In a seismic wake-up call to the cybersecurity landscape, MGM Resorts International and Caesars Entertainment recently grappled with a massive security breach resulting in operational issues at all their resorts. Masterminded through a social engineering exploit, the attack targeted inherent design deficiencies in Okta’s platform. Thus these vulnerabilities allowed the hackers to access Okta tenants and, from there, launch a ransomware attack. The intricacies of the breach serve as a teachable moment for identity threat detection and response and the value of managed identity security services.
This article examines the pivotal role of continuous identity security management in cybersecurity. Moreover, it explores an often-overlooked realm of tertiary identity issues, highlights the emerging risks for CISOs, and underscores potential financial implications, making a compelling case for investing in managed identity security services.
Unearthing the MGM Breach Attack Path
The attackers spearheaded their attack through a meticulously crafted social engineering campaign to gain access to Okta. This widely-adopted cloud-based identity & authentication solution protects the digital front door to the client’s enterprise applications and data. Okta and MGM have been public about how the solution are adopted.
Okta recently suffered a similar breach where its third-party help desk service providers’ privileged access was compromised to gain unauthorized access to Okta customer tenants and data. Reports and statements suggest that, upon gaining admin access into Okta, Okta’s AD sync capability was compromised using capabilities inherently present in Okta. This allowed for password sniffing, where the attackers were able to identify and capture password events between Okta in the cloud and MGM AD on MGM data centers. Afterwards, the attackers captured more administrative privileges across the organization. Finally, this allowed them to move laterally to implement a ransomware attack.
In response, MGM appears to have shut down connectivity from its on-premise AD sync to Okta in the cloud. This resulted in a number of application authentication issues. In turn, this resulted in widespread operational problems from check ins, room access, and slot machine usage. At its core, the breach exploited a design flaw within Okta’s SSO system through a simple social engineered attack resulting in significant impact.
Managed Identity Security Services: Securing the Identity Perimeter
The MGM and Caesars breach lays bare the undeniable importance of managed identity security services. These digital guardians not only safeguard against Okta-related vulnerabilities but also a number of other crucial identity solutions areas and address an array of identity issues. Identity security operations centers (SOCs), are fortified with:
Identity Controls Monitoring: Employing cutting-edge threat detection and monitoring systems, Identity SOCs remain poised to detect suspicious activities in real-time. Thus they ensure early breach detection, technology misconfiguration and mitigation.
Incident Remediation: In the event of a breach or a misconfiguration that could result in a breach, Identity SOCs unleash meticulously orchestrated incident response plans across the IAM architecture spanning multiple tools, minimizing damage and expediting recovery through forensic analysis.
Identity Security Posture Management & Intelligence: Identity SOCs wield threat intelligence as a beacon to illuminate the evolving threat landscape, empowering organizations to proactively manage vulnerabilities.
Thwarting Privilege Escalation: By scrutinizing user behavior patterns, Identity SOCs are adept at spotting and thwarting privilege escalation attempts, substantially curtailing lateral movement within networks.
Navigating the Realm of Tertiary Identity Issues Through Managed Identity Security Services
Beyond immediate breach response, the MGM and Caesars incident unravels a profound and often overlooked realm—tertiary identity issues. These present CISOs with new risks to navigate:
Vendor Vulnerabilities: As organizations lean on third-party vendors, they inadvertently introduce additional identity-related vulnerabilities. Insufficient vendor risk management can expose an organization to considerable risks.
Shadow IT Security: The unauthorized or unmanaged use of identity-related tools and services within an organization creates an obscure landscape that threatens security. Gaining visibility into and control over shadow IT are critical.
IoT’s Expanding Footprint: The proliferation of IoT devices adds layers of complexity to identity security. Organizations must establish robust access controls and secure IoT endpoints to mitigate risks.
Hybrid and Multi-Cloud Complexity: In an age of hybrid and multi-cloud environments, managing identities across diverse platforms becomes an intricate task. Identity Security services offer a unified approach to tackle this burgeoning complexity.
The True Costs of Cyber Vulnerability: An Appeal to CFOs
Chief Financial Officers (CFOs) would be remiss to overlook the financial implications of cyber vulnerability. Beyond the immediate costs of breach remediation and potential regulatory fines, they must recognize the following:
Reputation Damage: A cyber breach tarnishes an organization’s reputation, leading to loss of customer trust and decreased revenue.
Litigation and Legal Costs: The legal repercussions of a breach can be astronomical, including class-action lawsuits, settlements, and regulatory fines.
