SIN CITY CYBERATTACK | Inside MGM Casino's $100M Hack

They're not freedom fighters. They're terrorists. And the same as hackers. You're doing something. You think that it's okay, but on the other hand, you're making so many people miserable.

Welcome to The CISO Signal, the true cyber crime podcast. I'm Jeremy Ladner.

Before we dive into episode five today, I just wanted to take a quick moment to thank all of you for listening. When I started the show a few months ago, it was just me writing, recording, and editing without knowing if anyone would ever listen to the show. So the response has been phenomenal, with thousands of you tuning in and a bunch of you even taking the time to send me personal messages about how much you're enjoying the podcast. So please keep the feedback and topic ideas coming. I love hearing from all of you, and if you haven't yet, please be sure to subscribe to the channel and follow us on LinkedIn.

Now for episode five: Breaching Sin City.
Welcome to Las Vegas. A mirage in the desert, built on sand and the fragile currency of hope. It sells an illusion of perfect control, of odds meticulously calculated, and of a house that always wins in the end. Every spin of the wheel, every shuffle of the deck, every dollar exchanged under the lurid glow of neon, all of it governed by systems both seen and unseen. The casinos here don't gamble. They calculate, and they win until the day that they don't.

In September of 2023, a digital bluff called their hand and the house lost. This wasn't an attack of code and malware, but a siege of whispers and misplaced trust. The perpetrators didn't break down the doors. They used a phone call and an unsuspecting employee to open them.

Joining us on this investigation is our seasoned CISO co-host Paz Shwartz, CEO of Persist Security and a veteran of cyber defense. Welcome to the podcast. Can you tell us a little bit about yourself?

I have 25 years of experience with IT and cybersecurity, both defensive and offensive. I don't think there is a system that I never touched or saw or tried to find out what makes it ‘tick’ or what makes it run. So this is me.

Excellent. Good to have you with us. Now it's time to roll the dice and begin the investigation.

We are in the midst of a ceaseless war. Not of bombs or bullets, but of breaches, firewalls and silent incursions. The targets: our borders, our banks, our commerce, and the critical infrastructure that underpins a free civilization. The enemy is cloaked in code, fueled by greed, glory, and a desire for chaos. This is the story of the unseen protectors, the nameless generals, the CISOs, chief information security officers. They are the guardians at the gate, the watchers on the wall. Ever vigilant and always listening for The CISO Signal.
So this breach is interesting for lots of reasons. And at the top of that list, we get a real-world, real-time comparison between MGM Resorts and Casinos and Caesars, which were both attacked at the same time in the same way, likely by the same group of hackers, except that Caesars chooses to pay the ransom and MGM chooses not to pay. As a security leader working alongside the C-suite, the board, and other key stakeholders, there is an almost impossible challenge to balance what's right for the business, what's right for the guests, what's right for the brand, and of course, what is right morally when it comes to paying criminals that are actively in the process of extorting you for ransom. How would you size up or judge the difference between how MGM and Caesars dealt with the situation?

I don't think that you can judge them, even though if you ask me as a person, I will never pay the ransom, because I always think that if you prove once that you are paying, they will try again. On the other hand, I put myself in the same shoes as the Caesars hotel manager or hotel CEO when you have, I don't know, guests that cannot do anything. You need to think for them. And if this will be the easy fix, maybe they took the right call to go for the easy fix and to make sure that the guests will be happy. And then let's go and deep dive into security, see what we can fix, how we can improve our systems.
Act 1: The Call That Killed the Lights

The MGM empire stood as a monument to modern opulence and technical precision, an intricate digital nervous system humming beneath the din of jackpots and cocktail trays: reservation engines, identity providers, surveillance AI, slot machine telemetry, even the keycard access, all of it interwoven and all of it fortified. But on a quiet Sunday in early September of 2023, that machine stuttered. And the trigger? Just a simple voice.

It began as so many intrusions do. Not with a technical breach, but a social one. A group of cybercriminals operating under the ominous alias Scattered Spider had been conducting a surgical reconnaissance. They scraped LinkedIn, mapped organizational charts and studied the human element with the precision of a master poker player. They were preparing a hand, not of code, but of competence.

