Threat overview
Scattered Spider (also labelled Octo Tempest or Roasted 0ktapus) poses a significant threat to the cyber security of organisations, so it is essential for all companies to understand the techniques it uses.
The name Scattered Spider describes a set of tactics employed by financially motivated cyber criminals rather than a single cohesive group. These criminals leverage native English accents to conduct effective social engineering and identity-focused attacks.
The Nomios SOC has been actively tracking Scattered Spider tactics. To help professionals better understand them, the guide below gives insight into how initial access to organisations can be gained.
MITRE ATT&CK flow for Initial Access
Mapping Initial Access Tactics: Thinking in Graphs
To offer another perspective for those defending against Scattered Spider tactics, techniques and procedures (TTPs), we’ve created a MITRE ATT&CK flow using Attack Flow from MITRE’s Center for Threat-Informed Defense: a graph-based visualisation that maps the sequence of, and relationships between, attack techniques. This approach helps organisations looking to protect themselves understand not just what the attackers do, but how their techniques connect, pivot and evolve, and prompts them to consider alternative attack paths when implementing mitigations.
Figure: Scattered Spider initial access attack flow
Operationalising the Flow
Scattered Spider conducts reconnaissance to gather the information needed to create convincing pretexts for phishing and to bypass verification processes. They then register typosquatted domains that mimic what users expect to see and hear. They identify high-value accounts whose privileges will give them access to the parts of the organisation they want to exploit, and spend time learning about each such user so they can impersonate them when attempting access. These activities typically take place outside the victim’s network, making them difficult to detect with traditional tools. However, organisations can take proactive steps to identify risks and reduce the opportunities available (see below for potential detections and preventions).
By interpreting the attack flow as a map of attacker decision points, defenders can pinpoint choke points or create them through proactive measures that shut down attacker options. For example, implementing time-based one-time passwords (TOTP) for multi-factor authentication (MFA) can effectively block attacks like SIM card swaps and fraudulent MFA request generation, though it does not eliminate phishing risk entirely. This forces Scattered Spider to resort to methods such as spearphishing via voice or malicious phishing links, increasing attacker requirements. Where controls that block attacker paths cannot yet be implemented, these areas should be prioritised for developing preventive measures, and in the meantime, enhanced monitoring should be deployed.
Potential Detection Opportunities
- Recognise and reward positive security behaviour and foster a culture of trust and transparency.
- Train users to identify and report phishing attempts.
- Monitor forums used by criminals for mentions of your brand or infrastructure.
- Monitor newly registered domains that could be used during targeting, especially those containing variations of your organisation's and identity provider's (IdP) names.
- Monitor for leaked credentials in breach databases and those being offered for sale online.
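The newly-registered-domain check above can be automated. As an added example (not code from the Nomios guide), the following Python scanner folds common look-alike substitutions, measures edit distance against the organisation's name, and raises severity when an IdP keyword appears in the same registration; the organisation name "example", the IdP keywords and the feed lines are constructed placeholders.

```python
# Look-alike substitutions folded before comparison (rn -> m, 0 -> o, ...).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalise(label):
    # Lower-case a DNS label and fold look-alike characters to the letters they mimic.
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    # Edit distance between two strings (two-row dynamic programme).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, org_names, idp_names, allowlist=()):
    # Return (severity, reasons) if the domain mimics the org name, else None.
    domain = domain.strip().lower().rstrip(".")
    if not domain or domain in allowlist:
        return None
    registrable = domain.split(".")[-2] if "." in domain else domain  # no public-suffix handling
    org_hits, idp_hits = [], []
    for tok in filter(None, registrable.replace("_", "-").split("-")):
        norm = normalise(tok)
        for org in org_names:
            if tok == org:
                org_hits.append(f"org name '{org}' in a third-party domain")
            elif norm == org:
                org_hits.append(f"homoglyph of '{org}': {tok}")
            elif len(org) > 4 and levenshtein(norm, org) == 1:  # short names: too many neighbours
                org_hits.append(f"one edit from '{org}': {tok}")
        if norm in idp_names:
            idp_hits.append(f"IdP keyword '{norm}'")
    if not org_hits:  # an IdP name alone (okta-support) is not this organisation's lookalike
        return None
    return ("high" if idp_hits else "medium"), org_hits + idp_hits

def scan_feed(feed, org_names, idp_names, allowlist=()):
    # Run classify() over a newline-separated NRD feed -> {domain: (severity, reasons)}.
    scored = ((l.strip().lower(), classify(l, org_names, idp_names, allowlist)) for l in feed.splitlines())
    return {dom: hit for dom, hit in scored if hit}

# Constructed sample feed; 'example' stands in for the organisation and is not a real registrant.
ORG_NAMES, IDP_NAMES, ALLOWLIST = ["example"], ["okta", "sso"], ("example.com",)
SAMPLE_FEED = "examp1e-okta.com\nexarnple-sso.net\nexamplee-helpdesk.com\nlogin-example.com\nokta-support.com\nexample.com\n"
```

Domains scored "high" are candidates for the blocking and takedown actions in the prevention list; the second-level-label pick is deliberately simplified and should be replaced with a public-suffix lookup for feeds that include ccTLDs such as .co.uk.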
Potential Prevention Opportunities
- Block newly registered typosquatting domains and request their takedown.
- Consider pre-emptively purchasing potential typosquatting domains.
- Use automated workflows to revoke and reset any exposed credentials when discovered online.
- Maintain a list of approved remote access tools and explicitly block all others.
- Require IT approval and action before any installation of remote access software.
- Review and strengthen conditional access policies, and do not rely solely on location-based controls.
Conclusion
Defending against Scattered Spider means going beyond static checklists and adopting a mindset that connects the dots between tactics, techniques, and attacker objectives. By visualising their initial access paths, you can pinpoint choke points, strengthen defences, and improve detection before an intrusion escalates.
For any further guidance or assistance in assessing your security posture, do not hesitate to reach out to our team. We are here to help you stay ahead of evolving threats.