Operational Disruption: Breaches disrupt operations, resulting in lost productivity, revenue, and increased costs for recovery.
Long-Term Financial Impact: The fallout from a breach can have a lasting impact on an organization’s financial health. For instance, negatively affecting stock prices and credit ratings.
The Value of Managed Identity Security Services
Identity and access management form the cornerstone of business operations. Recognizing potential risks and taking proactive security measures is no longer optional. Identity SOCs epitomize the proactive stance required, offering continuous monitoring, rapid incident response, and tailored security solutions.
The MGM and Caesars breach serves as a vivid illustration of our interconnected world’s vulnerability. Yet, it also reminds us that we possess the knowledge and tools to fortify our defenses. CISOs and CFOs must embrace this knowledge. This means acknowledging the true costs of cyber vulnerability, and invest in safeguarding their organizations’ digital fortresses.
The journey to robust identity security is an ongoing quest. Understand identity SOCs, tertiary identity issues, and the far-reaching financial implications. Only then can we can collectively shape a safer, more secure digital future.
Contact an Identity Advisor now and learn how Simeio can craft your bespoke managed identity security service.
Remember that time Target was hacked through an air conditioner? Not “a Target storefront,” but the entire corporation and its customers’ information. The 2013 incident remains a touchpoint in the realm of cybersecurity for its sheer absurdity. A national retailer brought low because of a rattling metal box which was somehow connected to millions of customer credit or debit cards? Objectively funny…and a teachable moment on the merits of intelligent IAM implementation.
The biggest lesson drawn from the Target breach is not that cybersecurity experts were incompetent, but that hackers are smart. So long as a potential entry-point exists, no matter how small, it remains a risk. By unpacking how the breach was carried out and how it could have been prevented, this incident from nearly a decade ago can avoid repetition.
How an HVAC Defeated Target in 2013
So, how did the information of 70 million customers, along with 40 million of their credit cards and debit cards, get pilfered through an HVAC unit? The full roadmap to Target’s data breach is quite extensive and disappointingly didn’t involve a hacker jacking into an air conditioner. Rather, it started from the most common of attack vectors: human error. The hackers phished their way into the systems of refrigeration contractor Fazio Mechanical and installed a trojan. Soon enough, the necessary credentials were theirs.
At this point, the attack focused on Target itself. Target had provided Faizo with unsecured vendor access to their system. This allowed the hackers to infiltrate into Target’s point of sale system. From there, the hackers started monitoring and recording card data from card readers. They even employed a clever NetBIOS trick to steal card data from offline card readers.
The aftereffects from the hack were severe. Besides Target’s $18.5 MN settlement in 2017, the company publicly reported a loss of $202 MN, though some estimates place it as high as $252 MN. Because the attack took place during the holiday season, the attack hit the company especially hard. The attack caused Q4 profits to drop 46%. Target’s CEO stepped down. Affected customers filed over a hundred lawsuits. Even ten years later, the incident remains a black mark on the company, damaging customer confidence in Target’s ability to keep their data safe.
Proper IAM Implementation Could have Stopped the Breach
Only through a comprehensive IAM implementation could the incident have been avoided. By not setting up comprehensive protections for all attack surfaces, even those outside the company, Target was unknowingly counting down to a breach. Unsecured third-party partners leave a critical flank unguarded. A federated security solution, covering the full breadth of identities attached to the company, would leave no gap to find.
True, a mistake in that perimeter could leave open a gap all the same. However, that is why layered defenses are so important. Protected by automated monitoring driven by a robust PAM platform, Target could detect and lock down suspicious activity the moment it appeared. With well-defined policies enforced through adaptive MFA, the hackers could not hope to penetrate far. Additionally, such a system cuts down identity sprawl, which is very important for shrinking potential attack surfaces.
Furthermore, PAM and IGA would have played a further role in halting or at least limiting the damage done when the hackers tried to make changes to the system backend. A well-implemented PAM allows no changes without privileged permission. Even in cases where the security protocols are not so strict, PAM provides invaluable information. By recording the answers to the six critical security questions, the PAM solution enables much better tracking and control of a breach in progress.
IAM Implementation for Your Modern Threats
The landscape of cybersecurity has only grown more perilous in the decade since the Target breach. Though the countermeasures discussed above can prevent a repeat of the incident, experts must anticipate and prepare against future threats. The biggest challenge, especially for retailers, is addressing the compromise between security and efficiency, but recent developments can eliminate that compromise altogether. Identity orchestration enables efficiency through security. Orchestration unifies an identity fabric under a single viewport with comprehensive controls enabled by automation. Within such a platform, security systems work towards efficiency rather than against it.
