The Retail & Hospitality ISAC Podcast 9.27.23
Ep 36 | 9.27.23

Analyzing Top Attack Techniques in Multi-Party Data Breaches, Summit Preview, & Intel Briefing


Luke Vander Linden: Hello there, cyber world. This is Luke Vander Linden, Vice President of Membership at the Retail and Hospitality Information Sharing and Analysis Center, and you're listening to the RH-ISAC Podcast. Well, it's almost here. In just a couple days, I'll be jetting off to Dallas, Texas to spend a few days with 400 of my nearest and dearest colleagues at the 2023 RH-ISAC Cyber Intelligence Summit. You've heard us talking about it, and you've probably gotten one or two emails about it over the past few weeks and months. There will be sessions delivered by prominent thought leaders and experts from the provider community, collaborative workshops, cybersecurity exercises, and exceptional networking opportunities, all driven by your fellow members, assuming you're a member of the RH-ISAC, of course. I will be joined today by Alex Brown, the RH-ISAC Senior Director of Operations and guru of all of our events, to give us the lowdown on what you can expect at the summit, a know before you go. But it's not too late. If you can get down to Plano, Texas, there's still time for you to join us. Head over to to get all the details, after you listen to today's episode, of course. Also, given that we're not a daily podcast, but produced twice a month, we don't often delve into breaking news. Usually, we do more deep analysis and incidents and threat actors and ways retailers can protect themselves. But recent events have pointed us to look at not just third-party risk, which we have done quite often on this podcast, but what David Severski of Cyentia Institute calls ripple events. David is a senior security data scientist at the Cyentia Institute, and he'll explain what that means. And, well, you can't get more breaking news than when we're joined by Lee Clark with The Briefing. 
Usually, it's a wrap-up of the major trends we're seeing, but he's promised me that today, we're going to talk quite a bit about certain types of Scattered Spiders or Muddled Libras or leaping llamas. It's hard to keep track. Those are making news of late. We're a bit early for Halloween, and those certainly sound like spooky creatures, but no matter what you call them, they are a very sophisticated threat actor that are using social engineering to gain a very privileged level of access to a couple of organizations, and then they're able to move around and do quite a bit of damage there. And by the way, RH-ISAC analysts profiled this threat actor many months ago when we launched our Threat Actor Galaxy and MISP. So quite a bit in store for us on this episode, so let's get to it. Of course, if you have something cybersecurity-related that you just have to get off your chest, shoot us an email at, or if you're a member, hit me up on Slack or Member Exchange. I'm happy to be joined now by David Severski, Senior Security Data Scientist at Cyentia Institute. Welcome to the RH-ISAC podcast, David.

David Severski: Thank you very much, Luke. It's a pleasure to be here, and I know that's a mouthful of words to have to pronounce.

Luke Vander Linden: It is, but I think I did it successfully. So you and Cyentia were introduced to the podcast by RiskRecon. RiskRecon, of course, is no stranger to our members and our listeners. Kelly White, the founder, was on our podcast a couple months ago, and of course, RiskRecon is an associate member of ours, big supporter of the RH-ISAC. So tell us a little bit about what the Cyentia Institute does and how you work with RiskRecon.

David Severski: Fantastic, I'm happy to do so. So at the Cyentia Institute, we are a small cybersecurity and data science firm. We work with vendors such as RiskRecon to transform data into publicly-facing research that the community can benefit from and that can actually inform their practices in a data-driven manner. Essentially, we're trying to replace the promises of good practices and compliance checkbox with actual data-driven practice to know what actually works, what actually makes a difference for risk management. RiskRecon and Cyentia have had a long relationship, just like RH-ISAC and RiskRecon as well. Our relationship goes back to 2019. We've done over 15 reports together. This one that we'll be talking about today, which is the ripples Attack Report, is the latest one that's due out, I believe, early next month. Folks that are familiar with RiskRecon know that they focus upon the attack surface of both firms and their third parties, where they're automatically scanning the internet thousands of times every day and collecting quite a bit of information about what the attack surface looks like about firms, what other technologies they have deployed, what are the ones that are vulnerable or perhaps forgotten about and not well managed. We've done a lot of work on that over the years. Most recently with this report, we're actually looking at what happens when those controls actually fail. So we're looking at the loss side of the equation from a risk management perspective. What is the frequency and magnitude of losses when they impact a firm or the firm's suppliers?

