Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Scattered Spider identity tradecraft: what IAM teams need to fix


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Scattered Spider combines phishing, vishing, MFA bypass, token theft, and identity provider abuse to move from initial compromise to rapid extortion, according to Hydden and the cited public case studies. The real failure is that identity controls still assume verification, privilege, and recovery happen slowly enough to contain human-driven abuse.

NHIMG editorial — based on content published by Hydden: Scattered Spider identity tradecraft and attack vectors

By the numbers:

Questions worth separating out

Q: How should security teams reduce the risk of Scattered Spider-style identity compromise?

A: Security teams should harden recovery, enrollment, and privileged access workflows rather than only focusing on login protection.

Q: Why do MFA and SSO controls still fail against identity-focused intrusions?

A: MFA and SSO fail when attackers steal the factors, enroll their own devices, or replay already satisfied claims.

Q: What do organisations get wrong about internal credential exposure?

A: Many organisations treat internal credentials in chat tools, repositories, and documentation as low-risk because they are not public.

Practitioner guidance

  • Harden help desk identity proofing Replace knowledge-based recovery checks with stronger verification for password resets, MFA resets, and device re-enrolment.
  • Monitor for credential harvesting inside collaboration tools Search Slack, documentation platforms, code repositories, and ticketing systems for secrets, recovery data, and privileged account references.
  • Track federation and PAM changes as attack signals Alert on new device enrolment, MFA policy changes, delegated authentication updates, role membership changes, and unusual privileged actions in PAM and cloud identity systems.

What's in the full article

Hydden's full blog covers the operational detail this post intentionally leaves for the source:

  • A broader catalogue of Scattered Spider TTPs across people, credential theft, MFA bypass, and infrastructure abuse.
  • Specific examples of the phishing kit behaviour, including copycat identity pages and live credential streaming into attacker channels.
  • The longer list of public case studies and acknowledgements that support the aggregate view of the group’s tradecraft.
  • The full mitigation checklist for help desk, PAM, cloud identity, and identity event monitoring.

👉 Read Hydden’s analysis of Scattered Spider’s identity-centric attack tradecraft →

Scattered Spider identity tradecraft: what IAM teams need to fix?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Identity compromise is the group’s primary control plane, not a side effect of the intrusion. Scattered Spider succeeds by turning authentication, recovery, and privilege workflows into attack paths. The group’s mix of phishing, vishing, token theft, and IdP abuse shows that once identity is weak, the rest of the environment becomes reachable through normal admin logic. Practitioners should read this as a governance failure across access assurance, not a collection of isolated incidents.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when identity recovery is abused in a breach?

A: Accountability usually spans IAM operations, help desk teams, privileged access owners, and security monitoring functions because the attack path crosses all of them. If identity recovery can be abused to restore access without strong proof, the organisation has a governance gap, not just a user problem. Access assurance must be owned across the full lifecycle.

👉 Read our full editorial: Scattered Spider identity tradecraft is a governance problem, not a phishing one



   
ReplyQuote
Share: