Remaining Secure in the Midst of Cyber Crime

Written by Travis DeForge, Director of Offensive Cybersecurity at Abacus Group.

In recent weeks, the UK retail sector has been rocked by a series of high-profile cyber-attacks, targeting prominent retailers such as Marks & Spencer (M&S), the Co-operative Group (Co-op), and Harrods. These incidents have exposed some novel vulnerabilities in technology, but more predominantly underscore the importance of remaining vigilant against the increasingly aggressive nature of cyber criminals.  

What Happened? 

These incidents, attributed to the hacking group known as Scattered Spider, also referred to as Octo Tempest, involved sophisticated techniques leveraged to gain unauthorized access to sensitive customer and financial data. The attackers reportedly gained access to M&S systems as early as February 2025, stealing sensitive data, including the NTDS.dit file, which contains user credentials. They then deployed "DragonForce" ransomware to encrypt the company's servers. These breaches have not only compromised sensitive information but also shaken consumer confidence and highlighted the potential financial repercussions for affected companies. While details continue to emerge, initial reports suggest that social engineering played a significant role in the malicious actors obtaining initial access.

What Is Social Engineering? 

At Social engineering is a manipulation technique that exploits human psychology to gain access to confidential information or systems. Traditionally, it involved simple tactics like phishing emails, where attackers trick individuals into revealing sensitive data by posing as legitimate entities. However, over the last few years, and accelerated by the expanded use of Large Language Models (LLMs), social engineering has evolved significantly, now encompassing a sophisticated array of methods that leverage artificial intelligence (AI).  

Modern attackers use AI to craft highly personalized and convincing messages, automate large-scale phishing campaigns, and even simulate human interactions in real-time, utilizing deep fake technology. This evolution has made social engineering attacks more effective and challenging to detect, emphasizing the need for advanced security measures and continuous awareness training.

Proactive Measures to Stay Protected 

While it is challenging to remain fully protected against an ever-changing cacophony of adversarial tactics, techniques, and procedures (TTPs), there are proactive measures that firms can take to ensure their defense-in-depth strategy remains robust. Our clients across the financial sector have found the best success by combining a thorough, holistic assessment of existing security controls with highly sophisticated threat emulation simulations like Social Engineering Testing. 

Beyond ensuring the organizational risks are understood at the business level, additional best practices can be implemented in parallel to ensure users are best protected against threats.  

1. Ensure multi-factor authentication (MFA) is enabled across all systems and restrict access to sensitive data based on the principle of least privilege. This is a critical first step to implementing access controls to ensure only registered and managed devices can access the network. The combination of both of these controls makes it much more challenging for malicious actors to initiate the breach, even if a valid username and password have been compromised.
    
2. Regularly monitor critical systems and bank accounts for unusual activity and promptly reset passwords for any affected accounts to prevent unauthorized access.
   
   
3. Conduct regular security training to educate employees about common cyber threats and best practices, helping them recognize and respond to suspicious activities effectively. 

Conducting Risk Assessments

As firms increasingly rely on various Software as a Service (SaaS) platforms, the complexity of their attack surface grows, introducing additional third-party risks. A comprehensive cybersecurity risk assessment is essential to understand how these third parties integrate and contribute to the overall risk posture. This process should extend beyond traditional questionnaires or interview-based assessments to include hands-on technical analysis of configurations within business operations. 

A thorough cybersecurity risk assessment involves several key steps: 

1. Identify Critical Assets: Determine which assets are most vital to your business operations and data security.
   
   
2. Analyze Threats and Vulnerabilities: Evaluate potential threats and vulnerabilities that could impact these critical assets. One way to accomplish this is through a continuous vulnerability scanning as a service (VmaaS) program, ensuring you’re alerted of new vulnerabilities rapidly.
    
3. Assess Impact and Likelihood: Estimate the potential impact and likelihood of different threat scenarios.
   
   
4. Evaluate Existing Controls: Review current security measures to determine their effectiveness in mitigating identified risks.
   
   
5. Develop a Mitigation Plan: Create a roadmap to address vulnerabilities, prioritize security investments, and enhance the overall security posture. 

By conducting a detailed risk assessment, organizations can identify specific areas for improvement and make informed decisions about where to invest in security measures. As best practice, these assessments should be conducted annually, or when a significant change to the organization occurs, such as through mergers or acquisitions. This proactive approach not only helps mitigate risks but ensures compliance with industry regulations and standards.  

Social Engineering Testing

Social engineering testing involves simulating real-world attacks to assess the human element of security within an organization. This goes far beyond traditional awareness training and seeks to leverage the most advanced adversarial tactics such as bypassing multi-factor authentication (MFA) and leveraging AI to conduct real time deep fakes. This approach helps identify vulnerabilities from human behavior, such as susceptibility to phishing attacks or manipulation. By performing regular social engineering tests, organizations can: 

1. Educate Employees: Raise awareness about common social engineering tactics and train employees to recognize and respond to suspicious activities.
   
   
2. Strengthen Policies: Develop and enforce policies that minimize the risk of human error, such as strict email protocols and verification procedures.
   
   
3. Improve Incident Response: Enhance the ability to detect and respond to social engineering attacks swiftly, reducing potential damage. 

Incident Response Tabletop Testing 

These attacks have also demonstrated that while many firms have Business Continuity and Disaster Recovery (BCDR) and Incident Response plans in place, they are often not fully understood by the key stakeholders and have gaps which can add to confusion. By conducting regular tabletop testing of the incident response plan firms can think through realistic scenarios and identify any shortcomings in the plan, before having to put it into action.  

The FCA and the SEC have specific requirements for testing incident response plans, but these tests can sometimes be seen as a regulatory “check the box”. Rather, ensuring robust, engaging and realistic scenarios can quickly identify fundamental shortcomings and lead to a prudent roadmap to effectively manage and mitigate the impact of security incidents.  

Conclusion

The recent cyber-attacks on UK retailers serve as a stark reminder of the evolving threat landscape. For financial sector leaders, adopting proactive measures is crucial to staying protected. By prioritizing these strategies, organizations can fortify their defenses, safeguard sensitive information, and maintain consumer trust.