The Identity IR Playbook Against Scattered Spider Attacks  


The Scattered Spider adversary group has been extremely active in the past month, expanding its targeting to financial and insurance entities. The group makes extensive, in-depth use of identity compromise in both the initial access and lateral movement stages. A sound defensive strategy against Scattered Spider should therefore include a full-lifecycle protection layer that reduces and monitors the identity attack surface and that detects, blocks and responds to the use of compromised identities for malicious access.

Silverfort’s threat research team has worked closely with the identity threats Scattered Spider employs. This article presents the identity IR framework that was implemented and highlights the critical components that must be covered so that the identity aspects of a Scattered Spider attack are handled efficiently.

What’s Different in the Identity Aspect of Incident Response?

Where the malware aspect of IR focuses on detecting and removing malicious files and network IR is about detecting and blocking malicious traffic, the identity aspect of IR is about detecting and blocking lateral movement carried out by compromised user accounts.

Let’s assume a live incident is underway. You know the adversaries have established a foothold in your network and are accessing resources within it. Now you need, as rapidly as possible, to identify the compromised user accounts, stop the attackers from using them, and ensure no further resources are compromised.

To do that efficiently you need to have full visibility, analysis and access control capabilities for authentications and access attempts that involve the following entities:

  • User accounts including service accounts, domain admins and regular users.
  • Identity infrastructure including domain controllers, federation servers, SaaS identity providers, PAM solutions and any other component that manages identities in your environment.
  • Domain-joined machines, including IT and security infrastructure, workstations and servers.

Silverfort is the first solution that provides IT teams with these capabilities in a single, easily deployed solution. Let’s understand how this is mapped to the NIST IR lifecycle used by most IR teams as a standard guideline.

Mapping Identity Protection to the NIST IR Lifecycle Model

The NIST IR framework divides the IR process into four phases: 1) preparation, 2) detection and analysis, 3) containment, eradication and recovery, and 4) post-incident activity.

In this example we assume the Silverfort platform was not installed beforehand and is brought in only once an incident is fully active, so we focus on stages (2) and (3) only.

Identity IR: Detection and Analysis

This stage focuses on the identification of the compromised user accounts, identity infrastructure, and any other resource that has been accessed with the compromised entities.

For this stage, Silverfort provides IR teams with a detailed Log Screen that includes an aggregated view into all authentications and access attempts made by all users to any cloud or on-prem resource. Every authentication is assigned a risk score by Silverfort’s risk engine, along with a wide range of filters to easily detect authentications that were initiated by malicious actors.

Using these capabilities, the IR team can perform the following actions:

  • Analyze the unified logs of AD and other on-prem, federation, and cloud directories to spot lateral movement attempts between the cloud and on-prem environments.
  • Analyze the logs for hybrid service accounts (featuring both machine-to-machine communication as well as manual logins by human users) to detect anomalous activity or access attempts that Silverfort’s risk engine flags as malicious.
  • Analyze the logs for infrastructure-related service accounts to detect anomalous activity or access attempts that Silverfort’s risk engine flags as malicious (given Scattered Spider’s inclination towards infrastructure compromise).

Silverfort’s integration with all identity providers in the environment means you can get all authentication logs made by any user to any on-prem or cloud resource via a single pane of glass.
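To make the analysis step concrete, here is an added example (written for this article, not Silverfort’s product code) that runs the service-account checks above, plus the Kerberoasting and NTLMv1 indicators the containment lists below call out, over constructed Windows 4624/4769-style records. The record shapes, host names, account names and the RC4-ticket threshold are assumptions.

```python
from collections import defaultdict

# Constructed records shaped like Windows logon (4624) and Kerberos service-ticket
# (4769) events; hosts, users and SPNs are invented for this example.
HISTORY = [  # known-good activity used to learn each service account's baseline
    {"id": 4624, "user": "svc-sql", "src": "app01", "logon_type": 3, "auth": "Kerberos"},
    {"id": 4624, "user": "svc-sql", "src": "app02", "logon_type": 3, "auth": "Kerberos"},
]
INCIDENT = [  # activity captured during the live incident
    {"id": 4624, "user": "svc-sql", "src": "ws-117", "logon_type": 10, "auth": "Kerberos"},
    {"id": 4624, "user": "jdoe", "src": "ws-042", "logon_type": 3, "auth": "NTLM", "lm": "NTLM V1"},
    {"id": 4769, "user": "jdoe", "src": "ws-117", "spn": "MSSQLSvc/db01:1433", "etype": "0x17"},
    {"id": 4769, "user": "jdoe", "src": "ws-117", "spn": "HTTP/intranet", "etype": "0x17"},
    {"id": 4769, "user": "jdoe", "src": "ws-042", "spn": "cifs/fs01", "etype": "0x12"},
]
SERVICE_ACCOUNTS = {"svc-sql", "svc-backup"}
INTERACTIVE = {2, 10, 11}   # console, RDP and cached-credential logon types
ROAST_THRESHOLD = 2         # RC4 service tickets per (user, host) before flagging

def baseline(history):
    """Map each service account to the source hosts it normally authenticates from."""
    known = defaultdict(set)
    for e in history:
        if e["id"] == 4624 and e["user"] in SERVICE_ACCOUNTS:
            known[e["user"]].add(e["src"])
    return known

def analyze(history, events):
    """Return (user, reason) findings: service-account deviations, NTLMv1 use and
    the Kerberoasting pattern (RC4/0x17 service tickets for many SPNs from one host)."""
    known = baseline(history)
    rc4_tgs = defaultdict(int)
    findings = []
    for e in events:
        u = e["user"]
        if e["id"] == 4624:
            if u in SERVICE_ACCOUNTS:
                if e["logon_type"] in INTERACTIVE:
                    findings.append((u, f"interactive logon (type {e['logon_type']}) from {e['src']}"))
                if e["src"] not in known[u]:
                    findings.append((u, f"source host {e['src']} outside baseline"))
            if e["auth"] == "NTLM" and e.get("lm") == "NTLM V1":
                findings.append((u, "NTLMv1 authentication"))
        elif e["id"] == 4769 and e["etype"] == "0x17":
            rc4_tgs[(u, e["src"])] += 1
            if rc4_tgs[(u, e["src"])] == ROAST_THRESHOLD:
                findings.append((u, f"{ROAST_THRESHOLD} RC4 service tickets requested from {e['src']}"))
    return findings
```

The set of users in the findings is the list of accounts to carry into the containment stage.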

Identity IR: Containment, Eradication and Recovery

This stage comprises the bulk of the IR process and, as the name implies, is about blocking the attackers from advancing further, eliminating their presence, and restoring the environment to its prior state.

Silverfort assists IR teams mainly with the containment and eradication parts of this stage by providing the following tools:

  • Policy configuration screen where MFA and Block Access policies can be configured for any user account in the hybrid environment. This applies to any authentication type, including command line access over PsExec, PowerShell or WMI, which are typically used by adversaries.
  • Dedicated screen for service account protection that provides automated visibility into all service accounts and enables the creation of access policies to block access or alert if they deviate from their standard behavior, which is a clear indication of compromise.

Using these capabilities, IR teams can apply the following actions for the various entity types that were listed above:

Service Accounts

  • Discover all service accounts within the environment.
  • Activate policies to block service accounts from accessing resources if they deviate from their standard behavior.
  • Detect Kerberoasting attacks or interactive logins performed with a service account.
  • Configure policies to block access from VPN subnets.

Domain Admin Accounts

  • Configure MFA policies for all admins and harden these policies by requiring FIDO tokens and number matching.
  • Configure policies to deny access for built-in administrator and guest accounts.
  • Configure policies to block access from VPN subnets.

All User Accounts

  • Use MFA or access block policies to temporarily restrict access attempts that use services such as termsrv, host, and CIFS to perform remote connections.

Domain Controllers

  • Reset the KRBTGT account’s password to mitigate a potential Golden Ticket attack and eliminate the adversary’s foothold.
  • Configure MFA policy for Windows logon to the DC to prevent remote logon.
  • Configure policy to deny NTLM connection to the DC.
  • Configure policy to block DC access for all users except domain admins.
  • Configure MFA policy to deny access for users without a registered MFA token to prevent future malicious access via social engineering.

Federation/SaaS identity providers

  • Configure MFA or block access policies for known malicious and unknown IPs.

IT and Security Infrastructure

  • Configure MFA policy to deny access for users without a registered MFA token.

Other Domain-Joined Machines

  • Discover existing NTLMv1 authentications and configure policy to deny access.
  • Temporarily block all NTLMv2 authentications until detection and containment of compromised user accounts.
  • Configure policy to restrict personal workstation access to critical resources (such as DC) only, and prevent connection between machines.
  • Configure policy to require MFA for all access on any machine open to the Internet.

Important: these containment activities are also detection activities, as any blocked authentication indicates that the initiating user account is compromised.
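As an added example (not Silverfort’s product or code), the containment rules listed above expressed as one policy function, so an IR team can see which attempts each rule would block, challenge with MFA, or allow, and how every block doubles as a detection signal. The VPN address pool, the role labels on targets and the account names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_SUBNETS = [ip_network("10.200.0.0/16")]       # constructed VPN address pool
REMOTE_SERVICES = {"termsrv", "host", "cifs"}      # service classes named in the post
BUILT_IN = {"administrator", "guest"}

@dataclass
class AuthAttempt:
    user: str
    kind: str             # "service", "admin" (domain admin) or "user"
    src_ip: str
    target: str
    target_role: str      # "dc", "it_infra", "internet_facing" or "workstation"
    protocol: str         # "kerberos", "ntlmv2" or "ntlmv1"
    service: str = ""     # Kerberos service class requested, e.g. "cifs"
    interactive: bool = False
    mfa_registered: bool = True

def from_vpn(ip):
    return any(ip_address(ip) in net for net in VPN_SUBNETS)

def decide(a):
    """Return 'block', 'mfa' or 'allow', applying the post's rules most restrictive first."""
    if a.protocol == "ntlmv1" or a.user.lower() in BUILT_IN:
        return "block"                                # legacy auth and built-in accounts
    if a.kind == "service":
        # A service account cannot answer an MFA prompt, so any deviation means block.
        if a.interactive or from_vpn(a.src_ip) or a.target_role == "dc":
            return "block"
        return "allow"
    if a.kind == "admin" and from_vpn(a.src_ip):
        return "block"                                # admins never via VPN subnets
    if a.target_role == "dc":
        if a.protocol != "kerberos" or a.kind != "admin" or not a.mfa_registered:
            return "block"                            # no NTLM, non-admins or token-less users
        return "mfa"                                  # DC logon is always challenged
    if a.target_role == "it_infra" and not a.mfa_registered:
        return "block"
    if a.kind == "admin" or a.target_role == "internet_facing" or a.service in REMOTE_SERVICES:
        return "mfa"
    return "allow"

def contain(attempts):
    """Evaluate a batch; every block is also a detection signal (the 'Important' note
    above), so the accounts behind blocked attempts are returned for investigation."""
    decisions = [(a.user, a.target, decide(a)) for a in attempts]
    suspects = sorted({u for u, _, d in decisions if d == "block"})
    return decisions, suspects
```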

Silverfort for Identity Threats: Post-Incident Activity and Preparation – Achieve Defense in Depth

Sound defense against Scattered Spider should address all of its components, from the social engineering aspect to the unique malware this group employs (a Bring Your Own Vulnerable Driver (BYOVD) attack via CVE-2015-2291, an old kernel vulnerability). Mobile and browser security solutions typically address the former, while EDR addresses the latter.

However, it’s imperative that the environment’s security architecture is fully equipped to confront identity infrastructure compromise, as well as detect and block malicious access with compromised accounts.

It’s easy to see that most of the containment activities described above are also part of the preparation phase.

In addition to the policy configuration capabilities, Silverfort also enables IR teams to proactively prepare their environment to tackle an identity threat, whether initiated by Scattered Spider or any other threat actor. For this, Silverfort provides IR teams with an Insights screen that aggregates all identity security weaknesses and exposures such as shadow admins, NTLMv1, unconstrained delegation and many others that threat actors typically abuse. Using this screen, the IR team can systematically harden the security posture of its environment.

Conclusion: Identity Threat IR Tools and Practices are a Must

Identity threats are becoming an integral part of adversaries’ arsenals. While Scattered Spider is a leader in that respect, it is by no means the only one. As a result, IR teams must have the tools to conduct a rapid and efficient identity IR process. In the same way an EDR is the ultimate tool for the malware aspect, a corresponding tool is required to pinpoint the compromised identities, contain the attack and eliminate the malicious presence.

Want to learn more about Silverfort’s identity IR capabilities? Schedule a call with one of our experts.
