
Getting the first 48 hours right

Travis DeForge at Abacus Group outlines some of the mistakes organisations make following a cyber-attack – and how to rectify them


Rumours that the hacking collective Scattered Spider has retired appear to have been premature. Claims that the group was ‘going dark’ have been contradicted by a recent spate of attacks, many of them aimed at the financial services sector.

The group’s current focus on financial services is no coincidence. The industries it targets typically share three characteristics: high-value data such as PII, complex IT infrastructure, and outsourced or vulnerable help desk operations. All three apply to firms operating in finance.

Typically, Scattered Spider deploys a wide spectrum of sophisticated social engineering tactics against its targets. These range from buying employee and company information on the dark web, to posing as help desk staff to deceive employees into sharing credentials and other confidential information, to using deep-fake voice calls to impersonate executives or IT personnel.

Once past the password and multi-factor authentication, Scattered Spider installs remote access tools (RATs), scans the environment for high-value systems such as hypervisors and backups, then steals data, encrypts machines and issues a ransom demand. But it is what happens in the 48 hours following a breach that decides the severity of the long-term impact a firm has to deal with, and there are several mistakes firms typically make.

What firms get wrong in incident response

Arguably the biggest and most impactful error is not having an incident response plan in place or, where one exists, not following it. A robust incident response capability is non-negotiable for financial services organisations today: it is a requirement of the latest cybersecurity regulations that apply to the sector.

Both the SEC rules in the US and DORA in Europe require financial entities to have an incident response plan in place for when a breach or ICT-related incident occurs. The plan should set out procedures for detecting, responding to and recovering from security incidents, including protocols for assessing and containing incidents, enforcing data retention policies and maintaining proper oversight of service providers.

Unfortunately, many firms still hold incident response plans on paper that are neither tested nor updated. Equally, a lack of training or clarity about roles and responsibilities means that some firms struggle with execution during incidents, and poor internal communication once an incident has occurred makes the problem worse.

Continuous threat detection and response across endpoints, cloud systems and traditional network infrastructure is essential for early identification of, and swift response to, malicious actors attempting to gain a foothold in company systems. The reality, though, is that budget constraints or a lack of skilled personnel can limit the effectiveness of such an approach.

Why people and technology are key to recovery

Within incident response, end-user security awareness that covers the latest attacker techniques, such as generative-AI impersonation, backed by regular social engineering testing, is important in ensuring organisations can respond to modern threats. Again, this best practice is not applied across the board, for reasons such as a lack of senior executive buy-in or employee training fatigue.

Every incident response plan should also include procedures for data recovery, which in turn require valid, recent backups. Retention policies should ensure that critical backups and snapshots cannot be overwritten or lost; allowing that to happen is the second big mistake firms often make.

Linked to this is another major error: restoring over infected systems. In the days after an attack, financial services firms are eager to get their systems back as quickly as possible, and in the rush they can restore backups directly onto systems that are still compromised. Any malware left behind then simply reinfects the environment.

Some firms rush out to buy new hardware in the belief that this will fix the problem. It will not: if attackers still have access to the environment, or data and systems remain compromised, new hardware serves little purpose.

Technology and a trusted partnership

Another challenge organisations face is a lack of in-house expertise and resources. According to figures from the UK government, nearly half (49%) of businesses have a basic cyber skills gap, with many struggling to perform essential tasks including setting up firewalls, managing personal data securely and detecting malware. Without assistance from third parties, most firms will find it very difficult to initiate and execute vital containment and remediation measures.


External cyber-security experts and the technology they have at their disposal can play a key role in helping financial services firms to stop hacking groups like Scattered Spider from advancing through their environment.


More to the point, they can help firms block initial access – principally by inhibiting social engineering tactics with advanced email security and phishing-resistant MFA. Alongside this, they can implement further important measures such as ongoing security awareness training, strengthened help desk protocols and Zero Trust strategies.


Partners can help with execution too. Most notably, they can assist firms in deploying endpoint managed detection and response (MDR), cloud MDR, and application controls to increase visibility, spot unusual execution chains, and block unapproved software. With these tools, cyber-security specialists can identify and control activity which is suspicious or increases vulnerability, such as the creation of new privileged accounts and escalation of group memberships.
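As an added illustration of the last point (spotting the creation of new privileged accounts and escalation of group memberships), here is a small Python detection rule written for this page; it is not code from the article or from Abacus Group. It keys on Windows Security event IDs 4720 (user account created) and 4728/4732/4756 (member added to a security-enabled group). The event records, their field names and the list of privileged groups are constructed assumptions for the example, not real telemetry.

```python
"""Toy detection rule: privileged group additions and create-then-elevate chains.

Added example, not from the original article or Abacus Group. The event
records below are CONSTRUCTED to resemble Windows Security log events
(4720 = user account created; 4728/4732/4756 = member added to a
security-enabled global/local/universal group). Field names are an
assumption for this example.
"""
from datetime import datetime, timedelta

# Groups whose membership changes we treat as privileged (assumed list).
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators",
    "Schema Admins", "Backup Operators",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
USER_CREATED = 4720
# A creation followed by a privileged add inside this window is one escalation chain.
CHAIN_WINDOW = timedelta(minutes=30)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2025-06-01T02:11:05", "event_id": 4720, "subject": "helpdesk.svc",
     "target": "svc_backup2", "group": None},
    {"time": "2025-06-01T02:13:40", "event_id": 4728, "subject": "helpdesk.svc",
     "target": "svc_backup2", "group": "Domain Admins"},
    {"time": "2025-06-01T09:00:12", "event_id": 4720, "subject": "hr.onboarding",
     "target": "j.smith", "group": None},
    {"time": "2025-06-01T09:00:30", "event_id": 4728, "subject": "hr.onboarding",
     "target": "j.smith", "group": "Finance Users"},
    {"time": "2025-06-01T14:22:08", "event_id": 4732, "subject": "alice.admin",
     "target": "bob", "group": "Administrators"},
]


def parse_time(s):
    return datetime.fromisoformat(s)


def analyse(events):
    """Return a list of alert dicts, one per privileged group addition.

    An addition whose target account was created within CHAIN_WINDOW is
    upgraded to a 'new_account_elevated' alert. Events may arrive out of
    order, so they are sorted by timestamp first.
    """
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    created_at = {}  # target account -> time of its 4720 event
    alerts = []
    for e in events:
        t = parse_time(e["time"])
        if e["event_id"] == USER_CREATED:
            created_at[e["target"]] = t
            continue
        if e["event_id"] in GROUP_ADD_EVENTS and e["group"] in PRIVILEGED_GROUPS:
            alert = {
                "severity": "high",
                "rule": "privileged_group_add",
                "account": e["target"],
                "group": e["group"],
                "actor": e["subject"],
            }
            c = created_at.get(e["target"])
            if c is not None and t - c <= CHAIN_WINDOW:
                alert["severity"] = "critical"
                alert["rule"] = "new_account_elevated"
                alert["minutes_since_creation"] = round((t - c).total_seconds() / 60, 1)
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_EVENTS):
        print(a)
```

Run the file to print the alerts. The j.smith onboarding produces nothing because "Finance Users" is not in the privileged set, while svc_backup2 (created and dropped into Domain Admins two and a half minutes later by the same help desk account) is the pattern an attacker who has just talked their way past the help desk produces, and it should page someone rather than sit in a daily report.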


Looking to the future, the threat to financial services firms looks set to continue. The social engineering and MFA-bypass tactics employed by attackers are set to escalate, and ransomware and extortion remain profitable.

By working with cyber-security experts and leveraging a range of tools and responses from managed detection and response to multifactor authentication to carefully coordinated incident response, financial services firms can ensure they better protect themselves from an attack and respond quickly and efficiently to mitigate the threat whenever an incident occurs.  




Travis DeForge is Director of CyberSecurity, Abacus Group


Main image courtesy of iStockPhoto.com and bymuratdeniz

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543