Report on Security Incident in Gambling Industry

Internet gambling and online crime go hand in hand, internet gambling attracts quite a large number of online criminals who are hungry for easy money. As from March 2018, I have been the Cybersecurity Manager at The Marble Online casino. Since then, we have had to face many different online threats in the casino but not like the latest. Last Monday, we received a cyber extortion email from an online criminal group threatening to take the casino offline using a distributed denial of service (DDoS) attack unless the casino pays them a ransom of 5BTC. When this happened, we alerted the casino’s IT security team so that they were prepared for a possibly impending DDoS attack and then took no further action.

At the time, best European online casinos did not have an existing system in place for the prevention of this kind of attack. Not long after, four days later, on a Friday evening the DDoS attack was launched against the casino’s online resources and for 30 minutes the casino’s website was forced offline. Consequently, casino users were unable to play for 30 minutes as the casino was unavailable for them. Analysis and investigationLater that Monday, we met up as the cybersecurity team and carried out an analysis of the attack. After much investigation, we linked the attack to the same criminal group that sent the extortion email. Threat actors invest large amounts of time into compromising an environment for malicious purposes. We found out that traffic originated from both Australian and overseas IP addresses.

The analysis also showed that this was a volume-based attack which included UDP floods, ICMP floods and other spoofed-packet floods. The UDP floods targeted the website’s UDP (User Datagram Protocol) packets which flooded random ports causing a repeated check for the application listening to that port. Since no application was found in the endless cycle of requests, this process took over the casino’s website resources, consequently causing it to be inaccessible by users. The ICMP floods overwhelmed the casino’s online resources with ping packets without waiting for replies. This consumed the online casino’s bandwidth resulting a slowdown. Volume based attacks such as this saturate the bandwidth of the targeted resource, the casino’s resources in this case. We have received yet another email threatening a much longer attack unless a ransom of 10BTC is paid to the criminal group.

Brief Assessment of the Risk

High risk profile; Having a large online presence and being a well-known established brand, The Marble Casino was most likely higher up on the criminal’s targets list. In this case, the criminals were clearly motivated by financial gains as they demanded a huge ransom. High risk industry; with online gambling, a tiny downtime disrupts services and user experience.

The Marble casino needs to be online and running 24/7 therefore creating a single point of failure where criminal groups can attack. Users of the casino depend on a consistent and reliable online presence of the casino’s webpages. The potential impact on the business include:

Spoiled Reputation

A DDoS attack could lower customer confidence in the casino’s services and online security and will result in overall reputation damage. A study organized by Corero established that the deterioration of customer confidence is the most damaging consequence of DDoS attacks for online businesses today, ranking it at 42%.

Interruption of Services

Volume-based attacks cause outages of an online service and therefore users are unable to access services. DDoS could take over the casino’s online resources leaving none for its intended users. Cybercriminals may use such attacks to disrupt an online business, such as The Marble Casino by flooding its domain with illegitimate traffic.

Financial Losses

A DDoS attack can cause online businesses to sweat. A casino could loose quite an amount of income when its online services are disrupted, even for a short period of time. Furthermore, a deterioration of customer confidence in the casino due to the attack could make them move to play at the casino’s competitors. This way, the casino’s market share reduces and consequently its profits drops. Steps for the impending DDOS attacka)

Containment

Perform modifications to the casino’s network to contain the attack. Some of the possible network modifications to perform include:

• Distributing the attack traffic
• Shifting to alternative sites or networks using DNS (Domain Name Server)
• Routing traffic targeted on the casino’s services
• Using caching/proxying
• Ending unwanted processes and connections to casino’s servers and routers
• Allowing other communication channels (VPN
• Controlling packet delivery based on session and user details.

Eradication

To do away with future DDoS attacks to the casino, implement Bandwidth blocking and prioritization such as denying connections to the site based on the geographic information, IP and traffic signatures. Implementing traffic scrubbing; Using dedicated devices on the casino’s online resources with high-performing hardware that can support scrubbing algorithms. Place limits on the traffic amount, traffic priority on individual packet types, minimum and maximum burst size. Cyber sinkholing; which involves redirecting traffic (spoofed traffic in this case) from its intended destination to a server of choice so as to reduce unwanted requests to the casino’s web services.

Recovery

Normal state verification:

• Ensuring that the impacted online services can be operational again and that the performance of the infrastructure is back to the baseline
• Verifying that traffic is normal, with no sharp increases. Let some time pass since last attack before the traffic flow is considered normal again.
• Ensuring that there are no collateral damages, handle if any, and plan for the future.
• Rollback; Initiating all suspended services and applications. Launching any mitigation measures and announcing the end of the incident to relevant stakeholders.
• Revert to the original network, with all the relevant changes in place.

Lessons Learnt

The main lesson we can take from this unfortunate incident is the vital importance of having DDoS protection hardware installed at the Internet edge – something that IBM and ABS reportedly believed they did not need. This type of protection is the only way to protect an organization’s entire security infrastructure in the event of an attack. If our customers had incurred an attack like this, they probably wouldn’t have even noticed the attack taking place, and it certainly would not have compromised them from a security standpoint.

