Incidents impacting retailers – recommendations from the NCSC

Preparation and resilience extend beyond simply establishing robust defenses against intruders. Despite the effectiveness of your security measures, there may be instances when attackers successfully breach your defenses.

Resilience therefore means not only detecting threat actors who abuse legitimate access to your staff, network, or cloud services, but also containing those attackers to limit the damage, and having effective plans in place for responding to and recovering from any breach that does occur. Recent discussions have suggested that a group known as ‘Scattered Spider’ may be behind some incidents, with speculation around their use of social engineering against IT helpdesks to obtain password and MFA (multi-factor authentication) resets, a method previously attributed to this group.

We have developed tailored guidance for the sector. We believe that by adhering to best practices, all organizations can significantly reduce their vulnerability to threats of this nature.

In addition to following the NCSC’s advice on Mitigating malware and ransomware attacks, organizations are strongly encouraged to:

  • Implement 2-step verification (multi-factor authentication) comprehensively.
  • Enhance monitoring for unauthorized account use; for instance, by reviewing ‘risky logins’ in Microsoft Entra ID Protection, which flags sign-in attempts showing indicators of possible compromise or suspicious behavior, particularly those flagged by ‘Microsoft Entra Threat Intelligence’.
  • Pay particular attention to Domain Admin, Enterprise Admin, and Cloud Admin accounts, verifying the legitimacy of their access.
  • Review helpdesk password reset protocols, ensuring robust authentication measures are employed to verify staff credentials before executing password resets, especially for those with elevated privileges.
  • Ensure your security operations center can detect logins from unusual sources, such as residential-range VPN services, through source enrichment and similar methods.
  • Establish a process to quickly ingest threat intelligence on attacker tactics, techniques, and procedures (TTPs), backed by an appropriate response capability.
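The source-enrichment and helpdesk-reset points above can be combined into one detection. The following is an added illustration, not NCSC or Microsoft code: the sign-in records, the prefix-to-category table, the field names and the two-hour correlation window are all constructed for the demo, and a real SOC would replace the table with an IP-intelligence feed.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed enrichment table (prefix -> network name, category). A real SOC
# would populate this from an IP-intelligence feed; the categories are ours.
NETWORKS = {
    "203.0.113.0/24": ("ExampleResidentialVPN", "residential_vpn"),
    "198.51.100.0/24": ("CorpOffice", "corporate"),
}
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admin", "Enterprise Admin"}

def enrich(ip):
    """Return (network_name, category) for an IP, or unknown if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for prefix, meta in NETWORKS.items():
        if addr in ipaddress.ip_network(prefix):
            return meta
    return ("unknown", "unknown")

def flag_events(events, window=timedelta(hours=2)):
    """Alert on privileged sign-ins from residential VPN ranges and on any
    non-corporate sign-in shortly after a helpdesk reset or MFA re-registration."""
    alerts, last_reset = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] in ("password_reset", "mfa_registered"):
            last_reset[ev["user"]] = t          # remember the reset for correlation
            continue
        name, category = enrich(ev["ip"])
        reasons = []
        if category == "residential_vpn" and ev["role"] in PRIVILEGED_ROLES:
            reasons.append(f"privileged sign-in via {name}")
        reset_at = last_reset.get(ev["user"])
        if reset_at and t - reset_at <= window and category != "corporate":
            reasons.append("non-corporate sign-in within %s of helpdesk reset" % window)
        if reasons:
            alerts.append({"user": ev["user"], "time": ev["time"], "reasons": reasons})
    return alerts

# Constructed sample log: alice is reset by the helpdesk, re-registers MFA,
# then signs in from a residential VPN range; carol and bob are benign.
SAMPLE_EVENTS = [
    {"time": "2025-04-22T08:30:00", "type": "sign_in", "user": "carol", "role": "Domain Admin", "ip": "198.51.100.5"},
    {"time": "2025-04-22T09:00:00", "type": "password_reset", "user": "alice"},
    {"time": "2025-04-22T09:05:00", "type": "mfa_registered", "user": "alice"},
    {"time": "2025-04-22T09:20:00", "type": "sign_in", "user": "alice", "role": "Global Administrator", "ip": "203.0.113.7"},
    {"time": "2025-04-22T10:00:00", "type": "sign_in", "user": "bob", "role": "User", "ip": "203.0.113.9"},
]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE_EVENTS):
        print(alert)
```

Only alice's sign-in is raised, with both reasons attached; bob's residential-VPN sign-in stays quiet because his account is not privileged and was not recently reset.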

The prevalence of online criminal activities—encompassing, but not limited to, ransomware and data extortion—continues to escalate. Such attacks are increasingly common, necessitating that all organizations, regardless of size, remain vigilant and prepared.


Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers
