Identity, authentication the first line of defence

When defending against Scattered Spider, hardening identity verification and authentication practices are of the utmost importance, said Mandiant.

The gang has proven highly effective at using social engineering techniques to impersonate users contacting its victims’ IT helpdesks, so as a first step, helpdesk staff will need additional training to positively identify inbound contacts, using methods such as on-camera or in-person verification, government ID verification, or challenge and response questions.

Security teams may also want to look into temporarily disabling, or enhancing validation, for self-service password resets, and routing both these and multi-factor authentication resets through manual helpdesk workflows for the time being. Employees should also be made to authenticate prior to changing authentication methods, such as adding a new phone number.

Security teams can also implement additional safeguards such as requiring changes to be made from trusted office locations, or using out-of-band verification, such as a call back to an employee’s registered mobile number, before proceeding with a sensitive request.

It may also be worth considering taking steps such as banning SMS, phone call or email as authentication controls, using phishing-resistant MFA apps, and using FIDO2 security keys for privileged identities. Ultimately, said Mandiant, the goal should be a transition to passwordless authentication if possible.

More widely, non-IT staff should be taught to avoid relying on publicly available data for verification, such as dates of birth, or the last four digits of US Social Security Numbers.

Identities of victims irrelevant

With no US retailers yet publicly named as victims of Scattered Spider’s campaign, Nic Adams, co-founder and CEO at 0rcus, a security automation platform, said the identities of victims were largely irrelevant given the commoditisation of the threat chain.

“Whether DragonForce, Scattered Spider or a shared affiliate ring executed the intrusion is irrelevant,” he said. “Who the hell cares? An overlap in TTPs proves the industrialisation of compromise. Threat actors don’t need advanced exploits. Simply put, organisational blindness to behavioural anomalies, lax identity workflows, IT helpdesks that treat social engineering as a customer service moment. I call this the breach-point. Continuing to focus on malware or ransomware only further validates trust flow mismanagement.

“Phishing, cred abuse, Cobalt Strike, LOTL movement, SystemBC tunnels, Mimikatz extractions, data staging to MEGA is now a commodity kill chain,” said Adams. “What came after was orchestration: full access, lateral expansion, data exfiltration, selective encryption, ransom leverage. The payload was just a press release because the campaign had already succeeded long before that binary detonated.”

He called on organisations to start thinking like threat actors. “The next breach will follow the same path,” said Adams. “One-click, credential, absent defence layer. Another billion in market cap evaporated.

“Organisations that survive what’s coming will be those that embed threat logic at the protocol level, assign root access to operators who know what adversaries build, and stop misleading everyone by asserting compliance equals control. You can’t outsource this. You can’t automate this. You either build with black hats or remain target practice for those who take the hint.”

M&S insurance claim likely to top £100m

Back in the UK, reports today (14 May) suggested that M&S’s insurers may find themselves on the hook for as much as £100m following the ransomware attack, with Allianz and Beazley particularly exposed.

According to the Financial Times, the claim would likely cover lost online sales and data breach liability losses following the theft of customer data from the retailer’s systems. M&S has already lost tens of millions of pounds as a result of the cyber attack, which has left its food supply chains in disarray.