How to Defend Against Identity-Based Cyber Attacks

Today's cybersecurity landscape moves at breakneck speed, driven by deception and AI-powered attacks.
Identity security has emerged as the critical frontline in the battle against cybercriminals.
As threat groups like SCATTERED SPIDER refine their methods to exploit both human vulnerabilities and system weaknesses, organizations need to fundamentally rethink how they detect threats, respond to incidents and stay ahead of attackers, according to Zeki Turedi, Field CTO for Europe at CrowdStrike.
In this Q&A with Technology Magazine, Turedi explores the evolution of agentic defense, the rise of AI Detection and Response (AIDR) and how cross-sector collaboration is transforming the fight against modern cybercrime.
What made SCATTERED SPIDER's tactics unique among eCrime groups?
SCATTERED SPIDER distinguished itself through aggressive, identity-focused attacks that set a new standard among eCrime groups.
After lying relatively dormant, the group resurfaced in 2025 with coordinated campaigns targeting aviation, insurance and retail sectors.
Their signature technique is voice phishing, or "vishing", where they use social engineering to impersonate legitimate employees. Armed with accurate identity information, they contact help desk staff and manipulate them into resetting passwords or multi-factor authentication (MFA) credentials.
Within minutes, attackers typically register their own devices for authentication, gain access to Microsoft 365 and other SaaS applications, delete security alerts to cover their tracks and move laterally throughout corporate networks.
What sets them apart is the remarkable speed and precision of their operations. They specifically target help desks to compromise accounts belonging to IT and security personnel, who typically have access to network architecture documentation, security tools and incident response procedures.
The group also pursues C-suite executive accounts, leveraging their access to sensitive data, communications and resources that facilitate data theft and extortion.
Once they breach a network, they move swiftly by using compromised identities to steal large volumes of data, escalate privileges and, in some cases, progress from initial account takeover to full ransomware deployment in under 24 hours.
Their combination of social engineering, hands-on-keyboard tactics and identity exploitation allows them to bypass heavily monitored endpoints and disrupt critical sectors more effectively than most eCrime groups.
Which industries suffered most from their attacks and why?
Throughout 2025, SCATTERED SPIDER concentrated on industries where disruption creates immediate, high-impact consequences.
The aviation industry attracts the group due to its dependence on continuous operations, interconnected systems and the handling of sensitive information.
Insurers make valuable targets because of the highly sensitive data they maintain and their essential role in financial services.
Retailers face particular vulnerability due to large workforces, distributed IT environments and the intense pressure created by operational downtime.
By combining social engineering with rapid privilege escalation, SCATTERED SPIDER exploited identity and process vulnerabilities in these sectors, transforming them into leverage for extortion and ransomware attacks.
How did public-private collaboration shape this law enforcement response?
When law enforcement and private industry share critical threat intelligence and take decisive action together, they can disrupt cyber operations that inflict significant damage on global businesses, as demonstrated by the arrests of two SCATTERED SPIDER members.
What shifts do you anticipate in ransomware operations after these arrests?
These arrests represent a major disruption and will likely degrade SCATTERED SPIDER's operations in the short term.
More significantly, they send a clear message: cybercriminals who aggressively extort and disrupt businesses are not beyond law enforcement's reach.
What immediate actions should businesses take to defend against similar threats?
Start with identity security. Companies should implement phishing-resistant MFA and strengthen help desk processes to prevent attackers from exploiting them to reset credentials or register new devices.
Prioritise detection and monitoring. Organisations need to thoroughly understand their critical technology infrastructure, whether that's a virtual cluster running essential applications or a SaaS CRM containing sensitive information. Implement robust logging and monitor for authentication anomalies, administrative changes and unusual behaviour affecting critical systems.
Comprehensive logging and solutions that provide cross-domain analytics, such as next-generation SIEM platforms, are essential. Pay close attention to suspicious application usage, search terms and data access patterns that often signal malicious activity.
Strengthen infrastructure security. Segment networks, secure VMware environments, apply least-privilege access controls across cloud systems and disable outdated authentication methods. These measures limit how far adversaries can penetrate once they breach the perimeter.
Ensure incident readiness. Maintain isolated backups, practice incident response procedures regularly and train help desk and IT staff to recognise social engineering attempts.
By strengthening identity protections, improving visibility and preparing to respond quickly, organisations can close the security gaps that adversaries exploit and stop breaches before they escalate.



