5 Steps Retailers Should Take to Handle a Cyberattack

The severity of cyberattacks hitting U.S. companies has been on the rise in recent years, and with it, so grows the risk to businesses. A new study by IBM finds that while the number of cyberattacks against retailers declined by 50 percent in 2014, the actual number of records stolen remains at near record levels at 61 million. It's clear that attackers are becoming more sophisticated and efficient, reaping larger gains with less work and at a higher cost to the retailer. A recent survey by the Ponemon Institute showed the average cost of cybercrime for U.S. retail companies more than doubled from 2013, to an annual average of $8.6 million per company in 2014.

There are many reasons why attackers have set their sights on retailers. An increasing number of attack vectors as a result of multichannel strategies, BYOD, QR codes and mobile wallets, as well as vulnerable point-of-sale (POS) terminals, legacy systems and third parties in the supply chain are just a few reasons why retailers make good targets. It's impossible to prevent every single attack, but there are actions retailers can take to be more proactive when a breach happens. At the end of the day, a good offense is the best defense.

Here are five steps retailers can take to handle a cyberattack to help identify and remove advanced threats quickly and prepare for any future attacks:

1. Detect and identify. Retailers are now multichannel with storefronts, online shopping and mobile apps. This increase in customer engagement across a variety of mediums also means a more challenging task to keep data secure because customer data must be protected in different ways and places.

Once a threat has been identified in the system and verified as not a false positive, a cross-functional team is needed to oversee response, which includes locating "patient zero," the original point of entry or infection, and gaining access to the actual malware or threat. The team will need the skills to analyze it and determine how it got in, how it's behaving and spreading, and whether data is being exfiltrated.

2. Contain (or not contain). POS terminals have significant vulnerabilities that make it easy for hackers to target. Hackers have found ways to grab card data before it's encrypted into a POS system's memory. Whether it's foot traffic or website traffic, open ports — USBs, ethernets and tampering with POS devices — have all proven themselves as a security risk. Hackers can easily gain physical and virtual access to a network and move laterally to the targeted data.

Once an organization has identified the nature, extent and severity of the attack, the incident response team is faced with two options: contain it or remove it. Containing and stopping the attack involves quarantining the compromised hosts or systems or disabling some functions, removing user access to the system, and determining and blocking the access point. More advanced malware and threats, which can alter techniques depending on your reaction, might require moving right to the removal phase without tipping off the attacker that you're on to them.

3. Remove and recover. QR codes are used daily by retailers, however, they're easily manipulated by hackers, ultimately acting as a door into a retailer's network if hacked. Cybercriminals leverage these codes by taking users to a malicious website that infects the system without the user ever knowing, and then directing them to the correct website. QR codes are indecipherable to the naked eye; for experienced hackers, however, they're easily translated. Thoroughly removing a threat such as this is critical to reducing the risk of reinfection and regaining normal operation.

Once infected hosts have been identified, do the following:

• stop and kill all active processes;
• remove and save all files installed by the attack for later investigation;
• separate sensitive data from the network;
• apply necessary patches;
• update/reset all affected login accounts;
• assess file damage;
• reinstall affected files;
• notify all affected parties;
• disconnect affected hosts; and
• perform daily reboot.

4. Be proactive. Attackers are becoming increasingly sophisticated using advanced malware and techniques to hijack operating systems, applications and servers. These attackers learn from their experiences and often return with nuanced attack versions, putting organizations back on the defensive, and the vicious cycle continues.

Enterprises can defend proactively against cyber attackers by actively investigating the environment for indicators of compromise (IOCs) and looking for suspicious behavior. It's important to stay current with the latest threat intelligence and available countermeasures, deploying them as appropriate in the context of your environment. This includes keeping all software up to date and ensuring that patches and bug fixes are applied in a timely manner.

5. Automate incident response. It can be a challenge initially to be proactive with cyber defense because you're investing resources in detecting attacks before they occur. However, this is where automated, continuous threat removal solutions can help by leveraging the skills and manpower of the IT department and multiplying their efforts. Automation eliminates the need to perform manual work that's necessary, yet time consuming and expensive — e.g., collecting endpoint data from a large number of hosts and searching for IOCs.

To begin to incorporate automation into your approach to incident response, consider the following:

• Select solutions that you and your team trust and that integrate with your existing security infrastructure.
• Evolve from manual methods to automation over time as your comfort level grows and the value is demonstrated. Begin with simple steps that leverage automation and then slowly incorporate more sophisticated methods.
• Monitor how automation is benefitting your bottom line — i.e., saving costs while enhancing security by freeing up skilled security staff.

The time and costs of mitigating and recovering from malware attacks is significant. According to a 2014 global report from the Ponemon Institute, it takes an organization an average of 31 days, at an average cost of $20,000 per day, to resolve a cyberattack, making the average cost of a single breach around $640,000.

Retailers can't avoid being the target of a data breach, but they can improve their response and mitigate the impact of attacks now and in the future by proactively preparing a response plan. Taking into consideration the outlined security strategy and automating security tactics will help strengthen any organization's cybersecurity plan by changing their defensive position to an offensive one.

Todd Weller is the vice president of corporate development at Hexis Cyber Solutions, a provider of cybersecurity solutions for commercial companies and government agencies.