The recent cyberattack against MGM Resorts grabbed headlines and sent shockwaves across the industry. MGM struggled to get systems back online after widespread outages affected several of its operations including physical access and their core systems. Much of the reporting on the incident focused on how MGM’s best in class security stack was infiltrated by hacker group Scattered Spider leveraging Bring Your Own Vulnerable Driver (BYOVD). BYOVD is a post-exploitation technique. To leverage BYOVD, an attacker must already have access to the user's system. Microsoft has previously blogged about Improving Security with the Microsoft Vulnerable and Malicious Driver Reporting Center, with details about how adversaries are leveraging legitimate drivers and the drivers security vulnerabilities to run malware.
To those of us in the cybersecurity industry, the attack called attention to one of the most important technology domains of identity management to properly understand and manage access and authentication controls which again supports the new axiom of “Identity Is The New Perimeter”. The hack of MGM began with a vishing (voice phishing) breach of the company’s IT help desk. By impersonating employees and requesting access to their accounts over the phone, the attackers were able to sidestep end-user verification and deploy a ransomware attack after gaining administrator rights. Many analysts have become fixated on the idea that MGM could have prevented the incident if only it had been using better “best in class” security without taking a holistic security based zero trust approach.
However, this is inconsistent with the facts. Point Product Security Isn’t the Answer! We have seen major attacks over and over from organizations with a “best in class security stack”. The hackers gained access through social engineering. Simply adding more point products to a growing pile of security solutions is not the answer — and suggests a widespread misunderstanding of the scope, scale and effectiveness of the adversary.
We need to secure data like we physically secure Hospitals. Consider a hospital. Here, the primary asset — the patient — is shielded from threats like infections and unauthorized access. The patient, much like a server in an organization, is the sensitive VIP entity. At the hospital, stringent security checkpoints ensure there’s no direct access to these patients without thorough vetting. Similarly, in a well-secured enterprise, utilizing a platform based zero trust approach, ensures no direct access without rigorous checks.
A modern hospital’s three-step protocol offers a compelling analogy:
Identity verifications: Security personnel meticulously checks your ID or badge, whether you are a patient or employee
Patient scan: This is a check for potential threats, ensuring patients aren’t carrying harmful pathogens that can infect others.
Repeat verification: When patients and visitors move into the hospital areas to or patient zones, they undergo checks, ensuring constant security validation and verification.
This hospital protocol can be translated to the cybersecurity realm:
User Authentication: Using tools known as identity providers and complementing with multifactor authentication or passwordless mechanisms, such as phone verifications or FIDO2 keys ensures users are genuine.
Device Integrity Check: Much like medical scanning and identity checks when entering a hospital, organizations must scan their data transfers between sensitive servers and services to ensure hijacking is not occurring, while providing consistent verification and validation of identity and need for access.
User Integrity Check: Does the user / patient still need their prescribed medication or have their conditions changed? Organizations must implement a Zero Trust approach to their Security Program.
By utilizing modern security architectures, standards, and a platform-based holistic security approach with Microsoft security products such as:
- Microsoft 365 Defender - XDR | Microsoft Security
- Microsoft Purview - Data Protection Solutions | Microsoft Security
- Microsoft Sentinel - Cloud SIEM Solution | Microsoft Security
- Microsoft EntraID- Cloud Identity Solution | Microsoft Security
Hospitals can ensure that their systems are well-protected against cyber threats. The integrated Microsoft security suite offers robust solutions for identity control, XDR, and the leading AI enabled security focused Copilot to supercharge security operations, helping to prevent incidents like the one that affected MGM Resorts and keep themselves cyber-healthy.