Identifying and preventing breaches from cybersecurity threat actors

July 29, 2025
Author: David Leech
Blog | Security

Cybersecurity incidents are continually on the rise, and the impact they have on companies of any size can be devastating. Board members, leaders, and executives must understand the risk that a cybersecurity incident, like a network breach, would pose to their business.

Of course, to understand how best to protect your organization from potential breaches, you must understand how cybercriminals act and what their attacks look like. In this short blog, we will cover the anatomy of a cyberattack through the lens of recent Scattered Spider activity, and offer key questions your leaders and your security team should be asking to determine what risks exist.

Anatomy of a cyberattack: Learning from Scattered Spider

The increasing use of Software-as-a-Service (SaaS) platforms and remote work, where everything is accessed over the Internet, has of course led to a reliance on user credentials, i.e. user IDs, passwords, and multifactor authentication (MFA) factors, for security.

Now cybercriminals and other threat actors are increasingly leveraging social engineering to gain initial access via compromised credentials.

Social engineering is the process of manipulating or tricking humans into providing access to usernames and passwords, systems, information, or other valuables.

One group of threat actors known primarily as Scattered Spider specializes in social engineering attacks. This group has been linked to recent ransomware attacks at Caesars Palace and MGM resorts in Las Vegas, high-profile incidents at retailers like the British retailer Marks & Spencer, and most recently attacks on insurance companies and airlines in the USA.

In recent high-profile cases, the threat actors have masqueraded as legitimate employees and tricked service desk and IT personnel into resetting credentials including MFA configurations, thereby allowing the infiltrator access to systems.

Many threat actors, including Scattered Spider, have also tricked users into clicking on links that lead to replicas of the websites used to authenticate or change passwords. This has allowed these crafty criminals to capture credentials, which are subsequently used to access systems, move laterally through the target environment, and elevate privileges (i.e. gain admin-level access to systems) before exfiltrating sensitive information and launching ransomware payloads to encrypt data.

Users are quickly denied access to systems and business operations grind to a halt. This is usually followed by ransom demands, with the threat of information leaks and other extortion measures to coerce payment.
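The sequence described above (a help desk resetting a user's MFA factor, then a sign-in from a place that user has never signed in from) is visible in identity-provider audit logs if someone correlates the two events. The following is an added example of that correlation, not code from the original post or from CBTS; the log format, the field and event names, and the 60-minute window are all assumptions, and the sample log lines are constructed.

```python
"""Flag help-desk MFA resets that are followed by a sign-in from an unfamiliar IP.

Added example. The event schema (event/user/actor/ip/ts fields, the event names
"mfa.factor.reset" and "login.success") and the 60-minute window are assumptions
chosen for illustration; real identity providers use their own field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Documentation IP ranges only.
SAMPLE_EVENTS = [
    {"ts": "2025-07-01T08:02:00", "event": "login.success", "user": "alice", "ip": "203.0.113.10"},
    {"ts": "2025-07-02T08:05:00", "event": "login.success", "user": "alice", "ip": "203.0.113.10"},
    # Help desk resets alice's MFA factor, then a sign-in arrives from an IP alice never used.
    {"ts": "2025-07-03T13:40:00", "event": "mfa.factor.reset", "user": "alice", "actor": "helpdesk-bob", "ip": "198.51.100.7"},
    {"ts": "2025-07-03T13:52:00", "event": "login.success", "user": "alice", "ip": "192.0.2.55"},
    # carol's reset is followed by a sign-in from her usual IP: expected after a genuine reset.
    {"ts": "2025-07-01T09:00:00", "event": "login.success", "user": "carol", "ip": "203.0.113.20"},
    {"ts": "2025-07-03T10:00:00", "event": "mfa.factor.reset", "user": "carol", "actor": "helpdesk-bob", "ip": "198.51.100.7"},
    {"ts": "2025-07-03T10:15:00", "event": "login.success", "user": "carol", "ip": "203.0.113.20"},
    # dave signs in from a new IP but there was no reset: not this pattern.
    {"ts": "2025-07-03T15:00:00", "event": "login.success", "user": "dave", "ip": "192.0.2.99"},
]

WINDOW = timedelta(minutes=60)  # assumed correlation window


def parse(events):
    """Copy the events with parsed timestamps, sorted chronologically."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def find_suspicious_resets(events, window=WINDOW):
    """Return one alert per help-desk MFA reset that is followed, within `window`,
    by a successful sign-in from an IP the user had never signed in from before.

    The set of "known" IPs for a user is built only from sign-ins that precede the
    reset, so the post-reset sign-in cannot vouch for itself.
    """
    known_ips = defaultdict(set)   # user -> IPs seen in successful sign-ins so far
    pending = defaultdict(list)    # user -> resets whose window has not yet expired
    alerts = []
    for e in parse(events):
        user = e["user"]
        if e["event"] == "mfa.factor.reset":
            pending[user].append(e)
        elif e["event"] == "login.success":
            for reset in pending[user]:
                in_window = reset["ts"] <= e["ts"] <= reset["ts"] + window
                if in_window and e["ip"] not in known_ips[user]:
                    alerts.append({
                        "user": user,
                        "reset_actor": reset["actor"],
                        "reset_ts": reset["ts"].isoformat(),
                        "login_ts": e["ts"].isoformat(),
                        "login_ip": e["ip"],
                    })
            # Forget resets whose window has closed; only then record the new IP as known.
            pending[user] = [r for r in pending[user] if e["ts"] <= r["ts"] + window]
            known_ips[user].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"ALERT: {alert['user']} signed in from {alert['login_ip']} at {alert['login_ts']} "
              f"after MFA reset by {alert['reset_actor']} at {alert['reset_ts']}")
```

Run against the sample log, only alice is flagged: carol's post-reset sign-in comes from an IP already in her history, and dave's new IP had no reset in front of it. In practice the same rule applies to password resets and new-device enrolments, and the alert is a prompt for the security team to call the user back through a channel the caller did not supply.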

Read more: The cost of a ransomware attack

Key questions to ascertain cybersecurity gaps

Obtaining answers to the following questions will provide insight into how good your defenses are and how resilient your organization would be when—yes, when, not if—a threat actor breaches your defenses.

While we recommend a holistic maturity assessment and a formal ongoing cybersecurity program to manage risk to your business, these questions will provide a high-level understanding of your cybersecurity positioning.  

  1. Do we have a formal cybersecurity program and is it validated by an external party?
  2. Have we completed an in-depth implementation of zero trust principles?
  3. Do we have a record or register of cybersecurity risks to our organization?
  4. Have we tested our restoration capabilities, and do we know how long it would take us to restore if everything was encrypted during a ransomware attack?
  5. Do we have any systems that do not require MFA using a physical token or application?
  6. Have we reviewed all our procedures and self-help systems to ensure individuals are verified before helpdesk or support staff make changes such as password resets?
  7. Do we have an inventory of all our systems, and do we know where our mission critical data is stored?
  8. Do we know if our systems are optimally configured for security, especially those managing identities, passwords, and MFA devices? (This is known as hardening systems to reduce the attack surface area.)
  9. Do we know where our vulnerabilities are, and which systems are most vulnerable?
  10. Do we have ransomware-resilient backups, i.e. either air-gapped or on immutable storage?
  11. Do we have a plan to pay a ransom, or have we decided against such a measure?
  12. Do we have a cybersecurity education and training program?
  13. Do we have 24×7 monitoring of all our IT assets including an endpoint detection and response capability?
  14. Do we have an incident response playbook, and have we tested it?
  15. Do we have cybersecurity insurance and access to incident response specialists?

Our team also provides assessments to help you answer these questions and establish the right cybersecurity plan.

Next steps: Identify threat actor behaviors and fortify your organization

If you do not feel confident about your cybersecurity stance after asking these questions, we recommend bringing in external support or additional staff to remediate the risk as soon as possible. We also recommend basing all work on a reputable cybersecurity framework such as, but not limited to, NIST CSF, HITRUST or ISO 27001. This will allow you to measure your maturity as you progress across governance, identity, protection, detection, response, and recovery domains.

The bottom line is that multiple layers of defense and recovery plans are not only necessary, but vital, to protect your organization from threat actors.


What else can you do?

Look to examples like Scattered Spider, assess how they behave, and engage in cybersecurity practices that rise to your defense against similar attacks. If you ever need help, the CBTS security experts are ready to support you.

Read more: Defending against digital deception
