Twin assaults on MGM Resorts and Caesars Entertainment have offered an unusual perspective at what happens when two comparable organisations, under similar attack by the same threat actor, use divergent incident response techniques.
Both parties in this case were the victims of a cyberattack called Scattered Spider /ALPHV. Caesars was able to resume operations very soon after engaging in a fast negotiation with the cyber attackers and paying a $15 million ransom demand.
However, MGM firmly refused to pay and only recently declared that its operations had resumed after more than 10 days of operational downtime at its hotels and casinos, costing the company tens of millions of dollars in lost income.
Although it may be tempting to judge which strategy was superior, experts believe that any direct comparison of the Caesars and MGM responses to the incident is oversimplified.
As an example, Rob T. Lee, chief curriculum director and faculty lead at SANS Institute, emphasises that the fundamental idea behind incident response is to strive to make the "least worst decision." And this is typically a difficult choice with both favourable and unfavourable (some would say harsh) consequences.
He explains, "many business decisions can go into that. Only once an incident is over can you see different paths that could have led to different or at least worse outcomes. There is no 'win' in these situations, only decisions that can prevent it from worsening."
Caesars or MGM: Who was right? It's complex
One of those difficult decisions incident responders are pressed to make under pressure is whether or not to pay a ransom after a hack.
It is commonly known that paying a ransom does not ensure data security or system restoration.
Even worse, it encourages more attacks by establishing a market for these cybercrimes. Business risk decisions, however, don't always boil down to black-and-white choices of right or wrong, and expediency is always a factor.
"Caesars' more rapid recovery post-ransom might give the impression they made a better decision," stated Callie Guenther, senior manager of cyber threat research at Critical Start. "From a business continuity perspective, their decision to pay might seem effective."
The chief security scientist of Delinea and advisory CISO Joseph Carson argues that there are other issues at play. Companies that deliberate over their choices may come to the conclusion that forgoing payment makes more sense.
According to his observations, organisations only have a four-day opportunity to reach a compromise with ransomware threat actors before views on both sides harden. After that, ransomware attackers often lose patience and enterprise security teams tend to grow entrenched in their positions.
Another factor to consider is the cost of recovery. If recovery is unsettling but only costs a few million dollars, it may be a better option than an eight-figure extortion payment, Carson added.