As DDoS attacks target a full spectrum of security risks, it’s important to defend your entire security infrastructure and data against potential threats. Be ready to respond. A proactive and robust cybersecurity strategy that is clearly communicated across your organization is your company’s best defense against cyberattacks. Designing and implementing an incident response plan is a critical component to an effective cybersecurity program.

One reason Dyn was able to mitigate the attack quickly is that they had a response plan ready. The hackers in this incident designed and deployed a unique attack approach, and Dyn was still able to stabilize the breach before it destroyed the company. Your company’s cybersecurity strategy must incorporate the ever-evolving nature of cyber threats. Focusing too narrowly on specific incidents could hinder your company’s ability to respond.

CFOs need to ensure that their companies are prepared to react to new methods of attack by running “what-if” scenarios and testing response capabilities. Your company may not always be fully prepared for the attacks being conceived, but by testing your controls you can reduce your recovery time and cost.

On the other hand, it’s important not overcomplicate your response plan. Including recovery steps for all possible scenarios will result in a complex document that won’t enable employees to act quickly. Instead, your plan should focus on recovery scenarios specific to your critical business data, functions, and supply chain. Focus on building an incident response program that is able to work in multiple scenarios, accounting for people, places, procedures, and communications.

Invest in people, not just technology. Dyn clearly had a team of experienced professionals in place to resolve an attack that could have destroyed their business. Every company, big or small, can take a similar approach to fighting cyber criminals. CFOs are spending millions of dollars on software and technology to protect their businesses from cyber crimes, and they should be investing more money in training their own people. Human error is the leading cause of cyber crimes, according to Verizon’s 2016 Data Breach Investigations Report. Training employees about the dangers of cyberattacks must include more than just sending around a list of dos and don’ts. Get more creative.

Consider using gamification for training exercises to present real-life scenarios to employees. One way to accomplish this is by having “pretend” hackers try to obtain proprietary information from your employees. If your office doesn’t properly react, the experience could end up a great lesson for everyone. For example, you don’t want your employees clicking on suspicious links in emails, so you train them to forward suspicious links to the security team.

Then you send test phasing email to see what they do. When a user responds correctly they are rewarded by being placed in a drawing for a $100 gift card, winner drawn quarterly. How to implement the playbook to ensure impacted stakeholders are aware of and committed to the steps you have recommended. Be clear on the purpose of engaging with stakeholders. The purpose will underpin the entire approach, influencing who will be engaged, how they will be engaged and what to engage on.

Involve the right people: To identify the right stakeholders, it should be clear why there is a need to engage them and what the scope of the engagement will be. Who needs to know? Who has an interest? The answers will ultimately determine the composition of the target group of stakeholders. Consider also the risks to implementation if particular stakeholders are not engaged.

Use a fit-for-purpose approach: There is no one-size-fits-all approach to engaging stakeholders—each interaction should be tailored. Stakeholders have different expertise, objectives and capacity to engage with government. Don’t assume that what worked for one situation will work for another. Often a mix of approaches will be needed and you may need the flexibility to adjust your approach quickly.

• Manage expectations: Stakeholders should have a clear understanding of how their contributions will be used and the degree of influence their input will have as approaches to policy design and implementation are formulated. When stakeholders’ expectations cannot be met, anger, frustration or cynicism may result, which will affect the current and future relationship with government.

The purpose of the engagement and the role of participants, including how their input will be used, need to be clear from the beginning.

• Use the information: Engagement is not just about collecting information. It involves a process of responding to information to shape and improve the quality of the initiative. Information from stakeholders may also indicate whether the engagement approach itself needs to change. Greater organisational benefits will flow if you share lessons learned from engagement across the agency, particularly where your agency regularly engages with the same set of stakeholders on a variety of issues. Map your stakeholders Identify all the stakeholders that will have an impact or influence on the initiative, as well as those who are affected by it. Narrow this list down to identify groups and subgroups of stakeholders, and record what their interests are and their level of influence and impact. This stakeholder mapping will inform your engagement plan, which should be a living document that evolves during the initiative. Mapping also allows for better tailoring of engagement methods.

Plan the Engagement

Think strategically about the engagement and be clear on why you and your stakeholders want to engage, what the issues are, what you want to achieve and how you will know if you’re successful. Incorporate this thinking into your engagement strategy to help ensure the approach focuses on material issues and effectively targets the right stakeholders. Develop an engagement plan that outlines the methods, timeframes, roles and responsibilities. The plan should pull together all elements of engagement from beginning to end, providing a pathway to guide team members through the engagement approach. Invest time in developing contingency plans for key engagement risks to help reduce delays.

Use a Mixed Approach

A mixed approach provides flexibility to manage the differences in relationships between stakeholders, allowing either a light-touch engagement or deeper partnerships where they are needed. This approach may include activities to inform, consult and collaborate with stakeholders and use a combination of tools such as discussion papers, public forums, one-on-one discussions and social media.

Learn from Others

Tailoring an approach doesn’t have to mean reinventing the wheel. When planning, find out who else has undertaken a similar engagement and take the opportunity to share information and harness the skills and experience that already exist. This path can foster innovation and help make the process more efficient and effective for both government and stakeholders. Knowing the ‘vibe’ and outcomes from recent engagement with similar stakeholders can also help you prepare for what other issues may be raised and how they should be addressed, and avoid going over old ground with the same people.