In that same vein, enterprises must consider and work to implement remediation strategies. Security-minded IAM implementation provides for both auditing and for hemming in breach events. Constant flagging and data collection cuts back on the hassle of satisfying regulatory compliance. Additionally, by implementing a recovery strategy, enterprise security personnel react to emergencies much faster than if they were scrambling for a response. Be wary of complacency and aware of your enterprise’s limitations. An internal security solution can only get you so far. Bad actors can exploit the slightest vulnerability in your perimeter. As such, your best bet for avoiding potentially ruinous breaches is expert IAM implementation.
The best identity service is smart about enforcing your policy for third parties. It implements a robust IGA and PAM with active monitoring. Finally, it bundles all these critical solutions into a comprehensive identity orchestration platform which aids in better user experience as well as heightened security. Pursuing the best possible IAM implementation keeps enterprises and their customers secure. If they don’t, they might well find themselves “Targeted.”
The past few months have been embarrassing for financial cybersecurity. A zero-day vulnerability in the widely used MOVEit data migration software allowed the ransomware group Cl0p to perform a far-reaching SQL injection attack. The group has named 55 firms as victims so far, most notably three of the “Big Four” accounting firms who handle 80% of all financial audits in the US. These are Pricewaterhouse Coopers, Ernst & Young, and, most recently, Deloitte. Add to this the 8 to 11 million Maximus identities compromised, and this is shaping up to be the largest file-transfer attack in history. Identity-based vulnerabilities lie at the heart of this issue; IAM solutions are the answer.
As the targeted companies grapple with the fallout from this incident, an uncomfortable question arises. What could have been done to prevent the attacks? What is the plan for future prevention? By examining what made this breach possible, cybersecurity experts can direct their time and budgets towards the IAM solutions which are most likely to prevent a repeat down the line.
What Made the MOVEit Attack so Successful?
The Cl0p group has a well-established MO: global targeting of international consulting firms. The gang is an RaaS (Ransomware as a Service) “provider.” As such, their MO focuses on probing enterprises for vulnerabilities and viciously attacking any holes they find. Even with the bug patched and further access cut off, they don’t just take their ball and go home. They will simply get to work to finding another opening. Furthermore, so long as a potential exploit exists, it’s just a matter of time before some group takes advantage. The mere fact that the backend system allowed for SQL injection was always going to be a fatal flaw. Limited internal cybersecurity teams cannot account for every possible vulnerability.
Because the backend database was open to non-authenticated users and unmoderated edits, Cl0p was able to input SQL injection. The vulnerability appears whenever a database allows customer, B2B, and B2C users to input data without limitations or validation. MOVEit allowed a query to be input into databases without the protection of limitations and parameters. Therefore, the hackers could plug any code in to disrupt the systems and open a direct line into sensitive data.
In essence, the hackers slipped in through an unprotected part of the fence upstream. Thus, they got access to everything down the river.
IAM Solutions Could have Blunted or Even Prevented the Attack
Michael Bickford, Solutions & Advisory Director at Simeio, states that “enforcing PoLP could have helped immensely. The data used to start the injection came from somewhere, most likely an identity that didn’t get locked down.” He explains that if permissions had been in place it would have been much harder to get into the backend. The lesson from this incident is clear: IAM solutions need to span the whole of an identity fabric to be effective. Additionally, you need strong authentication not just for people, but for systems and machines as well. If the affected enterprises, or MOVEit itself, had had a unified IAM solution, there would have been no avenues for attack.
A mature IAM solution also accounts for the possibility of a breach even in the face of all these safeguards. The damage done would have been significantly lessened if competent remediation methods were in place. Affected companies should have been notified the instant their backend was queried. Better yet, an automatic policy enforcement system could have instantly locked access as soon as it suspected a violation. Unfortunately, at the stage the victims reached, everything became a matter of hindsight.
Cybersecurity must be proactive, constantly and consistently anticipating and heading off likely attack avenues. IAM solutions focus on the core identities at the heart of digital vulnerabilities, scoping out the parameters of an enterprise and its needs. Theoretically, regular updates and audits test those parameters. Clearly the tests didn’t go far enough in the case of these victims. An ounce of prevention, in this case a federated IAM solution spearheaded by an expert IAM service, would have saved 55 pounds of pain.
