Hacking in TV and movies is presented like a battle. Fingers fly across keyboards as characters shout to each other in impenetrable jargon, warning of incoming attacks and celebrating victories.
But about the only thing Hollywood gets right about attacks is the stress. Instead of fingers flying over keyboards, most breaches I’ve helped defend against are slow-motion accidents. Defenders are perennially behind the eight ball, trying to track down attackers who are two steps ahead. Critical decisions are passed around and take too long to make; contractors offer excess data but no direction; and the insurance company wants a say in everything that happens so that it can minimize what it has to pay out in damages.
When an attacker is able to get a hold of valuable information, it’s rarely because of their astounding skill. It’s because the victim’s organization has major gaps in its cybersecurity posture, compounded by ineffective incident response, which allows the attacker to retain their access far too long.
To dispel the myths and help you prepare for a better response, I’m going to walk you through how an attack works in the real world these days.
Due to confidentiality, I can’t walk you through an attack we helped a client successfully defend. So instead of focusing on a single attack on a single company, I’ll walk you through an amalgam of attacks by a single attacker, Scattered Spider, that we’ve responded to.
Scattered Spider is a cybercrime group that is primarily financially motivated (as opposed to nation-state threats that have different objectives). Scattered Spider has been active since 2022 and is known for high-profile attacks — like the one on MGM Resorts and Caesars Entertainment in 2023.
Generally, cyber attacks move through ten stages, which I’ve outlined below. I’ll take you through each one, leaning on my experience defending against Scattered Spider, to share concrete examples of what each step looks like*.
*The Scattered Spider attack below is a fictionalized amalgamation of real examples.
The first step of a cyber attack is to find a crack in a company’s armour and sneak in. This can happen through:
While there are a variety of ways to gain initial access, Scattered Spider’s MO is to find somebody whom they can social engineer. That could be through social media, like LinkedIn, or even through your own help desk.
A member of Scattered Spider contacted an outsourced help desk requesting a password reset. The attacker claimed to be an employee who was travelling, needed urgent access to information, and had forgotten their password. To ensure that they could also get past multi-factor authentication (MFA), they also claimed to have lost their phone, causing the help desk to allow them to register a new device for MFA.
Because the help desk (a) wasn’t integrated with the rest of the company and (b) was trained to help the person on the other end of the line, the help desk operator obliged.
This gave the attacker their initial access into the target’s network.
Now that the attacker has an access point, they’ll leverage it to establish command and control in your network.
Typically, this is done by running a program to establish a network connection back to the attacker’s network. This connection is often made using legitimate communication protocols, such as HTTPS or DNS, to carry the attacker’s malicious data and commands.
With access to a valid user account that they gained by tricking the help desk, Scattered Spider logged into computers on the target network and executed scripts to establish a persistent connection back to their “command and control” infrastructure. Since the connection itself looks like a legitimate HTTPS or DNS request, it isn’t necessarily identified as being malicious and is not blocked.
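One way a defender can catch the kind of “looks legitimate” command-and-control traffic described above is to look for beaconing, the metronomic check-in rhythm an implant produces, rather than at the protocol itself. This is an added example (not code from the article or from any client engagement): it scores each source/destination pair in a constructed proxy log by the regularity of its connection intervals, an approach that applies just as well to DNS query logs.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the article): "timestamp src dst bytes"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.1.2.5 203.0.113.7 512
2024-03-01T10:05:01 10.1.2.5 203.0.113.7 520
2024-03-01T10:10:00 10.1.2.5 203.0.113.7 515
2024-03-01T10:15:02 10.1.2.5 203.0.113.7 510
2024-03-01T10:20:00 10.1.2.5 203.0.113.7 518
2024-03-01T10:25:01 10.1.2.5 203.0.113.7 514
2024-03-01T10:00:30 10.1.2.9 198.51.100.20 30000
2024-03-01T10:03:10 10.1.2.9 198.51.100.20 1200
2024-03-01T10:41:55 10.1.2.9 198.51.100.20 88000
2024-03-01T11:17:02 10.1.2.9 198.51.100.20 4400
2024-03-01T11:20:40 10.1.2.9 198.51.100.20 700
2024-03-01T12:09:33 10.1.2.9 198.51.100.20 9100
"""

def parse(log):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _bytes = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def beacon_score(times):
    """Coefficient of variation of the gaps between connections.
    Near 0 means the connections arrive on a clock, which is how a
    beaconing implant looks; human browsing produces a large value."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m else None

def find_beacons(log, min_connections=5, max_cv=0.1):
    """Return (src, dst, score) for pairs that look like beacons."""
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(cv, 3)))
    return hits
```

The first host checks in every five minutes with a second or two of jitter and is flagged; the second host’s irregular, bulky transfers are not.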
Once some control is established, attackers move to ensure persistence. This way, a rebooted machine or blocked packet is less likely to sever the ties they’ve created through the first two steps.
Scattered Spider has historically done this by maliciously using legitimate remote access tools.
With the access Scattered Spider obtained from the help desk, they were able to log into computers on the target network and install AnyDesk to establish their own backdoor, giving them persistence in the network.
The next step is to elevate permissions so the attacker can increase their access and more fully explore and control your environment.
At this point, their goal is essentially to find a way to increase their permissions to give them access to more data and/or administrative control of critical systems such as Active Directory or Entra ID.
Scattered Spider did this by leveraging a password vault that didn’t require MFA to access sensitive administrative passwords. This insecure deployment allowed Scattered Spider to steal administrative credentials from the safe using only the Windows credentials they stole from the help desk.
Once in the password vault, they had full administrative access to a variety of critical infrastructure systems, such as VMware and Microsoft Entra ID.
Once they obtained administrative access, Scattered Spider established another, more pernicious persistence mechanism. They set up automation to repeatedly add federated identity providers to the organization’s Entra ID environment, causing it to trust all identities in Scattered Spider’s own Entra ID environment. This technique is more subtle and less easily detected, and, by continually establishing new federated connections, they trapped their targets in a game of whack-a-mole, trying to eradicate every one of them.
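As an added illustration of how the federation trick above can be detected (this is my own example code, not part of the original article or any client’s tooling), the script below walks constructed Entra ID audit records, flags any domain federated outside an assumed allow list, and spots a single account repeatedly changing federation settings. The activity names and the flattened record fields are assumptions; verify them against your own tenant’s directoryAudits output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID audit activity names that alter domain trust. These are the names I
# assume appear in Graph directoryAudits; confirm them against your own tenant.
FEDERATION_ACTIVITIES = {"Set federation settings on domain", "Set domain authentication",
                         "Add unverified domain", "Verify domain"}

# Domains the organisation has deliberately federated (assumed allow list).
APPROVED_FEDERATED_DOMAINS = {"corp.example.test"}

# Constructed audit records with flattened fields; every value here is invented.
SAMPLE_AUDIT = [
    {"time": "2024-03-02T01:00:00", "activity": "Set domain authentication",
     "actor": "svc-automation@example.test", "domain": "idp-x1.example.net"},
    {"time": "2024-03-02T01:00:05", "activity": "Set federation settings on domain",
     "actor": "svc-automation@example.test", "domain": "idp-x1.example.net"},
    {"time": "2024-03-02T03:15:00", "activity": "Set federation settings on domain",
     "actor": "svc-automation@example.test", "domain": "idp-x2.example.net"},
    {"time": "2024-03-02T05:40:00", "activity": "Set federation settings on domain",
     "actor": "svc-automation@example.test", "domain": "idp-x3.example.net"},
    {"time": "2024-03-01T09:00:00", "activity": "Update user",
     "actor": "helpdesk@example.test", "domain": ""},
    {"time": "2024-02-20T12:00:00", "activity": "Set federation settings on domain",
     "actor": "idadmin@example.test", "domain": "corp.example.test"},
]

def federation_changes(records):
    """Records that touch domain trust, oldest first."""
    hits = [r for r in records if r["activity"] in FEDERATION_ACTIVITIES]
    return sorted(hits, key=lambda r: r["time"])

def unapproved_domains(records):
    """Federated domains missing from the allow list; each one is a standing backdoor."""
    return sorted({r["domain"] for r in federation_changes(records)
                   if r["domain"] not in APPROVED_FEDERATED_DOMAINS})

def repeated_changers(records, window=timedelta(hours=24), threshold=3):
    """Actors making `threshold` or more trust changes inside one window: the
    re-adding loop shows up as one account doing this again and again."""
    by_actor = defaultdict(list)
    for r in federation_changes(records):
        by_actor[r["actor"]].append(datetime.fromisoformat(r["time"]))
    flagged = {}
    for actor, times in by_actor.items():
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged
```

Either check on its own is a strong signal; both firing for the same account, as in the sample data, is the automated re-federation loop described above.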
In a typical attack, a group will move through this step and the next two (steps 6 and 7) in a cyclical fashion.
This starts with exploring the environment to see what kind of data is available and if there’s anything they could use to force an organization to pay them money. They’ll also probably look for information about the organization’s insurance to tell them how much they can ask for ransom.
Once one system is fully explored, they’ll move on to other systems to look for the same type of information.
As the attacker moves from one system to the next, they’ll steal passwords as they go, increasing their access to new environments, which they will then explore.
Sometimes attackers will repeat steps 5-7 many times. For example, they steal a password to gain access to a new system that, in turn, grants them additional access to new networks and data, where they may steal another password that grants them access to yet another new network or system, and so on.
Once they had full access to the environment through the password vault, Scattered Spider identified the target that was of greatest value to them, VMware. VMware often hosts the majority of an organization’s servers, meaning that administrative access to VMware enables an attacker to access data across all servers, often including backups, and also to easily automate the deployment of ransomware to encrypt all the servers.
If the attack is successful, somewhere in the cycle of moving through steps 5, 6, and 7, they’ll gain access to data that is valuable to the organization. That may be data it doesn’t want made public (like intellectual property), data that’s essential for operations, or personally identifiable information (PII).
Scattered Spider is known for working to gain access to SharePoint sites, credential storage documentation, VMware vCenter infrastructure, backups, and instructions for Virtual Private Networks so they can retain and expand their access.
From the password safe, Scattered Spider stole the credentials for VMware administration. Then, they logged into the centralized source of data, essentially becoming the system admin.
Once they have access to information they’ve identified as valuable, attackers will copy and upload the data to their own systems, and most often, encrypt the original data on the target’s network.
With access to the VMware management console, Scattered Spider encrypted all of the virtual machines.
The final step in any attack is that the attacker will find a way to profit from the infiltration.
This can include:
Scattered Spider demanded a ransom for the encrypted data, offering to give their target the ability to decrypt the data for a fee.
Each of these steps has to go just right for an attack to succeed, which is good news for your organization. All you have to do is disrupt one step, and the attack will break down.
All organizations have cybersecurity controls designed to prevent attacks, but there is no such thing as perfect protection. Therefore, most organizations have a variety of additional controls to detect attacks in progress that have bypassed their preventive controls. Whether attacks are detected by these controls, or simply by the loss of functionality when ransomware is deployed, what happens next, the incident response, is critical in determining the impact and the cost to the organization.
Some organizations lack basic incident response plans. Many others have plans, but those plans have not been updated and, more importantly, have not been well tested; they do not take into account the myriad factors that influence success, including newer technologies and systems, departures of critical staff, and the involvement of third parties such as insurance companies.
This often leads to a response where critical activities either take too long or are completely missed, leading to prolonged outages, loss of data, and greater overall impact to the organization.
Even when organizations have incident response plans, we frequently see failures of execution during incidents. All too often, analysis paralysis, lack of clarity around who makes key decisions, an unwillingness to make those decisions, or difficulty executing next steps cripple the response.
During Scattered Spider incidents, victims often ask me for guidance. In the example above, where Scattered Spider has taken control of the victim’s VMware environment, the technical steps to defend against it are quite simple:
This prevents any further damage and locks the attacker out of the platform that they were using to coordinate their entire attack.
Those three steps can be accomplished in five minutes. But most victim organizations aren’t able to act that quickly.
Instead, it can take organizations days to implement them, because nobody is willing to take responsibility either for the decision to initiate action or for directing the next steps.
Bureaucracy, an inability to make decisions, finger-pointing, passing of the buck, and an overload of information allow the attacker to persist for days, greatly increasing the impact and delaying the recovery.
This sort of failure is more common than you would think.
In a large organization with many different teams, it is vital that somebody both decides and acts, regardless of who would normally be in charge of the systems in question.
The main issue I see over and over again in organizations’ responses is their lack of preparation and practice, just like the example above. It is one thing to have a plan, but ensuring that the right actions are taken, at the right times, requires a leader who can make decisions and direct actions, and a supporting team that can provide the necessary input to support those decisions, and then carry them out effectively.
Typically, one or more of the following things is true.
That’s why it’s so important for organizations to go beyond simply purchasing tools.
We help our clients optimize their security architecture, from tools to incident response plans, so that they can break the chain of attack of groups like Scattered Spider.
Not everyone in the room during a breach is working for your organization.
We work with our clients as a breach coach, helping them make the right decision for them at every step of the breach.
We know our customer.
We work with many of them on a long-term basis. We have contacts we’re regularly in communication with. And, in most cases, we're local, so we can send people there physically.
That ongoing relationship means we’re already in our clients' environments. We know their tools and how to leverage them to break the chain of an attack and help the organization recover well.
In fact, some of our clients still have iON employees on-site years after an incident. We’re there ensuring a mass password change doesn’t end up in another breach, or handling the logistics of swapping out every laptop in the company so their employees aren’t overwhelmed.
Are you confident that you are prepared for the worst? Give us a call, and we can help you prepare. If today is the day you’ve dreaded and you need help dealing with an incident, leverage our experience to make sure that you are making the right decisions at the right time.