When the time came, the voice on the other end of the line was calm and impossibly assured. It became the helpdesk. "Hey, I'm locked out of my account!" the voice said. "Can you push me through an Okta reset?" With enough jargon, enough urgency, and a dash of plausible frustration, they convinced an unsuspecting employee to surrender control. A single moment of hesitation could have stopped it, but there was no hesitation.

Within minutes, Scattered Spider was inside the digital walls of MGM. They added their own endpoint to the Okta identity platform, bypassing multi-factor authentication. From that single foothold, their lateral movement was surgical, swift and silent. They accessed internal systems that controlled digital hotel locks, payment processors, and critical back-end infrastructure. According to external researchers, they leveraged privileged access within Azure AD and vSphere environments. In short, they knew exactly where to go and how to blend in.

What followed wasn't noise. It was a suffocating silence. Slot machines went dark. Guests couldn't check in. Room keys deactivated. Restaurant systems froze. The sprawling MGM empire ground to a halt, as if a massive circuit breaker for the entire Las Vegas Strip had been flipped. The company initiated incident response protocols, but the blast radius expanded with devastating speed. Outages persisted. Physical systems required manual override. Hotel staff returned to pen and paper while guests wandered lobbies in analog confusion. And behind the curtain, investigators realized this wasn't a one-off intrusion, it was a full-scale hostage crisis.

Soon, a ransom demand surfaced. The amount was substantial, though undisclosed. MGM refused to pay. Their decision triggered both admiration and agony. By resisting the ransom, they also prolonged the pain. Recovery became a months-long grind. Critical systems had to be painstakingly rebuilt, not just restored... Customers vented. Revenue evaporated, and the company projected losses exceeding $100 million.

All of it stemmed from a single act of persuasion. No exotic malware, no zero-day exploit. Just a phone call. The attackers had exploited the most human part of the infrastructure: trust. The helpdesk employee had no malicious intent, but under pressure, with the right cues, they made the wrong call. And in so doing, they opened the gates to one of the most impactful breaches in hospitality history.
So this attack has this cinematic Ocean's 11 heist element to it, which makes it entertaining to talk about, for sure. But obviously, if you're the CISO responsible for MGM, you're not laughing and shoveling popcorn into your mouth, imagining George Clooney or Julia Roberts waltzing through your casino. There's some very real-world ramifications of this from a security perspective, and that is immense. And that has got to be terrifying. If you're sitting in that chair, what's the one part of this cyber attack that you just can't stop thinking about or playing over in your mind?

Not verifying the request that was made. If somebody called me and asked me to reset the password... You know, it's different because we are a small organization, a smaller country, and it's easier to control these things. There has to be a different way to verify that you're talking with the right guy. Now, there are so many techniques, like spoofing from a different number and backing it up with a text message or email. And you know, every cyber event needs to be thought back through. If you're thinking this one back, you'd say, how come the CISO of this organization didn't give any clearer directive on how to verify somebody over the phone? If you assume that you're talking with somebody, you need to make sure that you're talking with the right guy. So if you're calling me and say, "Listen, Guy, I'm talking from the IT, I have this problem, blah, blah, blah. I need you to reset..." I'm sorry. Who are you? Where are you calling from? And all this standard verification is the problem itself, because it's all information that is available outside. You can find it in LinkedIn. You can find it in any OSINT trip that you take. You can find who is he reporting to, what is his phone number, where does he live, where is his office. And this is something that reduces the level of stress when you're calling the victim, because he thinks that you know him. This is one of the things that the CISO was supposed to know, that this is public information. You can find it all over the place. You need to have a different mechanism for how you verify if you're talking with the right person.

So it seems to be more and more common in high-profile cyber attacks that hackers try to cloak their crimes in some sort of noble Robin Hood type of claim, like the casinos are not playing fair. So we, as the great global citizens that we are, are going to rob from the rich to teach them a lesson. And they are the evil capitalists and we are the activists fighting the good fight. What's your take on that?

Come on, they're hackers. And if there is one thing that I learned in my many years of experience in this world, hackers don't have a conscience. They don't really have a conscience. If they had a conscience, they would never do this, because you cannot say, okay, we did it because of the MGM corporate and the casinos and the stocks and whatever. But eventually you're hurting the old lady in the wheelchair that's trying to get into the room because she needs her medicine. So you cannot manipulate us like this. It's like saying about terrorists that they are freedom fighters. They're not freedom fighters, they're terrorists. And the same with hackers. You are doing something. You think that it's okay, but on the other hand, you're making so many people miserable.
Act 2: The Gamble

Welcome to the inner sanctum of the breach. The smoke-filled back room where reputations were wagered and a digital empire was rolled by the faceless, voice-cloned ghosts of Scattered Spider. In the weeks before the attack, MGM's cybersecurity posture was a fortress of silicon and code. Firewalls stood sentry. Endpoint protection hummed like a low-frequency choir. SIEM dashboards glowed like neon prophets, predicting everything but what mattered most. The illusion of control was almost perfect, and yet what unraveled them was not a sophisticated zero-day. It was something older, simpler, more human. It was misplaced trust, abused, manipulated and imitated.

It began with a phone call, or perhaps several. The precise number remains uncertain, shrouded in NDAs and the silence of legal documents. But what is widely reported is this: Scattered Spider, an adversary group whose members are reportedly so young they're still mastering algebra and driver's ed, used social engineering to impersonate MGM employees. Their target was the helpdesk, the often overlooked portal into the heart of any enterprise. From there, it was a swift, surgical campaign of lateral movement, privilege escalation, and credential theft. Administrative credentials became skeleton keys to the kingdom.

The method was a hauntingly modern take on an old crime: ‘vishing’, or voice phishing, with a terrifying twist. In some accounts, they were not just impersonating but imitating, leveraging AI-assisted voice clones. They took the digital ghosts of real employees and used them as an unknowing accomplice.

The result was a symphony of silence. Slot machines were dark. Hotel room doors stopped responding. Point-of-sale terminals stalled like rigged roulette wheels. Digital check-ins collapsed. Guests queued in a state of analog confusion. An empire of entertainment reduced to static and unsettling quiet.

Across Las Vegas Boulevard, a different hand was being played. Caesars Entertainment was breached at nearly the same moment, likely by the same group, but Caesars chose a quieter path. Allegedly, they paid the ransom, a reported $15 million. Their systems barely flinched, their guests barely noticed, and their shareholders remained calm. MGM, by contrast, refused to pay. Was it pride? Corporate policy? Or maybe a calculated risk? The motivations remain speculative, but the outcome was not. Analysts estimate MGM's losses reached $100 million, not just from systems downtime, but from the trust eroded, the brand damaged, and the relentless stream of questions.

And yet, for all the headlines and shareholder angst, the most chilling image may be this... a casino floor gone dark. No bells, no whirrs, no whistles and no winners. Just a silence that screamed of loss. In the end, the most valuable chip in the digital casino is not data, but the human element. And in this particular game, it was always in play.
We love making this podcast, and we really hope that shows in the care and quality that we invest in it, and we would really appreciate it if you could take a moment to like and share it with your fellow security professionals, as well as dropping us a comment letting us know what stories and guests you'd like to have on the podcast in future episodes. Now back to the story.
So what is your biggest fear when you see a breach like this?

What kind of damage can they do with what they already got? Okay, so let's say that they got into reception and they know the names and addresses and signatures of all the guests that were in this hotel. And G-d forbid, the credit card of somebody else, if they're not using PCI as a proxy. What kind of damage can this cause? Now, keep in mind, this was two years ago. Maybe they still have some kind of information and they didn't release it yet. Let me throw you back to the breach where later on they discovered that they have so many hashed passwords and everything else. So once they are in, you don't know where it will end. The fear is that they will take something that I already have and they will try to manipulate later on.

Okay, so let's examine the breakdown with the helpdesk a little bit closer. I want you to imagine that MGM calls you in as an expert to train and advise their in-house team after the attack. Where would you focus your attention? Are we talking about helpdesk processes, company culture and cyber threat awareness, maybe some more advanced threat training? Or some combination of all?

