167. IR You Feeling Lucky?
Here are a few highlights from each article we discussed:
- Both MGM and Caesars systems are back online after tens of millions in losses following an attack by the same threat actor
- Just starting with the basics, what happened?
- This was a pretty big take by these actors who were able to come away with a multi-million dollar ransom payment (from Caesars)
- Involved several of the things we all worry about, such as authentication bypass with some AI thrown in – all the hallmarks of modern concerns
- Able to disrupt operations for a number of days
- The casinos in Vegas, in general, have very good security and it would be easy to say they don’t do this job very well, but that would be a mistake
- All the major casinos and probably even minor ones are getting hammered all the time with access attempts, so it’s a big deal two of the biggest ones got hit at the same time
- What do we know about this group?
- Scattered Spider has a variety of different names: UNC-3944, Scattered Swine, and Muddled Libra
- Financially motivated threat actor group that’s relatively new
- Been active since May of 2022
- They have targeted a variety of different organizations, but it’s all financially motivated
- Early attacks were aimed at telecom organizations, but aside from casinos, they show interest in critical infrastructure
- They’re really good at social engineering
- They’re also good at impersonating IT personnel to gain unauthorized access
- Sadly, they’re racking up some wins
- Are they naturally gifted with social engineering skills given their young ages, or do they practice and educate themselves to get good at it?
- We’ve talked before that the underground economy mirrors above ground. It’s possible that this group is really good at psychology and studies it, but we can’t know for sure
- One of the things that has been pointed out is the youthfulness of those in Scattered Spider, and they seem to be recruiting teens – there’s not a lot else known about the group yet, but that will likely come later – we’re not seeing it so far though
- Caesars paid the $15 million ransom, and MGM refused. What are the pros and cons of paying vs. not paying?
- You could do a case study, and we’re sure someone will, about the contrasting responses between MGM and Caesars to this problem
- It’s fascinating because it’s happening at the same time with the same threat group
- Much of the security posture of these two organizations is probably similar, but the responses were different, as was how they got themselves back on their feet – the debate will rage on forever
- The pro that Caesars would point to is that they got back up and running faster and in the long run for Caesars, $15 million is a minor cost
- BUT there is the big picture consideration MGM weighed. Paying encourages more ransomware and reinforces that the business model works, and you’re giving money to terrible people – all cons of paying the ransom
- We also know that paying the ransom doesn’t guarantee getting your data back or getting back up and running. In this case, it did work, but it’s not always guaranteed
- This debate will never be formally settled
- We’ve seen legislation that makes it illegal to pay threat actors
- Fundamentally, this is a dilemma, and Tim says he’s glad he doesn’t have to make that call
- Ian will ivory tower it – he is not in favor of paying the ransom
- He’s in favor of federal legislation making it illegal to pay the ransom
- If you’re handing tens of thousands of dollars to these actors to fund further activities, that’s a moral and ethical dilemma – he says this as an operational person and knows the sweat and stress that comes from one service being down, but he thinks paying the ransom for only the possibility of getting up and running quicker is no deal at all. He’d rather have the money go to a Mandiant or another incident responder and have them pull it in. Tim can’t fault that position – he hates seeing the ransom get paid, but again, is really glad it’s not he who has to make the decision
- The hardest hypothetical for Tim in this scenario is a hospital setting – if lives are at stake, that’s the hardest decision to make, but he’s equally in favor of legislation to make it illegal to pay ransoms
- Cisco acquires the analytics and security company Splunk for $28 billion – that’s billion with a B
- Has this been a rumor that this has been in the works for a while?
- In February, the Wall Street Journal reported that Cisco made a takeover offer of more than 20 billion dollars, though there were denials that the companies were in active talks at the time.
- It’s also worth noting that the mergers and acquisitions market looked a LOT different in February than it does now – borrowing costs have shot up, so M&A financing is a lot more difficult 7 months on
- But at the time, reporting also noted Cisco had a market value of $230 billion and more than $20 billion on hand in cash and short-term investments, so a little less painful for them than for most
- What’s the major benefit of a company like Cisco acquiring Splunk?
- On the financial strategy side, Cisco’s sales primarily center around hardware: switches, security appliances, similar rigs, and subscriptions related to those. They’ve repeatedly evidenced a desire to shift revenue streams more toward software and enlarge the subscription portion so their annual recurring revenue looks good
- On the security side, this is another chess move in the Security Platform Wars we see play out in the infosec M&A field. Splunk is easily the biggest and best game in town when it comes to security and log observability and sense-making. Combining that with Cisco’s networking chops, especially providing some native out-of-the-box functionality with their products in an age when corporate VPN services are a particular target for compromise, is a natural win. Same with the idea of network intrusion detection, which is a big part of those aforementioned platform wars
- And at the risk of sounding like Ian’s selling something, both companies should keep in mind that there are multiple threat actors specifically targeting the mergers & acquisitions space these days, so they’d better stay frosty. He’s got a long-running project using DomainTools Iris to watch both sides of some emerging M&A actions and boy howdy does the water get murky quick
- The article we’re referencing from Spiceworks mentioned that Cisco investors were not happy with the deal
- The price announced is definitely a premium – it’s a little surprising Cisco is pushing through with a $28 billion deal in the current environment, and given that Splunk has – sort of astonishingly – had some earnings misses over a few years, Cisco shareholders are probably worried the price is too high and the financing too onerous
- But it’s a huge, bold move around platform ownership at a time when most other companies don’t think they can afford huge, bold moves. And it’s for a company with a great, dominant product. So Ian’s on the fence about that one
- This is just speculation, but how will this impact .conf?
- Ian’s guess is that scale and scope will change, first of all. Splunk’s .conf is about one quarter to one third the size of Cisco Live. It’s also probably easy to guess that Cisco integrations and related sessions will take a more prominent role
This Week’s Hoodie/Goodie Scale
To Pay the Ransom, Or Not Pay the Ransom
[Ian]: 8/10 Hoodies
[Tim]: 7/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!