
Your IT Help Desk Blueprint To Defend Against Social Engineering

Frank Abagnale, Associates, Abagnale Associates

Introduction

In September 2023, Scattered Spider attacked MGM and fundamentally changed the threat landscape.  A single call to the IT Help Desk, coupled with social engineering, SIM Swap and identity impersonation opened the door to a ransomware attack.

Since then, this technique has been used against a multitude of high-profile brands including Cartier, M&S, Harrods, Adidas, Coop, Dior, Allianz, Victoria’s Secret, Tiffany, Qantas, The North Face, Aflac, and no doubt others that have not been made public.

This whitepaper aims to share the best practices of IT Help Desks that have successfully thwarted Scattered Spider and their attack methodology.

The Strategy

E-commerce retailers have been fending off cyberattacks for over 25 years and have developed strategies to efficiently manage high volumes of online orders:

  • Screen all transactions with an automated system that is immune to human error and social engineering, also reducing the costs of handling live calls.
  • Transactions that do not pass the automated service are funneled to a human fraud investigator for manual review.
  • Those remaining transactions that do not pass the fraud manual review are funneled to a supervisor trained to handle escalations.

This strategy, employing three levels of targeted defense, provides the most optimized operation without compromising on security.

When the IT Help Desk replicates this model, it can provide the most secure operation at the lowest cost and with the fastest resolution of tickets.

This layered strategy lets machines do what they do best, and humans do what they do best, in harmony.  As cyber-attacks are akin to fraud attacks in their occurrence rates, this strategy is fit for purpose in both cases.

How To Deploy Three Layers of Defense

First Layer: Self-Service

The first layer is a self-service system that operates in real-time and is available to employees 24x7x365.  This is where 100% of the journeys should begin, and it should resolve over 90% of requests, such as password or MFA resets, without a call to the IT Help Desk.

By offering this as the first step you achieve the following:

  1. Fewer calls into the IT Help Desk
  2. Lower costs
  3. Lower AHT (average call handling time)
  4. Lower chances of human error
  5. Less opportunity for social engineering
  6. Lower chance of insider threats

Second Layer: Agent-Assisted

The second layer is an agent-assisted system that operates in real-time and is available to employees 24x7x365.  This is where 10% of the journeys should funnel to, i.e., those that do not pass self-service.  Tier 1 human agents will attempt to conduct an identity verification before making the requested changes and will strive for first-call resolution.  This should resolve over 90% of second-layer transactions without an escalation to a Tier 2 supervisor.

By offering this as the second step you achieve the following:

  1. Fewer calls into the Tier 2 IT Help Desk agents
  2. Lower costs
  3. Lower AHT (average call handling time)

Third Layer: Agent Assisted with a Supervisor/Escalation Expert

The third layer is an agent-assisted system that operates in real-time and is available to employees 24x7x365.  This is where 10% of the second-layer journeys should be funneled to, and it should resolve over 90% of these transactions.

By offering this as the last step you achieve the following:

  1. Fewer calls into the Tier 2 IT Help Desk
  2. Lower costs

You will note that this model never totals to 100% as there will always be cases that can’t be resolved via the IT Help Desk.

Why do the current defense lines falter?

Many IT Help Desks are still using standard operating procedures (SOPs) and best practices that were established before GenAI took off.  As a result, they may fail to detect these attackers at all.

Some examples of current defense lines:

If you use an IDV that scans documents but does not consider GenAI deepfakes, you may accept a fake document as a result.

If you send an SMS OTP as part of your IDV or MFA, but it does not consider SIM Swapping, you may accept a verification that is not coming from your employee.  The hacker gets the message, leaving the employee unaware, and your IT Help Desk is none the wiser.

If you ask for knowledge-based authentication (KBA), much of the data has already been breached, or is subject to phishing attacks and social engineering of your employees.

If you are using IP Geolocation, but it does not consider VPNs and Apple’s Private Relay, you may prevent a good employee from completing a journey, whether it is a self-service portal or a live call with an agent.

If you use methodologies that precede Man-In-The-Middle (MITM) attacks, or do not have a way for your employees to verify that it is your IT Help Desk calling them, you are exposed.
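The failure modes above share one root cause: a signal (SMS OTP, a scanned ID, an IP address) is trusted without first checking whether the attacker could have taken control of it. The following routing engine is an added illustration written for this page, not code from the whitepaper or from Abagnale Associates. It turns each failure mode into an explicit check that runs before a request is allowed into self-service, Tier 1 or Tier 2, and it goes slightly beyond the text by showing how the checks combine into one decision. The signal names, the 72-hour SIM-swap cooldown, the country codes and the sample requests are all assumptions made for this example.

```python
"""Added illustration (not code from the whitepaper or from Abagnale Associates).

A small routing engine that applies the failure modes listed above as explicit
checks before an identity-verification request proceeds through the three
layers (self-service, Tier 1 agent, Tier 2 supervisor).  The signal names, the
72-hour SIM-swap cooldown and the sample requests are assumptions for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Route(Enum):
    SELF_SERVICE = "self-service"     # layer 1: automated, no human in the loop
    TIER1 = "tier-1 agent"            # layer 2: agent-assisted verification
    TIER2 = "tier-2 supervisor"       # layer 3: escalation expert


@dataclass
class Signals:
    """Risk signals known when the request arrives (hypothetical schema)."""
    hours_since_sim_swap: Optional[float]     # None if the MNO reports no swap
    document_presented: bool = False
    document_replay_detected: bool = False    # anti-replay check on the ID scan
    document_tampered: bool = False           # manipulated / counterfeit document
    document_issuer_verified: bool = False    # fields confirmed with issuing authority
    ip_country: str = "US"
    vpn_or_private_relay: bool = False
    gps_country: Optional[str] = None         # shared by the user, None if not shared
    otp_forwarded: bool = False               # OTP seen leaving to another device (MITM)


@dataclass
class Decision:
    route: Route
    sms_otp_allowed: bool
    reasons: List[str] = field(default_factory=list)


SIM_SWAP_COOLDOWN_HOURS = 72.0  # assumption: swaps in the last 3 days are treated as suspect


def evaluate(s: Signals, hr_country: str) -> Decision:
    """Decide which layer handles the request and whether SMS OTP may be used at all."""
    reasons: List[str] = []

    # SIM-swap check runs BEFORE any SMS is sent: a freshly swapped number proves
    # nothing about who holds the phone.
    sms_ok = True
    if s.hours_since_sim_swap is not None and s.hours_since_sim_swap < SIM_SWAP_COOLDOWN_HOURS:
        sms_ok = False
        reasons.append("recent SIM swap: SMS OTP cannot prove possession")

    # An OTP forwarded on to another device indicates a MITM: no automated path
    # and no SMS channel for the rest of this request.
    if s.otp_forwarded:
        reasons.append("OTP forwarded to another device (possible MITM)")
        return Decision(Route.TIER2, False, reasons)

    # Document checks: replayed or tampered scans go straight to a supervisor.
    if s.document_presented and (s.document_replay_detected or s.document_tampered):
        reasons.append("ID scan replayed or document manipulated")
        return Decision(Route.TIER2, sms_ok, reasons)

    # Geolocation: a VPN or Private Relay is not evidence of fraud.  Instead of
    # blocking, ask for a shared GPS location and compare that to the HR record.
    if s.vpn_or_private_relay:
        if s.gps_country is None:
            location_ok = False
            reasons.append("VPN/Private Relay hides IP location; ask user to share GPS")
        else:
            location_ok = s.gps_country == hr_country
            if not location_ok:
                reasons.append("shared GPS location disagrees with HR record")
    else:
        location_ok = s.ip_country == hr_country
        if not location_ok:
            reasons.append("IP geolocation disagrees with HR record")

    # Routing: only a request with no findings stays in self-service.  An
    # issuer-verified document keeps a SIM-swapped caller at Tier 1; otherwise
    # a supervisor handles it.
    if sms_ok and location_ok and not reasons:
        return Decision(Route.SELF_SERVICE, True, reasons)
    if sms_ok or (s.document_presented and s.document_issuer_verified):
        return Decision(Route.TIER1, sms_ok, reasons)
    return Decision(Route.TIER2, sms_ok, reasons)


# Constructed sample requests, one per failure mode discussed above.
SAMPLE_REQUESTS = {
    "clean": Signals(hours_since_sim_swap=None),
    "sim_swapped": Signals(hours_since_sim_swap=5.0),
    "sim_swapped_with_verified_id": Signals(
        hours_since_sim_swap=5.0, document_presented=True, document_issuer_verified=True),
    "vpn_no_gps": Signals(hours_since_sim_swap=None, vpn_or_private_relay=True),
    "vpn_with_gps": Signals(hours_since_sim_swap=None, vpn_or_private_relay=True, gps_country="US"),
    "replayed_scan": Signals(hours_since_sim_swap=None, document_presented=True,
                             document_replay_detected=True),
    "otp_forwarded": Signals(hours_since_sim_swap=None, otp_forwarded=True),
}


def route_all(hr_country: str = "US") -> dict:
    """Evaluate every sample and return {name: route value} for inspection."""
    return {name: evaluate(sig, hr_country).route.value for name, sig in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, sig in SAMPLE_REQUESTS.items():
        d = evaluate(sig, "US")
        print(f"{name:28s} -> {d.route.value:16s} sms_otp={d.sms_otp_allowed} {d.reasons}")
```

The order of the checks is the point: the SIM-swap lookup happens before any OTP is sent, a forwarded OTP or a replayed scan ends the automated path immediately, and a VPN on its own never blocks a legitimate employee but moves the request to a layer where a human can ask for a shared location.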

How To Defend Against Scattered Spider

The three-layer defense model sets up your IT Help Desk for success, lowering risk and reducing cost.  Nonetheless, you need to know what to do when the transactions are handled to avoid a false sense of security.

By studying the MOs (modus operandi) of Scattered Spider, you can match your defense to their tactics.  The essential reason they have been so successful to date is that they avoid detection during the call. When they impersonate employees, they rely on a combination of failures to sail through without notice.

If, for example, your current security process begins with an SMS-based MFA check of the caller, this is futile if the phone number has recently been SIM-Swapped.  Scattered Spider starts their attack ahead of calling the IT Help Desk.  Once they learn that your security process relies on SMS, they will first target the telco, or as they are known in the industry, MNO (Mobile Network Operators), and persuade them to transfer control of the target’s number – a SIM Swap attack.  Therefore, if you do not apply a SIM Swap check before sending any SMS, you are wide open to that attack vector.

Additionally, if you rely on traditional ID&V processes that scan a government-issued ID as part of your account recovery process, you must protect yourself with a technology that is immune to GenAI deepfakes.  With the advent of GenAI it is easy for scammers to produce both static and live videos, showing convincing “employees” holding up their “ID”.

For reference:

By observing the known attack vectors and tools that cybergangs like Scattered Spider employ, you can deploy countermeasures such as:

  1. Using a proven anti-replay detection system to detect replay of a scan of a real employee’s ID that has been siphoned by malware on their device. Due to BYOD, employees’ phones may be jailbroken and allow an attacker to capture images or videos off their camera.
  2. Detecting manipulated and/or counterfeit documents presented by the user.
  3. Enabling the user to easily share their GPS location with the IT Help Desk agent. VPNs, even when used legitimately, may obscure their true IP geolocation.
  4. Alerting your agent when an SMS/Email sent to the caller has been forwarded on to an unsuspecting genuine employee using a Man-In-The-Middle (MITM) attack.
  5. Ascertaining if the scanned ID document is authentic by verifying it with the relevant issuing authority.  GenAI deepfakes can create convincing replicas that look authentic to software and the human eye.  By verifying ID with the issuer, you can compare unguessable fields like issue date and expiration date.
  6. Providing training to your agents on how the internet works, how the MNOs work, and how attackers will exploit this infrastructure.  This should include simulation of calls that attempt to fool and social engineer the agent, so they can practice their countermeasures.
  7. Finally, deploying the reverse capability, i.e., protecting unsuspecting employees from engaging with fake IT Help Desk calls.  Scattered Spider not only targets the IT Help Desk; they also call employees pretending to be your IT Help Desk agents.  On these calls, they will attempt to socially engineer your employee to provide sensitive information or perform operations that subsequently enable ransomware attacks.
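Item 7 asks for a way an employee can confirm that a caller really is the IT Help Desk. One simple mechanism is a short-lived code, bound to a ticket and an employee, that the help desk system shows only in the employee's authenticated self-service portal: a genuine agent calling out can read the same code, an impostor cannot. The exchange below is an added example written for this page, not code from the whitepaper or from Abagnale Associates; the class and function names, the six-digit code format, the ten-minute lifetime and the sample ticket and employee identifiers are assumptions made for the illustration.

```python
"""Added illustration (not code from the whitepaper or from Abagnale Associates).

Callback verification for the 'reverse' capability: a code bound to a ticket
and an employee, visible only in the employee's authenticated portal and read
out by the genuine agent on the call.  Names, code format, lifetime and sample
identifiers are assumptions for this example.
"""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


class CallbackVerifier:
    def __init__(self, ttl_seconds: int = 600, clock: Callable[[], float] = time.time):
        # ticket_id -> (employee_id, code, expiry timestamp)
        self._codes: Dict[str, Tuple[str, str, float]] = {}
        self.ttl = ttl_seconds
        self.clock = clock          # injectable clock so expiry can be exercised offline

    def issue(self, ticket_id: str, employee_id: str) -> str:
        """Help desk side: generate a code when an agent opens an outbound call."""
        code = f"{secrets.randbelow(10**6):06d}"      # hypothetical six-digit format
        self._codes[ticket_id] = (employee_id, code, self.clock() + self.ttl)
        return code

    def portal_view(self, ticket_id: str, employee_id: str) -> Optional[str]:
        """Employee side: the code shown in the authenticated portal, or None."""
        entry = self._codes.get(ticket_id)
        if entry is None:
            return None
        owner, code, expiry = entry
        if owner != employee_id or self.clock() > expiry:
            return None                                # wrong employee or expired
        return code

    def confirm(self, ticket_id: str, employee_id: str, spoken_code: str) -> bool:
        """Employee compares what the caller reads out with the portal; one-time use."""
        expected = self.portal_view(ticket_id, employee_id)
        if expected is None:
            return False
        ok = hmac.compare_digest(expected, spoken_code.strip())
        if ok:
            del self._codes[ticket_id]                 # burn the code so it cannot be replayed
        return ok


def simulate(now: float = 1_000_000.0) -> dict:
    """Constructed exchange: a genuine callback, a replay, an impostor and an expired code."""
    clock = {"t": now}
    v = CallbackVerifier(ttl_seconds=600, clock=lambda: clock["t"])

    # 1. Agent opens ticket T-1001 for employee e.smith; the system issues a code.
    code = v.issue("T-1001", "e.smith")
    # 2. Employee receives a call, opens the portal and sees the same code.
    seen = v.portal_view("T-1001", "e.smith")
    # 3. The genuine agent reads the code; the employee confirms; the code is burned.
    genuine = v.confirm("T-1001", "e.smith", code)
    replay = v.confirm("T-1001", "e.smith", code)
    # 4. An impostor calls about a ticket the system never opened and guesses a code.
    impostor = v.confirm("T-9999", "e.smith", "123456")
    # 5. A code outlives its lifetime before the employee checks the portal.
    v.issue("T-1002", "e.smith")
    clock["t"] = now + 601
    expired = v.portal_view("T-1002", "e.smith")

    return {"seen_matches": seen == code, "genuine": genuine, "replay": replay,
            "impostor": impostor, "expired": expired is None}


if __name__ == "__main__":
    for step, result in simulate().items():
        print(f"{step:14s}: {result}")
```

The employee never has to judge the caller's voice or story: the only question is whether the code read out on the phone matches the one in the portal they logged into themselves. Because the code is single-use and bound to the ticket and employee, a recording of one call does not help on the next.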

In Conclusion

Cybergangs like Scattered Spider, The Com, and Blackcat are now utilizing a combination of technologies and a significant level of sophistication to infiltrate your network via your IT Help Desk.  To protect your enterprise from these attacks, you should mirror the three-layer strategy developed by e-commerce retailers over the last 25 years.  As the threat landscape evolves constantly, now is the time to assess your capabilities against new threats and deploy countermeasures accordingly.