...It's a combination of all. It's a combination of all. First, I think that any kind of major corporation needs to train for social engineering. Now, I know that today's training is different than what we used to have. And maybe in IT you say let's go back to basics. And I think basics are good. Let's leave all the technology and phishing campaigns and whatever, because it's not going to work like this. In today's world it's going to be a combination of several things. For example, in Persist we're doing phishing campaigns, but we are doing the phishing campaign after we give our clients the milestones to know what a social engineering attack is. We are sitting with them for two hours, showing them how we can break into this phone, and how I can manipulate them from the personal side, from their personal phone, to do something to help me to get into the company. So this is one of the basic steps to do the training and to do the training well.

The second thing is to find some kind of a mechanism that will give the helpdesk or the support the option to 100% recognize who they're talking with. If it's an employee number, that's supposed to be classified. If it's a token or any kind of a system that will give them the option to verify that they're talking with the right person. Even today, when we are spoofing phone numbers and we are calling somebody and we present a different number on the phone where we are calling, if you call back... Even today, there is a way that I can manipulate this... ‘follow me’ or other things that can throw him back to me. So you need something else. You need something like maybe a personal key. You know, it's all coming back to basics. Personal key. Even think about it. Even Microsoft ‘passwordless.’ It's not ‘passwordless’. It's a physical key. So we're all going back to basics. If you have something that is running, don't try to change it. So this is exactly this. Find a way to identify the person. If it's a physical key, if it's an employee number or something, this cannot be public. And when you're training them and say, okay, this is your badge and you have your number in here, you cannot post it online. You cannot give it to anybody else. It's like your Social Security. And this will help you to identify who you're talking with.
Act 3: Cashing Out

The breach was public, the damage visible, but the most devastating effects were the ones no sensor could detect. The fear, the uncertainty, and the slow, creeping erosion of confidence. For MGM Resorts, the aftermath wasn't a sprint, it was a staggered crawl through reputational quicksand. Headlines rolled out in waves, each more damning than the last. Systems down, customer data compromised, casino floor frozen. Social media was a digital theater of the absurd, with videos of slot machines looping error messages and frustrated guests waiting in unmoving lines. The digital magic of Vegas turned suddenly, brutally analog, but beneath the hashtags lay a deeper truth.

The breach was a blueprint, a proof of concept, a flashing neon sign to every criminal group with a laptop and a grudge that this was how it could be done. Social engineering wasn't just alive, it was thriving. The human layer of defense, long considered the weakest link, had once again proven its fragility. The attackers didn't need zero-days or elite malware. They needed voices, convincing ones. With a few phone calls, a handful of details and a well-practiced script, they broke through. Because someone on the other end believed them. In the postmortem, that detail was more chilling than any technical vector. It worked because it was simple.

And so the real fallout wasn't just financial, though that too was staggering. MGM's Q3 earnings took a hit. Analysts' forecasts. Cybersecurity insurance premiums climbed. And lawsuits loomed. Class actions were filed alleging negligence in safeguarding customer data, and the SEC came knocking. Shareholders demanded answers, regulators probed, and every boardroom conversation now had a new elephant at the table, asking questions like how do we make sure we're not next?

Meanwhile, in quiet corners of the internet, Scattered Spider basked in infamy. Forums and Telegram groups whispered their name with a reverence usually reserved for mythological figures. These were no longer mere teenagers, they were cyber folk heroes. Symbols of audacity in a world governed by trust and guarded by call centers.

Caesars, who had chosen the ransom route, remained largely unscathed, at least publicly, but that route carried its own moral hazard. Pay once and you may be targeted again. The message, however unspoken, was received. Sometimes the cost of silence is lower than the cost of resistance.

And what of the public? They watched from their phones, unsure where to place their anger. At the hackers? At the corporations? Or perhaps at the creeping realization that no system, no matter how sophisticated, is truly safe? What once felt like isolated incidents now feels like an unending tide washing up against the digital shores of daily life.

This wasn't just a breach, it was a high-stakes hand, and MGM was the unsuspecting mark. The attacker didn't play the game. They played the player. And when the chips fell, the house didn't just take a hit. It teetered on the edge of the abyss.
Okay, let's stick with the helpdesk for a second here. Do you think that most organizations are still underestimating the level of potential threat that their helpdesk represents?

