
Scattered Spider: A 90-day recovery plan to build better resilience

Learn how organizations can recover from Scattered Spider attacks. Follow our 90-day recovery plan to rebuild systems, strengthen defenses, and boost cyber resilience.

diskordia, Oct 28, 2025

In April 2025, Scattered Spider executed a sophisticated cyberattack on Marks & Spencer (M&S), exploiting social engineering tactics to compromise IT helpdesk personnel.

This breach led to unauthorized access, data exfiltration, and significant operational disruptions, including the suspension of online and telephone orders and the shutdown of automated ordering and stock systems. It also cost the retailer around £300m in lost profits.

Similarly, the Co-op faced a cyberattack in May 2025, resulting in data loss and downtime, as well as at least £206m in lost revenue. While financial data remained secure, the breach highlighted vulnerabilities in service desk operations and the need for enhanced cybersecurity measures.


These incidents underscore the necessity for a comprehensive recovery strategy. The following 90-day recovery guide and downloadable checklist gives you actionable steps to rebuild systems, fortify defenses, and prepare for future threats. That’s how real cyber resilience is built.


Phase 1: Containment and triage (Days 0–10)

Objective: Stop lateral movement and prevent further compromise.

Actions:

  • Lock down compromised accounts: Immediately disable accounts involved in suspicious activity and force password resets.

  • Re-enroll MFA: Reset hardware and software tokens to close authentication gaps.

  • Isolate infected endpoints: Disconnect compromised systems to prevent lateral movement.

  • Audit recent session activity: Identify logins from unusual IPs, times, or devices to detect unauthorized access.

Real-world application: Following the M&S breach, immediate containment measures were crucial in preventing further unauthorized access and mitigating the impact on operations.

Phase 2: Validation and investigation (Days 11–30)

Objective: Understand the full scope of compromise and identify hidden footholds.

Actions:

  • Active Directory integrity checks: Review replication status, GPO consistency, and SID history to detect unauthorized changes.

  • Credential and session correlation: Match event logs against stolen accounts to identify misuse.

  • Baseline endpoint and cloud behavior: Compare against historical telemetry to spot anomalies.

  • Forensic triage of NTDS.dit access: Investigate unauthorized dumps and map to impacted users.
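An added example (not code from the original post or from Hack The Box) that covers both the Phase 1 session audit and the Phase 2 credential and session correlation: it builds a per-user baseline of (IP, device) pairs from pre-incident sign-ins, then flags every in-window session that deviates from that baseline, falls outside business hours, or belongs to a confirmed-stolen account. The sign-in records, the compromised-account list, the incident start date and the 07:00-19:59 UTC working window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sign-in records (timestamp|user|src_ip|device); not logs from any real incident.
SIGNIN_LOG = """\
2025-04-14T09:02:11Z|jsmith|10.20.1.15|LAPTOP-JS01
2025-04-15T08:55:40Z|jsmith|10.20.1.15|LAPTOP-JS01
2025-04-17T03:41:27Z|jsmith|203.0.113.77|UNKNOWN-DEVICE
2025-04-14T10:00:00Z|mjones|10.20.2.30|LAPTOP-MJ02
2025-04-17T10:05:12Z|mjones|10.20.2.30|LAPTOP-MJ02
"""
COMPROMISED = {"jsmith"}                                      # accounts confirmed stolen (constructed)
INCIDENT_START = datetime(2025, 4, 17, tzinfo=timezone.utc)  # assumed start of the review window
BUSINESS_HOURS = range(7, 20)                                 # assumed 07:00-19:59 UTC working hours

def parse_signins(text):
    """Parse the pipe-delimited records into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, device = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "ip": ip, "device": device})
    return sorted(events, key=lambda e: e["ts"])

def build_baseline(events, before):
    """Per-user set of (ip, device) pairs observed before the incident window."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < before:
            baseline[e["user"]].add((e["ip"], e["device"]))
    return baseline

def audit_sessions(events, baseline, compromised, since):
    """Return (user, iso_timestamp, ip, reasons) for each in-window session worth review."""
    findings = []
    for e in (x for x in events if x["ts"] >= since):
        reasons = []
        if (e["ip"], e["device"]) not in baseline[e["user"]]:
            reasons.append("new ip/device")              # deviates from the pre-incident baseline
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if e["user"] in compromised:
            reasons.append("known-compromised account")  # every session of a stolen account is reviewed
        if reasons:
            findings.append((e["user"], e["ts"].isoformat(), e["ip"], reasons))
    return findings

def run_audit():
    events = parse_signins(SIGNIN_LOG)
    return audit_sessions(events, build_baseline(events, INCIDENT_START), COMPROMISED, INCIDENT_START)
```

Against the sample, only the 03:41 UTC sign-in by the stolen account from an unseen IP and device is reported; the other user's in-window session matches their baseline and stays quiet.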

Real-world application: In the Co-op incident, thorough investigation revealed the extent of data loss and helped identify the compromised systems, facilitating targeted remediation efforts.

Phase 3: Rebuild and remediate (Days 31–60)

Objective: Reconstruct systems and trust while eliminating attack vectors.

Actions:

  • Reissue certificates and rebuild trust: Replace compromised certificates to restore secure communications.

  • Reestablish tiered admin accounts: Implement least privilege access to minimize potential damage.

  • Rotate service account credentials: Change credentials for service accounts to prevent unauthorized access.

  • Apply detection tuning based on TTPs: Configure SIEM/EDR to flag techniques used by Scattered Spider, such as impersonation and credential dumping.
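An added example of the detection tuning described in the last item, written for this post rather than taken from it: a sequence rule for the helpdesk-impersonation chain (a password reset performed by someone other than the user, followed within a short window by an MFA re-registration and a sign-in from an IP that user has never used). The identity-provider events, the per-user known-IP baseline and the two-hour window are constructed assumptions; the event names are illustrative, not any vendor's schema.

```python
from datetime import datetime, timedelta

# Constructed identity-provider audit events: (timestamp, event, target_user, actor, src_ip).
# They are illustrative only, not records from any real tenant or incident.
EVENTS = [
    ("2025-04-17T13:02:00Z", "password_reset", "jsmith", "helpdesk01", "10.20.9.5"),
    ("2025-04-17T13:09:00Z", "mfa_registered", "jsmith", "jsmith", "198.51.100.23"),
    ("2025-04-17T13:12:00Z", "signin_success", "jsmith", "jsmith", "198.51.100.23"),
    ("2025-04-17T14:00:00Z", "password_reset", "mjones", "helpdesk02", "10.20.9.5"),
    ("2025-04-17T15:30:00Z", "signin_success", "mjones", "mjones", "10.20.2.30"),
]
KNOWN_IPS = {"jsmith": {"10.20.1.15"}, "mjones": {"10.20.2.30"}}  # constructed per-user baseline
WINDOW = timedelta(hours=2)  # assumed: the whole chain inside two hours is what we alert on

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_helpdesk_takeover(events, known_ips, window=WINDOW):
    """Alert when a password reset performed by someone other than the user is followed,
    within `window`, by an MFA re-registration and a successful sign-in from an IP the
    user has never used. Returns a list of (user, reset_iso_timestamp, signin_ip)."""
    by_user = {}
    for ts, ev, user, actor, ip in sorted(events):   # ISO timestamps sort chronologically
        by_user.setdefault(user, []).append((_ts(ts), ev, actor, ip))
    alerts = []
    for user, evs in by_user.items():
        for i, (t0, ev, actor, _ip) in enumerate(evs):
            if ev != "password_reset" or actor == user:
                continue                               # self-service resets are not this pattern
            later = [e for e in evs[i + 1:] if e[0] - t0 <= window]
            re_enrolled = any(e[1] == "mfa_registered" for e in later)
            new_ip = next((e[3] for e in later
                           if e[1] == "signin_success" and e[3] not in known_ips.get(user, set())), None)
            if re_enrolled and new_ip:
                alerts.append((user, t0.isoformat(), new_ip))
    return alerts

def run_detection():
    return detect_helpdesk_takeover(EVENTS, KNOWN_IPS)
```

A helpdesk reset on its own (the second user) produces nothing; the alert fires only when the full reset, re-enrollment and new-IP sign-in sequence completes inside the window.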

Real-world application: Post-breach remediation at M&S involved rebuilding trust in systems and implementing stricter access controls to prevent future incidents.

Phase 4: Hardening and CTEM integration (Days 61–90)

Objective: Convert recovery into lasting operational resilience.

Actions:

  • Simulated attack scenarios: Replicate Scattered Spider TTPs in a controlled environment to stress-test detection and response capabilities.

  • Measure mean time to detect/respond (MTTD/MTTR): Use these exercises to benchmark team performance and identify areas for improvement.

  • Embed exposure learnings into CTEM: Integrate lessons learned into Cyber Threat Exposure Management (CTEM) to enhance future readiness.

  • Continuous monitoring adjustments: Tune alerts to highlight subtle behavioral anomalies, such as unusual login patterns and unauthorized access attempts.

Real-world application: M&S's recovery efforts included implementing continuous monitoring and conducting simulated attack scenarios to enhance their resilience against future threats.


What’s next?

The Scattered Spider attacks on M&S and the Co-op serve as stark reminders of the vulnerabilities inherent in retail operations. By following this 90-day recovery plan, organizations can not only recover from such breaches but also fortify their defenses against future threats more effectively.

And don’t forget: the proper integration of CTEM practices ensures that recovery efforts translate into lasting resilience, enabling teams to detect, respond to, and mitigate attacks more effectively.
