Building an Incident Response Playbook on the Fly Against Scattered Spider Lateral Movement

Webinar Registration

Unless you’ve been hiding under a proverbial rock, you heard about the largest, and possibly the most impactful, ransomware attack this year, when the Scattered Spider threat group attacked the networks of both MGM Resorts and Caesars Entertainment. Gaining access to both networks through social engineering, the group bypassed multi-factor authentication by attaining login credentials and one-time passwords. In MGM’s case alone, 30 hotels and casinos around the world were essentially offline for 10 days, costing the resort group an estimated $80 million in lost revenue.

In this Real Training for Free webcast, we have the unique opportunity to sit down with a cybersecurity vendor called on by a customer in the middle of a Scattered Spider attack to help them stop all lateral movement by the threat actors.

When organizations have no response plan in place for such an attack, it can become overwhelming attempting to prioritize next steps that will have a compounding impact on the threat actor’s ability to retain access to and control over a compromised network.

Up first, 4-time Microsoft MVP Nick Cavalancia takes my seat as he covers:

  • The history of Scattered Spider
  • The publicly available details on their modes of operation during an attack
  • Aligning Scattered Spider’s actions to the MITRE ATT&CK Framework

Up next, you’ll hear from Yiftach Keshet, VP of Product Marketing, and Yaron Kassner, CTO and Co-Founder, both from Silverfort, who have firsthand experience in building a response playbook in real time to respond to a customer’s active Scattered Spider attack.

They’ll present the real-life scenario in which they were called to build and execute a response plan while attackers were moving inside the org’s hybrid environment. The challenge was how to rapidly and efficiently (and in as automated a manner as possible) meet the following response goals:

  • Put ‘roadblocks’ immediately in place to protect against additional lateral movement from that point forward
  • Pinpoint user accounts that were compromised, with a special emphasis on service accounts (a favored Scattered Spider target)
  • Eradicate potential malicious presence from the org’s identity infrastructure (again, a favored and publicly documented Scattered Spider technique)

Yiftach and Yaron will cover the steps taken in response, focusing on three dimensions of lateral movement:

  1. User Accounts – We’ll look at the needed policies and monitoring for service accounts, admin users, and domain users
  2. Identity Infrastructure – We’ll discuss limiting user access, disabling insecure authentication protocols, and further hardening authentication requirements
  3. Other Domain-Joined Machines – We’ll look at limiting inter-machine communication for users’ workstations and temporarily blocking insecure authentication protocols

This Real Training for Free webcast will be full of practical real-world content! Register now!
