It’s been an undeniably rough few weeks for British retailers, with M&S, The Co-Op and Harrods all hit by (very public) cyberattacks. In each of these cases, the retailers dealt not only with disruption to services, but also with potential reputational and financial hits, the full scope of which will not be known until much later. With household names like these targeted, many organisations, of all sizes and industries, are likely to ask: what if we’re next? What can we do to protect ourselves? And, critically, where do we start?
In this Hacker Headspace, I’ll be dealing with the very necessary, very basic Incident Response Plan and other parts of business continuity planning, as well as the proactive measures organisations can take to protect themselves if a cyber incident were to occur. Why? Because, sending shivers down my (and I’m sure many other security professionals’) spine, an anonymous insider disclosed to Sky News that M&S “didn't have any business continuity plan [for this], we didn't have a cyber attack plan." - yikes. That’s enough to send any security team and/or c-suite exec into a spin.
The Anatomy of a Cyber Incident: Deconstructing the M&S Breach
Let’s first look at what we know.
In February, Marks & Spencer fell victim to a cyberattack, likely a ransomware incident orchestrated by the hacking group known as Scattered Spider. According to a CISA advisory from 2023, Scattered Spider is “a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.”
Some research suggests this to be the work of a gang of teens and young adults based in the UK and US. What’s interesting is the gang’s affiliation with ALPHV/BlackCat, the Russian-speaking ransomware gang. Scattered Spider is thought to act as an initial access broker (IAB) for the group, meaning that they specialise in gaining the initial foothold within a target organisation’s network, which can then be sold or handed to ransomware operators to deploy malware. Scattered Spider’s techniques often involve sophisticated social engineering, like the reported impersonation of employees to the M&S helpdesk, to bypass security measures such as multi-factor authentication. This allows them to gain access, steal data and deploy malware, causing a lot of disruption in many cases (we saw this in 2023 with the MGM Resorts hack, to which the group was also linked).
In late April, it was reported that M&S’s critical systems had been encrypted using DragonForce malware. The attack has caused widespread disruption, stopping online orders, impacting contactless payments and disrupting supply. It is thought that the attack has caused upwards of £650m in lost revenue. One of the biggest problems? The company’s lack of a business continuity plan for if (or, as attacks rise across the board, when) an attack happens.
On Incident Response Plans and Business Continuity
Organisations must plan for something going wrong. Some sectors, like banking and finance (after the financial crash of 2008), mandate this. A lack of business continuity in the event of an incident can hurt shareholder value, as well as employee and customer trust. It also means an organisation could take a significant reputational hit, and recovery can take even longer.
Organisations should appoint a person who owns the incident response (IR) plan. They should be empowered to make the case to the board for preventative investment in decent cyber resources. However, it is critical - and this cannot be overstated - that plans are tested. One way to do this is through tabletop exercises. Tabletop exercises, including engagement by the c-suite, make cyber seem more ‘real’. The reason these exercises are so important is that many underestimate how deep a takedown can reach within an organisation. In reality, organisations are far more interconnected than many think. Whilst these exercises are more an imperfect board game than reality, they can reveal just how significant a breach would be and how critical responding quickly and appropriately is. This can help drive engagement and funding, both of which are critical when it comes to justifying security spend.
A good incident response plan should also include backups, which can be restored from in the event of an incident. These backups must be segmented, kept as close to offline as possible, and easy to restore from if necessary; restoring from them should be rehearsed as part of plan testing, not assumed to work.
By having a strong business continuity plan in place, organisations can strive for greater cyber resilience.
Organisations Are Complex, Perfect Security is Almost Impossible to Achieve
But just having an incident response plan and tabletop exercises alone is not enough.
Many vendors are trying to shift left when it comes to security, by integrating security practices and testing into the early stages of the Software Development Lifecycle (SDLC) to proactively identify and address vulnerabilities before they become expensive to fix later on. We see this with the Secure by Design initiatives, like CISA’s Secure by Design Pledge, that are becoming more popular globally. However, the reality for modern organisations, especially large ones like M&S, is that they have very complex IT estates, with many different facets and points of entry onto the corporate network to secure, and a sprawling attack surface. From helpdesks, consumer apps and corporate IT systems to physical stores, supply chains, inventory tools and manufacturing plants, these organisations are extraordinarily complex. The reality is that you’re never going to have all areas protected perfectly. What’s needed is layers of security, including stopgaps and breaks, so that a persistent hacker can’t keep travelling through a system and reaching critical data.
The first step to a good security strategy is knowing what you’ve got and what you need to protect. A good attack surface scan will map and monitor for weak entry points and known vulnerabilities. With a large organisation in particular, there may be a lot of assets to discover and protect, a constellation of them in fact (that’s why we call our ASM tool Observatory!). You can’t protect what you don’t know you have. Turning the lights on to see the full scope of assets (and inventorying them) is a critical first step.
Additionally, there’s no use having lots of security tools if you’re not using them properly. Assets need to be discovered, and logs need to be kept, analysed and acted on if an intrusion occurs. These are key to multi-layered defence.
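Turning retained logs into action is the point of the paragraph above, and the helpdesk impersonation described earlier is a good case to detect. As an added example (not code from the original post, nor from any M&S or Observatory system), the following Python correlates two constructed log sources, helpdesk MFA resets and identity-provider logins, and flags a reset followed within an hour by a login from a device that user has never used; the log format, field names, window and sample events are all assumptions.

```python
"""Correlate helpdesk MFA resets with subsequent logins (constructed sample data)."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Two sources: the helpdesk ticket
# system emits MFA_RESET with how the caller was verified; the identity
# provider (idp) emits LOGIN with a device fingerprint.
SAMPLE_EVENTS = [
    "2025-04-16T08:30:00Z idp LOGIN user=alice device=known-laptop-1 result=success",
    "2025-04-17T09:02:11Z helpdesk MFA_RESET user=alice agent=hd-07 verified=callback",
    "2025-04-17T09:05:40Z idp LOGIN user=alice device=known-laptop-1 result=success",
    "2025-04-17T10:00:00Z helpdesk MFA_RESET user=dave agent=hd-02 verified=callback",
    "2025-04-17T12:30:00Z idp LOGIN user=dave device=new-unknown-4 result=success",
    "2025-04-17T13:10:05Z helpdesk MFA_RESET user=bob agent=hd-03 verified=voice-only",
    "2025-04-17T13:14:22Z idp LOGIN user=bob device=new-unknown-9 result=success",
    "2025-04-18T08:00:00Z idp LOGIN user=carol device=new-unknown-2 result=success",
]


def parse(line):
    """Split 'timestamp source action k=v k=v ...' into a dict (assumed format)."""
    ts, source, action, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source=source, action=action)
    return fields


def find_suspicious_resets(lines, window=timedelta(hours=1)):
    """Return alerts for MFA resets followed within `window` by a successful
    login from a device that user had never logged in from before the reset."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    seen = {}      # user -> devices that have logged in so far
    pending = {}   # user -> most recent unmatched MFA reset
    alerts = []
    for e in events:
        user = e["user"]
        if e["action"] == "MFA_RESET":
            pending[user] = e
        elif e["action"] == "LOGIN" and e["result"] == "success":
            reset = pending.get(user)
            if reset and e["ts"] - reset["ts"] <= window and e["device"] not in seen.get(user, set()):
                gap = int((e["ts"] - reset["ts"]).total_seconds() // 60)
                # Carry the verification method so the analyst can triage weak ones first.
                alerts.append({"user": user, "device": e["device"],
                               "verified": reset["verified"], "minutes_after_reset": gap})
                pending.pop(user)
            seen.setdefault(user, set()).add(e["device"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print("ALERT", alert)
```

In the sample data only bob trips the rule: alice logs in from a device already seen, dave's new-device login falls outside the window, and carol had no reset.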
Final Thoughts?
Organisations must take cybersecurity seriously, preparing for when, not if, a cyber incident happens. However, credit must be given to those managing the IT systems of large corporate networks, as in the case of M&S, because it is hard to secure everything well. What organisations need is adequate investment in a good, multi-layered cyber strategy, including attack surface scans and IR plans.