Fighting Cybercriminals in the Retail Industry

With the UK high street floundering amid falling consumer spending power and rising import prices, the country’s retailers have turned to digitalisation to improve their customer experience and find efficiency savings in a struggling sector. These opportunities do not come without risks, however: new analysis shows that the number of cyber breaches in retail more than doubled in the last year, resulting in disruption, reputational damage and significant financial losses. With Black Friday fast approaching, the threat from illicit actors targeting both consumers and retailers is no doubt around the corner.

UK Retailer Breach

Last year, health and beauty retailer Superdrug Stores admitted to a security breach that potentially compromised the names, addresses and, in some cases, dates of birth and phone numbers of 20,000 customers. The financial and reputational consequences of a cyber-attack can be huge, and retailers of all sizes, including Superdrug, need to ensure they can effectively respond to and recover from a cyber-breach if the worst should happen.

Retailers are very tempting targets for hackers because of the sheer volume of business being done, the scale of their systems and the type of data they hold. As a result, they face a multitude of threats from different cybercriminal individuals and collectives, using an ever-increasing variety of vectors and techniques. In such a crowded environment, knowing where to direct defence activity is a large part of the problem. These businesses need cybersecurity teams that can combine and summarise all external and internal threat data, filter out the noise, assess and prioritise threat intelligence, and then act on it. In cybersecurity, attack is the best form of defence: the faster a team can import, enrich, deploy and operationalise that information, the more chance that these actors’ mistakes and oversights are caught.

The key challenges for retailers centre on PII and payment information, spear-phishing and vulnerability patching.

Personally Identifiable Information and Payment Information

PII and credit card data are essential to the retail industry. Every transaction involves the exchange of valuable information, and this massive amount of data makes retailers lucrative targets for threat actors. Secure payment technology helps strengthen defences, but it is not a silver bullet: research by Visa shows that when attacks do happen, they result in higher-impact breaches. Whilst chip technology increases the security of point-of-sale (POS) transactions, it does nothing to protect the “card not present” transactions involved in the e-commerce side of the business.

Spear Phishing

Many of the top threats to the retail industry use spear-phishing emails that are nearly impossible to differentiate from legitimate emails. Some campaigns mount a rapid, wide-scale attack against multiple merchants using a scattergun approach. Others target the merchant’s POS vendor or integrator to gain access. Once inside the network, they take advantage of vulnerabilities for credential takeover and privilege escalation to steal payment card data or launch ransomware attacks.

Vulnerability Patching

Threat actors take advantage of the fact that IT and security teams struggle to keep up with patching of their POS systems, e-commerce payment applications and underlying internal infrastructure. As retail merchants strive to remain competitive in this difficult market, they invest in additional digital channels, applications and technologies that add complexity to the environment, further compound the patching challenge and create new vulnerabilities.

The Six Steps to Success

Retailers need to ensure that their cyber teams are operationalising threat intelligence, which allows those teams to learn from industry peers and their own past experiences, discover adversarial TTPs, and proactively reassess and strengthen defences against future attacks. Following these six workflow steps allows retailers to combat these ongoing threats successfully.

Consolidation of all sources: Whether the information is external (e.g., R-CISC) or internal (e.g., SIEM), the threat intelligence and vulnerability data need to be kept in a central repository.

Elimination: With the large amount of data and sources, it is imperative to eliminate noise so that teams can navigate vast amounts of threat data and focus on critical assets and vulnerabilities.

Prioritisation: Security teams need to ensure that they prioritise what matters most for their respective environment.

Proactivity: It is important to ensure the teams are hunting for malicious activity which may signal payment card fraud, denial of service attacks and other harm to consumers and merchants.

Focus: Attention to known security vulnerabilities with currently active exploits, which may affect regulatory status and security posture, is also a key step in ensuring proactive measures are taken.

Analysis: Evaluation of, and response to, attacks against multiple targets, including POS systems, e-commerce applications, new digital channels and supporting infrastructure, is another important proactive step.
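The six steps above describe one workflow, so the following added example (not part of the original article or any product it describes) walks constructed data through all of them: an external sharing-community feed, internal SIEM alerts and a vulnerability scan are merged into one repository, low-value records are dropped, indicators are ranked by the criticality of the assets they touch, recent log lines are swept for matches, exploited-in-the-wild vulnerabilities are ordered first, and the result is summarised by target class. All feed records, asset names, log lines and CVE identifiers are constructed placeholders, and the scoring weights are assumptions chosen for illustration.

```python
"""Six-step threat-intelligence triage over constructed sample data (added example)."""
from typing import Dict, List, Tuple

# Constructed stand-in for an external sharing-community / vendor feed.
EXTERNAL_FEED = [
    {"indicator": "203.0.113.10", "type": "ipv4", "source": "sharing-community", "confidence": 80, "tags": ["pos-malware-c2"]},
    {"indicator": "203.0.113.10", "type": "ipv4", "source": "vendor-feed", "confidence": 60, "tags": ["c2"]},
    {"indicator": "198.51.100.7", "type": "ipv4", "source": "vendor-feed", "confidence": 20, "tags": ["scanner"]},
    {"indicator": "invoice-update.example", "type": "domain", "source": "sharing-community", "confidence": 90, "tags": ["spear-phishing"]},
]
# Constructed internal SIEM alerts; "asset" names the host that raised the alert.
SIEM_ALERTS = [
    {"indicator": "203.0.113.10", "type": "ipv4", "source": "siem", "confidence": 50, "tags": ["outbound-conn"], "asset": "pos-terminal-14"},
    {"indicator": "192.0.2.55", "type": "ipv4", "source": "siem", "confidence": 30, "tags": ["outbound-conn"], "asset": "dev-laptop-3"},
]
# Constructed vulnerability scan output; CVE ids are placeholders, not real advisories.
VULN_FINDINGS = [
    {"cve": "CVE-0000-0001", "asset": "ecom-payment-app", "cvss": 9.8, "exploited_in_wild": True},
    {"cve": "CVE-0000-0002", "asset": "pos-terminal-14", "cvss": 7.5, "exploited_in_wild": False},
    {"cve": "CVE-0000-0003", "asset": "dev-laptop-3", "cvss": 9.1, "exploited_in_wild": False},
]
# Assumed business criticality (1 = low, 5 = payment-handling).
ASSET_CRITICALITY = {"pos-terminal-14": 5, "ecom-payment-app": 5, "dev-laptop-3": 1}
# Constructed log lines for the hunting step.
LOG_LINES = [
    "2024-11-20T10:01:02 fw allow src=10.10.14.2 dst=203.0.113.10 dport=443",
    "2024-11-20T10:02:15 mail from=billing@invoice-update.example subject=Invoice",
    "2024-11-20T10:03:00 fw allow src=10.10.14.9 dst=93.184.216.34 dport=443",
]


def consolidate(*feeds: List[dict]) -> Dict[str, dict]:
    """Step 1: merge every source into one repository keyed by indicator."""
    repo: Dict[str, dict] = {}
    for feed in feeds:
        for rec in feed:
            entry = repo.setdefault(rec["indicator"], {
                "type": rec["type"], "confidence": 0, "sources": set(), "tags": set(), "assets": set()})
            entry["confidence"] = max(entry["confidence"], rec["confidence"])  # keep the strongest claim
            entry["sources"].add(rec["source"])
            entry["tags"].update(rec["tags"])
            if "asset" in rec:
                entry["assets"].add(rec["asset"])
    return repo


def eliminate(repo: Dict[str, dict], min_confidence: int = 40) -> Dict[str, dict]:
    """Step 2: drop noise. Keep an indicator if it is confident, corroborated
    by more than one source, or was actually seen on one of our own assets."""
    return {ind: e for ind, e in repo.items()
            if e["confidence"] >= min_confidence or len(e["sources"]) > 1 or e["assets"]}


def prioritise(repo: Dict[str, dict], criticality: Dict[str, int]) -> List[Tuple[str, dict]]:
    """Step 3: rank by confidence weighted by the most critical asset it touches."""
    def score(entry: dict) -> int:
        crit = max((criticality.get(a, 1) for a in entry["assets"]), default=1)
        return entry["confidence"] * crit
    return sorted(repo.items(), key=lambda kv: score(kv[1]), reverse=True)


def hunt(repo: Dict[str, dict], log_lines: List[str]) -> List[Tuple[str, str]]:
    """Step 4: sweep recent logs for any indicator in the repository."""
    return [(ind, line) for line in log_lines for ind in repo if ind in line]


def focus(vulns: List[dict], criticality: Dict[str, int]) -> List[dict]:
    """Step 5: vulnerabilities with active exploits first, then by CVSS weighted by asset criticality."""
    return sorted(vulns, reverse=True,
                  key=lambda v: (v["exploited_in_wild"], v["cvss"] * criticality.get(v["asset"], 1)))


def target_class(asset: str) -> str:
    """Map an asset name onto the target classes the article lists (naming convention assumed)."""
    if asset.startswith("pos-"):
        return "POS systems"
    if asset.startswith("ecom-"):
        return "e-commerce applications"
    return "supporting infrastructure"


def analyse(prioritised: List[Tuple[str, dict]]) -> Dict[str, List[str]]:
    """Step 6: summarise which indicators are hitting which class of target."""
    summary: Dict[str, List[str]] = {}
    for ind, entry in prioritised:
        classes = {target_class(a) for a in entry["assets"]} or {"not yet observed internally"}
        for cls in sorted(classes):
            summary.setdefault(cls, []).append(ind)
    return summary


def run_pipeline() -> dict:
    """Run all six steps over the constructed data and return every intermediate result."""
    repo = consolidate(EXTERNAL_FEED, SIEM_ALERTS)
    kept = eliminate(repo)
    ranked = prioritise(kept, ASSET_CRITICALITY)
    return {
        "consolidated": repo,
        "kept": kept,
        "ranked": [ind for ind, _ in ranked],
        "hunt_hits": hunt(kept, LOG_LINES),
        "vuln_order": [v["cve"] for v in focus(VULN_FINDINGS, ASSET_CRITICALITY)],
        "summary": analyse(ranked),
    }


if __name__ == "__main__":
    for step, result in run_pipeline().items():
        print(step, "->", result)
```

The elimination rule is the part worth adapting: a single low-confidence feed entry that has never appeared on the retailer’s own network is discarded, but anything a SIEM has already tied to a POS terminal or payment application survives regardless of feed confidence, which is what keeps the prioritisation step anchored to the assets that matter most.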

All these steps are necessary, and a robust threat intelligence platform to assist the security teams will give retailers the context and prioritisation they require to make better decisions and accelerate detection and response, combating the biggest threats to retailers in the modern digital age.