Buccaneers vs. Chiefs. Tom Brady vs. Patrick Mahomes. Super Bowl LV featured an enticing matchup between two powerhouse teams and two star quarterbacks. But amidst this exciting sports action, there was a game within a game – a match-up with a lot more riding on the line than a trophy: Hackers vs. network defenders.
Major global events attract fans and onlookers, but they also draw in malicious cyber actors who would consider disrupting the event a coup. It could be a prankster doing it for the "lulz," a cyber activist looking to make a statement, a cybercriminal running an extortion scheme or a nation-state sowing chaos.
“High-profile events beget high-profile credibility among hacking circles,” said Jerry Ray, chief operating officer of SecureAge. “State-sponsored actors often use international events as practice against well-funded and modern security measures, or as an opportunity to flex some cyber muscle when allowing for modest attribution with just a pinch of plausible deniability. And when fully attributable, a country may attack for the sake of national pride or retaliation.”
And now, as more vaccines are administered and the world looks enthusiastically to reopen, lessons in how to secure gatherings bring newfound significance.
Game day lessons
Look no further for an example of the threat than the 2018 PyeongChang Winter Games. Russia-sponsored hackers allegedly used their custom Olympic Destroyer malware in an attempt to sabotage the games’ digital infrastructure by wiping data and disabling networks in an act of revenge, after the country was banned from competition for organized doping. Indeed, the National Cyber Security Centre reported that Russian actors similarly intended to attack the 2020 Tokyo games before they were postponed to 2021.
Just days after the Olympic Destroyer attack hit during the 2018 opening ceremonies, Cisco’s threat intelligence division Talos reported identifying malware samples used in the incident. “We should expect to see similar campaigns going forward. Any major event needs to be aware of the risks posed by adversarial intelligence organizations,” said Craig Williams, director of outreach at Talos. “When implementing security policies, all forms of interference need to be considered and mitigation strategies must be created. Ideally, there should be strategies for all types of disruptive events, including IoT systems that may be vulnerable to compromise.”
This lesson doesn’t apply to just major sports championships like the Olympics or World Cup. Global political summits, political party conventions and well-attended conferences are other examples of high-profile, short-term events that require special preparation and a massive scaling up of network infrastructure and security resources. And with health care professionals distributing the COVID-19 vaccine to millions of individuals around the world, these in-person events are on the verge of a major comeback.
Based in Tampa, Florida, ReliaQuest provides customers, including the NFL’s Tampa Bay Buccaneers, with cross-layered detection and response (XDR), collecting and analyzing threat data across multiple endpoints, servers, cloud and on-prem networking environments.
But this year brought an extraordinary challenge, as Tampa played host city to the 2021 Super Bowl. In collaboration with law enforcement agencies and additional private partners, ReliaQuest would be tasked with spearheading cybersecurity for the most watched sporting event in the U.S. This meant securing not only Raymond James Stadium itself, but also the nearby NFL Experience locations, the Yacht Village playing host to luxury vessels, and other official venues in the greater Tampa area during the big game, plus the roughly week-and-a-half of ceremonies and fanfare leading up to it.
Brian Murphy, founder and CEO of ReliaQuest, told SC Media that the company's Super Bowl responsibilities included protecting employee and volunteer databases, game-related sales transactions, stadium wireless access points, digital advertising, social media feeds, content streams and more.
“When the Super Bowl comes, everything just gets a bigger magnifying glass on it,” said Murphy. Most of the threats are the same, but it's “the volume of things” that becomes more daunting, especially as the attack surface expands.
“Think of the different attack vectors that could be disrupted,” said Murphy. Then consider you’re planning one of “the largest sporting events in the world, where everybody's coming in, and you would expect more people to get access… More media outlets, more connectivity, everybody wants to be a part of it.”
The sheer scale of the threat picture leads to questions of how to prioritize: “With the list of affiliated technology concerns growing exponentially, the biggest challenge is always the delicate balance between securing either the most valuable assets or most likely attack paths within a finite and constrained budget of money and time,” said Ray. “But there’s always a limit to what can be afforded within a given time frame.”
But scale isn’t the only challenge with big events. So is threat variability.
Generally speaking, there are three categories of events, said Brian Zimmer, global solutions director at ePlus. Zimmer previously served on teams that planned or managed the digital security of annual NGO events, as well as the 2012 Republican National Convention.
The first is an event held on the host’s own home turf on a recurring basis, the second is when the host travels to a new location for an event, and the third is a mega-event such as the Super Bowl.
“It's unique in each of those situations – and the biggest thing is the logistics," Zimmer said. "Getting the people, the process and the technology in place at that location, then scaling up for what is 10x, 100x more traffic, malicious traffic” than normal. There’s no baseline to compare that to, “so understanding what looks normal and responding to what doesn’t, I think that’s the biggest challenge."
"Cybersecurity planning for events, both in terms of scale and complexity, reflects the characteristics of the event itself: country and locale, venue, likely attendees and their posture (in-motion, standing, sitting) or possessions (mobile phones, cameras, umbrellas, coats, backpacks, food), duration, degree of necessary automation (ticketing, gates, climate control, points-of-sale, lighting, sound, pyrotechnics), event components (public Wi-Fi, scoring systems, tooling, equipment), and the more obvious security cameras and security staff communications."