Yes. It's like a supply chain attack. You know, I saw a graph about the person that is more, let's say, they have more chance that somebody will do social engineering on them in a corporation. And this would start with the CEO, then the Finance and then the IT. And if you think about it, the CEO... it's because he's taking the decision. He can say what to do. The Finance, they're holding the money and the key to the money. And IT, they're holding the key to everything. This is why they are the most targeted people in an organization when it's social engineering. So the CISO is supposed to know this and to make sure that you will give the right training to them. It doesn't have to be, by the way, spoofing or vishing; it can be a deepfake in a video call. Give them the tools to make sure that they can confront it.

Do you remember the moment you first heard about the MGM breach? What was your initial reaction or takeaway as a CISO?

If there is a doubt, there is no doubt. And this is something that I was sitting and thinking: how come it was so easy to go over the security mechanism that they put? And how come they didn't think about if somebody will try to impersonate somebody else? I even remember back then when I was leading IT and we had a contractor or something else. This is pre two-factor authentication, pre-MFA and these kinds of things. I always had a certain password between the company that I work for and the vendor that I'm working with, so that nobody could impersonate somebody else. And I was amazed how big an effect they had. Let's say that they already hacked MGM. Okay, they will try to go to the finance, they will try to go to the file server. But they didn't. They stopped the operation of this hotel, this resort. And it's all because of one stupid phone call. Nobody even checked what this guy wants and why he's calling and thought about, maybe let me call him back. Let me try to call the IT support from the number that I know. And we as a company, even in Persist, we are experts in social engineering, and there are so many ways this can be, by vishing or a phone call or text messages or anything else. And most of the time it's even combining several different tactics. So I will call and then I will text, or somebody else will. But the major rule is always: if you have a doubt, call them back. If you're getting this in a text message, close the text message, open the app, or call the person... Or... and you know, as we go downstream it's going to be more and more difficult because today we have AI and we have deepfakes and we have other things. So it's very, very challenging.

Paz, thank you so much for the conversation. I really appreciate it. It was great talking to you.

Thank you so much.
And now our conclusion.

Winners & Losers

When a city built on deception falls for a lie, the irony writes itself. But the truth behind the MGM breach isn't poetic. It's procedural, because breaches rarely begin with alarms. They don't announce themselves with blinking red lights or cinematic break-ins. They start quietly, with overlooked policies, with rushed training, with a culture that trusts too much, too quickly. And when the con lands, what matters most isn't what you've built, but how you behave.

MGM responded with urgency. They isolated systems, called in experts, and owned their failure in public view. They didn't pay the ransom. They took the hit. Financially. Operationally. And reputationally. Their choice became a statement... for better or worse.

Caesars responded differently. They moved quietly, paid swiftly, and resumed operations without public spectacle. Their choice became a blueprint, for better or for worse.

These are not good versus evil decisions. They're risk matrices rendered in real time, and in a world where attackers move faster than policies evolve, both responses reveal something uncomfortable. Even the most mature organizations are vulnerable not just to breaches, but to indecision.

For CISOs, the question is no longer if the breach comes, it's what kind of breach narrative are we prepared to author? Will it be one of delay, damage, and denial, or of poise, precision and recovery? Because in the end, cybersecurity isn't a department. It's a discipline. It's the instinct to ask twice and to verify once more, to slow the chain of trust just long enough to see what's hiding in its links.

And maybe that's the uncomfortable legacy of what happened in Vegas. Not the outage, not the ransom, but the stark reminder that we aren't just defending networks. We're defending decisions. Decisions made by people with passwords, by teams with priorities, and by businesses with everything to lose. And all it takes is one voice. Not shouting, not hacking, just asking politely. And so we must remain vigilant and always listening for The CISO Signal.
All episodes are based on publicly available reports, post-mortems and expert analysis. While we've done our best to ensure accuracy, some cybersecurity incidents evolve over time and not all details have been confirmed. Our goal is to inform and entertain, not to assign blame. Where facts are unclear, we've used cautionary language and we always welcome your corrections.

Thanks for listening to The CISO Signal.