In an earlier blog post, we discussed some of the ways criminals are using advanced attacks against retailers to go after payment card data and customer account information. Today, we'll take a look at how these threats might affect a fictitious retail company, and why.
Coco Le Fen is a luxury fashion brand that operates more than 200 boutiques around the world in affluent neighborhoods and exclusive resorts, with annual revenue approaching $2 billion USD. It has a burgeoning ecommerce presence that's fueled by flash sales, social media, and exclusive online-only offers. Coco Le Fen also operates several manufacturing facilities in the US and Asia that produce most of its clothing and accessories. Unbeknownst to most consumers, Coco Le Fen also develops and manufactures bullet-proof sunglasses and related products for several branches of the US military.
As Coco Le Fen has built its successful and well-known brand, it has also become a prime target for malicious hackers using advanced threats.
Criminals regularly try to break into Coco Le Fen's main network to surreptitiously gather new designs and sell them to counterfeiters, who then rush to manufacture them for sale on the black market as part of larger criminal operations. Designs for military gear may be stolen to be sold to corrupt agents of foreign governments.
Given its global reach and high profile, Coco Le Fen is also a prime target for Distributed Denial of Service (DDoS) attacks and Advanced Persistent Threats (APTs) from social hacktivists, especially as its manufacturing and labor practices have come under recent scrutiny for possible human rights violations and there are allegations that the company used animal testing in formulating its new cosmetics line.
Since Coco Le Fen has many wealthy individuals and celebrities as customers, criminals may try to use Coco Le Fen's network and applications as a means to get to them via phishing emails, or by compromising Coco Le Fen's ecommerce website to get unsuspecting shoppers to download malware that captures keystrokes, enabling them to break into customers' bank accounts. Criminals may also tamper with or add skimming devices to its in-store POS systems to capture credit card data, or hack into the company's unsecured wireless network.
While this is a fictitious company, the information security challenges facing retailers today are quite real. Although PCI compliance requirements address some of them, the reality is that PCI alone won't address many of the advanced threats that retailers now face. As a result, retailers must develop stronger defenses and ramp up security initiatives to combat such threats.
One tool that can help in defending against advanced threats is threat intelligence. This involves studying potential attackers, identifying individual threat actors or groups that might target your company, and determining what their objectives might be. For example, what kind of information might they try to get? Are there possible social or political motives that might drive attacks? Are they aggressively targeting similar companies in your industry?
What about your organization? If you're a retailer, do you think your organization is adequately prepared to face threats like this? Do you have a regularly updated incident response plan?