Luke Vander Linden: So well, thank you for that because third-party risk is one of our favorite topics here on the RH-ISAC podcast. And I think this fits perfectly with that. And I love the fact that it's data driven. And so, it's not just feelings, it's actual facts. So I think third-party risk is kind of having a moment right now, without mentioning any specific incidents or breaches currently underway, except maybe we can talk about Clop MOVEit. But there's a lot of activity right now that was initially from a third party, an attack on a third party that's now hitting some big companies who arguably were at no fault of their own but kind of got swept up in these events.

David Severski: Absolutely. And so, this has been a topic we've been interested in for a number of years now because it's not just the events that many folks are focused on, which are the events that impact my immediate company because I had an old brochure website out there and it happened to have direct access to a purchasing system. And that was the method of compromise that affected the firm, certainly well-known there. But it's also, as we are all very familiar with in the post-2021 COVID world now, it is all the relationships that form up your supply network, both the physical supply chain as well as the technical supply chain as well. And those are potentially, and in our experience, are in fact very different events than ones that impact just a single firm. And the example I typically give on this is something like the Blackbaud event from 2020, pre-COVID era there, where you had a single firm that was affected by a ransomware attack that spread to, on our last count, hundreds of what we call downstream firms with combined losses of over $47 million. It's huge. And in our experience, we've been working with RiskRecon and with the Zywave Advisen team for their loss data there. And we see that these multi-party security incidents typically cost seven times more than single-party events. So there's already quite a bit of cost there. And when you look at these multi-party, what we call ripple events, seven times the typical costs are associated with that.

Luke Vander Linden: All right. So why don't you define -- I think it's a great term, ripple event. Did you guys coin that phrase? And what exactly, how do you define it?

David Severski: Yeah. So it is a term that we coined using the work that we've done previously with RiskRecon. We've coined this out of the ripples across the attack surface. So if you imagine a pond out there, which is your typical internet exposure there, you drop a rock in the middle of that pond there, you certainly have the immediate splash, the immediate impact from that. But as anyone that's skipped rocks before in a pond, you know that those ripples spread out in concentric rings that affect more and more parties. Whether that's the first party, the original firm that experienced the event, third parties, which are those ones that are perhaps just one hop away, but there's also fourth and fifth and nth party relationships as well, as it's your supplier's suppliers. In fact, you can have an event that takes place very far down your supply chain that has effects that spread all the way back to you. In our work, we call these the difference between the generators, the source firm that actually experienced the breach or the other intrusion, versus the receivers, those that are downstream from that event. And we typically see a ratio of one-to-seven between the generators and the receivers. That means in a typical average ripple event, there's at least seven other firms that are swept up in one of these multi-party events.

Luke Vander Linden: I'm thinking when I speak sometimes to folks and explain to them, when they want to ask about ransomware, for example, and I talk to them about double extortion, triple extortion, this goes beyond that. This isn't just access to data that may have seeped over to a third party or a fourth party or a fifth party, but this is an actual technical effect of a breach in one place and it ripples out.

David Severski: Absolutely. The actual mechanism of that transmission can be varied. So a question we often get is, are all ripples supply chain events? And the answer to that is no, they're not necessarily, because there are multiple types of relationships that firms can have with each other. Oftentimes in third-party risk management, we focus upon where does the data go? And for very good reasons, I exchanged data with this other party, but there are many other ways that things can be transmitted through the course of business relationships that can be through legal means, through system outages. If you are working with a cloud provider and that cloud provider has an outage, even though your data may not be exposed, that certainly has, for many firms these days, has a very substantial impact upon their operations.

Luke Vander Linden: So what are the other examples that you might be able to give of some of the things that some of these breaches that we're talking about with the ripple effect?

David Severski: Yeah, certainly. As you mentioned yourself there, there's the MOVEit event that's still unfolding today.

Luke Vander Linden: No end in sight.

David Severski: No end in sight. Of course, Accellion before that, and file transfer appliances seem to be a perennial favorite in that aspect there. But there's Blackbaud events there. Those events go further and further beyond.

Luke Vander Linden: Why are these events of special significance specifically to third-party risk managers? Or in another way, how do ripple events differ from single company events?

David Severski: So they differ in many ways, one of which is they're frequently unanticipated. Third-party risk managers may be focused upon a particular dimension or maybe even two, such as I'm focused upon where is my data going and which firms are directly within my supply chain there. You know, the modern enterprise is composed of hundreds, if not thousands, of these relationships there, not all of which are necessarily within the scope of an IT manager's purview, and they may not have visibility into those. With the ratio that we have seen of one-to-seven in terms of generators to receivers out there, this is meaning that every single event has the potential to spread out to many, many different firms, sometimes ranging up to hundreds of firms, but the cost is very different as well. You may feel as a third-party risk manager that you have a good understanding of what your particular firm's exposure is to losses, but we've seen for these ripple events, the cost ranges anywhere from typically seven times to as much as 15 times or even greater than the typical cost of a single-party event. So when these things happen that sweep up multiple companies, they're typically extremely costly, as you can imagine from the legal ramifications, regulator impacts, and of course, the customer impacts as well.

Luke Vander Linden: Right. Not to mention reputational impacts, you know, even if it's not your own breach, your name will get dragged through the mud if you're the primary brand that people know.

David Severski: Absolutely. And I think it's important to mention here that our data on this particular aspect is coming from publicly verifiable real-world costs. So we've been a long-time partner with Zywave, formerly Advisen, and they publish a feed of publicly verifiable breach information that encompasses hundreds of thousands of events out there, and all of these events are actual hard costs. So we're not dealing with estimates. We're actually dealing with what companies actually experienced.

Luke Vander Linden: So I think, I hope, that most of our listeners are familiar with MITRE ATT&CK framework. So how does ATT&CK analysis fit in to all this and relate to these ripple events?

David Severski: Absolutely. So ATT&CK is a fantastic framework. As many people are familiar with, it goes back to MITRE. I think it was originally founded back in 2013, and it's up to version 13 out there, and it's a way of describing the full attack chain. That's perhaps an overused term there. Everywhere from initial compromise through to lateral movement all the way out to post-compromise and impact on the sad end of the equation there. Because a lot of the information we're dealing with is from public sources or publicly accessible sources there, we don't often have full forensics information on many, if not most, or even all of these events. We have, hey, this event happened, it was this type perhaps, and here are the losses, but we don't know exactly all the steps that happened there. So what we've done at Cyentia, and we've done this in several reports now, many of which are publicly available, including the Information Risk Insights Study, and we're happy to bring to this effort with RiskRecon, we've been working on taking this information, applying our data science expertise to do some machine learning and advanced natural language processing to say, okay, given what we know about the event, can we extract what are the probable actual parts of the MITRE ATT&CK taxonomy that apply here? And that's incredibly useful because not only can we then classify, here are the common ways that attackers are actually getting a foothold and then exploiting that foothold on firms, but here are actually the controls that have the greatest probability of preventing either that initial foothold or the impact to the organization.

Luke Vander Linden: Right, excellent. So is there a difference here between insider-related events and how they differ, I guess, from outside threat actors?

David Severski: Absolutely, there is. So insider threats and insider events are ones that get a lot of attention because it's always that concern there, the trusted insider there, and certainly I don't want to downplay those events. That being said, in our research, we have found the actions of malicious insiders to be much less than is commonly expected. That's not to say, however, that insiders are not involved. As we've seen in this particular bit of work on these ripple events, those ripple events that are from insider mistakes, so that would be errors, that would be I clicked on something I shouldn't have there, are twice as common as those that are not insider-related. And in fact, those insider events, even more significantly, are 800 times as costly as those typically involving insider malice. So yes, having a rogue administrator is definitely a problem. It is still the user behavior that is the biggest and most lucrative target.

Luke Vander Linden: Right. So it goes back to security awareness, security as social engineering, that kind of stuff.

David Severski: Absolutely. Absolutely.

Luke Vander Linden: Right. So looking at the data, looking at what you've learned, what are the key techniques seen at the start of these ripple events and what controls are most connected to preventing the events?

David Severski: As you mentioned, it is things that are well known to many practitioners but are still hard. Certainly, there are lots of advanced malware out there, advanced techniques out there, but in the vast majority of events, it is still the, I'll put air quotes around, the standard things that are challenging for a lot of companies. On the frequency side, it is, just as you were mentioning there, you see valid accounts. So having root passwords exposed out there, valid accounts being exploited, whether that be through phishing or password guessing there, are extremely common. Also, we have trusted relationships. So this is, I trust this third party implicitly. And when that is compromised, that is affected as well. On the loss side of the equation, most commonly the largest share of losses that companies are experiencing are coming from an exploit of their public facing applications, whether that's a payment portal or a customer data portal, et cetera. From a mitigations perspective, there's like four key controls that are relevant for over two-thirds of all the events in this particular report. Those being user account management. So you know, knowing who your customers are and who your employees are. It is privileged account management. So this is how well do you track and manage those administrator accounts and those other ones that have highly privileged access. One that's a little bit more technically oriented would be network segmentation. Do you have all of your assets on a single network or is there layers that attackers would have to go through to get from a public website to your production backend, et cetera? And then last but certainly not least, as far as the top four would be user training. So if you look at those three things, you know, three of them there are all user oriented.

Luke Vander Linden: Right. And is this something then that companies should demand or strongly request of the third parties as well to follow these basic rules?

David Severski: I think it would be excellent advice for both practitioners looking to defend their own organization or looking to focus upon for the third-party risk management perspectives as well. We can even go further and look at saying from the other end of the equation, what happens on the post-compromise? So if those controls are not successful at the front end, there are things that can be done on the backend to help reduce the actual loss magnitude. And there's a quick list of five that I'll list off that are responsible for 90 percent of those losses. And that would be restricting file and directory permissions. So this is, again, limiting access to only just what is necessary. Zero trust has been a popular one of recent years, and this is very equivalent with that. Going back to the users again, you have user account permissions. How well those permissions are limited. Privileged account management follows up again. We have execution prevention, and this is one that is a little bit more technical as well. So this is what you might think of as allow listing. So do you only permit known good executables to be run on your devices, on your endpoints? And then following up on that, you have endpoint protection. This is your standard antivirus endpoint response system, whatever we're calling it these days, type of technologies.

Luke Vander Linden: Right. You want to have good relationships with your internal folks, the companies that you work with, but you also need to verify that you're protecting your own environment from things that they're doing and they're protecting their environment so that you can trust everybody.

David Severski: Absolutely.

Luke Vander Linden: Looking ahead to what might change or might be on the horizon in the future, I ask this of my guests a lot. Do you see anything that you'd like to predict in this area?

David Severski: As we talked about in the course of this conversation there, it is still the old and true that are the most common. User behavior, and I certainly don't mean to cast aspersions and shade upon users. I mean, this is hard. It is a failure, I believe, of the technology that it is just too easy for a user and enterprise to be compromised by one errant click. There's just too much around that. So this means that we need to provide better tools and education and technology to users so that they can go about the things they need to do in a safe fashion. So that is a hope rather than a prediction around that there. Yes, I'll leave it at that.

Luke Vander Linden: Yeah. You're not alone in that. We interviewed Ira Winkler, formerly of Walmart, about a year ago, and he talks about the same thing that we often blame the humans as the weakest part of cybersecurity. But the whole world is set up to protect humans from themselves. And why should cybersecurity be any different?

David Severski: It should not.

Luke Vander Linden: Excellent. David Severski, senior security data scientist at Cyentia Institute. Thank you very much for joining us on the RH-ISAC podcast. All right. We are now joined by a very special guest, Alexandra Brown, senior director of operations for the RH-ISAC. Welcome back to the podcast, Alex.

Alexandra Brown: Hello and hi, RH-ISAC podcast listeners. As Luke said, I'm Alexandra, or Alex Brown, senior director of operations here at the RH-ISAC.

Luke Vander Linden: Excellent. And I should point out that we're also joined potentially by Clyde, your dog. So in case we hear him in the background, he's just going to opine on things that are important to him. You and I are in meetings all the time. I get to see you all the time, get to work with you all the time. But for the benefit of those folks listening or our members who don't know you as well, can you give us a little introduction about who you are and what you do and as much of your background as you want to share?

Alexandra Brown: Sure. We'll keep it brief. But I, as the senior director of operations here, I help to oversee the H.R., finance, strategic operations and the events portfolio for our business, primarily, of course, right now leading up to the peak event season. I'm really focused on events, but also supporting all of those other functions as well.

Luke Vander Linden: That's great. And you're right. One of the things we have been working on closely together is the upcoming RH-ISAC Cyber Intelligence Summit, our biggest event of the year. And I can say it's here now. It's only a few days away. So give us a little details about the event.

Alexandra Brown: Yeah, very exciting. So the RH-ISAC Summit is coming up October 2nd through the 4th, and it's going to take place at the Hilton Dallas Plano Granite Park in Plano, Texas, or Dallas, Texas, essentially, if you're not local to Texas. This is going to be our eighth year holding this program, and it is our second time at this location.

Luke Vander Linden: Yes, it's the Dallas-Fort Worth Metroplex. It's all right there. You fly into the same airport. So it's great and great location. Glad we could be back. Perfect spot for the event. What should our attendees expect when they get there?

Alexandra Brown: That is a great question. And the answer depends on when you arrive. So the action will begin on Monday, October 2nd. We'll be hosting a strategic tabletop exercise at noon that day, a tactical capture the flag that will start at 1 p.m. We have a soft registration that's going to open at 2 p.m. Sponsors will be putting their tables together, getting ready for their networking the following day. And then we will have our opening reception that takes place on the outdoor patio and fire pit area at the Hilton, beginning at 5 p.m. So there's a lot happening on day one. We encourage attendees to take advantage of any and all opportunities for networking before the official conference begins the following day, Tuesday, October 3rd.

Luke Vander Linden: Excellent. So once they get into town, they can start moseying over in Texas fashion starting around 2 o'clock.

Alexandra Brown: That's right.

Luke Vander Linden: All right. So looking at the agenda, which I've done at the Summit website,, huge array of topics and speakers. Give us some highlights.

Alexandra Brown: Yeah, absolutely. So we've got a fantastic lineup of speakers, topics and sessions at this year's event. As of recording, as of today, we have 55 speakers confirmed, 24 breakout sessions, and five keynote or panel discussion presentations. So the majority of our speakers are from our retail and hospitality membership base from companies like Target, United Airlines, Marriott, Albertsons, Costco, Walmart, Home Depot, Hyatt, T-Mobile, Lowe's, IHG, I could go on and on. A couple of sessions I did want to highlight for listeners. So first, our opening keynote, it's a panel discussion that's titled the Priorities, Purpose, and Power of Information Sharing. We're bringing together a couple of really great CISO leaders from Levi Strauss, Ulta Beauty, and Casey's General Stores. They're going to help us to essentially set the stage for the conference and really showcase why it's important for us to gather like this, why we share and the importance of nurturing our RH-ISAC community to help collectively defend against bad actors. Another session that I'm really looking forward to is our panel discussion on the state of cyber threat intelligence or CTI in 2023 and beyond. So that session is moderated by Victoria's Secret. We've got some fantastic CTI leaders joining from Target, Shein, and Canadian Tire. We've got, I think you've already talked on the podcast about Deneen DeFiore, the CISO at United Airlines, her presentation on navigating through a global crisis. We've got another panel, main stage panel on digital fraud, emerging tech, and AI with leaders from Walmart, Cava, Colgate-Palmolive, and Booking Holdings. And then last, our closing keynote for the summit is a cyber security analyst, researcher, and white hat hacker, Keren Elazari, who's going to talk about what we can learn from hackers about the future of cyber security. So it's a fully packed two days, lots of sessions to choose from. 
Oftentimes what we hear from our attendees is, you know, they wish they could be in two or three places at once because we've got these stacked. So very excited.

Luke Vander Linden: I was just going to say that there's so much going on and so much happening at the same time. It's really been amazing to watch this agenda gel. And I did mention Deneen to sweeten everybody's interest. And I got to meet Keren in London earlier this year, and she told me she was very excited about coming over and being part of our event. So that's great. So can you tell us, I think there's going to be a lot, looking at the registration list, I think there's going to be a lot of newcomers attending, but also some folks who have been here before. Registration's going well, and it seems like it's probably going to be bigger even than last year. So what can these folks expect? Give me maybe some helpful tips so that people can prepare for arrival.

Alexandra Brown: Yeah, you're exactly right. So said and done, we're going to see upwards of, you know, 350, maybe even close to 400 folks at this event this year. So whether you're attending the summit for the first time or you're a seasoned attendee, I do have some tips to help make sure that this is a memorable experience for everyone. So first, hotel reservations. If you have not already done so, please make sure to book your hotel rooms. Our room block is at capacity, but there are a handful of alternative options in close proximity to the event. If you go to the aforementioned micro website,, there is a venue and travel tab with a handful of options for you there. Suggested attire. So the dress code is business casual. We want our attendees to feel comfortable, we suggest, you know, nice jeans paired up with button down shirt, slacks or casual dress or a skirt. Suit jackets and ties are not required. We just suggest bringing a light sweater or jacket as, you know, conference centers, meeting rooms can sometimes become a bit chilly. As far as arrival goes, parking and transportation, the majority of attendees are going to be flying in for the event. So we suggest just using a ride share app, an Uber, a Lyft, getting a taxi to get to your hotel. For those that are local or are driving in, there is a large parking lot in front of the hotel. You can self-park. If you plan to leave your car overnight, the cost is $18 per night to keep your car there. So just go to the front desk and take care of that. A couple other things. So there are additional programs that require registration. Some of those are the tabletop exercise that I mentioned on that Monday at noon, the tactical capture the flag, also on Monday at 1 p.m., the member meeting and celebration dinner. So for all of our retail hospitality members, you will not want to miss that. And that does require separate registration. And then last, just on-site support. 
We have a registration desk that will be staffed during all hours of the event, not overnight. If you have any questions, if you need help, start at the reg desk. They'll help you find the answers or connect you with the right people to make sure that you're getting what you're looking for. So leading up to the event, if you have any questions, concerns, or comments, send those over to, And then don't forget to check out the summit website. It has the agenda, speakers, all the details. That's I think that's it for me. So looking forward to seeing you all in Dallas and thanks for having me on the podcast, Luke.

Luke Vander Linden: That's great. I'm getting excited about it. Looking forward to it. Looking forward to seeing all of our members again, which is great. Alex, thank you for being on the podcast. More importantly, thank you for all that you do to make our events and all the other things you do great. All right. We are now joined by Lee Clark, the RH-ISAC's own, for The Briefing. And usually you have fairly topical subjects to talk about because it's a briefing of the major threats and trends you're seeing, but pretty good breaking news happening in our sector these days, right, Lee?

