PALO ALTO, Calif. – Sept 27, 2023 – Permiso, a cloud detection and response startup, is making good on their promise of finding evil in cloud environments by offering complimentary private threat briefings with the P0 Labs team on Scattered Spider, the threat actor group responsible for orchestrating multiple well-known campaigns against cloud environments, most recently targeting MGM and Caesars earlier this month.
“An identity-first security strategy is paramount to defending against modern threat actors. P0 labs is at the forefront of understanding these attacks by making identity a pillar in their research of threat actors like LUCR-3, aka Scattered Spider, who are actively targeting the identity infrastructure,” said Jason Chan, former Head of Security at Netflix.
Runtime visibility continues to evade security professionals in the cloud. Point in time scanning and snapshot solutions focus on the posture of an environment, ensuring that resources are configured in a secure manner to protect against rudimentary attacks. Detecting attacks against an environment at runtime, however, presents a significant challenge to many security organizations.
“LUCR-3 (AKA Scattered Spider) is a threat actor group the P0 Labs team have been following closely in the past year. They are orchestrating campaigns across cloud environments that touch not only the cloud hosting providers like Azure or AWS, but span across identity providers and multiple SaaS environments like CRMs, team collaboration tools, productivity suites and into CI/CD pipelines. They cover their tracks meticulously and can be difficult to detect, but we’ve learned a great deal about their TTPs and want to freely share that with the broader community to help organizations defend against this group,” said Permiso Co-founder and Co-CEO Jason Martin.
The challenge of detecting these attacks becomes exponentially more difficult as threat actors are moving across authentication boundaries over the entire attack surface in the cloud. Permiso, with the help of industry partners and extensive threat research, has developed a comprehensive guide to how the group operates, and how they are successfully infiltrating the cloud environments of large, Fortune 1000 companies.
Because much of the access and activity in the cloud is done through shared credentials like roles and access keys, tracking that behavior back to the individual identity or user is difficult. According to Crowdstrike’s recent threat hunting report , Nowhere to Hide, their team observed a 160% increase in attempts to gather secret keys and other credential materials via cloud instance metadata APIs. The use of compromised credentials makes deciphering legitimate users from imposters a significant challenge. Accordingly, many of Scattered Spider’s attacks have largely gone undetected. They are able to gain access with ease, conduct a significant amount of reconnaissance on the environment, and are are often able to escalate their privileges or leverage over privileged identities to access sensitive data, all within a few days.
During the threat briefing, Ian Ahl, SVP of P0 Labs and former Head of Advanced Practices at Mandiant, will provide some additional information about the threat actor group that wasn’t previously covered in a recent blog post on the Permiso website or made publicly available before. He will also discuss the TTPs of the LUCR-3 threat actor group (AKAS Scattered Spider, UNC3944, Roasted Okatpus, STORM 0875). Ahl will also cover LUCR-3's role in extortion through the data theft of intellectual property and their recent attacks against multiple cloud environments such as IaaS, SaaS, Identity Providers and CI/CD pipelines. The threat briefing will offer guidance on how organizations can develop detections in their own environment based on the group’s attack patterns, as well as other steps organizations can take to prevent breaches, or reduce the dwell time should an actor gain access to an environment.
"The PO Labs continues to impress us by being at the forefront of these emerging cloud attacks. The knowledge they're able to share with our team on the TTPs of modern threat actors like Scattered Spider is unlike anything we've seen before,” said Rob Preta, Head of Cyber Security at ACV Auctions.
Earlier this year, Permiso released their Cloud Detection and Response Survey Report , where they found that more than 80% of respondents expressed confidence that their current team and tools would be able to prevent a threat actor from being able to breach their environment. 95% of the respondents, however, expressed concern with their ability to detect a threat actor in the event that they were able to gain access to their environment. 55% of those expressed their concern as ‘very concerned’ and ‘extremely concerned.’
To schedule a free threat briefing for your organization, you can go to https://hero.permiso.io/lucr-3-scattered-spider-threat-briefing to get started.
About Permiso
Permiso is a cloud detection and response company that finds evil in cloud environments. Permiso creates session constructs for the identities across cloud and SaaS applications to break down visibility boundaries and understand user behavior and intent across your environment. These session constructs are developed by stitching together activity across cloud applications, services, and providers to create an immutable ledger of activity in an environment. Permiso creates a unified identity across authentication boundaries and presents this as a forensically sound access chain. By tying all activity back to a singular identity, Permiso is able to detect access anomalies, behavioral anomalies, or specific activities associated with compromised credentials. For more information, please visit our website or find us on Twitter and LinkedIn.