In today’s rapidly evolving cyber threat landscape, financial institutions face an increasingly sophisticated array of adversaries. Among these, Scattered Spider is one cybercriminal group that acts with precision, persistence, and proficiency in exploiting vulnerabilities within large corporations and their IT infrastructures.

This group has garnered attention not just for its disruptive capabilities but also for its targeted approach toward enterprises, including pivotal players in the financial services industry. The recent advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) underscores the severity of the threat posed by Scattered Spider, painting a picture of an adversary adept at leveraging social engineering, ransomware, and data theft for extortion.

Scattered Spider: Behind the web

Scattered Spider specializes in obtaining privileged access credentials to infiltrate organizations, leveraging tools like the BlackCat/ALPHV ransomware alongside its social engineering tactics like phishing and impersonation. These techniques can be carried out via email, SMS, phone calls, and in some cases online meetings. All of these methods are focused on gaining access credentials to the customer estate (their entire network both on-prem and in the cloud), as well as elevating existing credentials already obtained via these methods.

Security best practices for employees

When dealing with cyber attacks that feature credential access threats, it’s best to foster a heightened sense of security among employees. Additionally, the rapid involvement of internal security teams will be crucial for attacks that succeed through user error. From an employee level, here are some best practices when you're facing a potential social engineering attack: 

  • If you get a strange request via any channel — like someone asking you to move money or provide access to a system — stop and question it. 
  • Review these attempts with your peers before moving forward. 
  • Be especially wary of any unexpected and out of the ordinary requests from senior execs or support personnel. In reality, no one needs your credentials to do their jobs, ever.

Scattered Spider’s typical attack tactics involve ransomware and will encrypt and sometimes steal vital data from an organization before demanding hefty ransoms for decryption keys. For financial institutions — which rely heavily on trust, integrity, and the seamless operation of their IT systems — such attacks can have catastrophic consequences, eroding customer confidence and potentially leading to significant financial and reputational damage. The attacks levied by Scattered Spider and other threat actors highlight a growing reality: no entity is immune. 

Elastic Security: Modernizing SecOps

In the face of operationalized threats like Scattered Spider, financial institutions require robust, intelligent, and adaptable cybersecurity solutions. Elastic Security supports this battle with AI-driven security analytics, boosting practitioner productivity and reducing risk. The solution elevates the skills of every analyst with generative AI insights woven throughout the UI — enabling users to better combat tactics employed by groups like Scattered Spider. Some of the key components include:

  • Advanced SIEM and TTP detections: By integrating SIEM TTP detections tailored to the known MITRE ATT&CK tactics employed by Scattered Spider, Elastic Security provides financial institutions with the capability to monitor their digital environments for specific threats in real time, ensuring rapid detection and response. By leveraging prebuilt rules, teams can immediately start detecting suspicious activity and swiftly adapt to emerging threats.

  • Search quickly and iteratively: Elastic’s new piped query language ES|QL (Elasticsearch Query Language) transforms, enriches, and simplifies data investigations. With incredibly fast search — and query output in full sight — analysts can draw closer to their target with each successive pipe, changing how they pursue threats and strengthen detection.

  • User behavior analytics (UBA): Elastic Security’s UBA capabilities allow for a nuanced analysis of behavior patterns among privileged account holders. By establishing a baseline of normal activity, Elastic can swiftly identify and alert on deviations, whether they stem from unusual access times, locations, or methods, offering an early warning system against infiltration attempts.

  • Firewall rule auditing: Elastic Security aids in the auditing and management of firewall rules, identifying overly permissive or outdated policies that could serve as entry points for attackers like Scattered Spider. Through meticulous review and refinement of these rules, financial institutions can enforce a more secure network perimeter.

  • Reinforced network segmentation: In the wake of the COVID-19 pandemic, many financial institutions had to rapidly adjust their network policies to accommodate remote work. Elastic Security supports the re-establishment of stringent network segmentation, crucial for isolating and containing potential breaches, thereby minimizing their impact.

  • Robust disaster recovery planning: Recognizing the importance of resilience, Elastic Security emphasizes the need for comprehensive disaster recovery plans, including the maintenance of offline, encrypted backups of critical data. Such measures ensure that, even in the event of a successful attack, financial institutions can quickly restore operations with minimal disruption.

  • Automated incident response: Through integration with automated response platforms like Tines, Elastic Security enables financial institutions to react instantly to suspicious activities, locking out affected accounts and cutting off attackers’ access. This proactive stance is essential for mitigating potential damage and deterring future attacks.

  • Comprehensive credential management: Given Scattered Spider’s record of obtaining privileged access, it may be wise for all privileged accounts to undergo a comprehensive update of their credentials. Elastic’s search capabilities can help detect privileged accounts and ensure they are valid, tightly controlled, and monitored, significantly reducing the attack surface.

  • Generative AI Assistant: Elastic AI Assistant bolsters cybersecurity operations teams with generative AI. It allows users to interact with Elastic Security for tasks such as alert investigation, incident response, and query generation or conversion using natural language. By facilitating natural language interactions for tasks such as alert investigation and incident response, the AI Assistant empowers organizations to swiftly and effectively identify and counteract the sophisticated tactics employed by cybercriminal groups.
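To make the ES|QL and UBA points above concrete, here is an added example (not code from the original post or from Elastic) of a piped ES|QL investigation that looks for privileged-account logins that deviate from a normal pattern: off-hours sign-ins and sign-ins spread across multiple source countries. It assumes ECS-formatted authentication events in a `logs-*` data stream, and the privileged account names are constructed placeholders.

```esql
// Added example, not from the original post. Assumes ECS fields
// (event.category, event.outcome, user.name, source.ip,
// source.geo.country_iso_code, @timestamp) in logs-*.
FROM logs-*
// Keep only successful authentications.
| WHERE event.category == "authentication" AND event.outcome == "success"
// Constructed placeholder list of privileged accounts; replace with your own.
| WHERE user.name IN ("svc-backup-admin", "helpdesk-tier2-admin")
// Flag logins outside a 06:00-20:00 working window (adjust to your baseline).
| EVAL hour = DATE_EXTRACT("hour_of_day", @timestamp)
| EVAL off_hours = CASE(hour < 6 OR hour > 20, 1, 0)
// Summarize per account: volume, off-hours count, and source diversity.
| STATS
    logins = COUNT(*),
    off_hours_logins = SUM(off_hours),
    distinct_ips = COUNT_DISTINCT(source.ip),
    distinct_countries = COUNT_DISTINCT(source.geo.country_iso_code)
  BY user.name
// Surface only accounts that deviate from the expected pattern.
| WHERE off_hours_logins > 0 OR distinct_countries > 1
| SORT off_hours_logins DESC, distinct_countries DESC
| LIMIT 50
```

Each pipe narrows the result set in full view, so an analyst can add or remove a stage (for example, a time window on `@timestamp` or a `KEEP` of the fields needed for triage) and re-run without rebuilding the query from scratch.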

A unified front against cyber threats

Scattered Spider and other adversary groups are important reminders of the need for vigilance, innovation, and collaboration in cybersecurity. By leveraging tools like Elastic Security, financial institutions can not only defend against the immediate dangers posed by such cybercriminal groups but also foster a more secure, resilient digital ecosystem. In doing so, teams across FSI (and all industries) can continue to safeguard their assets and maintain the trust and well-being of their customers.

Interested in learning more? Watch Securing the future of finance, or check out the Global Threat Report for a more in-depth understanding of adversary movement.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. 

Elastic, Elasticsearch, ESRE, Elasticsearch Relevance Engine and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners.