Episode 7 - Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures

Update: 2024-06-25

Description

In todays episode of TLP - Traffic Light Protocol, Clint Marsden talks about Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures.

Key Takeaways

Understanding Scattered Spider: Scattered Spider, also known as Roasted Octopus or Octo Tempest, utilizes various legitimate tools for malicious purposes.

Common Tools and Techniques: They employ tools for reconnaissance (PingCastle, ADRecon), credential dumping (Mimikatz, Lazagne), Remote access (Screen Connect, Team Viewer), and VPN (Tailscale).

Social Engineering Tactics: Their methods include impersonation, MFA fatigue (MFA bombing), and SIM swapping to gain access.

Persistence Mechanisms: They maintain access through methods like automatic account linking and adding additional MFA tokens

Defense Strategies: Implement strong identity verification, monitor for unusual activity, and educate users social engineering & smishing

Quotes

"By understanding their tactics, techniques, and procedures, or TTPs, you can better defend your network and improve its security posture."
"There's a lot of push on recognizing phishing emails and hovering over links and verifying the sender, but not enough focus on social engineering training for staff"

Action Points

Review Service Desk Processes: Ensure robust identity verification to prevent social engineering.
Monitor for Unusual Activity: Regularly audit and set up automated alerts for suspicious MFA changes or logins.
Educate Users: Conduct training on recognizing phishing and social engineering techniques.
Test Tools in a Lab: Use the mentioned tools to simulate attacks and improve defensive measures by analyzing security logs and infrastructure.

Mentioned Resources

Remote monitoring and management or RMM tools

Fleetdeck.io
Level.io
Ngrok Mitre Ref: [S0508]
Screenconnect
Splashtop
Teamviewer
Pulseway
Tactical RMM

Reconnaissance:

PingCastle - https://www.pingcastle.com/
ADRecon - https://github.com/sense-of-security/ADRecon
Advanced IP Scanner - https://www.advanced-ip-scanner.com/
Govmomi - https://github.com/vmware/govmomi

Cred dumpers:

Mimikatz - https://github.com/ParrotSec/mimikatz
Hekatomb - https://github.com/ProcessusT/HEKATOMB
Lazagne - https://github.com/AlessandroZ/LaZagne
gosecretsdump - https://github.com/C-Sto/gosecretsdump
smbpasswd.py - (as part of Impacket) - https://github.com/fortra/impacket/blob/master/examples/smbpasswd.py
LinPEAS - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
ADFSDump - https://github.com/mandiant/ADFSDump

VPN:

Tailscale - Provides virtual private networks (VPNs) to secure network communications

Comments

Top Podcasts

The Best New Comedy Podcast Right Now – June 2024 The Best News Podcast Right Now – June 2024 The Best New Business Podcast Right Now – June 2024 The Best New Sports Podcast Right Now – June 2024 The Best New True Crime Podcast Right Now – June 2024 The Best New Joe Rogan Experience Podcast Right Now – June 20 The Best New Dan Bongino Show Podcast Right Now – June 20 The Best New Mark Levin Podcast – June 2024

In Channel

Episode 15 -Windows event log analysis with Hayabusa. The Sigma-based log analysis tool

2024-10-1523:20

Episode 14 - AI and the future of log analysis, bug detection, forensics and AI ethical considerations with Jonathan Thompson

2024-09-2201:08:33

Episode 13-ELK EDR and Sandboxing, Home grown CTF environments, DFIR Automation & Forensics in the cloud, with Jacob Wilson

2024-08-2054:55

Episode 12 - You're forced to decide: Cyber Generalist or Cyber Specialist?

2024-08-1317:47

Episode 11 - Velociraptor, Containerisation and Infrastructure Deployed as Code with Myles Agnew

2024-07-2952:46

Episode 10 - Detecting and Preventing Phishing Attacks

2024-07-1719:04

Episode 9 -Unmasking APT40 (Leviathan): Tactics, Challenges, and Defense Strategies

2024-07-1221:48

Episode 8 - Hidden digital forensic logging for Cybersecurity on Any Budget: Practical Strategies for Enhanced Detection and Prevention Using Sysmon, Blocking Data Exfil with group policy and printer forensics

2024-07-0719:57

Episode 7 - Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures

2024-06-2517:07

Episode 6 - Responding to ransomware - is your VPN a target? Plus ransomware risk mitigation with Phil Ngo

2024-06-2026:11

Episode 5 - NIST SP 800-61 Computer Security Incident Handling Guide (Post-Incident Activity)

2024-06-1233:06

Episode 4 - NIST SP 800-61 Computer Security Incident Handling Guide (Containment,Eradication and Recovery)

2024-06-0722:10

Episode 3 - (Part 2) NIST SP 800-61 Computer Security Incident Handling Guide (Detection)

2024-05-3111:41

Episode 3 - NIST SP 800-61 Computer Security Incident Handling Guide (Detection)

2024-05-2846:52

Episode 2 - NIST SP 800-61 Computer Security Incident Handling Guide (Preparation)

2024-05-1727:17

Episode 1 - Digital forensics trends and preparations, learning from real life case studies & DFIR training for getting started

2024-05-1623:27

00:00

Episode 7 - Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures

#box-pro-ellipsis-173457686657136{-webkit-line-clamp:2;}Episode 7 - Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures

Episode 7 - Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures

Clint Marsden

Episode 7 - Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures