Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

Hacking Away at Holiday Cheer

Threat Intelligence That Combines External and Internal Data Will Help You Determine What You Need to Care About in Your Environment

Threat Intelligence That Combines External and Internal Data Will Help You Determine What You Need to Care About in Your Environment

According to the Deloitte 2016 Holiday Survey consumers expect to spend roughly $430 million this holiday shopping season – evenly divided between online and in-store purchases for the first time ever. Two thirds of respondents will shop online and then purchase in store (webrooming); half will shop in store and then buy online (showrooming); and more than 4 in 10 will take advantage of “buy online, pick up in-store” offers. However the final numbers shake out, we know this is the biggest time of the year for retailers – and also for hackers. The stakes are high as the number of credit card transactions soars.

As validated by the many highly publicized breaches, in-store Point-of-Sale (POS) devices are proving to be high-value targets for cyber criminals for a number of reasons. They are difficult to secure due to their ubiquitous nature, often run on old operating systems, are difficult to patch, and use outdated software. What’s more, many retailers don’t include anti-virus (AV) or other security software on their POS devices. And even if they do, relying on AV alone is not enough to counter the threat of POS malware. With names like PoSeidon, POS Pro and POSCardStealer, these types of attacks tend to play out very similarly, establishing command and control communication back to the adversary’s infrastructure to send stolen credit card numbers and keylogging information. New Europay, MasterCard and Visa (EMV) chip-enabled cards make it more difficult to profit from credit card data; since a unique transaction code is created every time the card is used they can’t be copied. But this technology will not prevent breaches.

Online retailers tend to have more security tools at their disposal since they were built from the ground up in this digital age. Encryption, dual authentication, SSL certificates and firewalls can all help protect the theft of credit card and other personally identifiable information (PII). Consumers can also get involved in protecting their data with strong passwords, AV protection and making sure they update their operating systems and software on their devices. Still, attacks on online shopping sites can and do happen. The 2016 Verizon Data Breach Investigations Report, Retail finds that 45 percent of security incidents in the retail sector involved Denial of Service (DoS) attacks that can bring down websites for days and often infiltrate networks and steal data. Another 26 percent of retail breaches involve web app attacks that use keyloggers to steal credentials and conduct fraudulent transactions.

Regardless of the attack vector, once an intruder gains access to a retailer’s network they can remain undetected for long stretches of time, continuing to capture more data and wreak more havoc. Target, Home Depot, Neiman Marcus and Eddie Bauer can attest to this.

So what can retailers do? Threat intelligence based on a combination of external and internal data can help retailers detect the presence of malware and other malicious activity on their network so that they can take action more quickly and mitigate damage.

It starts by gathering external threat data usually compiled from multiple data feeds – commercial sources, open source and additional feeds from existing security vendors. Global threat data lets you see activities happening outside of your enterprise – not only attacks themselves, but how attackers are operating and infiltrating networks. This data, from disparate feeds and in disparate formats, needs to be gathered together into one manageable location and translated into a uniform format so you can use it.

Now that you have global threat data that you can use, you need to enrich and augment it with internal data. Only then will you have enough intelligence to know that you’ve been breached and how to deal with it most effectively.

Advertisement. Scroll to continue reading.

Internal data includes, but is not limited to, threat and event data from your security information and event management (SIEM) system, log management repository and case management systems. By correlating events and associated indicators from inside your environment with external data on indicators, adversaries and their methods, you can get a broader picture of not only what has happened but who may have done it and even how. And that information can help you anticipate what may happen next.

The combination of external and internal data will help you determine what you need to care about given your environment. That is extremely important in light of the shortage of skilled security professionals and a phenomenon called ‘alert fatigue’ (getting overwhelmed by the volume of alerts from SIEMs, ticketing systems and other security technologies). Most organizations don’t have enough resources to cut through the noise and identify what is actually happening in their environment. Relevant and contextual intelligence helps you focus on what matters most.

Let’s make sure adversaries don’t hack away at holiday cheer. Threat intelligence that incorporates external and internal data can go a long way toward helping you mitigate breaches during the holiday shopping frenzy.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.