Cross-Border Reality: What FBI/CISA and Canada’s Cyber Centre Agree On About “Scattered Spider”
This fall, SecTor returns to Toronto, bringing together cybersecurity practitioners from both sides of the border to share insights on fast-moving threats and the playbooks that actually work in the wild. Few topics warrant that cross-border lens more than Scattered Spider, a financially motivated threat collective whose evolving tactics in social engineering and identity abuse continue to challenge defenders.
In late July, U.S. authorities released an updated advisory detailing how these actors infiltrate IT help desks, bypass multi-factor authentication (MFA) using push-fatigue and SIM-swapping techniques, comb through internal systems like email and SharePoint, and even join incident remediation calls. The guidance is clear: organizations must be prepared to pivot incident coordination out of band when in-band channels are compromised or suspected to be.
Just days earlier, the Canadian Centre for Cyber Security issued a joint advisory warning domestic organizations about Scattered Spider. It echoed similar tactics, techniques, and procedures, including help desk social engineering, identity abuse, rapid data theft, and extortion, and emphasized the need for robust mitigations.
For defenders in both Canada and the U.S., the message is consistent: incident response plans must assume the adversary is watching the responders, and other critical roles such as Legal and executives, by reading their internal communications and collaboration tools.
What the Advisories Actually Say (and Why It Matters)
- Identity is the new perimeter, and a favorite target.
The FBI/CISA guidance highlights repeated success by these actors through help desk social engineering, MFA push bombing, SIM swaps, and other identity-focused techniques. These methods work precisely because they exploit everyday workflows and trusted processes.
- In-band communications become an intelligence leak.
The joint U.S. advisory warns that Scattered Spider actively monitors email, collaboration tools, and incident response (IR) calls to track what defenders know and what they plan to do next. This creates a chilling second-order effect: responders may self-censor or hesitate, fearing they will tip off the adversary. The takeaway: establish your out-of-band (OOB) communication channels before you need them.
- Guidance is now harmonized across borders.
Canada's cyber authority and the U.S. interagency team are aligned on Scattered Spider's tradecraft and on the core mitigations: phishing-resistant MFA wherever possible, stricter help desk protocols, faster detection, and crisis workflows that treat in-band systems as both targets and sensors.
What Should You Do?
- Rehearse going “out of band.”
Incident response plans should assume that by the time you are executing the plan, your critical teams may already be under surveillance and the network's communication tools cannot be trusted. Practice failing over to your out-of-band communications tool. Measure how quickly your team can assemble on the alternate channel, and ensure executives, Legal, IR, and external partners can be brought in with least-privilege access.
The Three Requirements for IR Communications
IR comms must meet three non-negotiable criteria:
- Requirement #1: It must be out of band. No dependencies on the production network. No hosting or backups tied to network hardware. No copies of the in-band tool.
- Requirement #2: It must be more secure. End-to-end encryption across messaging, files, voice, video, and screen sharing is essential: it keeps content unreadable to the service operator and to anyone who compromises the hosting environment, which is what reduces insider and third-party risk.
- Requirement #3: It can't sacrifice controls. Security policies, user controls, and retained records must remain intact. If your "OOB" tool relies on your network for hosting or exports, it is not truly out of band.
- Stabilize identity under stress.
Harden help desk workflows with callbacks to a number already on file, out-of-band verification, and scripted challenges, and require that verification before any password reset, MFA reset, or new device enrollment. Minimize opportunities for SIM-swap escalation by removing SMS from MFA and account recovery wherever you can, and expand phishing-resistant MFA (e.g., FIDO2/WebAuthn security keys or passkeys) wherever feasible.
- Assume internal knowledge will be read.
Scattered Spider thrives on reconnaissance. Treat email, Slack/Teams, SharePoint, and ticketing systems as potentially observable. Write playbooks that route sensitive details, such as containment windows, negotiation strategy, and legal posture, through your OOB lane until confidence in the in-band environment is restored.
- Don't forget about regulatory/legal obligations.
Both advisories stress the importance of reporting and community sharing. Keep audit-ready records of who was involved, what decisions were made, and when.
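The "faster detection" mitigation above is easiest to see in code. The following is an added example written for this post, not code from either advisory or from ArmorText: a small detector for MFA push bombing run over constructed identity-provider log lines. The log format, field names, the ten-minute window and the threshold of three are all assumptions; the logic is what matters. It counts the pushes a user rejected or let time out inside a short window, raises a "push_bombing_attempt" when that count crosses the threshold, and raises a higher-severity "approved_after_push_fatigue" when an approval follows such a burst, because that approval is the moment the attacker most likely has a session.

```python
"""Detect MFA push-fatigue ("push bombing") in identity-provider logs.

Added example for this article; it is not code from the FBI/CISA or Cyber
Centre advisories or from any vendor. The log line format, field names,
thresholds and sample records below are all assumptions made for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format (adapt the regex to your IdP's export):
#   <ISO-8601 UTC> user=<upn> event=mfa_push result=<denied|timeout|approved> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+user=(?P<user>\S+)\s+"
    r"event=mfa_push\s+result=(?P<result>\w+)\s+src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=10)     # assumed look-back window per user
THRESHOLD = 3                      # assumed: rejected/unanswered pushes before alerting
NOT_APPROVED = {"denied", "timeout"}

# Constructed sample log (not real data). jdoe is bombed and finally approves;
# asmith mis-taps once and then approves; bchen's timeouts are too spread out.
SAMPLE_LOG = """\
2025-07-30T02:14:05Z user=jdoe@example.com event=mfa_push result=denied src=203.0.113.7
2025-07-30T02:14:41Z user=jdoe@example.com event=mfa_push result=timeout src=203.0.113.7
2025-07-30T02:15:20Z user=jdoe@example.com event=mfa_push result=denied src=203.0.113.7
2025-07-30T02:16:02Z user=jdoe@example.com event=mfa_push result=timeout src=203.0.113.7
2025-07-30T02:18:37Z user=jdoe@example.com event=mfa_push result=approved src=203.0.113.7
2025-07-30T02:18:40Z user=jdoe@example.com event=login result=success src=203.0.113.7
2025-07-30T02:30:11Z user=asmith@example.com event=mfa_push result=denied src=198.51.100.4
2025-07-30T02:30:39Z user=asmith@example.com event=mfa_push result=approved src=198.51.100.4
2025-07-30T03:00:00Z user=bchen@example.com event=mfa_push result=timeout src=192.0.2.9
2025-07-30T03:20:00Z user=bchen@example.com event=mfa_push result=timeout src=192.0.2.9
2025-07-30T03:40:00Z user=bchen@example.com event=mfa_push result=timeout src=192.0.2.9
"""


def parse_log(text):
    """Parse push events into (timestamp, user, result, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an MFA push event; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["result"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def _finding(user, kind, ts, recent):
    return {
        "user": user,
        "kind": kind,
        "at": ts.isoformat(),
        "pushes": len(recent),
        "sources": {src for _, src in recent},
    }


def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return a list of findings, one dict per alert, in chronological order.

    kind = "push_bombing_attempt": >= threshold pushes the user denied or let
           time out within `window` (the attacker is hammering the account).
    kind = "approved_after_push_fatigue": an approval that follows such a burst;
           treat as a likely compromised session and pivot comms out of band.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = []
    for user, evs in by_user.items():
        recent = []                # (ts, src) of non-approved pushes inside the window
        attempt_reported = False   # report the burst once, not on every extra push
        for ts, _, result, src in evs:
            recent = [e for e in recent if ts - e[0] <= window]
            if result in NOT_APPROVED:
                recent.append((ts, src))
                if len(recent) >= threshold and not attempt_reported:
                    findings.append(_finding(user, "push_bombing_attempt", ts, recent))
                    attempt_reported = True
            elif result == "approved":
                if len(recent) >= threshold:
                    findings.append(_finding(user, "approved_after_push_fatigue", ts, recent))
                recent = []            # the session is decided; start a fresh window
                attempt_reported = False
    findings.sort(key=lambda f: f["at"])
    return findings


if __name__ == "__main__":
    for f in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{f['at']} {f['kind']:<28} {f['user']} pushes={f['pushes']} src={sorted(f['sources'])}")
```

On the sample data only jdoe fires: one "push_bombing_attempt" at the third rejected push and one "approved_after_push_fatigue" when the fourth is followed by an approval. The second finding is the one to page on, and it should be correlated with the help desk queue (a password or MFA reset, or a new device enrollment, for the same user in the same hour is the pattern the advisories describe). Moving the user to FIDO2/WebAuthn removes the push prompt, and with it this whole class of alert.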
Strengthen Your Incident Communications Now
The FBI warns that communication can make or break your cyber incident response. Secure your communications now: update IR plans with out-of-band procedures, train teams on using them, and assess solutions for secure crisis collaboration. Anyone looking for a best-of-breed out-of-band communications tool would do well to take into account what Forrester had to say:
“Organizations requiring out-of-band communications for incident response, security operations, or threat intel sharing should consider ArmorText.”
Why ArmorText
ArmorText has been recognized as a Leader in The Forrester Wave™: Secure Communications Solutions, Q3 2024. The report says:
“ArmorText outclasses for SecOps, incident response, and threat-intel-sharing use cases.”
Disclaimer: Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.