Organizations Must Update Defenses to Scattered Spider Tactics, Experts Urge

The Scattered Spider hacking collective has been making headlines this year with its highly effective and novel tactics, leaving organizations vulnerable to attacks. According to experts speaking during the Gartner Security & Risk Management Summit 2025, it is imperative for organizations to update their defenses to tackle the techniques employed by this group.

Focus on Identity Tools and Controls

George Glass, associate managing director at risk advisory company Kroll, highlighted the importance of identity tools and controls in protecting against Scattered Spider's tactics. "Applying identity protection that is more mature than username and password is very important," Glass said. This includes ensuring all software-as-a-service (SaaS) applications are connected to single sign-on (SSO). Additionally, using number-matching MFA prompts can make it harder for attackers to capture sensitive information.

Detection and Response

Detection and response are also heavily linked to identity, according to Glass. Security teams should ensure they are able to quickly detect if a user is using tokens in an unusual way. Furthermore, introducing "friction" into processes can help tackle social engineering tactics used by Scattered Spider.

Countering Third-Party Attacks

Scattered Spider's attacks typically involve targeting victims' technology vendors, such as SSO and other identity providers, to gain access to systems. As a result, organizations must ensure they are working effectively with their vendors on countering any third-party attacks.

"I have vendors that will text me and say 'hey check your email, we've been breached and this is how it affects you'," said Debbie Janeczek, global chief information security officer at ING. "If you don't have that partnership, you won't get the immediate flag that you need to look at something."

Monitoring Disclosed Incidents

Janeczek also advised firms to closely monitor disclosed incidents affecting other organizations, understanding the tactics employed and updating defenses accordingly. "You have to watch the tactics, techniques, and procedures (TTPs) for yourself," she noted.

Case Study: How Scattered Spider Operates

In a case study provided by Glass, Kroll was able to stop an attack by Scattered Spider on one of their clients. The attack began with the threat actor calling the target's IT helpdesk, claiming to be an employee who was locked out of their account.

Step-by-Step Attack

  1. Threat actor calls the target's IT helpdesk, claiming to be an employee who is locked out of their account.
  2. The password is reset, and Scattered Spider seeks to bypass the user's multifactor authentication (MFA) using "push notification fatigue" - bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications.
  3. After gaining access to the account, the attacker quickly changes the device that MFA codes are sent to.
  4. The attacker then moves to gain access to sensitive systems on the network, leveraging further social engineering techniques.
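The helpdesk password reset, push-notification bombardment and MFA device change described in the steps above are each visible in identity-provider logs, and their sequence is what a detection rule can key on. The following is an added example, not Kroll's or the article's own code, that runs two such checks (push fatigue, and an MFA device change shortly after a helpdesk-initiated reset) over a constructed event list; the event field names, user names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on the case study sequence; the field
# names are assumptions, not any vendor's real log schema.
EVENTS = [
    {"ts": "2025-06-10T09:00:00", "user": "alice", "event": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-06-10T09:02:00", "user": "alice", "event": "mfa_push_sent"},
    {"ts": "2025-06-10T09:02:30", "user": "alice", "event": "mfa_push_sent"},
    {"ts": "2025-06-10T09:03:00", "user": "alice", "event": "mfa_push_sent"},
    {"ts": "2025-06-10T09:03:30", "user": "alice", "event": "mfa_push_sent"},
    {"ts": "2025-06-10T09:04:00", "user": "alice", "event": "mfa_push_sent"},
    {"ts": "2025-06-10T09:04:10", "user": "alice", "event": "mfa_push_approved"},
    {"ts": "2025-06-10T09:06:00", "user": "alice", "event": "mfa_device_changed"},
    {"ts": "2025-06-10T11:00:00", "user": "bob", "event": "mfa_push_sent"},
    {"ts": "2025-06-10T11:00:05", "user": "bob", "event": "mfa_push_approved"},
    {"ts": "2025-06-10T14:00:00", "user": "carol", "event": "password_reset", "actor": "helpdesk"},
    {"ts": "2025-06-11T09:00:00", "user": "carol", "event": "mfa_device_changed"},
]

PUSH_THRESHOLD = 5                         # pushes within PUSH_WINDOW that count as bombardment
PUSH_WINDOW = timedelta(minutes=10)        # assumed tuning values, adjust to your baseline
RESET_TO_DEVICE_CHANGE = timedelta(hours=1)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect(events):
    """Return (user, rule_name) tuples for users matching either rule."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        # Rule 1: sliding window over push prompts; N prompts inside the window
        # is the "push notification fatigue" pattern from step 2.
        pushes = [_ts(e) for e in evs if e["event"] == "mfa_push_sent"]
        for i in range(len(pushes) - PUSH_THRESHOLD + 1):
            if pushes[i + PUSH_THRESHOLD - 1] - pushes[i] <= PUSH_WINDOW:
                alerts.append((user, "push_fatigue"))
                break
        # Rule 2: MFA device re-enrolled soon after a helpdesk reset (step 3).
        resets = [_ts(e) for e in evs if e["event"] == "password_reset" and e.get("actor") == "helpdesk"]
        changes = [_ts(e) for e in evs if e["event"] == "mfa_device_changed"]
        if any(timedelta(0) <= c - r <= RESET_TO_DEVICE_CHANGE for r in resets for c in changes):
            alerts.append((user, "mfa_device_change_after_helpdesk_reset"))
    return alerts
```

In the constructed data only alice trips both rules; carol's device change comes a day after her reset and bob sees a single prompt, so neither alerts.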

Key Takeaways

Kroll was able to stop the attack before the threat actors gained access to the victim's system. The key takeaways from this case study are:

* Scattered Spider does not deploy malware and other tools until absolutely necessary.
* They steal sensitive information, including LastPass login tokens, to compromise access keys.
* A close relationship with vendors is crucial in detecting potential incidents quickly.

Conclusion

In conclusion, organizations must update their defenses to tackle the tactics employed by Scattered Spider. This includes applying identity protection that is more mature than username and password, ensuring all SaaS applications are connected to single sign-on (SSO), and introducing "friction" into processes to tackle social engineering tactics.