Over the course of 2017, Visa Threat Intelligence (VTI) observed many global breach trends that had the potential to impact the RH-ISAC community. There are a myriad of point of sale threats facing the retail landscape. Through Visa research and partnership within the industry, Visa Threat Intelligence identified the top five cybersecurity threats and outlined mitigation steps, indicators of compromise, and offered recommendations for avoidance.
Glen Jones, senior director of risk and authentication products at Visa presented this data in a recent RH-ISAC Associate Member webinar. We also had a chance to sit down with him and ask some of our questions based on their findings. Take a look at the interview below.
Miss the webinar? RH-ISAC members can review the recording by logging into the Collaboration Portal and visiting VTI’s Associate Member space.
Q: Why has there been such a substantial uptick in retail breaches since 2015?
A: One factor that I believe is contributing to this is the shift in attacks to e-commerce merchants, many of which are retailers. The shift in attack strategy is likely driven by EMV adoption at brick and mortar stores and by the fact that criminals are targeting some well-known vulnerabilities in e-commerce payment applications. A threat actor can easily automate many of the early steps of an attack against a vulnerable payment platform and simultaneously affect multiple merchants at once.
Q: What are some of the commonalities you see in these threat actor’s TTPs?
A: Many of the active threat actors like to use the same intrusion methods, toolkits, lateral movement methodology and exfiltration methods across all of their victims. There is a fair amount of predictability in how they set up and execute their attacks, so the more you understand the threat actor TTPs, the better chance you will have at recognizing similar behavior on your own network.
Q: Are there similar pitfalls you’ve seen within those organizations who have been attacked?
A: The biggest shortcomings we see across most victims are the lack of a practiced incident response plan and information security and intelligence teams drowning in data. The combination of those two can be devastating for an organization hoping to defend against payment system attacks. Resources are scarce to begin with, so responding to the wrong things or trying to react to all threats with equally priority will likely result in missing some obvious breach indications.
Q: As a retailer, how can I prepare for the next wave of attacks?
A: No single action or technology will be effective. We recommend a defense in depth strategy, making it harder for attackers to reach payment data will increase your chances of spotting them before they can get to the data. One of the best ways to prepare is to look at ways to remove the payment data from your environment altogether. Payment systems with tokenization, end-to-end encryption, and EMV are less of a target and we have seen evidence that suggests criminals will simply move on to less protected merchants.
Another highly recommended step you can take is to ensure you are using the right kind of threat intelligence and using it effectively. Focus on threats relevant for your organization and pay attention to things like threat actor TTPs and Indicators of Compromise. Train your systems and people to recognize threats and practice reacting with the speed of the attackers and if you do those things right, it will go a long way toward keeping pace with whatever the bad guys throw at us.
For more exclusive content direcltly for RH-ISAC members, visit RH-ISAC.org/events. Interested in facilitating a webinar? Have a topic or speaker idea? Email events@RH-ISAC.org to connect with the team today.