Lee Clark: Yeah, it has been a busy September and an even busier past two weeks in the RH-ISAC community, that's for sure, Luke.

Lee Clark: So one thing we wanted to take this opportunity for The Briefing to talk about was there has been a serious uptick in the last month in Scattered Spider activity, and especially Scattered Spider facilitating the ALPHV and BlackCat ransomware strains by targeting Okta customers. So this is happening especially in the hospitality and gaming communities, right? We've all been seeing breaking news of organizations being compromised as a result of Okta credentials or Okta environments being hit, right? So essentially the gist we want to get across to membership and to the larger community is that organizations who are operating in the retail, hospitality, travel spaces are strongly encouraged to implement defensive recommendations that have been provided by Okta and a few recommendations that we have here at the ISAC, like reviewing known tactics, techniques, and procedures employed by Scattered Spider and other threat groups known to target Okta, ingesting indicators of compromise associated with those same groups, and then just maintaining situational awareness of developing threat intelligence related to Scattered Spider. So essentially throughout this entire year, Scattered Spider has dramatically escalated targeting the retail, hospitality, and travel sectors, and this includes activity like domain impersonations, phishing campaigns, and facilitating ransomware operations, especially of the ALPHV or BlackCat strain, right? In September of this year, that activity increased just exponentially in the form of targeting in the hospitality sector, right? So in late August, Okta actually provided some really interesting security recommendations as well as TTPs, IOCs, and detection options. That memo is really worth checking out for organizations because they provide in-depth defensive recommendations for their customers to combat some of the activity that we're actually seeing expand now, right? 
This includes protecting sign-in flows by enforcing authentication with FastPass, configuring authentication policies for access to privileged applications, using self-service recovery, reviewing and consolidating the use of remote management and monitoring tools, strengthening help desk identity verification processes using a combination of maybe visual verification, delegated workflows to issue MFA challenges, or access requests that require approval by a user's line manager, right? That last one I'd like to highlight in particular for obvious reasons. These recommendations go on, and they're pretty lengthy, and the great thing that Okta has done here is they've actually given detailed instructions in the form of links within each of those recommendations for organizations to look into exactly how to enable these access controls. And these access controls have the benefit of being both technical and process-oriented. So in addition to changing configurations on machines in your environment, it's also about training staff. It's also about creating processes and workflows that require staff to follow secure guidelines, right? And those things in combination are some of the most effective defenses against all cyberattacks, not just the current ones we're seeing.

Luke Vander Linden: Right. That's one of the things that stuck out to me about this is how policy-oriented it was, that there are certain things that can be put into place just from a process standpoint that were not being used by the victims of these attacks.

