I have been waiting to write anything on this for a little while. Ultimately everything in here is purely my opinion as an outsider. I think there is always something that can be learned when these things happen, but I do try to be respectful of people since no one is immune from this (no matter how much effort is put forward).
Overall, it seems this started as a Social Engineering attack. It seems as though an external IT vendor was hit, which allowed the group to pivot in. Not a super complex hacking path, but one that turned out to be super effective.
Overall, in any organization, trust is pivotal. It seems as though the way that this happened was by using their Okta instance. Finding an employee with high enough permissions and compromising them through Okta allows for a smooth attack vector. This provides the appropriate authentication pieces to allow someone through. Plus, once you get one person, if you can get into the right systems, you can begin to find more people.
This shows that overall these companies have to put trust in everyone. Trust to be vigilant and trust that there is proper training in the case of external vendors.
Why does any of this matter?
I think it is always important to talk about these. Not to point a finger, but just to understand and to find additional Social Engineering attack vectors. Many of these attacks are not accidents but are planned for months prior. So while we look at what needs to happen immediately, there is also some that we need to review from the time leading up to it.
As annoying as security training is, it is important. It is important to keep updating it and to use breaches like this to better inform these trainings and ensure that they are appropriately up to date.
In the end
In the end, Caesars ended up paying the ransom, whereas MGM took the route of rebuilding everything. Both are options, and I’m still not sure that one is better or worse than the other. Both of them can be justified purely based on a different point of view. I will commend both companies for ensuring that no one ever missed a paycheck. While this was terrible and stressful, they did make sure to take care of their employees.