Changing circumstances surrounding an event can also alter the dynamics of the threat picture. For instance, said Murphy, precautions related to the COVID-19 virus meant there would be lower on-site attendance this year at official Super Bowl venues and smaller gatherings at other public places such as local bars, while viewership on phones and personal devices was likely to go up. “It's just understanding that change of landscape for us,” said Murphy, who noted there was a lot of noise and chatter this year around “how to stream the Super Bowl for free.”
But perhaps the most critical challenge of all, Murphy opined, is ensuring collaboration between parties. That’s why communication was critical between his team and physical security experts, the NFL, the Buccaneers, government law enforcement, the City of Tampa and more. “The number one failure point, in my opinion, is collaboration… if all those groups don't work together, and show and share,” he said.
Developing a game plan
Managing big-event cybersecurity requires an entirely different playbook than handling day-to-day security at a static location. For that reason, your process and technology must have “the right elasticity and dynamic nature” to respond in agile fashion, said Zimmer.
This requires ample planning and foresight – months’ or even years’ worth of preparation – as security teams identify the vulnerable points along the attack surface and anticipate threats that might come their way.
Ideally, security teams should monitor conversations leading up to the event, keeping an eye on dark web chatter and trends. “Sometimes these things like start as, ‘Hey, wouldn’t it be cool if…?’” said Murphy. “And that can be: ‘Can we impact the scoreboard?’ or ‘How do we publicize… the injury report before a game, or some personal information? Or get access to certain players’ portals and social media?”
Indeed, there are a lot of potential scenarios to think through.
“We start with the things that have happened in the past, and then we allow our imaginations to run away with us a little bit,” said Murphy. “You've got to think a little bit evil to be good in cybersecurity.”
One scenario that Murphy warned not to overlook is a social media breach or hijack that damages a player’s reputation before a big event. This brings to mind NFL offensive tackle Laremy Tunsil, whose stock dropped in the NFL Draft after a hacker accessed his Twitter account and posted a video of the prospect smoking from a bong.
Perhaps a future attack “leverages or exploits legitimate websites, apps or emails created by the event organizers, [that are] widely accessed by millions worldwide or a targeted subset in one region,” said Ray. Or maybe the attackers want to “affect a betting line.”
“Of course, the most frightening attack… are those that aim to curtail or dismantle security at the event venue as a precursor to a physical attack,” Ray continued.
This is where prioritization comes into play.
“The first question we ask is, ‘Okay, what's most important to protect? What are we most worried about? And let's unpack it from there,’” said Murphy.
Then it’s a matter of scaling the network security and infrastructure to match the size of the threat. In ReliaQuest’s case, the key was maintaining visibility into all the identified potential attack surfaces to keep an eye out for red flags. Central to that strategy was the company’s XDR offering.
The foundational principle of XDR is “getting access to that relevant security data, wherever it is,” whether on-prem or in the cloud, said Murphy. “We want to be able to see it… get access to it, take action on it and report on it, regardless of where that lives.”
The entire time, the relevant data stays where it originates. Users “only pull back the actionable data that you need at the time you need it,” and then they can let it go. “This allows us to be more responsive, more athletic,” providing the agility and elasticity that Zimmer was also advocating as a key attribute.
As the big date arrives, it’s important to practice incident response drills to simulate potential crisis situations that might arise and test out your game plan.
“It is extremely beneficial to run both tabletop and red team exercises simulating an attack against an event,” said Williams. “These can help identify weak points and issues an attacker may discover which have gone unnoticed. As part of these exercises, after-action reviews should be held so that strategies can be refined.”
“The question one must determine is how aggressive your playbook needs to be,” he continued.
Calling an audible under pressure
As the PyeongChang Olympics demonstrated, you can’t stop every attack. Therefore, you also need to develop a business continuity and disaster recovery plan in case something goes awry.
“Continuity or contingency planning for cyberattacks is arguably the most important component of event cybersecurity,” said Ray. “With infinite permutations of attackers and their possible attack vectors, the assumption has to be that the most critical systems, such as payment, personnel, communications, or security, will be breached somehow. Anticipating that and having a backup or failsafe isn’t just a nice add-on. It’s as essential as whatever has been put in place to prevent the most critical or vulnerable systems or components.”
“For example, consider events where proof of identity is essential, such as presidential debates or testing for state bar exams,” Ray continued. “A necessary task will be to secure a central database, as well as any laptop or handheld device to access it, that lists the personally identifiable information of the attendee to match against proof of ID. But that security plan is not nearly complete until a backup system for ID verification has been put in place and tested as a viable alternative.”
So in the end, what kind of attacks did ReliaQuest encounter? Murphy wasn’t at liberty to disclose specific details. However, he said “we saw… a lot of your standard phishing campaigns and aggressive phishing campaigns... And there was a lot of exchanging of access to view or get into the event.”
Ultimately, there were no major cyber or physical security incidents reported.
“Obviously you had that streaker that got free around the field. If that's the worst thing that happened, then that was a win,” said Murphy.
But did Murphy at least get to enjoy watching the Buccaneers win the Super Bowl? Or was he too engrossed in his own game of offense vs. defense?
“There is always that in the back of your mind. You can't enjoy it too much and that's just security,” said Murphy. “Some of the biggest events and venues, you're excited that you're a part of it. But then you also know that we've got to be diligent and on our toes. So there was a good healthy mix of checking both scores: checking the score on the scoreboard and then also checking in with the team and seeing how things were going.”