Transcript
In this age of misinformation and disinformation, it's very difficult to cut through the noise. And I know personally on my side, I am subscribed to an enormous amount of cyber news on a day-to-day basis. And one of the names that keeps popping up that I've been super interested in is Scattered Spider. And early on when we were putting this show together, we pinged Ray and said, hey, you know, I'm wondering if there are any kind of threat actors that uniquely go after identity as a way to wreak the maximum amount of havoc. And he said immediately the first group that comes to mind is Scattered Spider. Now he did make a note, this organization doesn't call themselves Scattered Spider. That's a name that those of us in the ecosystem, I think CrowdStrike in particular, has put on them. And he made a good point. This is a loosely organized group compared to some other threat actor groups that we have, but they are very effective at going after a specific playbook.

Now we keep talking about Ray. For those who haven't seen the show before and are wondering who that cold open was, Ray Umerley is the field CISO for Coveware by Veeam. And he is an industry expert. He is a multi-time ransomware survivor at his various organizations, including a Fortune 500 company. He is also CISSP certified. He's been recognized and is an absolute professional in his field. And he really is that sage wisdom that so many of us go to as we're trying to learn about this space because he has that cybersecurity arm. We have the IT arm and together we're bringing these stories to life.

Now I had a great chat with Ray last week talking about Scattered Spider and really trying to analyze their movements a bit more when it comes to identity. And when we say identity, we're talking about Microsoft 365, Active Directory and Entra ID, how you identify a user within your infrastructure stack, your cloud stack.
It's safe to say that identity becomes that connective tissue that provides context and trust throughout everything we do. And when that trust is broken, it can be incredibly harmful and detrimental, especially when you're in an active attack. So let's go ahead and roll back another clip of Ray telling us a bit more about Scattered Spider's movements.

And once inside, these Scattered Spider threat actors often pivot to cloud identity systems like Entra ID. Evidence from our incident reports indicates they may elevate privileges, modify your identity policies, tamper with audit visibility, effectively redefining who the environment believes is in control. At that point, every login and MFA prompt must be treated as potentially untrusted. And once they've established this identity persistence, they exploit those collaboration platforms to blend in. Our investigations have documented attackers using legitimate accounts to access Exchange, SharePoint, OneDrive, even Teams. And this includes forwarding mail, creating OAuth apps and quietly staging data for exfiltration. The result is an erosion of trust in shared workspaces and communications.

Now, this leads to, however, the most disruptive component of their attack, which is really about prolonged containment and eradication. In order to sever command and control, rebuild assurance, remove this entrenched adversary, organizations frequently must segment networks, rotate every privileged and service account and reissue credentials from a clean root. These deliberate, time-consuming steps can extend recovery timelines days, weeks, or even longer, but they're essential to restoring confidence in our identity-driven systems. And Scattered Spider really proves that when identity itself becomes the battleground, recovery isn't about decrypting files, it's about rebuilding trust. Until identity layers are reestablished and verified, no other layer can be considered secure.