Preventing Future Attacks Through IAM Solutions
Bickford has a few tips for companies who wish to avoid a similar fate. He recommends that enterprises “Keep all vendor software up to date. Put in firewalls with an Intrusion Detection System (IDS). Institute network segmentation to mitigate where penetrations can reach. Apply access controls and PoLP, even for system accounts. Use endpoint protection on devices and software through tools like Beyondtrust and Cyberark, or managed services that leverage those tools. Carry out threat intelligence training across the entire organization.
Oftentimes, application owners don’t know their own vulnerabilities. Only your own enterprise can ensure that connected systems are up to security snuff by enforcing your policies upon your partners. Having a comprehensive security policy across third party vendors are very important. A strong PAM solution allows for your highest levels of controls (exactly the sort targeted by Cl0p) to be monitored and managed from a single pane. Other solutions, such as IGA, help ensure that sensitive databases are only accessible by selective identities. Additionally, such systems help curate orphaned accounts, which are vulnerabilities in themselves. IAM solutions like CIEM provide additional controls and security around your clouds. This keeps the entirety of your attack surface buttoned up.
By investing in appropriate IAM solutions including PAM, IGA, and CIEM, your enterprise stands a much better chance of avoiding a calamity similar to the MOVEit breaches. Because, as bad as the Cl0p attack is, it is only the worst file-transfer attack…so far.
The AT&T data breach of March 2023 should serve as a lesson in the dangers of relying upon siloed security solutions. As easy and popular as it is to point and laugh at the multibillion megacorp faceplanting into a humble pie, the truth is more granular. Siloed security, wherein disparate policies and systems are applied to a pool of identities, are nothing less than a wall of Swiss cheese. While the parent company is very much responsible for the burden of security, the vulnerability is part of an endemic misunderstanding about siloed security.
The Folly of Siloed Security
The AT&T breach resulted from oversights in a marketing firm the telecom company uses in its outreach programs. This exposed the Customer Proprietary Network Information (CPNI) of 9 mil users. This included names, email addresses, account numbers, and phone numbers. While this can also be a teachable moment on not always ticking the “let us collect information on you” box, it also demonstrates how broad corporate attack surfaces have become. Even if the central corporation has the best internal security on the planet, it takes just one authorized third-party vendor to endanger vital information.
AT&T alerted the relevant federal agencies in the wake of the breach. They offered the customers an option to add extra security to their password free of cost. However, this “fix” does not really address the underlying vulnerability. AT&T is still relying upon the “we’ve totally fixed it this time we swear” security of an outside vendor. If the problem is to be well and truly solved, it requires an overarching change in how AT&T handles their risk posture. Nor is AT&T alone in their vulnerability among telecom companies. Just recently, T-Mobile suffered their 8th data breach in less than 5 years.
So many identities get juggled back and forth without any centralized policy governing their usage. Little wonder that these breaches are becoming a recurring trend. Major companies contract out a service to an outside firm. That firm has a gap in their security. That gap is exploited to gain access to the big fish. Remember the hacked HVAC unit that brought Target to its knees? Or the insurance-services provider used to get into the sensitive personal data of Keybank clients? A data breach affecting 9 million customers (enough people to comfortably populate Virginia) has become close to routine.
The Security of Federated Identity Management
The reliance upon siloed security must be shed if companies wish to avoid the same fate. A federated identity solution encompassing AM, CIAM, IGA, and PAM provides the platform from which your enterprise can escape the dangers of third-party vulnerabilities. With detection and remediation enabled by automatic systems and role-based access management, you take the first steps toward responsible security.
Establish this basis of proper identity management. Then start scaling it out to cover your partners as well as your clients and internal users. In addition to the enabling your enterprise, your identity solution lets you expand out your security measures across your full identity fabric. This includes the security of your third-party service providers. Have their identities interact with your company on your terms. Thus, you swiftly detect and investigate any discrepancies and red flags.
Unfortunately, only a full-scale identity transformation, with the defense of your identity fabric as a driving consideration, can span across an attack surface of multiple enterprises. Implementing such a sweeping digital transformation is possible on your own. However, solutions are far more likely to be both successful and cost-effective when staged by a trusted IAM Service Provider. Enterprises with the foresight to reject siloed security and invest in federation enjoy fewer breaches and more options for remediation.
The slightest mistake can offer cybercriminals a pathway inside, even when the doors to your data seem well guarded. The focus is not only keeping hackers out but assuming that they will attack and will eventually make it inside the walls of the fort. It is a hard truth that many companies have had to learn.
