Intelligence-led tips in a time of rising threat
Recent cyber attacks on UK high street retailers are highlighting the growing risks that are facing organisations thanks to increasingly sophisticated cyberattack techniques. As we’ve recently seen, these breaches can expose vast amounts of sensitive data, take down services, and completely destroy a brand, reputation or trust. And it’s not just retailers that are at risk. Many organisations are yet to adopt robust security measures or still rely on outdated IT infrastructure, making them prime targets for exploitation, regardless of what industry they are in.
Our 24/7 Security Operations Centre (SOC) currently has a unique vantage point on the evolving threat landscape and has been actively monitoring the recent incidents to gain a better understanding of the methods used in order to provide our clients with clear, actionable insights and to suggest effective mitigation strategies.
Our cybersecurity intelligence indicates that the most recent cyberattacks targeting high street businesses have been attributed to the group Scattered Spider, utilising the DragonForce ransomware strain.
Scattered Spider gained notoriety in 2023 following ransomware attacks on Caesars Entertainment and MGM Resorts in Las Vegas, for which they reportedly received ransom payments totalling approximately $15 million. The group has also been linked to the Snowflake breach, which exposed personally identifiable information (PII) of millions of users.

Key indicators and tactics associated with the group include:
- Sophisticated social engineering tactics like spear phishing emails or tricking people into revealing sensitive information
- Pretending to be a legitimate user in order to trigger a password reset
- Multi-Factor Authentication (MFA) fatigue attacks, which involve repeatedly bombarding a user with MFA requests until they approve one out of annoyance or confusion
- SIM swapping which involves an attacker tricking phone providers into transferring phone numbers to a SIM that they control
- Exploitation of known vulnerabilities that haven’t been patched, such as CVE-2015-2291 (a vulnerability in Intel’s Ethernet drivers)
In most cases the attacks were highly complex and sophisticated, but with the right controls, monitoring and employee awareness, they were also very preventable.
The UK’s National Cyber Security Centre (NCSC) has issued guidance regarding these attacks, and in addition to that, our SOC team are strongly urging organisations to:
- Deploy multi-factor authentication (MFA) comprehensively across all accounts and services. Modern phishing-resistant methods are advised.
- Improve monitoring for unauthorised account activity, such as identifying risky sign-ins using Microsoft Entra ID Protection, particularly those flagged by Microsoft Entra Threat Intelligence.
- Review and audit high-privilege accounts, such as Domain Admin, Enterprise Admin, and Cloud Admin accounts, ensuring all access is legitimate.
- Assess helpdesk procedures for password resets, particularly verifying staff credentials before processing requests for accounts with elevated privileges.
- Enhance detection capabilities within your Security Operations Centre (SOC) to identify logins from atypical sources (e.g., VPNs using residential IP ranges) through source enrichment and related methods.
- Establish processes to rapidly ingest and respond to threat intelligence, particularly regarding evolving tactics, techniques, and procedures (TTPs).
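As an added illustration of the monitoring points above (not code from the page or its SOC), the following script enriches sign-in events with a source category and flags two of the patterns described: successful logins from residential VPN ranges, and an MFA approval that follows a burst of denied or unanswered prompts (MFA fatigue). The IP ranges, log format and thresholds are constructed assumptions; a real SOC would feed the category table from its own IP-reputation source.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed enrichment table (CIDR -> category); stands in for a real IP-reputation feed.
SOURCE_CATEGORIES = {
    ip_network("203.0.113.0/24"): "corporate-egress",
    ip_network("198.51.100.0/24"): "residential-vpn",
}
ATYPICAL = {"residential-vpn"}  # categories that should never host a normal staff login

# Constructed sample sign-in log lines: "<timestamp> <user> <source ip> <mfa result>"
SAMPLE_LOGS = [
    "2025-05-01T09:00:00 alice 203.0.113.10 approved",
    "2025-05-01T09:01:00 bob 198.51.100.7 denied",
    "2025-05-01T09:02:00 bob 198.51.100.7 denied",
    "2025-05-01T09:03:00 bob 198.51.100.7 timeout",
    "2025-05-01T09:04:00 bob 198.51.100.7 approved",
]

def classify_source(ip: str) -> str:
    """Source enrichment: return the category of an IP, or 'unknown' if no range matches."""
    addr = ip_address(ip)
    for net, category in SOURCE_CATEGORIES.items():
        if addr in net:
            return category
    return "unknown"

def parse(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, user, ip, mfa = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "mfa": mfa}

def find_alerts(lines, max_prompts=3, window=timedelta(minutes=10)):
    """Return (user, reason) alerts for atypical-source logins and MFA fatigue approvals."""
    alerts = []
    history = defaultdict(list)  # user -> [(timestamp, mfa result)]
    for line in lines:
        ev = parse(line)
        category = classify_source(ev["ip"])
        if category in ATYPICAL and ev["mfa"] == "approved":
            alerts.append((ev["user"], f"sign-in from {category} {ev['ip']}"))
        events = history[ev["user"]]
        events.append((ev["ts"], ev["mfa"]))
        if ev["mfa"] == "approved":
            # Count denied/unanswered prompts for this user inside the window before the approval.
            prompts = [t for t, r in events if r in ("denied", "timeout") and ev["ts"] - t <= window]
            if len(prompts) >= max_prompts:
                alerts.append((ev["user"], f"approval after {len(prompts)} denied or unanswered MFA prompts"))
    return alerts
```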
In addition to implementing the NCSC’s recommendations, as a business, we are also actively evaluating the effectiveness of restricting IT resource access to company-owned devices only. A comprehensive review of Conditional Access policies and firewall configurations is also considered best practice.
It is crucial that organisations regularly review, test, and update disaster recovery, business continuity, and cyber incident response plans to ensure preparedness and resilience against cyber threats.
Our most recent Mid-Market report highlights a significant misalignment between IT and business leaders, creating a critical barrier to cybersecurity investment. While IT leaders recognise cybersecurity and technology upgrades as crucial, business leaders often perceive these as costs rather than strategic growth enablers. But as these high-profile retailers have seen, such misalignment, combined with an overestimation of security posture, can leave organisations, no matter how big or small, vulnerable to threats.
“There’s a growing recognition that cyber security isn’t just an IT problem, but now more of a business continuity imperative. The most resilient organisations treat security as a continuous, adaptive process rather than a one-time implementation. They integrate security into everything – from software development to employee onboarding.”
James Rentoul, SecOps Manager
Implementing simple yet effective security measures can significantly enhance resilience. Being brilliant at the basics of cybersecurity is a critical step toward building future-ready IT services.