Scattered Spider Arrests & Future Threats

11–25–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, November 25, 2024, and it’s Thanksgiving week here in the US, so let’s temper productivity expectations accordingly.

Scattered Spider Arrests & Future Threats

Let me start by first acknowledging that the Chinese state-linked hacking group known as Salt Typhoon has continued to dominate the airwaves - with the chairman of the Senate Intelligence Committee telling the Washington Post this was “the worst telecom hack in our nation's history - by far.”

And while the NSA Director wants industry to disclose details around this attack, and reports are indicating that President Biden brought this up in-person with President Xi when they met in Peru last week, we’ve covered the implications for that hack here, and I think there’s another bit of news that deserves our discussion.

That item is related to another one we’ve covered here - back in September in a post entitled “The Kids Are Not Alright.”

That episode was, of course, about Scattered Spider, a group that saw five alleged members charged by the US Department of Justice last week.

These five men - and they’re all men - are between 20 and 25 years old and come from the US and the UK. Security journalist Brian Krebs has a good writeup on the group and their history, so I’d refer you to his story for details, but here’s what you need to know.

These young men are part of a group of hundreds more attackers based in Western countries who are doing this for fun and sport, and making a bit of money on the side.

They are incredibly skilled at social engineering, and exploiting the human in the loop.

I say this because I also saw a research paper last week questioning the effectiveness of phishing training - and a good bit of discussion that followed on from it.

The key line from that paper is its closing sentence:

“Taken together, our results suggest that anti-phishing training programs, in their current and commonly deployed forms, are unlikely to offer significant practical value in reducing phishing risks.”

That may be so - but does that mean you don’t do phishing training?

I’d argue that you’ve actually got to do more - and do better - if you’re going to empower your users in the battle against attackers like Scattered Spider.

Because they exploit the human in the loop - talking users into reading out one-time codes from SMS messages or authenticator apps, or into approving a push notification the attacker triggered - those technical controls are neutralized the moment the user complies. The code or the approval is simply relayed into the real login.

More technical folks may pipe up at this point about phishing-resistant MFA. For those getting up to speed: that means FIDO2/WebAuthn credentials (a hardware key such as a YubiKey, or platform authenticators like Apple’s Touch ID and Face ID or Windows Hello) and certificate-based authentication such as smart cards. What makes them phishing-resistant is not the fingerprint or the physical key on its own, but that the credential is bound to the legitimate site, so there is no code for a user to read out and a lookalike site cannot complete the login. The reality, though, is that most of our enterprises are lagging in implementing these more modern, more robust authentication methods.

As a result, until we’re fully “passwordless” and can count on those technical controls to combat these attacks, we’ve got to find ways to lift our people up, give them awareness, help them understand what they should expect from our systems and procedures, and what they should do when something just doesn’t feel right. Only then do we have a fighting chance against attacks like these.
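To make the distinction above concrete, here is a small added example (not from the original post, and not anyone’s production code) that models why a relayed one-time code logs the attacker in while a relayed FIDO2/WebAuthn assertion does not. The relying party, the user name, both origins and the one-time code are constructed for illustration, and an HMAC stands in for the authenticator’s real public-key signature; the property being shown is the same, namely that the browser writes the page origin into the signed data and the relying party rejects any origin but its own.

```python
"""Relayed OTP vs relayed FIDO2-style assertion (simplified illustration).

Not a WebAuthn implementation: HMAC replaces the authenticator's asymmetric
signature, and all names, origins and codes below are constructed examples.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"      # hypothetical legitimate site
PHISH_ORIGIN = "https://login-example.com"   # hypothetical lookalike site


class Authenticator:
    """Stand-in for a security key / Face ID / Windows Hello authenticator."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # a real authenticator holds a private key

    def sign(self, challenge, origin):
        # The browser, not the user or the page, fills in `origin` from the URL bar.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        digest = hashlib.sha256(client_data).digest()
        signature = hmac.new(self.key, digest, hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": signature}


class RelyingParty:
    """The site being logged into; verifies challenge, origin and signature."""

    def __init__(self, origin):
        self.origin = origin
        self.registered = {}   # user -> authenticator key (a public key in reality)
        self.pending = {}      # user -> outstanding login challenge

    def register(self, user, authenticator):
        self.registered[user] = authenticator.key

    def begin_login(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def finish_login(self, user, assertion):
        challenge = self.pending.pop(user, None)
        key = self.registered.get(user)
        if challenge is None or key is None:
            return False
        try:
            client_data = json.loads(assertion["client_data"])
        except (KeyError, ValueError):
            return False
        # The checks a WebAuthn relying party performs on clientDataJSON:
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("challenge") != challenge:
            return False
        if client_data.get("origin") != self.origin:   # the anti-phishing check
            return False
        digest = hashlib.sha256(assertion["client_data"]).digest()
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


def otp_verify(expected_code, submitted_code):
    """An SMS/TOTP code carries no notion of which site it was typed into."""
    return hmac.compare_digest(expected_code, submitted_code)


def relayed_otp_attack():
    """Victim reads the real code to the attacker (or types it into the
    lookalike page); the attacker submits it to the real site. Returns True
    when the attacker is logged in."""
    code_on_victims_phone = "482913"           # constructed example code
    code_attacker_relays = code_on_victims_phone
    return otp_verify(code_on_victims_phone, code_attacker_relays)


def relayed_fido_attack():
    """Attacker starts a real login, proxies the challenge to the victim's
    browser on the lookalike site, and relays the resulting assertion.
    Returns True only if the attacker is logged in."""
    rp = RelyingParty(RP_ORIGIN)
    auth = Authenticator()
    rp.register("alice", auth)
    challenge = rp.begin_login("alice")
    # The victim's browser is on PHISH_ORIGIN, so that is the origin that gets signed.
    assertion = auth.sign(challenge, PHISH_ORIGIN)
    return rp.finish_login("alice", assertion)


def legitimate_fido_login():
    """Same flow with the user on the real site."""
    rp = RelyingParty(RP_ORIGIN)
    auth = Authenticator()
    rp.register("alice", auth)
    challenge = rp.begin_login("alice")
    return rp.finish_login("alice", auth.sign(challenge, RP_ORIGIN))


if __name__ == "__main__":
    print("relayed OTP lets attacker in:", relayed_otp_attack())
    print("relayed FIDO assertion lets attacker in:", relayed_fido_attack())
    print("legitimate FIDO login succeeds:", legitimate_fido_login())
```

In a real deployment the protection is stronger still: the browser also scopes credentials by the relying party ID, so an authenticator would not even produce an assertion for the lookalike domain. Push-approval MFA fails for the same reason the one-time code does, since the approval is not tied to where the user is, which is exactly the gap the social engineering walks through.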

The other thing that I think is worth noting here is the continued efforts of the Department of Justice, FBI, and others to bring consequences to these threat actors - particularly those here in the US.

The deterrence effect is real, and let’s hope that by introducing this friction, this risk, those folks who have these skills find ways to use their powers for good.

Fundraising

From a fundraising perspective, we’re back to bigger ranges, with more than $21.5B in newly committed capital, including:

  • Silver Point Capital raising over $8.5B for its latest direct lending fund;

  • Bain Capital raising $5.7B for its second global special situations fund; and

  • Frazier Healthcare Partners raising $2.3B for its 11th growth buyout fund.

The private markets continue to be compelling as the wave of pending IPOs, particularly in the tech space, continues to hold off - forcing more companies to stay private for longer.

With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and with that - I hope you all have a wonderful Thanksgiving, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.reuters.com/business/media-telecom/suspected-china-linked-hack-us-telecoms-worst-nations-history-senator-says-2024-11-22/

https://www.bnnbloomberg.ca/business/international/2024/11/20/nsa-director-wants-industry-to-disclose-details-of-telecom-hacks/

https://www.nytimes.com/2024/11/22/us/politics/chinese-hack-telecom-white-house.html

https://www.intentionalcyber.com/blog/the-kids-are-not-alright

https://krebsonsecurity.com/2024/11/feds-charge-five-men-in-scattered-spider-roundup/

https://www.justice.gov/usao-cdca/pr/5-defendants-charged-federally-running-scheme-targeted-victim-companies-phishing-text
