“Assume they’ll get in. Design for what happens next.”
That was the message from major UK retailers like Marks & Spencer and the Co-op during recent Parliamentary hearings on cyber resilience. Their stories were not hypothetical: both were recovering from real-world incidents involving identity compromise, supply chain breaches, and operational disruption that cost hundreds of millions of pounds.
The lesson is clear. Prevention is necessary, but it is no longer enough. To navigate today’s threat landscape, security leaders must think differently.
Prevention is Table Stakes, Resilience is the Goal
Modern resilience begins with a mindset shift. For years, cyber security focused on building bigger walls to keep attackers out. But attackers no longer need to break through those walls. Increasingly they walk through the front door using valid credentials, abusing trusted processes, or exploiting human behaviour.
Leaders are asking different questions. What happens when the attacker is already inside? How do we limit the blast radius? Can the business continue to operate during an incident? This shift means embedding detection and response as core capabilities, not bolt-ons. Think of fire alarms and sprinklers in a building: it is not enough to hope the fire never starts. You need systems in place to detect, contain, and survive it.
This mindset is informing everything from system architecture to communication plans. It means rehearsing real-world breach scenarios and integrating cyber response into crisis management. The goal is to contain and control the impact, not to chase the impossible goal of perfect prevention.
Identity is the New Perimeter
Attackers have moved from breaching systems to exploiting people and processes. Phishing, session hijacking, and helpdesk impersonation are now reliable access paths. Valid credentials are more valuable than malware. Groups like Scattered Spider demonstrate this shift. They call support desks, impersonate staff, and bypass security without touching a line of code. M&S and the Co-op were both breached using these methods.
Resilience means starting with identity. Enforce phishing-resistant MFA. Monitor for abnormal login behaviour. Harden account recovery procedures, because an attacker who can talk a helpdesk into a password reset or MFA re-enrolment never has to defeat the MFA itself. Identity misuse is no longer an edge case. It is a primary attack vector.
Scattered Spider: Real Methods, Not Myths
Scattered Spider isn’t a sophisticated cybercrime syndicate in the traditional sense. It’s a loosely affiliated group of financially motivated attackers, often teenagers, using repeatable, low-tech methods. The BBC and the UK’s National Crime Agency have linked them to multiple major breaches. Their tactics are consistent. They target helpdesks using social engineering. They use AiTM phishing kits like Evilginx to hijack sessions and bypass MFA. They exploit identity providers like Okta or Microsoft Entra, and sometimes even federate attacker-controlled SSO providers into the victim’s environment. Once inside, they exfiltrate data from SaaS apps and occasionally deploy ransomware directly to virtualised infrastructure.
These aren’t advanced malware authors. They are persistent social engineers who understand identity and operational weaknesses better than most defenders. Defeating them means fixing the processes they exploit, not just deploying new tools.
AiTM and MFA Downgrade Attacks
Modern phishing kits have moved beyond stealing credentials. AiTM phishing places a transparent reverse proxy between the victim and the real login page: the victim authenticates, including completing MFA, and the proxy captures the resulting session cookie, so the attacker inherits an authenticated session without ever needing the second factor. Some kits go further. Because a FIDO2 authenticator is bound to the legitimate site’s origin and will not complete a challenge relayed through a proxy, kits detect that option and steer the user to weaker alternatives such as push notifications or one-time codes. This happens invisibly to the user. Resilience therefore requires more than deploying the right tools. It demands securing or removing fallback methods, enforcing strong flows consistently, monitoring for suspicious session activity, and understanding that attackers will take the path of least resistance.
Helpdesk Exploitation
Helpdesks have become a favoured entry point. Attackers gather public information, impersonate users, and convince support staff to reset credentials or re-enrol MFA. These attacks are simple and repeatable. A convincing voice, a phone number, and some OSINT are often enough. Defending against this means treating helpdesks as frontline responders. Train them, test them, and give them clear escalation paths. Helpdesk abuse is one of the most common routes past even the best technical controls.
You Can’t Defend What You Can’t See
In hybrid, cloud-first environments, visibility is often patchy. Shadow IT, unmanaged services, dormant accounts, and forgotten third-party connections all create exposure. JUMPSEC research found that fewer than 20 percent of organisations have visibility over more than 95 percent of their assets. That means most companies are blind to a significant portion of their environment. Resilience depends on closing this gap. Automate asset discovery across cloud, on-prem, and third-party platforms. Continuously monitor your external attack surface. Reconcile discrepancies between IT and security inventories. You cannot protect or recover what you don’t know exists.
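One concrete form of the inventory reconciliation described above, as an added example rather than JUMPSEC’s own tooling: take what IT believes exists (a CMDB export) and what security tooling can actually see (an EDR console export with each agent’s last check-in), and list the hosts that fall between the two. The inputs are constructed, and the hostname normalisation and 30-day staleness window are assumptions for the example.

```python
"""Reconcile an IT inventory against what security tooling actually sees.

Added example, not JUMPSEC's code. Inputs are constructed: a CMDB export (what
IT thinks exists) and an EDR console export (which hosts have a reporting
agent, and when each last checked in). Hostname normalisation and the 30-day
staleness window are assumptions for the example.
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=30)  # assumption: an agent silent this long is not coverage


def normalise(host):
    """Lower-case and strip the DNS suffix so 'WEB01.corp.example' == 'web01'.
    Assumes short hostnames are unique across the estate."""
    return host.strip().lower().split(".")[0]


def reconcile(cmdb_hosts, edr_last_seen, as_of):
    """Return unmonitored, unknown and stale hosts plus a coverage ratio.

    Coverage is measured against the union of every source, not the CMDB
    alone: a host nobody recorded still exists, and counting only what IT
    knows about would flatter the number.
    """
    cmdb = {normalise(h) for h in cmdb_hosts}
    edr_all = {normalise(h): date.fromisoformat(d) for h, d in edr_last_seen.items()}
    active = {h for h, seen in edr_all.items() if as_of - seen <= STALE_AFTER}
    estate = cmdb | set(edr_all)
    return {
        "unmonitored": sorted(cmdb - active),       # IT knows it, security cannot see it
        "unknown": sorted(active - cmdb),           # security sees it, IT has no record
        "stale_agents": sorted(set(edr_all) - active),  # agent installed but silent
        "coverage": round(len(active) / len(estate), 3),
    }


# Constructed sample exports (not real data).
CMDB_EXPORT = ["WEB01.corp.example", "db01.corp.example", "legacy-app.corp.example", "Jump01"]
EDR_EXPORT = {"web01": "2024-06-01", "db01": "2024-06-01",
              "dev-box-7": "2024-06-01", "jump01": "2024-03-01"}
AS_OF = date(2024, 6, 2)


def run_sample():
    return reconcile(CMDB_EXPORT, EDR_EXPORT, AS_OF)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Each list maps to a different action: unmonitored hosts need an agent or a compensating control, unknown hosts need an owner before they can be risk-assessed, and stale agents are the quiet failure mode where a dashboard still shows the host as covered.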
Traditional Detection is Falling Behind
Modern phishing feels like a zero-day. Payloads are hosted on trusted platforms. Malicious pages are unique and dynamic. Indicators of compromise are often unavailable until it’s too late. Static detection struggles to keep up. Mature teams are shifting to behavioural techniques, focusing on what users and processes do, not just what they look like. They monitor browser and session activity, flag credential reuse, and build contextual triage pipelines. Detection needs to be proactive, not reactive.
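The behavioural approach described here, and the session and MFA monitoring called for in the Identity and AiTM sections above, can be made concrete with two simple rules run over sign-in events. This is an added example, not JUMPSEC’s or any product’s detection logic; the flattened event schema and the constructed sample events are assumptions modelled loosely on what cloud identity provider sign-in logs expose. The sample traces the AiTM sequence from the text: a user who normally signs in with FIDO2 is steered to a one-time code by the phishing kit, and the captured session is then replayed from a host that is not the proxy.

```python
"""Behavioural sign-in detection for AiTM session theft and MFA downgrade.

Added example, not JUMPSEC's or any product's code. The event schema below
(ts, user, ip, session_id, type, mfa) is an assumption: a flattened shape
loosely modelled on what cloud identity provider sign-in logs expose.
"""
from collections import defaultdict
from dataclasses import dataclass

# Relative strength of MFA methods. The ranking is an assumption for the
# example; the point is that FIDO2 resists AiTM proxies and the others do not.
MFA_STRENGTH = {"fido2": 3, "push": 2, "otp": 1, "none": 0}


@dataclass
class Finding:
    rule: str
    user: str
    detail: str


def detect(events):
    """Run two behavioural rules over sign-in events and return findings.

    session_reuse: a session ID later presented from a different IP than the
    one it was issued to (AiTM: issued to the proxy, replayed from the
    attacker's host). IP change alone is noisy on mobile and VPN egress, so in
    production correlate with ASN and device identity before paging anyone.

    mfa_downgrade: an interactive sign-in that completes a weaker MFA method
    than the strongest one that user has previously completed.
    """
    findings = []
    issued_to = {}                          # session_id -> ip it was first seen from
    best_mfa = defaultdict(lambda: "none")  # user -> strongest method seen so far
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ip, sid = e["user"], e["ip"], e["session_id"]
        if sid in issued_to and issued_to[sid] != ip:
            findings.append(Finding("session_reuse", user,
                f"session {sid} issued to {issued_to[sid]}, now used from {ip}"))
        issued_to.setdefault(sid, ip)       # never overwrite the issuing IP
        if e["type"] == "interactive":      # token replays carry no MFA step
            mfa = e["mfa"]
            if MFA_STRENGTH[mfa] < MFA_STRENGTH[best_mfa[user]]:
                findings.append(Finding("mfa_downgrade", user,
                    f"previously {best_mfa[user]}, this sign-in used {mfa}"))
            else:
                best_mfa[user] = mfa
    return findings


# Constructed sample events (not real log data). Addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"ts": 1, "user": "alice", "ip": "203.0.113.10", "session_id": "S1", "type": "interactive", "mfa": "fido2"},
    # AiTM proxy at 198.51.100.7 relays alice's login; the kit steered her to OTP
    {"ts": 2, "user": "alice", "ip": "198.51.100.7", "session_id": "S2", "type": "interactive", "mfa": "otp"},
    # captured session cookie replayed from the attacker's own host
    {"ts": 3, "user": "alice", "ip": "192.0.2.55", "session_id": "S2", "type": "token", "mfa": None},
    # bob has only ever used push, so push is his baseline and raises nothing
    {"ts": 4, "user": "bob", "ip": "203.0.113.20", "session_id": "S3", "type": "interactive", "mfa": "push"},
    {"ts": 5, "user": "bob", "ip": "203.0.113.20", "session_id": "S3", "type": "token", "mfa": None},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f.rule, f.user, f.detail)
```

Neither rule needs an indicator of compromise: the phishing page, its host and its domain are all unknown to the detector, which is the point of watching behaviour rather than artefacts. Tracking the strongest method per user also gives a natural escalation signal, since a downgrade for a FIDO2 user is far more suspicious than one for a user who has only ever used push.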
Segment and Isolate
If an attacker gains access, how far can they go? In flat networks, the answer is often: everywhere. That’s why segmentation is critical. Separate sensitive systems from general-purpose environments. Enforce least privilege and time-bound access. Ensure that compromise of one user or system does not lead to full control of the estate. Build in isolation capabilities so that systems, accounts, or cloud environments can be quickly quarantined without widespread disruption. Containment limits the damage and preserves operational continuity.
Modernise the Core
Legacy systems often become critical failure points during incidents. They lack visibility, logging, and patching support. In some breaches, recovery has taken weeks because legacy applications could not be quickly restored. Resilient organisations are identifying these risks. They are modernising key systems or wrapping them in logging, segmentation, and monitoring. They are building fallback plans that don’t depend on brittle infrastructure. Legacy systems aren’t just technical debt. They are business risk.
Train Like You Fight
Resilient organisations simulate attacks. They don’t just theorise about threats, they rehearse them. They use real-world TTPs from adversaries likely to target their sector. They test response under pressure, across people, processes, and technology. They run purple team exercises, measure detection effectiveness, and use threat intelligence to prioritise improvement. You cannot build resilience without testing it.
AI Impacts Both Sides
Artificial intelligence is changing cyber security. But it also raises uncomfortable questions. Recent reports from global coalitions and research labs warn that AGI could pose existential risks to humanity, particularly if control remains in the hands of a few unregulated entities. These concerns go far beyond cyber security, but they set the tone for how we think about AI’s power and governance. Today, attackers are already using AI to generate convincing phishing emails, automate credential attacks, build polymorphic malware, and impersonate people using deepfakes and chatbots. Defenders are using AI to summarise logs, prioritise alerts, and support investigations. AI is speeding up workflows, but it’s not infallible. It can hallucinate, it can be evaded, and it can be fed poisoned data.
Leading organisations are using AI to assist, not replace, human judgment. They are designing workflows where critical decisions remain human-led, and AI acts as a force multiplier.
Clarify Third-Party Risk
Attackers often gain access through suppliers. Outsourced IT, billing systems, and customer service platforms are common entry points. Resilient organisations take a structured approach. They map vendor access, enforce minimum standards, and monitor third-party activity. They prepare for what happens when, not if, a supplier is compromised. Your security perimeter now includes your suppliers. Treat it accordingly.
Eight Priorities to Strengthen Resilience
Security should enable the business, not slow it down. Resilient organisations absorb shocks, protect trust, and recover faster than competitors.
- Assume compromise, design for continuity and detection
- Prioritise visibility across all assets and environments
- Focus on behaviours, not just static detections
- Rehearse recovery for full system failure
- Segment networks and isolate rapidly
- Address legacy risks at the core
- Train using real adversary methods
- Include suppliers in your defensive model
Resilience is not just about survival. It’s about maintaining control, trust, and operational capability under pressure. That is what modern security leadership looks like.
Matt Lawrence
Matt has over 20 years of experience in the cyber security industry, currently leading JUMPSEC’s Detection & Response function and overseeing Managed eXtended Detection and Response (MXDR) services.