Lee Clark: Sure. So I mean, overwhelmingly in cybersecurity for years, there's been this sort of idea that the human element in a cybersecurity operation is the weakest link. And I don't think that's always true, but it is true that combining that level of people-focused security controls and technologically-focused security controls, those two things together are what can really develop this sort of posture that enables the overwhelming rejection of a number of cyber intrusions. And that's because these organizations are operated by people at the end of the day. So it doesn't matter if you have all the security controls in the world enabled if, say, a phishing email allows someone into your network because someone clicked on it, right? So those two things in concert are what can really help defense. And I really like that Okta sort of does that here. They combine those two to sort of help their customers figure out ways to develop that sort of culture of security that we talk about. So if we pivot from the organization being targeted, right, to the organization doing the targeting, Scattered Spider is also known as UNC3944, Scatter Swine, and Muddled Libra. What a name. They're a financially motivated actor. They've been active since at least 2022, and they've largely been observed targeting telecoms and business organizations, especially critical infrastructure organizations. They have more recently in the past, let's say, year, maybe six months, increased the targeting of the retail sector dramatically, right? And in this changing of targets, they've also started leveraging a variety of new tools, especially social engineering tactics, like calling a help desk and impersonating IT maintenance, right? So Scattered Spider is one of the first organizations that we here at the RH-ISAC actually covered in our threat actor catalog. 
So the RH-ISAC operates a MISP Galaxy, where we have a database of the major threat actors that target the retail and hospitality and travel communities in a sophisticated and consistent way. Scattered Spider was among the first ones we did. Our profile for that available to members includes known aliases, background information and history, known exploited vulnerabilities, prominent open-source incidents attributed to the group, known TTPs leveraged by the group, IOCs attributed to the group, including closed-source IOCs that aren't publicly available, and then data sources of where we get all this information, right? And we have this for a number of threat actors, but Scattered Spider is one of the big ones we've been focusing on, especially because we've been seeing so much activity from that group. In addition to Scattered Spider, what other threat actors have been targeting Okta, right? Okta is a really valuable target for cyber threat actors because organizations rely on them so much. Okta is such an incredible tool for managing an environment, right, that organizations end up integrating them in a serious way, which makes them a high-value target. Now, Okta is really good about catching these, disrupting them, letting their customers know what's going on. No shade to Okta at all, but that's why we have such a dedicated timeline of organizations targeting them, right? In August of last year, Group-IB identified an opportunistic phishing campaign, probably involving Scattered Spider or an organization they call 0ktapus, which we assess with a moderate degree of confidence is probably the same organization. Out of nearly 10,000 user accounts and 130 global organizations that were targeted in that phishing account, at least seven retail companies were targeted and saw exploitation attempts, right? 
Earlier that same year, Okta actually themselves released a really excellent technical report about an ongoing compromise they had been notified about by Twilio, right? They identified unauthorized access to information related to a number of customers, and Okta released a great report about exactly what happened, exactly what was done to mitigate it. We also know that in March of last year, the Lapsus$ cybercriminal group, whenever they were in the middle of their spree, they went on quite a spree, getting a number of retail organizations in South America, a number of financial institutions, and Okta was one of the organizations that they eventually posted screenshots of on their Telegram channel, demonstrating that they had superuser access. Okta immediately responded to that, right? So the gist of this is what I said when we were right up front at the beginning, right? There is an established history of sophisticated threat actors targeting Okta users in a consistent and technologically advanced and well-resourced way, and because of that history, and because that history has led to a current sort of escalation in these attacks on the retail, travel, and hospitality communities, we're going to strongly recommend that organizations really take a good look at those Okta recommendations and implement them, right? As well as maintaining that situational awareness through, say, participation in an ISAC community, right?

Luke Vander Linden: Sharing intel, that's important. Wow, that's a lot. It's rare, at least in my experience, to have two major things happening at the same time. This is on the heels of the CLOP situation as well, so a lot going on for our members, a lot going on for you guys on the intel team here at the RH-ISAC, so keep up the good work. Thanks again, as always, for The Briefing, Lee, and we'll see you in a couple weeks. Thank you to all of my guests, David Severski of Cyentia Institute and the RH-ISAC's own Alex Brown and Lee Clark. If you do one thing after listening to today's episode, head over to to learn all about the RH-ISAC Cyber Intelligence Summit kicking off next week. We have great speakers, including CISOs from Colgate-Palmolive, United Airlines, Ulta Beauty, Kava, Lowe's,, Levi Strauss, Casey's General Stores, Aramark, Kontoor Brands, and more. Check out the whole list of speakers and the agenda at I hope to see you there. If everything you've heard today sounds great, but your company isn't yet a member of the RH-ISAC, what are you waiting for? Go to to learn more and to start the process. And if you want to discuss anything you've heard today, or if you have an idea for a podcast segment, or even if you want to be on yourself, shoot us an email at As always, thank you to the production team who do their best to make us sound good. For the RH-ISAC, that's Annie Chambliss and Marisa Trushinecki, and from N2K Networks, formerly known as the CyberWire, Jennifer Eiben, Trey Hester, and Elliott Pelzman. Thanks as always for listening, and stay safe out there.