10 Hackers Hacking: A Holiday Countdown of Retail Cybersecurity Threats
On the eve of Black Friday and Cyber Monday, we have a little gift for you: the top 10 MITRE ATT&CK techniques Red Canary detected against the retail sector in 2019.
Holiday shopping season has been a boom time for retail breaches over the years. Naughty code such as FrameworkPOS can really put a damper on all the holiday cheer, causing reputational damage and direct financial losses. Many retailers implement enterprise-wide code freezes, leading to downtime during a period in which revenue is so important.
Ultimately, peak retail season is just about the worst time to have to disclose a data breach or other security incident. Luckily, Red Canary is here to help retailers stay vigilant.
Here’s the list—we checked it twice—of ATT&CK techniques that adversaries used against our retail customers in 2019, from fewer detections to the most:
10. Registry Run Keys / Startup Folder (T1060)
A tried-and-true method for achieving persistence: attackers add entries to the “autorun keys” in the Registry or to the startup folder on Windows systems so that their code executes automatically with the associated user’s permissions at startup.
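Triage logic for the autorun technique above, as an added example that is not part of the original post or of Red Canary’s own tooling: it scores registry set-value events (Sysmon Event ID 13 style key/value pairs) by whether a Run/RunOnce value points into a user-writable directory or launches a script host. The sample events, the directory list and the script-host list are constructed assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Registry paths Windows executes at logon; matches both HKLM and HKCU variants.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE
)
# Locations an unprivileged user can write to (assumed list). Legitimate Run entries
# usually point into Program Files or System32, so anything here deserves a closer look.
USER_WRITABLE_RE = re.compile(
    r"[a-z]:\\(?:users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)
# Script interpreters and proxy executables that launch a payload indirectly (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "regsvr32.exe", "rundll32.exe"}

def extract_target(value):
    """Return the executable path from a Run value, which may be quoted and carry arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]

def assess_run_entry(key, value):
    """Return the reasons a Run/RunOnce value looks suspicious (empty list means benign)."""
    if not RUN_KEY_RE.search(key):
        return []  # not an autorun key at all
    reasons = []
    if USER_WRITABLE_RE.search(value):
        reasons.append("references a user-writable location")
    if PureWindowsPath(extract_target(value)).name.lower() in SCRIPT_HOSTS:
        reasons.append("launches a script host or proxy executable")
    return reasons

# Constructed registry set-value events (key, new value); not real telemetry.
SAMPLE_EVENTS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'"C:\Users\jdoe\AppData\Roaming\updater.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Init",
     r"wscript.exe //B C:\Users\Public\init.vbs"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo", r"C:\Users\Public\foo.exe"),
]

def triage_run_keys(events=SAMPLE_EVENTS):
    """Map each flagged value name to its reasons; benign and non-autorun entries are dropped."""
    return {PureWindowsPath(k).name: r for k, v in events if (r := assess_run_entry(k, v))}
```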
9. Service Execution (T1035)
Adversaries use this execution technique to run a binary, command, or script as a native Windows service, which simultaneously helps an attack blend in with routine process activity while achieving high privilege levels.
8. Spearphishing Attachment (T1193)
This is the variety of phishing that leverages email messages with malware-laden attachments. Phishing has been an effective initial access technique for decades, but T1193 has been particularly en vogue in the era of weaponized macros, Visual Basic Scripts, and PowerShell.
7. Scheduled Task (T1053)
Straddling three tactics, Scheduled Tasks offer adversaries a technique for persisting, elevating privileges, and executing code on Windows systems. Assuming the adversary has gained the privileges to do so, they may use Windows Task Scheduler to schedule programs or scripts to execute at a specified time.
6. Bypass User Account Control (T1088)
Used for both privilege escalation and defense evasion, this technique sees attackers leverage Windows User Account Control (UAC) to elevate their privileges to administrator-level permissions, sometimes prompting the user for confirmation and sometimes doing so silently in the background, depending on the account configuration and the program or process the attacker is leveraging.
5. File Deletion (T1107)
Smart adversaries clean up after themselves, removing any malware, tools, or other non-native files dropped or created on a system. Unfortunately, this defense evasion technique greatly complicates incident response and is also very hard to detect, given that humans and operating systems normally delete files as well.
4. Indicator Removal on Host (T1070)
This is a defense evasion technique that manifests in a variety of ways, particularly as adversaries attempt to delete or alter logs or carry out other anti-forensic activity on a host system. We’ve observed attackers exercising this technique as part of ransomware attacks (volume shadow copy deletion) and to disable Windows Event Log collection, to name a couple of methods.
3. Disabling Security Tools (T1089)
To evade detection, adversaries kill security software or event logging processes, delete Registry keys so that tools do not start at run time, or disable other tools to interfere with security scanning or event reporting.
2. PowerShell (T1086)
Powerful, performant, and installed on basically every Windows system on the planet, PowerShell is an interactive command-line interface and scripting language that adversaries use to execute code and perform countless other malicious actions on Windows systems. It’s incredibly popular among sysadmins as well, enabling them to remotely apply configuration changes, enforce security policy, and carry out all manner of daily tasks, which makes it hard to baseline.
And the most detected technique—the canary in a pear tree, if you will—is….
1. Masquerading (T1036)
More often than any other technique, we detected adversaries on retailers’ systems manipulating the file metadata associated with executables, often renaming them to appear as a legitimate, trusted program in order to evade defenses and observation.
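Detection logic for the masquerading pattern just described, as an added example that is not part of the original post or of Red Canary’s own tooling: it compares the on-disk name of each process image with the OriginalFileName carried in the PE’s version metadata (as Sysmon Event ID 1 reports it) and checks whether well-known system binary names are running from their expected directories. The sample records, the expected-directory table and the allowlist are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Binaries that live in a fixed system directory (assumed table); the same name running
# from anywhere else is a classic masquerade.
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
# Known-benign (on-disk name, OriginalFileName) pairs, e.g. a vendor that ships a
# renamed launcher. Constructed example entry.
KNOWN_BENIGN = frozenset({("app.exe", "app_main.exe")})

def check_masquerade(image, original_file_name, allowlist=KNOWN_BENIGN):
    """Return findings for one process-creation record; an empty list means nothing odd."""
    path = PureWindowsPath(image)
    name = path.name.lower()
    parent = str(path.parent).lower()
    findings = []
    # Sysmon writes "-" when the PE carries no OriginalFileName; that is not a mismatch.
    # Compare case-insensitively: Windows reports e.g. "PowerShell.EXE" for powershell.exe.
    orig = (original_file_name or "").strip()
    if orig and orig != "-" and orig.lower() != name and (name, orig.lower()) not in allowlist:
        findings.append(f"on-disk name {name!r} differs from PE OriginalFileName {orig!r}")
    expected = SYSTEM_BINARY_DIRS.get(name)
    if expected and parent not in expected:
        findings.append(f"{name} running from unexpected directory {parent!r}")
    return findings

# Constructed process-creation records (Image, OriginalFileName); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\svchost.exe", "svchost.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE"),
    (r"C:\Users\Public\svchost.exe", "sample_tool.exe"),          # renamed tool posing as svchost
    (r"C:\Users\jdoe\AppData\Local\Temp\setup.exe", "-"),         # no version metadata at all
    (r"C:\ProgramData\update.exe", "PowerShell.EXE"),             # renamed copy of powershell
    (r"C:\Program Files\Vendor\app.exe", "app_main.exe"),         # allowlisted vendor quirk
]

def triage_masquerading(events=SAMPLE_EVENTS, allowlist=KNOWN_BENIGN):
    """Map each flagged image path to its findings; clean records are dropped."""
    return {img: f for img, orig in events if (f := check_masquerade(img, orig, allowlist))}
```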
This was just a sneak preview—we’ll be counting down the top ATT&CK techniques for finance, education, healthcare, manufacturing, and other sectors in our 2020 Threat Detection Report, out early next year!
If you just can’t wait, you can read last year’s report here, which includes detailed and actionable collection and detection guidance for half of the techniques listed here.
And while you’re in that holiday spirit, why don’t you rewatch our favorite Christmas movie too.