MGM, Caesars Cyberattack Responses Required Brutal Choices

  /     /     /  
Publicated : 23/11/2024   Category : security


MGM, Caesars Cyberattack Responses Required Brutal Choices


Tens of millions in losses later, the MGM and Caesars systems are back online following dual cyberattacks by the same threat actor — heres what experts say about their incident responses.



Twin cyberattacks on MGM Resorts and Caesars Entertainment have provided a singular view into what happens when two similar organizations, under similar attacks by the same threat actor, pursue contrasting incident response strategies. 
In this instance, both were victims of a 
Scattered Spider /ALPHV cyberattack
. Caesars quickly negotiated with the cyberattackers, and handed over a 
$15 million ransom payout, 
which allowed it to proceed with business in relatively short order. MGM meanwhile flatly refused to pay, and just
 announced that its operations have been recovered
after 10+ days of casino and hotel operational downtime (tens of millions of dollars in lost revenue later).
While its tempting to make a judgment as to which approach is better, any direct comparison between the Caesars and
MGM responses to the cyberattack
is an oversimplification, experts say. For instance, Rob T. Lee, SANS Institutes chief curriculum director and faculty lead, emphasizes that the core principle of incident response is trying to make the least worst decision. And this tends to be a complex decision that always has a positive and a negative (some would say brutal) set of outcomes. 
He notes, many business decisions can go into that. Only once an incident is over can you see different paths that could have led to different or at least worse outcomes. There is no win in these situations, only decisions that can prevent it from worsening.
Whether or not to pay a ransom following a cyberattack is one of those no-win decisions incident responders are forced to make under intense pressure.
Its well documented that paying a ransom does nothing to guarantee data security or system recovery. Worse yet, it encourages future attacks by creating a market for these cybercrimes. But business risk decisions dont always turn on clear-cut choices of right vs. wrong, and expediency is always a consideration.
Caesars more rapid recovery post-ransom might give the impression they made a better decision, says Callie Guenther, senior manager of cyber threat research at Critical Start. From a business continuity perspective, their decision to pay might seem effective.
However, Joseph Carson, chief security scientist and advisory CISO at Delinea explains that there are other complexities at play. Companies who take a while to mull their options may decide that not paying makes more sense. In his experience, he says organizations only have about a four-day window to negotiate with ransomware threat actors before positions become hardened on both sides. After that, ransomware attackers tend to become frustrated, and enterprise security teams get dug into their position as well.
Theres a sunken-cost bias, security researcher Jake Williams added. The further away from the incident they (cybersecurity response and recovery teams) get, the more entrenched they get in the recovery.
Recovery costs are another consideration, according to Carson. If recovery is painful, but only costs a few million, that might be a better choice compared to a an eight-figure extortion payment, he adds.
Evaluating both
MGM and Caesars overall incident response
broadly, Guenther explains that Caesars reaction shows that keeping operations running was the priority, while the MGM response demonstrates that the organization is willing to endure short-term financial pain for long-term cybersecurity gains.
MGMs choice not to pay the ransom, despite financial losses, might stem from a broader perspective on the implications of ransom payments, Guenther says. The duration of their disruption might also reflect a comprehensive internal review and restoration process, ensuring all threats are fully mitigated.
Caesars incident response, she adds, by comparison was decisive.
However, paying a ransom, while providing immediate relief, carries long-term considerations, Guenther adds. The speed of their recovery post-payment suggests they had robust backup and restoration processes in place, but it also raises questions about their preventative measures leading up to the attack.
Experts widely acknowledge that both Caesars and MGM incident responses were capable under difficult circumstances and mitigated more widespread damage.
In terms of Caesars ransom payment, Andrew Barratt, vice president at Coalfire, points out what a fraction the $15 million extortion payment is in the larger scheme of the organizations overall revenues.
Caesars payout works out to be around a 0.1% hit on their year-prior revenue, and that probably wouldnt even make their earnings call if it was another type of cost amortized over the period, Barratt says.
He adds that MGMs 10-day recovery time stacks up well against other organizations, in his experience.
While it seems to have dragged on, Ive seen incidents take upwards of a year to get fully resolved, and 10 days is not a terrible response for an organization with the complexity the MGM inevitably has, Barratt adds.
Cybersecurity hygiene, system architecture, tools, and available talent pool aside, SANS Institutes Lee points out incident recovery is ultimately about as predictable as a pull on a slot machine.
Just because Caesars recovered better might not have anything to do with the ransom payment, Lee adds. You cannot judge success based on the outcome — they just might have been, using a Vegas term, luckier.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
MGM, Caesars Cyberattack Responses Required Brutal Choices