One Learning Event. Six Team Views.

Same finding, different actions. KTLYST automates everything except the one decision that matters: approve or reject. The human clicks once. The system does the rest.

Learning Event #LE-2024-0847
Scattered Spider Social Engineering Campaign — IT Helpdesk Targeting
Source: CISA Advisory AA23-353A + Internal Incident IR-2024-0312  |  ✓ Zero-inference verified
6 Teams | 14 Actions | 9 Deployed | 12 🤖 Automated | 2 👤 Human only
How it works
🤖 Auto: KTLYST does this, no human involved
👤 Approve: a human reviews and clicks approve or reject
⚡ Auto-deploy: pushes to your tools after approval
🔍 CTI Analyst View
"What did this advisory actually say, and can I trust the extraction?"
📤 Nobody opens KTLYST. This enriched intelligence pushes directly into your existing TIP — attached to the threat actor profile, with provenance.
Integrations: ThreatConnect, MISP, Anomali, Recorded Future
Extracted Behavioral Patterns 🤖 Auto
• Threat actor calls IT helpdesk impersonating employee
• Requests MFA reset on targeted executive accounts
• Uses social media reconnaissance to answer security questions
• Pivots to Okta admin console within 4 minutes of credential access
• Deploys Azure AD backdoor app for persistence
5 behavioral patterns ✓ All source-verified
Provenance Chain 🤖 Auto
Every extraction traces to exact source text. No inference. No hallucination.
Page 4, ¶2: "Scattered Spider actors have historically evaded detection on target networks by using living off the land techniques and allowlisted applications"
Page 7, ¶1: "Actors gained access through social engineering of IT help desk personnel to reset multi-factor authentication"
✓ Character-level provenance: CISA AA23-353A
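The provenance chain above is only worth its checkmark if every cited quote can be located verbatim at the page and paragraph it cites. The block below is an added example (not KTLYST code and not the page's extraction pipeline) showing the check a CTI reviewer would run over an extractor's output: the source document, its (page, paragraph) keys, the claims, the `normalize` and `verify_provenance` function names and the non-breaking-space artefact are all constructed for the illustration. It distinguishes a quote that verifies at its citation, one that exists but is cited at the wrong paragraph, and one that appears nowhere in the source, which is the signature of an inference rather than an extraction.

```python
import re
import unicodedata

# Constructed excerpt of an advisory, keyed by (page, paragraph). Paragraphs
# (4, 2) and (7, 1) carry the two quotes cited on this page; (4, 1) is filler so
# a wrong citation can be told apart from a quote that is absent altogether.
SOURCE_DOC = {
    (4, 1): "Scattered Spider is a cybercriminal group that targets large companies "
            "and their contracted information technology help desks.",
    (4, 2): "Scattered Spider actors have historically evaded detection on target "
            "networks by using living off the land techniques and allowlisted applications",
    (7, 1): "Actors gained access through social engineering of IT help desk "
            "personnel to reset multi-factor authentication",
}

# Constructed extractor output: each behavioral pattern cites the quote that supports it.
CLAIMS = [
    {"pattern": "Threat actor calls IT helpdesk impersonating employee",
     "page": 7, "para": 1,
     "quote": "social engineering of IT help desk personnel to reset multi-factor authentication"},
    {"pattern": "Uses living-off-the-land tooling and allowlisted applications",
     "page": 4, "para": 2,
     "quote": "living off the land techniques and allowlisted\u00a0applications"},  # NBSP artefact
    {"pattern": "Requests MFA reset",
     "page": 4, "para": 2,   # real quote, but the citation points at the wrong paragraph
     "quote": "reset multi-factor authentication"},
    {"pattern": "Deploys ransomware on day one",
     "page": 7, "para": 1,   # constructed inference with no supporting text anywhere
     "quote": "deployed ransomware on day one"},
]


def normalize(text):
    """Fold Unicode quotes, dashes and whitespace so extraction artefacts do not defeat matching."""
    text = unicodedata.normalize("NFKC", text)
    for src, dst in (("\u2018", "'"), ("\u2019", "'"), ("\u201c", '"'), ("\u201d", '"'),
                     ("\u2013", "-"), ("\u2014", "-")):
        text = text.replace(src, dst)
    return re.sub(r"\s+", " ", text).strip()


def verify_provenance(claims, source=SOURCE_DOC):
    """Check every claim's quote against the paragraph it cites.

    Returns one dict per claim with status 'verified' (plus character offsets into
    the normalized paragraph), 'wrong_location' (quote exists in another paragraph),
    'unsupported' (quote exists nowhere in the source) or 'missing_location'.
    """
    normalized = {loc: normalize(p) for loc, p in source.items()}
    results = []
    for claim in claims:
        loc = (claim["page"], claim["para"])
        quote = normalize(claim["quote"])
        if loc not in normalized:
            results.append({**claim, "status": "missing_location"})
            continue
        start = normalized[loc].find(quote)
        if start >= 0:
            results.append({**claim, "status": "verified", "start": start, "end": start + len(quote)})
            continue
        found_at = [l for l, p in normalized.items() if quote in p]
        results.append({**claim, "status": "wrong_location" if found_at else "unsupported",
                        "found_at": found_at})
    return results


def unsupported_patterns(claims, source=SOURCE_DOC):
    """Patterns a reviewer must not trust: anything that did not verify at its citation."""
    return [r["pattern"] for r in verify_provenance(claims, source) if r["status"] != "verified"]


if __name__ == "__main__":
    for r in verify_provenance(CLAIMS):
        print(f'{r["status"]:16} {r["pattern"]}')
```

Offsets are reported into the normalized paragraph, so anyone re-checking them must apply the same normalization; a wrong-location result is worth treating as a defect of the extractor even though the text is real, because an auditor following the citation will not find it.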
MITRE ATT&CK Mapping 🤖 Auto
Technique mappings extracted from source document with evidence.
• T1566.004 — Spearphishing Voice
• T1078 — Valid Accounts
• T1098 — Account Manipulation
• T1136 — Create Account
• T1534 — Internal Spearphishing
• T1021.007 — Cloud Services
Connected Intelligence 🤖 Auto
KTLYST links this advisory to prior learning in your org's memory.
⚡ Related: IR-2024-0298 — Caesars Entertainment breach (same actor, same TTPs, Sep 2023)
⚡ Related: LE-2024-0791 — Okta support system compromise (credential overlap)
⚡ Escalation: 3 prior learning events share ≥2 TTPs with this campaign
⚙️ Detection Engineer View
"What rules do I need to review, and where's the evidence they're correct?"
📤 Nobody opens KTLYST. Rules appear as draft PRs in your detection repo or as pending rules in your SIEM console — ready to review and approve in your existing workflow.
Integrations: GitHub PR, Splunk, Snowflake, Elastic, Sentinel
Generated Rule — Ready for Review 🤖 Auto-generated 👤 Approve
Rapid MFA Reset Followed by Okta Admin Access
Behavioral rule detecting the exact attack sequence documented in CISA AA23-353A.
    -- Rule: Scattered Spider MFA Reset → Okta Admin Pivot
    -- Source: CISA AA23-353A, Page 7 ¶1 + IR-2024-0312
    -- Confidence: HIGH | Provenance: VERIFIED
    --
    -- Joins a resolved MFA-reset helpdesk ticket to an admin-only Okta app
    -- configuration change (application.lifecycle.update on an AppInstance)
    -- performed by the same user within 30 minutes of the reset.
    -- Prerequisite: helpdesk.target_user must carry the same login identifier
    -- Okta records as actor.alternateId, or the join never matches.
    SELECT
        helpdesk.ticket_id,
        helpdesk.target_user,
        okta.actor_display_name,
        DATEDIFF('minute', helpdesk.resolved_at, okta.event_time) AS minutes_to_admin
    FROM helpdesk_tickets helpdesk
    JOIN okta_system_log okta
        ON helpdesk.target_user = okta.actor_alternate_id
    WHERE helpdesk.category = 'mfa_reset'
      AND okta.event_type = 'application.lifecycle.update'
      AND okta.target_type = 'AppInstance'
      -- Snowflake accepts SELECT aliases in WHERE; other dialects need the DATEDIFF repeated
      AND minutes_to_admin BETWEEN 0 AND 30
      -- One-day lookback bounds the scan; widen it if the rule runs less often than daily
      AND helpdesk.resolved_at >= DATEADD('day', -1, CURRENT_TIMESTAMP());
Snowflake SQL | ✓ Provenance verified | ⏳ Awaiting review | Behavioral rule: survives infra changes
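A reviewer should be able to exercise the correlation against known inputs before clicking approve. The block below is an added example, not KTLYST code and not the rule as it would be deployed: it ports the rule to SQLite (Snowflake's DATEDIFF and DATEADD have no SQLite equivalents, so the time arithmetic uses epoch seconds and the lookback takes a bound `:now` parameter, both assumptions of this example) and runs it over constructed helpdesk tickets and a flattened Okta System Log whose column names follow the rule above. Each branch of the WHERE clause is hit by one constructed row: a true positive four minutes after the reset, a pivot outside the 30-minute window, a non-MFA ticket, an Okta event that precedes the reset, an event that is not an app change, and a ticket older than the lookback. The user names and ticket numbers are made up for the illustration.

```python
import sqlite3

# Constructed sample data, not real logs. Column names follow what the page's
# Snowflake rule assumes for helpdesk_tickets and a flattened Okta System Log.
HELPDESK_TICKETS = [
    # ticket_id, target_user, category, resolved_at
    ("HD-1001", "j.martinez@corp.com", "mfa_reset",      "2024-01-16 10:00:00"),  # app change 4 min later: alert
    ("HD-1002", "a.kim@corp.com",      "mfa_reset",      "2024-01-16 09:00:00"),  # app change 50 min later: outside window
    ("HD-1003", "b.lee@corp.com",      "password_reset", "2024-01-16 10:00:00"),  # not an MFA reset
    ("HD-0900", "c.ng@corp.com",       "mfa_reset",      "2024-01-10 10:00:00"),  # older than the 1-day lookback
]
OKTA_EVENTS = [
    # event_time, event_type, actor_alternate_id, actor_display_name, target_type
    ("2024-01-16 10:04:00", "application.lifecycle.update", "j.martinez@corp.com", "Jorge Martinez", "AppInstance"),
    ("2024-01-16 09:58:00", "application.lifecycle.update", "j.martinez@corp.com", "Jorge Martinez", "AppInstance"),  # before the reset
    ("2024-01-16 10:02:00", "user.session.start",           "j.martinez@corp.com", "Jorge Martinez", "User"),         # not an app change
    ("2024-01-16 09:50:00", "application.lifecycle.update", "a.kim@corp.com",      "Ana Kim",        "AppInstance"),
    ("2024-01-16 10:05:00", "application.lifecycle.update", "b.lee@corp.com",      "Bo Lee",         "AppInstance"),
    ("2024-01-10 10:03:00", "application.lifecycle.update", "c.ng@corp.com",       "Chris Ng",       "AppInstance"),
]

# SQLite port of the rule. DATEDIFF('minute', a, b) becomes epoch-second
# arithmetic, filtered in seconds so a sub-minute negative delta cannot truncate
# to 0 and slip inside the window; DATEADD('day', -1, CURRENT_TIMESTAMP())
# becomes a bound :now so runs are reproducible. Filters are otherwise unchanged.
RULE_SQL = """
WITH candidates AS (
    SELECT helpdesk.ticket_id,
           helpdesk.target_user,
           okta.actor_display_name,
           CAST(strftime('%s', okta.event_time) AS INTEGER)
             - CAST(strftime('%s', helpdesk.resolved_at) AS INTEGER) AS seconds_to_admin
    FROM helpdesk_tickets helpdesk
    JOIN okta_system_log okta
      ON helpdesk.target_user = okta.actor_alternate_id
    WHERE helpdesk.category = 'mfa_reset'
      AND okta.event_type = 'application.lifecycle.update'
      AND okta.target_type = 'AppInstance'
      AND helpdesk.resolved_at >= datetime(:now, '-1 day')
)
SELECT ticket_id, target_user, actor_display_name, seconds_to_admin / 60 AS minutes_to_admin
FROM candidates
WHERE seconds_to_admin BETWEEN 0 AND 30 * 60
ORDER BY ticket_id
"""


def build_db(tickets, events):
    """Load the constructed rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE helpdesk_tickets (ticket_id TEXT, target_user TEXT, category TEXT, resolved_at TEXT);
        CREATE TABLE okta_system_log (event_time TEXT, event_type TEXT, actor_alternate_id TEXT,
                                      actor_display_name TEXT, target_type TEXT);
    """)
    conn.executemany("INSERT INTO helpdesk_tickets VALUES (?, ?, ?, ?)", tickets)
    conn.executemany("INSERT INTO okta_system_log VALUES (?, ?, ?, ?, ?)", events)
    return conn


def run_rule(now="2024-01-16 12:00:00", tickets=HELPDESK_TICKETS, events=OKTA_EVENTS):
    """Return (ticket_id, target_user, actor_display_name, minutes_to_admin) per hit."""
    with build_db(tickets, events) as conn:
        return conn.execute(RULE_SQL, {"now": now}).fetchall()


if __name__ == "__main__":
    for hit in run_rule():
        print(hit)  # only HD-1001 / j.martinez fires, 4 minutes after the reset
```

Running it with the default clock returns exactly one row, the j.martinez pivot; moving `:now` back to 2024-01-10 brings the older c.ng ticket into the lookback as well. Keeping these constructed rows next to the rule in the PR is the cheapest evidence that a reviewer can attach to the approval package.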
Approval Package 🤖 Auto-assembled
Everything you need to approve or reject this rule in one place.
✅ Source paragraphs attached (Page 4 ¶2, Page 7 ¶1)
✅ MITRE mapping: T1566.004 → T1078 → T1098
✅ Expected log sources: Okta System Log, Helpdesk API
⚠️ Required: Helpdesk ticket data in Snowflake
✅ False positive estimate: LOW (time-window correlation)
Additional Rules from This Event ⚡ Auto-deploy after approval
Rule 2 of 4: Azure AD app creation by non-admin identity | ✓ Deployed
Rule 3 of 4: Lateral movement via RDP within 15 min of MFA reset | ⏳ Review
Rule 4 of 4: PsExec execution from newly provisioned account | ✓ Deployed
🖥️ SOC Analyst View
"This alert just fired. What does it mean and what do I do next?"
📤 Nobody opens KTLYST. When the alert fires, this context is attached directly to the alert in your SIEM — the analyst sees campaign history, next steps, and related incidents without switching tools.
Integrations: Splunk SOAR, Sentinel, ServiceNow, PagerDuty
🔴 Alert Fired — Context from Learning Event 🤖 Auto-attached to alert
MFA Reset → Okta Admin Pivot detected for user j.martinez@corp.com
Why this alert exists:
This rule was created because CISA Advisory AA23-353A documented Scattered Spider actors calling IT helpdesks to reset MFA, then pivoting to Okta admin consoles within minutes. This is the exact attack pattern that hit Caesars and MGM in September 2023.
Immediate Actions 🤖 Auto-generated from playbook
1. Verify with IT helpdesk: did j.martinez request the MFA reset? Call back on a directory number, not one taken from the ticket or an email.
2. Check the Okta admin log for j.martinez: any app registrations, app configuration changes, or policy changes?
3. Review Azure AD for new app registrations or enterprise applications (service principals) created in the last 30 minutes
4. If confirmed: escalate to IR immediately — this matches active Scattered Spider TTP chain
What to Hunt Next 🤖 Auto — from campaign memory
If this alert is a true positive, Scattered Spider's documented next moves are:
🔎 Internal spearphishing from compromised account (T1534)
🔎 Data staging in cloud storage — look for unusual SharePoint/OneDrive activity
🔎 RDP lateral movement to finance/HR systems
🔎 Credential harvesting via browser session hijack
Source: CISA AA23-353A pg. 8–12
Campaign Context 🤖 Auto-correlated
This alert is part of a known campaign pattern. KTLYST has tracked 3 related learning events involving Scattered Spider across your org.
📌 Caesars breach postmortem (Sep 2023) — same initial access vector
📌 Okta support compromise — credential overlap with this actor
📌 Internal IR-2024-0298 — similar social engineering attempt (blocked)
🚨 IR Lead View
"Have we seen this before? What worked last time? What didn't?"
📤 Nobody opens KTLYST. When an incident opens, campaign history and prior learnings auto-attach to the incident ticket. The IR lead sees what worked and what failed last time — before the first call.
Integrations: Jira, ServiceNow, TheHive, Slack #incident
Cross-Incident Correlation — Institutional Memory 🤖 Auto — built over time
KTLYST links this learning event to every prior encounter with Scattered Spider in your org. What you learned then informs what you do now.
Sep 7, 2023
Caesars breach postmortem ingested — 4 behavioral patterns extracted, 2 became deployed rules. Social engineering vector identified but helpdesk monitoring not implemented.
Sep 12, 2023
MGM advisory processed — KTLYST flagged: "same actor, overlapping TTPs with Caesars. 2 rules from Caesars event applicable here." Elevated priority automatically.
Oct 2023
Okta support compromise linked — credential overlap detected. KTLYST correlated stolen Okta session tokens with Scattered Spider infrastructure. New rules generated.
Nov 2023
CISA AA23-353A published — KTLYST matched 4 of 5 behavioral patterns to existing internal learning events. Gap identified: helpdesk → Okta admin correlation rule missing. Rule generated and queued for review.
Feb 2024
Internal attempt blocked — Rule from this learning event fired. SOC had full context from campaign history. Contained in 12 minutes. This is compounding.
What Worked Last Time 🤖 Auto — from prior events
✅ Okta session revocation within 5 minutes of detection
✅ Azure AD conditional access policy blocked new app registration
✅ SOC had campaign context → no triage delay
What Failed Last Time 🤖 Auto — gap tracking
❌ Helpdesk had no callback verification procedure
❌ RDP lateral movement wasn't detected for 3 hours
❌ No automated containment for compromised cloud sessions
⏳ 2 of 3 gaps now covered by new rules
📊 CISO / Security Leadership View
"Are we actually defended? Can I prove it?"
📤 Nobody opens KTLYST. Coverage dashboards and accountability reports push to your existing BI tools on schedule. Board-ready metrics arrive in the format leadership already consumes.
Integrations: Tableau, Power BI, Email digest, Slack #security-leadership
Learning Event Accountability — All Teams 🤖 Auto-tracked
This advisory required action from 6 teams. KTLYST auto-generated, assigned, deployed, and verified. Humans only approved.
Team           | Required Action                                       | Work by | Status
Detection Eng  | Deploy MFA reset → Okta admin pivot rule              | 🤖      | ✓ Deployed
Detection Eng  | Deploy Azure AD backdoor app creation rule            | 🤖      | ✓ Deployed
Detection Eng  | Deploy RDP lateral movement rule                      | 👤      | ⏳ Awaiting approval
IT Operations  | Implement helpdesk callback verification procedure    | 🤖      | ✓ Deployed
Identity / IAM | Enforce conditional access on Okta admin actions      | 🤖      | ✓ Deployed
Security Eng   | Enable helpdesk ticket data pipeline to Snowflake     | 👤      | ⏳ Requires infra change
Security Eng   | Automated Okta session revocation playbook            | 🤖      | ✓ Deployed
SOC            | Update runbook with Scattered Spider campaign context | 🤖      | ✓ Auto-attached
GRC            | Document CISA advisory response for audit             | 🤖      | ✓ Auto-generated
Coverage Summary 🤖 Auto-calculated
This Learning Event: 78%
Scattered Spider (All Events): 64%
Social Engineering (Attack Class): 41%
Quarter-over-Quarter 🤖 Auto-calculated
↑ 34% Learning events → enforced defenses (vs Q3)
↓ 71% Average time from learning to deployment (22 days → 6.4 days)
↑ 12 Cross-team learning connections discovered
⚠️ 3 Learning events still pending action >30 days
📋 GRC / Compliance View
"Can we prove to auditors we acted on this advisory?"
📤 Nobody opens KTLYST. Audit evidence packages export on schedule or on-demand — complete chain of custody from advisory receipt to enforced defense, in the format your auditor expects.
Integrations: PDF export, JSON/CSV, ServiceNow GRC, Archer
Audit Evidence — Advisory Response Timeline 🤖 Auto-recorded
Complete chain of custody from advisory receipt to enforced defense. Every step timestamped, attributed, and verifiable.
2024-01-15T09:12:00Z
Advisory received — CISA AA23-353A ingested by KTLYST. Learning Event #LE-2024-0847 created automatically.
2024-01-15T09:12:34Z
Extraction complete — 5 behavioral patterns, 6 MITRE mappings, 12 indicators extracted. Zero-inference verification passed. Provenance chain recorded.
2024-01-15T09:14:00Z
Cross-reference — System linked to 3 existing learning events (Caesars, MGM, Okta). Elevated to HIGH priority based on pattern overlap.
2024-01-15T11:30:00Z
Actions assigned — 14 actions across 6 teams generated. Owners notified. SLA clock started.
2024-01-16T14:22:00Z
First rules deployed — Detection Eng approved and deployed 2 of 4 rules. Approval by: Sarah Chen (Sr. Detection Eng). Evidence: PR #4721, Snowflake deployment log.
2024-01-22T09:00:00Z
9 of 14 actions complete — 5 remaining tracked with owners and ETAs. Compliance notified per SLA.
Regulatory Mapping 🤖 Auto-mapped
NIST CSF — DE.CM (Continuous Monitoring), RS.AN (Analysis)
SOC 2 Type II — CC7.2 (Monitoring of System Components)
ISO 27001 — A.16.1 (Management of Security Incidents)
PCI DSS 4.0 — Req 12.10 (Incident Response Plan)
Exportable Evidence Package 🤖 Auto-assembled
One-click export for auditors. Everything in one document.
📄 Advisory source document + receipt timestamp
📄 Extraction output + provenance chain
📄 Decision log (who approved, when, what evidence)
📄 Deployment proof (PRs, config changes, logs)
📄 Current status of all open actions + SLA tracking
📄 Regulatory control mapping
✓ Audit-ready PDF + JSON export

KTLYST — One learning event. Every team sees what they need. Every action tracked. Every defense verified.

Nobody logs into KTLYST. KTLYST logs into their tools. That's what a Security Learning Control Plane does.