transact both on site and through the MGM mobile app. Eventually the affected casino hotels had to process transactions manually. It is expected that this incident will have a material effect on MGM’s operations as the company continues to deal with the fallout.
MGM Resorts was not the only casino company targeted by threat actors in recent weeks. On September 14, 2023, Caesars Entertainment disclosed that it had suffered a data breach that compromised the personal information of many of its loyalty program members, including their Social Security numbers and driver’s license numbers. Caesars paid about $15 million in ransom to the attackers to prevent them from releasing the data.
These attacks have drawn scrutiny from the FBI, the Cybersecurity and Infrastructure Security Agency, the Nevada Gaming Control Board, and the Nevada Governor. They also highlight the need for more cybersecurity professionals and better security practices in the casino industry.
It also begs us to say, the weak point was the human response, fooled or tricked by the threat actor to perform a privileged function to allow the threat actor in by resetting credentials. Therefore, no technology could actually prevent this hack. I would argue, however, that with a fully deployed ConsoleWorks REACT solution, the threat actor would have tripped over so many monitoring points and associated alerts with automated responses enforcing business policy that I cannot imagine how they could have succeeded. I know, go ahead, Challenge ConsoleWorks. Let’s use our lab to let you come after the lab or asset in the lab, whether it’s IT, OT or IoT. I’m good for a great discussion and demonstration.
In this blog, we will explore how ConsoleWorks, a cybersecurity and operations platform that provides secure remote access to IT and OT devices, could have prevented or mitigated these attacks using its features and benefits. We will also discuss how ConsoleWorks aligns with the Zero Trust approach, which is a security model that assumes no trust for any entity inside or outside the network perimeter.
How ConsoleWorks could have prevented or mitigated the MGM attack
The MGM attack was carried out by an affiliate of the notorious ransomware group ALPHV, also known as BlackCat. The threat actors claimed to have infiltrated MGM’s network on September 11, 2023. A supposed social media feed claimed that the threat actors had access to MGM’s Okta environment, which is a cloud-based identity and access management service. ALPHV also claimed to have access to MGM’s Azure tenant, which is a cloud-based platform for hosting applications and services. In addition to access, the claim was that data had been exfiltrated from MGM’s domain controllers, which are servers that store user accounts and passwords.
ConsoleWorks is a cybersecurity and operations platform that provides secure remote access using Role Based Access Controls (RBAC) and Privileged Identity Management (PIM) for IT and OT environments. If ConsoleWorks, as a platform, had been deployed in their environment, the scenario could have been prevented or mitigated in several ways. Let’s explore the capabilities for prevention ConsoleWorks provides relative to this scenario.
Secure Remote Access: To significantly bolster security measures, ConsoleWorks takes a proactive stance by implementing a Protocol Break and embracing a Zero Trust system with role-based access control (RBAC) and multi-factor authentication (MFA). In this case ConsoleWorks would have been integrated with Okta as an Identity and Access Management (IDAM) solution. This proactive approach effectively thwarts threat actors who rely on social engineering tactics to bypass security protocols or gain access to credentials, thereby preventing the transmission of malware and viruses into the critical environment. The absence of end-point asset credentials poses a formidable challenge for these malicious actors. It is important to emphasize that ONLY ConsoleWorks would have access to Okta, eliminating the need for the user, or in this case ALPHV, to request an unauthorized reset of Okta credentials. Moreover, if a threat actor were to attempt an unauthorized reset of MGM Okta credentials with the capability to escalate privileges within Okta to become a “Super Admin”, ConsoleWorks would detect the activity and present the system owners with risky activity ALERTS. In reality, the opportunity to gain access to Okta credentials would be very slim, as access to Okta would only be applicable through the ConsoleWorks platform and not by end users. If the integration between ConsoleWorks and Okta were somehow modified by a threat actor, again, this change event would be detected and would be a clear indicator that something is amiss and necessitates immediate attention. As a recap, it is ConsoleWorks, not the user, that integrates with Okta as an IDAM solution, and the platform uses the credentials for identity validation only. The user would never have escalated privileges that would provide the threat of account creation, modification, or privilege escalation. ConsoleWorks would create the necessary sessions based on business-authorized ROLES.
Furthermore, ConsoleWorks records, monitors, and risk-scores end-user activities in real time. Users ONLY ever need one credential, and that is to authenticate to ConsoleWorks, where identity validation occurs through access control lists (ACL), password complexity, and/or through the use of multi-factor authentication, as is the case with the Okta integration. ConsoleWorks meets NIST, ISO, DOD and many other government standards as a Cyber Security Platform.
Baseline Configuration Monitoring: Through the implementation of automated configuration monitoring on managed endpoints, ConsoleWorks can effortlessly maintain a comprehensive record of the system’s configuration. This includes details such as who made changes, when these changes occurred, and the specific commands that were used. This advanced functionality allows for a thorough understanding of the approved configuration both before and after any human interaction takes place. By comparing the approved values with the current values at the end of a user session, ConsoleWorks ensures the utmost accuracy and security. In the scenario involving MGM, ConsoleWorks would have promptly identified any modifications made to the reporting of monitoring tools on the system, as well as any newly installed software. As a result, it would be equipped to provide a detailed log of the session undertaken by the perpetrator involved in the MGM incident. This not only strengthens the security measures, but also enables effective password management, patch gap analysis, detection of misoperations, and event remediation in the native language of the assets. With ConsoleWorks, IT and OT systems can remain consistently updated, secure, and fully compliant with industry standards and regulations.
End Point Password Management: Because ConsoleWorks stores the session-generating credentials for remote access to assets and can rotate those passwords automatically, the user needing to connect to the asset only needs to be authenticated to ConsoleWorks and would never have access to escalated privileged accounts. In this incident the Okta credential hijacking could have been prevented and the impact reduced, as the critical asset would not have been reachable through a user endpoint. ConsoleWorks would be the intermediate system between a user and the critical asset and would broker all sessions and activities. The only integration of Okta would be between ConsoleWorks and the MFA provider to authenticate the validity of the user connecting to the platform through HTTPS. This separates the user from the credentials that generate connectivity to critical assets by one more layer. As mentioned previously, ConsoleWorks would provide even further mitigation, as in this case the compromised credentials would be logged, the activity would be evaluated, and automatic mitigation based on business policy could be deployed through our REACT solution. Furthermore, these activities could be reviewed, as everything the user is doing, down to the keystroke, is recorded and retained. As an example of automated mitigation, here is a sample of opportunities:
- Create an Event or Alert to the Security Operations Center (SOC) that a critical activity was taking place by an interactive user.
- Never send the user’s command to the endpoint if it were identified as a command outside their scope of permitted activity.
- Disconnect the user’s sessions and tag them as a threat, alert the SOC, and tag the device the user was acting on to prevent forensic information from being corrupted.
- Or pretty much any other business policy required, such as preventing north-south or east-west movement and requiring a timed wait between changing endpoints.
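The mitigations in this list can be expressed as a policy gate that sits between the user's session and the endpoint. The sketch below is an added illustration, not ConsoleWorks code or configuration; the role name, command patterns, and 60-second wait are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed policy: what a role may send, what counts as critical activity,
# and how long a user must wait before moving to a different endpoint.
ROLE_SCOPE = {"netops": [r"^show\s", r"^ping\s"]}
CRITICAL = [r"^(useradd|usermod)\b", r"^net\s+user\b"]
ENDPOINT_SWITCH_WAIT = 60  # seconds

@dataclass
class Session:
    user: str
    role: str
    endpoint: str = None
    last_switch: float = None
    active: bool = True
    alerts: list = field(default_factory=list)       # events for the SOC
    quarantined: set = field(default_factory=set)    # devices tagged for forensics

def connect(s, endpoint, now):
    """Enforce the timed wait before the user may change endpoints."""
    if s.endpoint and endpoint != s.endpoint and now - s.last_switch < ENDPOINT_SWITCH_WAIT:
        s.alerts.append(("lateral-movement-blocked", s.user, endpoint))
        return False
    s.endpoint, s.last_switch = endpoint, now
    return True

def submit(s, command):
    """Return 'forward', 'drop' or 'disconnect'; only 'forward' reaches the endpoint."""
    if not s.active:
        return "disconnect"
    if any(re.search(p, command, re.I) for p in CRITICAL):
        s.active = False                   # disconnect the session
        s.quarantined.add(s.endpoint)      # tag the device to preserve forensic state
        s.alerts.append(("threat", s.user, command))
        return "disconnect"
    if not any(re.search(p, command, re.I) for p in ROLE_SCOPE.get(s.role, [])):
        s.alerts.append(("out-of-scope", s.user, command))
        return "drop"                      # command is never sent to the endpoint
    return "forward"
```

Because the gate evaluates each command before forwarding it, an out-of-scope command produces an alert without ever executing on the asset.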
Risk & Vulnerability Scoring: Think about it, Risk Scoring is generally approached from a single point solution’s perspective, thus each score is only a part of the story. Let’s step out and say none of those scores consider scoring risk from a holistic perspective, where each of those point solutions is aggregated as an individual sensor, feeding information to a human response platform. The Human, the Device, and the Human Activity are scored and layered on top to produce a real-time reaction or response to human activity and the operational state of a device or application being influenced.
Finally, add the CRITICAL part, which is real-time scoring of a user’s command set on the device to understand their activity’s risk to the device and its operation. Send all of the above to the SIEM or SOC that aggregates and correlates network activity and human activity down to the keystroke and command, and a holistic situational awareness exists that provides a true real-time risk score. Continuing this path, this provides the capability to take data and transform it into usable information that an Incident Responder can take action on.
Situational Awareness: By actively monitoring, logging, and promptly reporting all activities performed on managed assets in real time, organizations can significantly boost their ability to swiftly detect and respond to potential cyberattacks. This proactive approach not only alerts security teams promptly of any suspicious or unauthorized actions but also enables the creation of a detailed forensic record of the incident, capturing even the smallest details across diverse endpoints. Additionally, by effectively aggregating and intertwining all log files, organizations gain valuable situational awareness and ensure compliance with regulatory and cybersecurity best practices. In the case of MGM, ConsoleWorks would have provided the necessary audits and logs for every command issued and response received, giving MGM visibility into what the threat actor did from start to finish and knowledge of what and how to remediate the affected systems. This comprehensive solution would even include the crypto keys utilized to encrypt the files on the machine, resulting in savings of up to 15 million dollars! Is anyone from MGM reading this?
Secure File Movement: Apparently, in the MGM incident, the threat actor had outside access from the infiltrated systems to be able to download files and their toolset. ConsoleWorks could have prevented that activity. ConsoleWorks strictly forbids file transfers across its platform without approval, change tickets, and scanning for viruses and malware. If the threat actor wanted to bring in their toolset, they would have had to download the toolset to a ConsoleWorks “Dirty” folder on the ConsoleWorks platform, and then get another person with higher authority in MGM to authorize the file transfer. Even if an authorization of a file transfer through ConsoleWorks were to occur, ConsoleWorks would initiate a malicious code scanning activity to detect embedded viruses and/or malware before placing the file(s) into a “Clean” folder. Only after the file is in the “Clean” folder can the user transfer the file to the critical asset. This adds another security checkpoint in the defense-in-depth approach and could have been another prevention in the case of the MGM incident. The key part here is the business policy and separation of duties to bring the files inside the enclave.
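The dirty-to-clean workflow described above amounts to a small state machine with a separation-of-duties check. The following is an added sketch of that control, not ConsoleWorks code; the approver set, ticket format, "quarantine" state, and the toy scanner are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass

APPROVERS = {"carol"}  # constructed: people with authority to approve transfers

@dataclass
class Upload:
    name: str
    data: bytes
    requester: str
    folder: str = "dirty"      # every file lands in "dirty" first
    ticket: str = None
    approved_by: str = None

def approve(u, approver, ticket):
    """Separation of duties: an authorized approver other than the requester,
    plus a change ticket, is required."""
    if approver not in APPROVERS or approver == u.requester or not ticket:
        return False
    u.approved_by, u.ticket = approver, ticket
    return True

def promote(u, scanner):
    """Move to 'clean' only if approved and the scanner finds nothing."""
    if u.approved_by is None:
        return False
    if scanner(u.data):        # scanner returns True when malicious content is found
        u.folder = "quarantine"
        return False
    u.folder = "clean"
    return True

def transfer(u, asset, audit):
    """Only files in 'clean' may reach the asset; every attempt is logged."""
    allowed = u.folder == "clean"
    audit.append((u.name, hashlib.sha256(u.data).hexdigest(), asset,
                  u.requester, u.approved_by, u.ticket,
                  "sent" if allowed else "denied"))
    return allowed

def toy_scanner(data):
    # Stand-in for a real scanning engine: flags the marker used by the
    # harmless EICAR antivirus test file.
    return b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data
```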
This case study could probably go on and on about how ConsoleWorks would have prevented or mitigated this attack with many more risk mitigating controls the platform has to offer. However, it could take days and we want to be respectful of your time. We invite you to reach out to us to find out more and even challenge us on our prevention and mitigation claims. We would even be happy to back our claims up through a demonstration of the platform to you.
We Thank You for your time and it’s an honor to get your comments, suggestions or guidance – please feel free to leave comments.
Remember, a BLOG is a written version of my consciousness at the time, I don’t remember if I slept last night or was just out all night, so please, any disagreements should be with me, not the Company. But again, we ask you – challenge us to prove it, I am pretty sure we can do that in SPADES!! Get it, lol!