
Knowing Your Risk Surface: A Risk-Focused Approach to Incident Response

Focusing on what you stand to lose drives everything in managing cyber risk.

by Laura Hiserodt, Staff Writer

After decades of more damaging and less predictable cyber attacks, modern cybersecurity practitioners have recognized the critical need to incorporate more risk-based approaches into their planning efforts. However, despite the continuing advances within the cybersecurity field, analytics firms are noting record years for cybercriminals and breaches against some of the most well-defended organizations in the world.

So, what are we doing wrong?

While controls and audit-based approaches have moved the needle forward, even large corporations struggle to manage the complexities of cyber, especially at a time when highly motivated adversaries, complex digital supply chains, and new advances in AI can challenge even the most well-resourced security program.

If forecasts for cyber risk are accurate, losses will continue to grow as digital transformation initiatives also grow. A grounded approach to security should anticipate and prepare for limiting losses, not trying to stop them completely. This means identifying plausible loss scenarios that could impact the company’s ability to deliver value and then focusing security investments on reducing the probability of these kinds of incidents. This is how organizations identify their tolerance for loss, which is a core foundation of a risk-focused approach. 

A Risk-Focused Approach in Action: MGM and Caesars 

Rather than focusing on the total implementation of a framework or control set, organizations must focus on what is required to continually deliver value to their clients without interruption. This approach is risk-focused rather than controls-first and is fundamental to the value-driven risk management strategy that we call Cyber Resilience.

Cyber Resilience tolerates losses – within limits

This is different from implicit security principles, which seek loss elimination as an end goal. A value-driven risk management strategy requires the CFO, CRO, and CISO to determine what the business can stand to lose. When Caesars Entertainment experienced a data breach in the Fall of 2023, threat actors compromised the personal identifying information of an unknown number of rewards program members. The hackers allegedly demanded a $30 million ransom, of which Caesars purportedly paid half. 

As a counterpart, MGM Resorts was hit with a subsequent data breach and opted not to make a ransom payment. The result was an attack that shut down all of the systems at a dozen of Las Vegas’ most prominent casinos for ten days, with issues including cash-only transactions, downed ATMs and gaming machines, digital key cards not working, and more. To resolve the incident, MGM spent around $10 million on legal and consulting services. However, the impact on their business while the attack persisted led to a $100 million loss in third-quarter revenue.

Both organizations took a risk-focused approach to managing the incident: they looked at their value at risk and treated the decision to pay as a business decision that would affect their ability to deliver value. While it is impossible to know what was going through MGM’s and Caesars’ business leaders’ minds during the incident, they were almost undoubtedly making quick calculations to quantify their value at risk, the cost-benefit of paying vs. not paying a ransom, and which scenario fell within their risk tolerance.

Two Approaches to Risk-Focused Incident Response 

It must be noted that no ransom event is the same: Caesars was notified of ransom demands earlier in the incident cycle than MGM, which most likely influenced MGM’s decision to withhold payment. However, for this exercise, reviewing the fundamental differences between their incident response tactics can teach the general cyber community a lot about calculating, managing, and anticipating losses to their organization’s overall risk surface. 

Caesars opted to pay the ransom after negotiation. They likely calculated the business impact of a downed system and determined that paying a portion of the ransom would lead to the least amount of losses. In this case, they were fortunate; their customer-facing systems were not impacted, and client data was not leaked online.

MGM took a different approach and resisted ransom payment. As a result, their third-quarter finances took a considerable blow. However, with a total revenue of $15.38 billion, $100 million in loss is a drop in the bucket. This amount was probably within their loss tolerance, and the choice not to pay the ransom likely stemmed from confidence in their incident response capabilities, an understanding of their value at risk, and a risk-focused approach to loss that anticipated an incident like this. 

Neither reaction, making the ransom payment or resisting, is wrong. Caesars knew that they could reduce business interruption and avoid further losses by making the ransom payment. They calculated the cost of their risk surface and acted to minimize financial loss. MGM did the same; they determined their bottom line could handle the cost of business interruption and leaned on their investments in cybersecurity to restore operations. Both organizations determined how much loss they could accept, and proceeded to make decisions based on that calculation.
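A worked version of the calculation the two cases above describe, added here as an example and not part of the original article: each response option is a set of possible outcomes with a probability and a total loss, the loss tolerance is a share of annual revenue, and options are ranked only among those whose worst case stays inside that tolerance. The MGM figures are the ones reported above; the $15M ransom, the outcome probabilities and the 1% tolerance are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Outcome:
    label: str
    probability: float  # chance this outcome follows the decision; a decision's outcomes sum to 1
    loss_usd: float     # total loss if it happens: ransom + response + business interruption

def expected_loss(outcomes):
    """Probability-weighted loss for one decision; rejects a distribution that does not sum to 1."""
    total = sum(o.probability for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"outcome probabilities sum to {total}, not 1")
    return sum(o.probability * o.loss_usd for o in outcomes)

def worst_case_loss(outcomes):
    return max(o.loss_usd for o in outcomes)
def loss_tolerance(annual_revenue_usd, fraction):
    """Tolerance expressed as a share of annual revenue; the fraction is a business choice."""
    return annual_revenue_usd * fraction

def assess(options, tolerance_usd):
    """Per decision: expected loss, worst case, and whether the worst case stays within tolerance."""
    return {name: {"expected": expected_loss(outs),
                   "worst_case": worst_case_loss(outs),
                   "within_tolerance": worst_case_loss(outs) <= tolerance_usd}
            for name, outs in options.items()}

def rank_within_tolerance(options, tolerance_usd):
    """Decisions whose worst case fits the tolerance, lowest expected loss first."""
    report = assess(options, tolerance_usd)
    ok = [n for n, r in report.items() if r["within_tolerance"]]
    return sorted(ok, key=lambda n: report[n]["expected"])

M = 1_000_000
# Constructed scenario built on the figures the article reports for MGM ($10M response cost,
# $100M lost revenue, $15.38B annual revenue). The $15M ransom (half of a $30M demand, as in
# the Caesars case), the probabilities and the 1% tolerance are assumptions for illustration.
MGM_OPTIONS = {
    "resist": [Outcome("ten-day interruption, recover in house", 1.0, 10 * M + 100 * M)],
    "pay": [Outcome("ransom paid, systems restored quickly", 0.7, 15 * M + 10 * M),
            Outcome("ransom paid, interruption persists anyway", 0.3, 15 * M + 10 * M + 100 * M)],
}
MGM_TOLERANCE = loss_tolerance(15_380 * M, 0.01)

if __name__ == "__main__":
    for name, r in assess(MGM_OPTIONS, MGM_TOLERANCE).items():
        print(f"{name:6s} expected ${r['expected'] / M:6.1f}M  worst ${r['worst_case'] / M:6.1f}M  "
              f"within tolerance: {r['within_tolerance']}")
```

Lowering the tolerance fraction shows the other half of the article's point: once no option's worst case fits, the decision is no longer a comparison of expected losses but a question of which loss the business can survive.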

A Cyber Resilient Objective 

While calculating how much loss you can accept may feel counterintuitive to the objective of resilience, it is critical for organizations to understand what they can afford to lose. Most cyber incidents cost something, and whether that is paid in the form of incident response, a ransom, business interruption, or reputational damage, the true and probable costs of cyber risk must be anticipated. 

A grounded approach to security should expect and plan for reducing losses, not trying to stop them completely. This means identifying plausible losses that will severely impact a company’s ability to deliver value to its clients and then focusing on reducing the probability of incidents that can cause them. This focus on being resilient to material losses, instead of any loss, is the core objective of Cyber Resilience.
