Attacks/Breaches
10/30/2014
03:10 PM

Retailers Now Actively Sharing Cyberthreat Intelligence

The retail industry's R-CISC has been up and running for four months now and is looking for more retailers to sign up.

When a threat alert arrived about a new malware threat during a recent industry gathering of retailers, a group of them immediately left the room to check in with their home networks. The intel came in the form of an email via the retail industry's new intelligence-sharing program, the Retail Cyber Intelligence Sharing Center (R-CISC).

"We happened to be having a meeting... and someone got intel on some malware. Immediately, people got up [and left the room] and checked on their systems and detected it," says Suzie Squier, senior vice president of the Retail Industry Leaders Association (RILA), which spearheaded the formation of the R-CISC. 

R-CISC, which RILA announced back in May, has been up and running for about four months now, gradually ramping up to 100 member retail organizations participating in the industry's information sharing and analysis center (ISAC). Target, American Eagle Outfitters, Gap, JC Penney, Lowe's, Nike, Safeway, VF, Walgreens, and other major retailers sit on the board of directors of the R-CISC, a portal-based threat intelligence-sharing platform for retailers that includes feeds from government and other industry sources, and provides threat analysis. It's open to all retailers -- not just RILA members -- including small merchants and online-only e-commerce sites.

R-CISC also offers education and training for participants, and shares threat information with the US Department of Homeland Security, the US Secret Service, and the FBI.

Calls for an official threat intel-sharing mechanism for the retail industry intensified in the wake of Target's epic data breach late last year. The retail industry at the time had no formal threat and attack intelligence-sharing mechanism like financial services, the defense industrial base, and other industries have, and concerns arose that the industry was being blindsided by attacks and malware.

Another retail association, the National Retail Federation (NRF), earlier this year also began forming an intel-sharing platform, sparking concerns of dueling intel-sharing mechanisms. But the NRF, which represents many smaller retailers, grocery chains and restaurants, now says it plans to ultimately integrate its platform with the R-CISC.

NRF has been running a threat alert system since early June that's generating some 15 to 20 alerts per day, says Tom Litchford, vice president of retail technologies at NRF. The NRF's platform is linked to the financial services industry's ISAC, FS-ISAC. "We're connected at the hip with the financial services industry. US-CERT is providing stuff to us [as well]," Litchford says. There are also plans to link with private industry threat intelligence feeds, he says.

The government's July 31 alert about the notorious Backoff malware, which struck multiple retailers' POS platforms, was sent to NRF members via the intel-sharing mechanism and actually helped quell some attacks, he says. "One of our members used it to check and sure enough, found evidence of a [Backoff] breach. They were able to limit or mitigate it to less than one percent of their stores," Litchford says.

NRF is also working closely with RILA to integrate its platform with the R-CISC. Litchford, who sits on the R-CISC advisory board, says one big concern is to ensure the smallest retailers who can't afford the thousands of dollars in dues to join the R-CISC will also be able to participate.

R-CISC dues are based on corporate revenue and range from $2,000 per year for a company with less than $250 million in revenues to $35,000 for a company with greater than $10 billion in revenues.

"We have 12,000 members, down to the smallest mom and pop shop. They've got to have some level of information-sharing without spending thousands of dollars to join an ISAC," Litchford says. At the least they need to receive critical threat notifications, he says.

Law enforcement officials say small businesses, including small merchants, are often ground zero for new malware variants. That makes them valuable members of the R-CISC, too. There currently are some small retailer members, and RILA is well aware that pricing has to be affordable for them to participate.

RILA's Squier says the R-CISC is working on outreach to smaller merchants, via other trade associations who represent them.

All sizes of retailers need to be sharing intel and working together against unprecedented levels of threats and attacks, says Nick Ahrens, vice president of cybersecurity and privacy at RILA.

No silver bullet
But no one expects the R-CISC to eradicate attacks on retailers.

"I don't think there are any guarantees, but we absolutely think this is a critical tool in the toolbox. This is a team sport... You can only win by all fighting together," Ahrens says, adding that retailers increasingly are sharing more and more intel, and their confidentiality concerns are starting to wane.

Ahrens says merely investing in security technology and resources isn't enough for a retailer today, especially at a time when even JP Morgan and the White House are also getting hit by cyberattacks.

One of the next phases of the R-CISC will be to automate the ingestion of the intelligence within members' networks. That's the Holy Grail of intel-sharing ISACs, and several industry standards are gradually becoming adopted that allow for machine-readable intel to go straight to security tools to defend against the latest threat.

"We absolutely have to get to that," Ahrens says. "You have to remember that the retail industry is broad and deep and has varying levels of [technology] sophistication among members. Some have the ability to integrate machine-readable information into their systems more than a smaller retailer would."

Ahrens says as the R-CISC evolves and begins collecting dues (its first few months have been gratis), its capabilities will be upgraded as well, including adding "real-time, machine-readable information."

RILA's Squier says the R-CISC has come a long way in a short time period. "The fact that in just four months we already have a very vigorous dialog going on is really a kudos to the industry. Not only [sharing] threat indicators, but leading practices," she says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
10/31/2014 | 3:40:42 PM
Re: Finally!
So true, @Robert. The Dairy Queen and Jimmy John's breaches were franchise-dependent, so they could serve as cautionary tales.
Robert McDougal,
User Rank: Ninja
10/31/2014 | 2:51:08 PM
Re: Finally!
I would hope that the mother company would realize the benefit to helping the franchisees is critical to maintaining customer faith in their brand name.  Many franchisees, even though they have a big time name, are often small operations and don't have the resources to handle these threats on their own.  A breach at a Franchise McDonalds, for example, is just as damaging to the brand name as a breach at the corporate office.
Kelly Jackson Higgins,
User Rank: Strategist
10/31/2014 | 1:33:17 PM
Re: Finally!
Good question. I think it depends on the chain itself and how they "regulate" the franchises. 
Marilyn Cohodas,
User Rank: Strategist
10/31/2014 | 12:24:15 PM
Re: Finally!
Kelly, where do the franchisees fit in in this spectrum of small to mega retailers? Are they getting support from the big guys or are they on their own?
Kelly Jackson Higgins,
User Rank: Strategist
10/31/2014 | 9:59:38 AM
Re: Finally!
Great question. The retail industry folks didn't share a lot of details on this, but one thing they are working on is getting alerts via the intel-sharing platforms about the latest malware targeting retailers to these smaller firms. They also offer education and training on security issues, etc. 
Broadway0474,
User Rank: Apprentice
10/30/2014 | 10:55:55 PM
Re: Finally!
Kelly, I would assume some of these mom and pop retailers --- maybe most --- aren't sophisticated technology wise or are lacking in significant resources to implement security. How are the big boys helping out with those issues?
Kelly Jackson Higgins,
User Rank: Strategist
10/30/2014 | 5:49:09 PM
Re: Finally!
The smaller retailers need threat information as well, but may not have the tech resources to apply them. While RILA and NRF wouldn't share some details of the inner workings of the sharing, there was definitely a common thread of making the intel useful and actionable for the smaller retailers as well. The key is getting the word out to some of the mom-and-pops and giving them guidance on how to use the information to protect their operations, something NRF is very focused on.
Marilyn Cohodas,
User Rank: Strategist
10/30/2014 | 3:31:41 PM
Finally!
This is a great start and a much-needed collaboration within the retail industry. But how closely are the needs of the two groups aligned? I would suspect that the needs and resources of the smaller retailers would be much different than the big box chains.