
Discover the application of the Falcon NG SIEM platform in identifying linked activities associated with SCATTERED SPIDER, bolstering your defenses against potential threats!

Protecting Systems from SCATTERED SPIDER Threat using Falcon Next-Gen Security Information and Event Management (SIEM)

Falcon Next-Gen SIEM (Security Information and Event Management) provides real-time detection and response across identity, cloud, SaaS, endpoint and network telemetry. That cross-domain coverage is what matters against an adversary like SCATTERED SPIDER, whose intrusions move quickly from the help desk to the identity provider, the cloud tenant and the virtualization layer rather than staying on a single host.

SCATTERED SPIDER is an eCrime adversary that has conducted financially motivated intrusions since early 2022. It recently reemerged with a refined help desk social engineering playbook: operators contact an organization's IT help desk, impersonate an employee using stolen personally identifiable information (PII) such as Social Security numbers and dates of birth, and use it to pass identity verification and obtain credential or MFA resets for the targeted account.

Adversaries such as SCATTERED SPIDER typically pursue the Global Administrator role in Azure/Entra ID. A Global Administrator controls the whole tenant (users, roles, applications, federation and conditional access settings), so once verification has been bypassed the operator can disable security controls, exfiltrate sensitive files and deploy ransomware. This pattern has been used to compromise organizations worldwide.

To counter these tactics, Falcon Next-Gen SIEM builds on the platform's broader capabilities and protections to disrupt SCATTERED SPIDER across the attack lifecycle. It ingests third-party telemetry and correlates it with native Falcon detections and threat intelligence, extending visibility into the identity and SaaS layers adversaries frequently exploit and that endpoint sensors alone cannot see.

Falcon Next-Gen SIEM ships rule templates for the initial access and persistence techniques SCATTERED SPIDER uses. One is "Microsoft - Entra ID - Modification of Federated Identity Credentials for Service Principals or Applications", which fires when a federated identity credential (a trust in an external token issuer) is added to or changed on an application or service principal. An operator who controls that issuer can obtain tokens as the application without knowing any password, so the change is worth reviewing even when the initiating account looks legitimate.

Another is "Microsoft - Entra ID - Global Administrator Role Assigned". SCATTERED SPIDER operators are also known to add unauthorized federated identity providers to Azure AD/Entra ID tenants for persistence: once a domain is federated to an attacker-controlled IdP, the attacker can mint SAML tokens for any user in that domain, a backdoor that bypasses the tenant's own password and MFA controls.

Because federation trust is configured at the tenant level, this persistence survives user password resets and session revocations; it only closes when the rogue identity provider or federated domain is removed, so remediation has to audit domain federation settings rather than just reset the compromised accounts. Beyond identity, Falcon Next-Gen SIEM's detection coverage extends into VMware environments, which the adversary targets in the later stages of an intrusion, to identify malicious activity before full compromise occurs.
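The three identity signals above (Global Administrator assignment, federated identity credential changes on applications, and domain federation changes) can be checked directly against Entra ID audit log records. The following is an added example, not CrowdStrike or Microsoft code, that classifies audit events shaped like the Microsoft Graph directoryAudit resource (activityDisplayName, initiatedBy, targetResources[].modifiedProperties[]). The sample events are constructed, and the assumption that federated identity credential changes appear as a modifiedProperties entry named "FederatedIdentityCredentials" under an "Update application" activity is an assumption made for illustration, not a documented guarantee.

```python
"""Classify Entra ID audit events for three SCATTERED SPIDER persistence patterns.

Added example (not CrowdStrike or Microsoft code). Sample events are constructed.
"""
import json

# Stable built-in role template ID for Global Administrator in every Entra ID tenant.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Audit activities that change how a custom domain authenticates (managed vs. federated).
FEDERATION_ACTIVITIES = {"Set federation settings on domain", "Set domain authentication"}
# Activities under which app / service principal credential changes are recorded.
APP_UPDATE_ACTIVITIES = {"Update application", "Update service principal"}


def _unquote(value):
    """Audit newValue fields are JSON-encoded scalars, e.g. '"Global Administrator"'."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def _modified_properties(event):
    """Flatten modifiedProperties across all targetResources into {displayName: newValue}."""
    props = {}
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            props[prop.get("displayName", "")] = _unquote(prop.get("newValue"))
    return props


def _initiator(event):
    who = event.get("initiatedBy", {})
    user = (who.get("user") or {}).get("userPrincipalName")
    app = (who.get("app") or {}).get("displayName")
    return user or app or "unknown"


def _target(event):
    first = (event.get("targetResources") or [{}])[0]
    return first.get("userPrincipalName") or first.get("displayName") or first.get("id") or "unknown"


def classify(event):
    """Return the matching rule name for one audit event, or None if it is not of interest."""
    activity = event.get("activityDisplayName", "")
    props = _modified_properties(event)
    if activity == "Add member to role" and (
        props.get("Role.TemplateId") == GLOBAL_ADMIN_TEMPLATE_ID
        or props.get("Role.DisplayName") == "Global Administrator"
    ):
        return "Global Administrator Role Assigned"
    # Assumption: FIC changes surface as a modified property containing this name.
    if activity in APP_UPDATE_ACTIVITIES and any("FederatedIdentityCredential" in name for name in props):
        return "Federated Identity Credential Modified"
    if activity in FEDERATION_ACTIVITIES:
        return "Domain Federation Settings Changed"
    return None


def detect(events):
    """Run classify() over a batch and return one finding per matching event."""
    findings = []
    for event in events:
        rule = classify(event)
        if rule:
            findings.append({"rule": rule, "time": event.get("activityDateTime"),
                             "initiator": _initiator(event), "target": _target(event)})
    return findings


# Constructed sample audit log: three matches and two benign events.
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-06-01T10:02:11Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk.agent@example.com"}},
     "targetResources": [{"userPrincipalName": "svc-backup@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": '"Global Administrator"'},
         {"displayName": "Role.TemplateId", "newValue": '"62e90394-69f5-4237-9190-012177145e10"'}]}]},
    {"activityDateTime": "2025-06-01T10:05:40Z", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "it.admin@example.com"}},
     "targetResources": [{"userPrincipalName": "analyst@example.com", "modifiedProperties": [
         {"displayName": "Role.DisplayName", "newValue": '"Directory Readers"'}]}]},
    {"activityDateTime": "2025-06-01T10:09:03Z", "activityDisplayName": "Update application",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.com"}},
     "targetResources": [{"displayName": "Backup Orchestrator", "modifiedProperties": [
         {"displayName": "FederatedIdentityCredentials",
          "newValue": '[{"issuer": "https://idp.attacker.example", "subject": "repo:x/y"}]'}]}]},
    {"activityDateTime": "2025-06-01T10:15:27Z", "activityDisplayName": "Set domain authentication",
     "initiatedBy": {"user": {"userPrincipalName": "svc-backup@example.com"}},
     "targetResources": [{"displayName": "example.com", "modifiedProperties": [
         {"displayName": "LiveType", "newValue": '"Federated"'}]}]},
    {"activityDateTime": "2025-06-01T10:20:00Z", "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "it.admin@example.com"}},
     "targetResources": [{"userPrincipalName": "analyst@example.com", "modifiedProperties": [
         {"displayName": "JobTitle", "newValue": '"Analyst"'}]}]},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['rule']}: {f['initiator']} -> {f['target']}")
```

Run against the constructed sample, the Global Administrator assignment, the federated credential change and the domain federation change are reported in order, while the Directory Readers assignment and the user update are ignored. Matching on the role template ID rather than the display name is deliberate: display names can be localized or renamed, the template ID cannot. The chain of initiators (help desk account grants the role, the new Global Administrator then changes federation) is the kind of linkage the SIEM's correlation is meant to surface.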

A detection coverage dashboard within Falcon Next-Gen SIEM gives customers a single view of the available out-of-the-box rule templates, so gaps against a given adversary's techniques can be identified and closed before an incident rather than during one.

The original blog post also references a full list of rules relevant to SCATTERED SPIDER and other prominent adversaries. Coverage extends to the exfiltration stage with endpoint rules such as "Endpoint - Exfiltration to File Sharing Services during Interactive RDP Session", which ties an interactive RDP logon on a host to subsequent uploads to file-sharing services from that same session, the hands-on-keyboard data theft that typically precedes extortion.
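The exfiltration rule above is a cross-source correlation rather than a single-event match: an RDP session from Windows Security events is paired with network telemetry from the same host inside the session's time window. The following is an added example of that logic, not CrowdStrike code. It assumes Windows Security events pre-parsed into dicts (event_id, logon_type, logon_id, host, user, time) and network events with host, process, domain, bytes_out and time; the event records, the domain list and the 10 MiB threshold are constructed for illustration.

```python
"""Correlate interactive RDP sessions with large uploads to file-sharing services.

Added example (not CrowdStrike code); all telemetry below is constructed.
"""
from datetime import datetime

RDP_LOGON_TYPE = 10  # Windows 4624 LogonType 10 = RemoteInteractive (RDP)
MIN_BYTES_OUT = 10 * 1024 * 1024  # assumed threshold to ignore page loads and API chatter
FILE_SHARING_DOMAINS = {"mega.nz", "transfer.sh", "file.io", "wetransfer.com", "dropbox.com"}


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _registered_domain(fqdn):
    """Reduce api.mega.nz -> mega.nz. Naive: fine for the sample, wrong for co.uk-style suffixes."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else fqdn


def rdp_sessions(windows_events):
    """Pair 4624 (logon type 10) with 4634 logoff by logon ID; still-open sessions get end=None."""
    open_sessions, sessions = {}, []
    for ev in sorted(windows_events, key=lambda e: e["time"]):
        key = (ev["host"], ev["user"], ev["logon_id"])
        if ev["event_id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            open_sessions[key] = _ts(ev["time"])
        elif ev["event_id"] == 4634 and key in open_sessions:
            sessions.append((ev["host"], ev["user"], open_sessions.pop(key), _ts(ev["time"])))
    for (host, user, _), start in open_sessions.items():
        sessions.append((host, user, start, None))
    return sessions


def _rdp_user_at(sessions, host, when):
    """Return the RDP user whose session on `host` covers `when`, else None."""
    for sess_host, user, start, end in sessions:
        if sess_host == host and start <= when and (end is None or when <= end):
            return user
    return None


def detect_rdp_exfil(windows_events, network_events):
    """Flag large uploads to file-sharing services that happen inside an RDP session."""
    sessions = rdp_sessions(windows_events)
    findings = []
    for ev in network_events:
        domain = _registered_domain(ev["domain"])
        if domain not in FILE_SHARING_DOMAINS or ev["bytes_out"] < MIN_BYTES_OUT:
            continue
        user = _rdp_user_at(sessions, ev["host"], _ts(ev["time"]))
        if user is not None:
            findings.append({"time": ev["time"], "host": ev["host"], "rdp_user": user,
                             "process": ev["process"], "domain": domain, "bytes_out": ev["bytes_out"]})
    return findings


# Constructed sample telemetry: one RDP session on FS01, a local logon on WS02.
WINDOWS_EVENTS = [
    {"time": "2025-06-02T09:00:00Z", "host": "FS01", "user": "j.doe", "logon_id": "0x3e7a1",
     "event_id": 4624, "logon_type": 10},
    {"time": "2025-06-02T09:01:00Z", "host": "WS02", "user": "a.lee", "logon_id": "0x5c210",
     "event_id": 4624, "logon_type": 2},
    {"time": "2025-06-02T11:00:00Z", "host": "FS01", "user": "j.doe", "logon_id": "0x3e7a1",
     "event_id": 4634},
]
NETWORK_EVENTS = [
    {"time": "2025-06-02T10:15:00Z", "host": "FS01", "process": "chrome.exe",
     "domain": "api.mega.nz", "bytes_out": 150 * 1024 * 1024},          # inside session: flagged
    {"time": "2025-06-02T10:18:00Z", "host": "FS01", "process": "svchost.exe",
     "domain": "update.microsoft.com", "bytes_out": 64 * 1024 * 1024},  # not a sharing service
    {"time": "2025-06-02T10:30:00Z", "host": "FS01", "process": "chrome.exe",
     "domain": "file.io", "bytes_out": 2048},                           # below threshold
    {"time": "2025-06-02T10:20:00Z", "host": "WS02", "process": "chrome.exe",
     "domain": "transfer.sh", "bytes_out": 40 * 1024 * 1024},           # no RDP session on host
    {"time": "2025-06-02T12:30:00Z", "host": "FS01", "process": "chrome.exe",
     "domain": "mega.nz", "bytes_out": 90 * 1024 * 1024},               # after logoff
]

if __name__ == "__main__":
    for f in detect_rdp_exfil(WINDOWS_EVENTS, NETWORK_EVENTS):
        print(f)
```

Only the 150 MiB upload from FS01 at 10:15 is reported, attributed to j.doe's RDP session; the other four uploads each fail one of the conditions the rule name encodes (sharing-service destination, meaningful volume, RDP session on that host, inside the session window). A production rule would replace the hard-coded domain set with a threat intelligence or web-categorization lookup and should treat a still-open session (end=None) as live rather than discarding it.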

Although no public information identifies which organizations in Germany SCATTERED SPIDER has compromised since 2022, the adversary's track record leaves no doubt that it poses a significant threat. Deploying Falcon Next-Gen SIEM with the identity, endpoint and exfiltration rule templates described above enabled gives organizations a proactive footing for protecting their networks and data against it.
