Head in the Sands: One Year After the Sands Casino Data Breach
On February 10, 2014, Sands Casino properties, which owns the Venetian and Palazzo in Las Vegas, among many other global properties, fell victim to a devastating Iranian hacktivist attack. According to reports, hackers used a basic malware script along with stolen user credentials to corrupt thousands of servers, rendering hard drives unreadable. One year later, similar attacks continue to happen, and it appears we’ve learned nothing from the Sands Casino breach and others like it. What these activities underscore is the need to look beyond point-of-intrusion solutions and focus on where the attack surface exists today – on the network itself – by applying user behavior intelligence to correlate suspicious actions across the entire attack chain.
User behavior intelligence solutions deliver three key benefits:
- By using data from existing security information and event management (SIEM) or log repositories, user behavior intelligence solutions can detect subtle anomalies in user behavior that indicate if employee credentials may have been compromised.
- In performing Stateful User Tracking™ and user session assembly, user behavior intelligence can piece together attacker activity, from the systems they access to identity switches to IP address changes.
- Taking a page from the credit fraud paradigm, user behavior intelligence enables a tier-one analyst to call a user and question them about whether recent behavior was a result of their actions or if their credentials have been compromised.
Based on what’s known about the Sands Casino attack, we can see how user behavior intelligence could have assisted the Sands security team. As is the case with many hacking events, investigators were only able to reconstruct attacker movement after the attack happened by sifting through computer logs. This means the evidence that indicated an attacker was inside the network was already present within the log data; however, these alerts were missed (or ignored) because there was no correlation between behaviors.
After mapping the attack, investigators pinpointed ground zero: Sands Bethlehem in Bethlehem, Penn., where hackers first attempted to break into a virtual private network (VPN) through brute force. This has become a common point of entry for attackers, as it’s easy for them to slip past initial security defenses using stolen valid credentials. Fortunately, it seems a security point solution or SIEM detected the sudden surge in failed login attempts. The security response team in Las Vegas had seen this numerous times and treated it as routine by adding another layer of security protection to the accounts being attacked. While this was an appropriate response, attackers bypassed those additional protections by finding an unprotected development server, which on February 1, 2014 became the initial point of compromise.
For the next nine days, hackers used a free downloadable tool called Mimikatz to reveal user names and passwords that had been used to access system resources. Their objective was to identify a credentialed user who had access rights beyond Sands Bethlehem, and they hit the jackpot when they eventually found the credentials of a senior computer systems engineer who had visited the Bethlehem location from corporate headquarters in Las Vegas. Using various stolen credentials, attackers switched identities and escalated privileges to maneuver throughout the IT environment, acting in ways that were wildly different from the normal behavior of the users the hackers were impersonating. But without user behavior intelligence, there was no way for security response teams to identify these activities as abnormal and follow the attackers’ activities across the entire attack chain. Finally, on February 10, 2014, hackers unleashed the malware that ultimately decimated Sands servers in Las Vegas.
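The session assembly and baseline comparison described above, as an added example (not Exabeam’s or Sands’ own code), run over constructed log events: a failed-login surge, a dev-server login, an identity switch to a travelling engineer’s account, and a cross-site access. Event fields, account names, sites and the baseline are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real Sands logs): brute force against the VPN,
# then a dev-server session that switches identity and reaches another site.
EVENTS = [
    {"ts": 1, "type": "login_fail", "user": "alice", "src": "203.0.113.7", "host": "vpn1", "site": "bethlehem"},
    {"ts": 2, "type": "login_fail", "user": "bob", "src": "203.0.113.7", "host": "vpn1", "site": "bethlehem"},
    {"ts": 3, "type": "login_fail", "user": "carol", "src": "203.0.113.7", "host": "vpn1", "site": "bethlehem"},
    {"ts": 4, "type": "login_ok", "user": "svc_dev", "src": "203.0.113.7", "host": "dev01", "site": "bethlehem"},
    {"ts": 5, "type": "switch", "user": "svc_dev", "new_user": "eng_senior", "src": "203.0.113.7", "host": "dev01", "site": "bethlehem"},
    {"ts": 6, "type": "access", "user": "eng_senior", "src": "203.0.113.7", "host": "fs-lv", "site": "lasvegas"},
    {"ts": 7, "type": "login_ok", "user": "dave", "src": "198.51.100.9", "host": "hr01", "site": "bethlehem"},
]

# Constructed baseline: the sites each account normally touches.
BASELINE = {"svc_dev": {"bethlehem"}, "eng_senior": {"lasvegas"}, "dave": {"bethlehem"}}


def assemble_sessions(events):
    """Stitch events into one session per source address, following identity switches."""
    sessions = defaultdict(lambda: {"identities": [], "sites": set(), "fails": 0})
    for e in sorted(events, key=lambda e: e["ts"]):
        s = sessions[e["src"]]
        if e["type"] == "login_fail":
            s["fails"] += 1
            continue
        if not s["identities"]:
            s["identities"].append(e["user"])   # identity that opened the session
        if e["type"] == "switch":
            s["identities"].append(e["new_user"])  # identity chain, in order
        s["sites"].add(e["site"])
    return dict(sessions)


def detect(sessions, baseline, fail_threshold=3):
    """Alerts: failed-login surge, identity chain, and sites outside the
    ORIGINAL identity's baseline (judged per switched identity the access looks normal)."""
    alerts = []
    for src, s in sessions.items():
        if s["fails"] >= fail_threshold:
            alerts.append(("brute_force", src, s["fails"]))
        if len(s["identities"]) > 1:
            alerts.append(("identity_switch", src, " -> ".join(s["identities"])))
        first = s["identities"][0] if s["identities"] else None
        if first and not s["sites"] <= baseline.get(first, set()):
            alerts.append(("out_of_baseline", src, first))
    return alerts


if __name__ == "__main__":
    for alert in detect(assemble_sessions(EVENTS), BASELINE):
        print(alert)
```

The Las Vegas access by `eng_senior` is within that account’s own baseline; only because the session is attributed to the `svc_dev` identity that opened it does it surface as anomalous.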
The timeline for the Sands attack was quicker than most, yet there were still nine full days where the Las Vegas security team had no visibility into what the attackers were doing. Enterprises need to accept that a determined hacker will eventually breach a target’s network, which requires a change in how security response is approached. Rather than attempting to block hackers at the initial point-of-compromise – the shortest link in the attack chain – Exabeam focuses on what happens after an attacker bypasses initial point of compromise defenses in the middle of the attack chain. User behavior intelligence solutions bring much needed visibility into how credentials are used to enable almost every stage of the attack chain, enabling security teams to determine which network activities are consistent with the owner of the credentials. If the Sands Casino attack has taught us anything, it’s that enterprises shouldn’t bet against the determined hacker. The “house” always loses.