For one casino, the protection of their guests, infrastructure, and revenue was their mission. Physical security was implemented, but changes in infrastructure, staff, and technology over the years created uncertainty about the strength of network security and the design of the network architecture. While the casino had experienced minimal issues, an assessment of how their people, processes, and technologies would handle a targeted attack by a concerted threat agent was needed.
The casino engaged Coalfire to perform a complete red team attack. The scope for testing included all physical, social, and logical vectors of attack. Coalfire began the attack by harvesting email addresses of employees from public Internet sources, including social media, press releases, and corporate directories.
Using these email addresses, Coalfire then performed a successful spearphishing attack, gathering a handful of logins and passwords. With these stolen credentials, Coalfire consultants gained access to the internal network via the casino’s VPN. Then, by exploiting vulnerabilities found throughout the network, Coalfire ultimately gained administrator-level access to the environment.
The access gained was not merely technical, and the impact was huge. It was used to access hotel guest information through the reservation systems, and it allowed Coalfire to add points to the consultants’ reward cards that could then be converted to cash. The Coalfire team also gained access to vault and cashier cage computers sufficient to set up a false line of credit and perform wire transfers at will, plus provide complimentary meals and services. Finally, the team demonstrated access – yet stopped short of attacking – the gaming and slot machine networks.
To prevent similar attacks from being carried out by real adversaries, Coalfire provided specific strategic and tactical recommendations that were prioritized and tailored to the environment. Stronger password policies, improved user awareness training, and two-factor authentication were cost-effective recommendations that virtually eliminated the threat posed by external attackers.
Further recommendations also included testing domain and network architecture, developing an incident response plan, and establishing software audit and alert procedures. As a result, they increased the security strength to repel an insider threat and the ability to detect and respond to unknown future attacks.