In security, we often talk about the importance of a layered defense. But that chain is still only as strong as its weakest link -which is typically people. A quick examination of the news makes it clear that social engineering and compromised credentials remain at the center of many successful attacks against enterprises. Protecting identities and access, particularly in the age of cloud computing and distributed workforces, is as vital as ever. Multifactor authentication (MFA) is often heralded as a defense against unauthorized access, and rightly so. Still, recent breaches have shown that a bit of social engineering can be its undoing.
Imagine the scenario: an account is protected by MFA. Each time an employee authenticates, the person is sent an MFA login approval request. A hacker, armed with that user’s credentials, keeps attempting to log in. As a result, the victim is continually bombarded with MFA approval requests. Perhaps out of a mixture of annoyance or confusion, the user clicks approve. Just like that, the threat actor is in.
The moral of this story is not that MFA is ineffective at reducing risk—it is that defending against today’s attacks requires a comprehensive approach to securing identities.
Push Notification Attacks
Despite MFA providing an extra hurdle, threat actors are still able to circumvent it through push notification attacks. These threats are also called MFA prompt bombing or fatigue attacks. In these incidents, a threat actor uses a script to attempt to log in to an account over and over. As a result, the victim is essentially spammed with MFA notifications that the attacker hopes will eventually get approved.
These threats can be mitigated by taking different approaches to MFA that add friction to the approval process. For example, having a user enter a passphrase adds a level of security by being less guessable than a password. Succumbing to MFA fatigue is no longer simply clicking a button. Instead, the passphrase would have to be entered. Likewise, techniques such as biometrics or a challenge where the user must enter a number provided in the MFA notification into an app to complete the process add an extra step that could prevent an individual from causing a breach.
Layered security
Other defensive measures can reduce the risk of these attacks as well. In some scenarios, multiple login attempts were detected, determined to be suspicious due to the volume being sent during a short timeframe, and blocked automatically. Adaptive Access Solutions exist that provide these capabilities. What if an attempt to download or exfiltrate data is uncovered and blocked due to integration between a SIEM solution and data loss prevention technology? These capabilities represent security layers that, when properly stacked on top of each other, provide a cohesive defense that raises the barrier of entry for hackers.
Enforcing the principle of least privilege wraps a further layer of security around your data. The number of privileged accounts should be limited, and those privileged accounts that do exist need to be identified and closely monitored for suspicious activity. Underpinning these capabilities should be a network architecture limiting attackers’ ability to pivot around the network if they get inside. Many organizations are beginning their Zero Trust journey with a focus on just-in-time privileges and zero-standing access. The idea should be to provide all users and services with no more than the necessary amount of access for the time it takes them to accomplish their tasks. The three principles of zero trust – verify explicitly, use least privilege access, and assume a breach will occur – is a key to laying a solid foundation to secure and protect accesses.
Privileged Account Management
Implementing best practices also provides compensating controls. According to reports, the hacker behind one of the recent incidents found the company’s network share that contained some PowerShell scripts. One of these scripts had admin user credentials for the Thycotic privileged access management platform, which was used to extract login secrets for internal services such as Gsuite, AWS, and other internal privileged accounts. While most organizations have the right approach to implement a privileged account management solution, in one incident, the admin account of the privileged account was left in a clear text file. This is poor credential hygiene and underscores the importance of not checking the box of having the tool but using the tool effectively. This must be done by having good security processes which ensure it will not add to the minefield of challenges we already face, as was the case for one of the recent breaches.
Human Factor
Technology and employees will still fall victim to social engineering even when you have all the right technology, and the right processes. Organizations must carefully consider the MFA implementation that works best for their users. Additionally, reinforce that strategy with a mix of security awareness training, and a defense-in-depth approach focused on securing identities and access. Organizations can build a stronger defense system by leveraging identities as the primary control plane to build an efficient and effective cyber strategy – early warning, good isolation, and (when needed) eviction of threat actors. Of course, one of the best ways of protecting passwords is by removing them from the equation. By choosing to take the journey of using making decisions which allow your userbase to use passwords less until you can become Passwordless is by far the most effective way of putting this challenge behind us.
The number of identities that organizations manage is witnessing exponential growth – 98% of organizations experiencing this trend and 84% of organizations (2022 Trends in Securing Digital Identities report) enterprises suffering identity-related breaches between 2021-2022. What is more alarming is that breaches are becoming a norm, but does it mean it should be acceptable?
