Defending Against Scattered Spider: Best Practices for UK Organisations
30 June
The recent cyberattacks on UK retailers such as Marks & Spencer (M&S) and the Co-op, attributed to the cybercriminal group Scattered Spider, have underscored the evolving threat landscape. This group relies less on software exploits than on sophisticated social engineering: impersonating employees to talk IT help desks into resetting passwords, and abusing weaknesses in multi-factor authentication (MFA), for example by SIM swapping to intercept SMS codes or by bombarding a user with push notifications until one is approved. The impact has been significant, with M&S reporting up to £300 million in lost profits and a £750 million drop in market value.
To safeguard against such threats, UK organisations should adopt a comprehensive, multi-layered cybersecurity strategy. Below are key best practices:
1. Enhance Social Engineering Awareness
Human error remains a primary entry point for cybercriminals. Regular training sessions should educate employees about phishing, vishing (voice phishing), smishing (SMS phishing), and other social engineering tactics. Simulated attacks help staff recognise and respond appropriately to suspicious activity; for IT support staff this should include test calls requesting a password or MFA reset, since that is the conversation this group is known to exploit.
2. Implement Robust Multi-Factor Authentication (MFA)
Not all MFA is equal: SMS and voice codes are vulnerable to SIM swapping, one-time codes can be relayed through a real-time phishing proxy, and push-based approval can be worn down by repeated prompts. Organisations should adopt phishing-resistant MFA, such as FIDO2/WebAuthn security keys or passkeys, or Public Key Infrastructure (PKI)-based certificate authentication, to strengthen access controls. The reset path matters just as much: help desks should verify identity out of band (for example a callback to a number already on record, or confirmation from the line manager) before resetting a password or enrolling a new MFA device, because a strong factor is worthless if an attacker can talk their way into replacing it.
3. Secure Remote Access and Endpoints
Given the rise in remote work, securing remote access is crucial. Implement Virtual Private Networks (VPNs) or Virtual Desktop Infrastructure (VDI) for remote connections, and restrict the use of Remote Desktop Protocol (RDP) unless absolutely necessary. Control the installation of remote monitoring and management (RMM) tools as well: once an attacker holds a valid credential, a legitimate remote-support tool is an easy way to keep a foothold that blends in with normal administration. Endpoint Detection and Response (EDR) tools can help monitor and respond to suspicious activity on devices.
4. Regularly Update and Patch Systems
Cybercriminals often exploit known vulnerabilities in outdated software. Establish a rigorous patch management process to ensure that all systems, applications, and firmware are up to date, particularly those exposed to the internet.
5. Implement Application Allowlisting
To prevent the execution of unauthorised software, organisations should implement application allowlisting. This approach ensures that only pre-approved applications can run, blocking potentially malicious programs that may be used by threat actors.
6. Segment Networks to Limit Lateral Movement
Network segmentation involves dividing the network into smaller, isolated sections so that an attacker who compromises one user or device cannot move freely to the rest. Identity infrastructure (domain controllers, identity providers) and backup systems in particular should sit in their own segments with tightly controlled access paths. This practice can contain a breach and protect critical assets.
7. Maintain Secure and Immutable Backups
Regularly back up critical data and ensure that backups are immutable (they cannot be altered or deleted during their retention period, even by an administrator account) and that at least one copy is offline or otherwise unreachable from the production identity domain, so that stolen administrator credentials cannot be used to destroy them. Test restores regularly; a backup that has never been restored is not a recovery plan. This practice is essential for recovery in the event of a ransomware attack.
8. Develop and Regularly Test an Incident Response Plan
Having a well-defined incident response plan is vital. Organisations should establish clear procedures for detecting, responding to, and recovering from cyber incidents, including who may authorise emergency credential resets or the isolation of systems. Regular testing and updates to the plan ensure preparedness and an effective response during actual events.
9. Monitor and Analyse Network Activity
Continuous monitoring of network and authentication activity can help detect unusual patterns indicative of a breach. In identity-driven intrusions of this kind, the most valuable signals are in the authentication logs rather than in network traffic: bursts of rejected MFA prompts followed by an approval, help-desk password resets closely followed by enrolment of a new MFA device, and logins from unfamiliar locations or devices. Employing Security Information and Event Management (SIEM) systems and threat intelligence feeds can aid in identifying and responding to such threats promptly.
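As an added example (not from the original article or any particular SIEM product), the two detection rules below run over a constructed, simplified authentication log: one flags the MFA push-bombing pattern, the other flags a help-desk password reset followed within an hour by MFA enrolment from an IP address the user has never logged in from. The log format, field names, thresholds and sample entries are all assumptions for illustration; in practice the same logic would be written as a SIEM correlation rule against your identity provider's events.

```python
"""Detection rules for two identity-abuse patterns over a constructed sample log.
Added illustration, not code from the original article. Log format is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format assumed:
#   <ISO8601 time> <event> key=value ...
SAMPLE_LOG = [
    "2025-04-19T08:00:00Z login user=dave ip=192.0.2.20 result=success",
    "2025-04-20T09:00:01Z mfa_push user=alice ip=203.0.113.7 result=denied",
    "2025-04-20T09:00:40Z mfa_push user=alice ip=203.0.113.7 result=denied",
    "2025-04-20T09:01:15Z mfa_push user=alice ip=203.0.113.7 result=timeout",
    "2025-04-20T09:02:02Z mfa_push user=alice ip=203.0.113.7 result=approved",
    "2025-04-20T09:05:00Z mfa_push user=bob ip=198.51.100.4 result=approved",
    "2025-04-20T10:10:00Z password_reset user=carol actor=helpdesk ip=10.0.0.5 result=success",
    "2025-04-20T10:22:30Z mfa_enrol user=carol ip=203.0.113.9 result=success",
    "2025-04-20T11:00:00Z password_reset user=dave actor=helpdesk ip=10.0.0.5 result=success",
    "2025-04-20T11:05:00Z mfa_enrol user=dave ip=192.0.2.20 result=success",
]


def parse_line(line):
    """Parse one log line into a dict with a datetime 'time' and an 'event' name."""
    ts, event, *pairs = line.split()
    rec = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for pair in pairs:
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec


def detect_mfa_fatigue(records, min_rejections=3, window=timedelta(minutes=10)):
    """Alert when a user approves a push after >= min_rejections rejected or
    timed-out pushes inside the window: the push-bombing pattern."""
    alerts = []
    recent = defaultdict(list)  # user -> times of recent rejected/timed-out pushes
    for r in sorted(records, key=lambda r: r["time"]):
        if r["event"] != "mfa_push":
            continue
        user = r["user"]
        # Keep only rejections still inside the sliding window.
        recent[user] = [t for t in recent[user] if r["time"] - t <= window]
        if r["result"] in ("denied", "timeout"):
            recent[user].append(r["time"])
        elif r["result"] == "approved":
            if len(recent[user]) >= min_rejections:
                alerts.append({"rule": "mfa_fatigue", "user": user, "ip": r["ip"],
                               "rejections": len(recent[user]), "time": r["time"]})
            recent[user] = []  # an approval closes the sequence either way
    return alerts


def detect_reset_then_enrol(records, window=timedelta(minutes=60)):
    """Alert when a help-desk password reset is followed within the window by
    MFA enrolment from an IP the user has no prior successful login from."""
    alerts = []
    known_ips = defaultdict(set)  # user -> IPs seen in earlier successful logins
    last_reset = {}               # user -> time of most recent help-desk reset
    for r in sorted(records, key=lambda r: r["time"]):
        user = r.get("user")
        if r["event"] == "login" and r.get("result") == "success":
            known_ips[user].add(r["ip"])
        elif r["event"] == "password_reset" and r.get("actor") == "helpdesk":
            last_reset[user] = r["time"]
        elif r["event"] == "mfa_enrol":
            reset_at = last_reset.get(user)
            if reset_at is not None and r["time"] - reset_at <= window \
                    and r["ip"] not in known_ips[user]:
                alerts.append({"rule": "reset_then_enrol", "user": user,
                               "ip": r["ip"], "reset_at": reset_at, "time": r["time"]})
    return alerts


def run_detections(lines):
    """Parse the log and return every alert from both rules."""
    records = [parse_line(line) for line in lines]
    return detect_mfa_fatigue(records) + detect_reset_then_enrol(records)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

On the sample data only alice (three rejected pushes, then an approval) and carol (reset, then enrolment from an address never seen for her) are flagged; dave's enrolment after a reset comes from an IP he logged in from the day before, so it is not. Tuning the thresholds and the definition of "known" location (device identifier, ASN, corporate VPN range) is where most of the real work lies.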
10. Collaborate with Cybersecurity Experts
Engaging with cybersecurity professionals and services can provide organisations with up-to-date threat intelligence and expertise. Collaboration enhances the ability to anticipate, detect, and mitigate emerging threats effectively.
The evolving tactics of groups like Scattered Spider highlight the necessity for organisations to adopt a proactive and comprehensive approach to cybersecurity. By implementing these best practices, UK businesses can enhance their resilience against sophisticated cyber threats and protect their operations, data, and reputation.