Dark Reading is part of the Informa Tech Division of Informa PLC

10/30/2014
03:10 PM
Retailers Now Actively Sharing Cyberthreat Intelligence

The retail industry's R-CISC has been up and running for four months now and is looking for more retailers to sign up.

When a threat alert arrived about a new malware threat during a recent industry gathering of retailers, a group of them immediately left the room to check in with their home networks. The intel came in the form of an email via the retail industry's new intelligence-sharing program, the Retail Cyber Intelligence Sharing Center (R-CISC).

"We happened to be having a meeting... and someone got intel on some malware. Immediately, people got up [and left the room] and checked on their systems and detected it," says Suzie Squier, senior vice president of the Retail Industry Leaders Association (RILA), which spearheaded the formation of the R-CISC. 

R-CISC, which RILA announced back in May, has been up and running for about four months now, gradually ramping up to 100 member retail organizations participating in the industry's information sharing and analysis center (ISAC). Target, American Eagle Outfitters, Gap, JC Penney, Lowe's, Nike, Safeway, VF, Walgreens, and other major retailers sit on the board of directors of the R-CISC, a portal-based threat intelligence-sharing platform for retailers that includes feeds from government and other industry sources, and provides threat analysis. It's open to all retailers -- not just RILA members -- including small merchants and online-only e-commerce sites.

R-CISC also offers education and training for participants, and shares threat information with the US Department of Homeland Security, the US Secret Service, and the FBI.

Calls for an official threat intel-sharing mechanism for the retail industry intensified in the wake of Target's epic data breach late last year. The retail industry at the time had no formal threat and attack intelligence-sharing mechanism like financial services, the defense industrial base, and other industries have, and concerns arose that the industry was being blindsided by attacks and malware.

[After the Year of the Retail Breach, retail's annual holiday shopping season "freeze" on new technology and some security patching is just around the corner. Read Retailers Facing Intensified Cyberthreat This Holiday Season.]

Another retail association, the National Retail Federation (NRF), earlier this year also began forming an intel-sharing platform, sparking concerns of dueling intel-sharing mechanisms. But the NRF, which represents many smaller retailers, grocery chains and restaurants, now says it plans to ultimately integrate its platform with the R-CISC.

NRF has been running a threat alert system since early June that's generating some 15 to 20 alerts per day, says Tom Litchford, vice president of retail technologies at NRF. The NRF's platform is linked to the financial services industry's ISAC, FS-ISAC. "We're connected at the hip with the financial services industry. US-CERT is providing stuff to us [as well]," Litchford says. There are also plans to link with private industry threat intelligence feeds, he says.

The government's July 31 alert about the notorious Backoff malware that struck multiple retailers' POS platforms, which was sent to NRF members via the intel-sharing mechanism, actually helped quell some attacks, he says. "One of our members used it to check and sure enough, found evidence of a [Backoff] breach. They were able to limit or mitigate it to less than one percent of their stores," Litchford says.

NRF is also working closely with RILA to integrate its platform with the R-CISC. Litchford, who sits on the R-CISC advisory board, says one big concern is to ensure the smallest retailers who can't afford the thousands of dollars in dues to join the R-CISC will also be able to participate.

R-CISC dues are based on corporate revenue and range from $2,000 per year for a company with less than $250 million in revenues to $35,000 for a company with greater than $10 billion in revenues.

"We have 12,000 members, down to the smallest mom and pop shop. They've got to have some level of information-sharing without spending thousands of dollars to join an ISAC," Litchford says. At the least they need to receive critical threat notifications, he says.

Law enforcement officials say small businesses, including small merchants, are often ground zero for new malware variants. That makes them valuable members of the R-CISC, too. There currently are some small retailer members, and RILA is well aware that pricing has to be affordable for them to participate.

RILA's Squier says the R-CISC is working on outreach to smaller merchants, via other trade associations that represent them.

All sizes of retailers need to be sharing intel and working together against unprecedented levels of threats and attacks, says Nick Ahrens, vice president of cybersecurity and privacy at RILA.

No silver bullet
But no one expects the R-CISC to eradicate attacks on retailers.

"I don't think there are any guarantees, but we absolutely think this is a critical tool in the toolbox. This is a team sport... You can only win by all fighting together," Ahrens says, adding that retailers increasingly are sharing more and more intel, and their confidentiality concerns are starting to wane.

Ahrens says merely investing in security technology and resources isn't enough for a retailer today, especially at a time when even JP Morgan and the White House are also getting hit by cyberattacks.

One of the next phases of the R-CISC will be to automate the ingestion of the intelligence within members' networks. That's the Holy Grail of intel-sharing ISACs, and several industry standards are gradually being adopted that allow for machine-readable intel to go straight to security tools to defend against the latest threat.

"We absolutely have to get to that," Ahrens says. "You have to remember that the retail industry is broad and deep and has varying levels of [technology] sophistication among members. Some have the ability to integrate machine-readable information into their systems more than a smaller retailer would."

Ahrens says as the R-CISC evolves and begins collecting dues (its first few months have been gratis), its capabilities will be upgraded as well, including adding "real-time, machine-readable information."

RILA's Squier says the R-CISC has come a long way in a short time period. "The fact that in just four months we already have a very vigorous dialog going on is really a kudos to the industry. Not only [sharing] threat indicators, but leading practices," she says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
10/31/2014 | 3:40:42 PM
Re: Finally!
So true, @Robert. The Dairy Queen and Jimmy John's breaches were franchise-dependent, so they could serve as cautionary tales.
Robert McDougal,
User Rank: Ninja
10/31/2014 | 2:51:08 PM
Re: Finally!
I would hope that the mother company would realize the benefit to helping the franchisees is critical to maintaining customer faith in their brand name.  Many franchisees, even though they have a big time name, are often small operations and don't have the resources to handle these threats on their own.  A breach at a Franchise McDonalds, for example, is just as damaging to the brand name as a breach at the corporate office.
Kelly Jackson Higgins,
User Rank: Strategist
10/31/2014 | 1:33:17 PM
Re: Finally!
Good question. I think it depends on the chain itself and how they "regulate" the franchises. 
Marilyn Cohodas,
User Rank: Strategist
10/31/2014 | 12:24:15 PM
Re: Finally!
Kelly, where do the franchisees fit in in this spectrum of small to mega retailers? Are they getting support from the big guys or are they on their own?
Kelly Jackson Higgins,
User Rank: Strategist
10/31/2014 | 9:59:38 AM
Re: Finally!
Great question. The retail industry folks didn't share a lot of details on this, but one thing they are working on is getting alerts via the intel-sharing platforms about the latest malware targeting retailers to these smaller firms. They also offer education and training on security issues, etc. 
Broadway0474,
User Rank: Apprentice
10/30/2014 | 10:55:55 PM
Re: Finally!
Kelly, I would assume some of these mom and pop retailers --- maybe most --- aren't sophisticated technology wise or are lacking in significant resources to implement security. How are the big boys helping out with those issues?
Kelly Jackson Higgins,
User Rank: Strategist
10/30/2014 | 5:49:09 PM
Re: Finally!
The smaller retailers need threat information as well, but may not have the tech resources to apply them. While RILA and NRF wouldn't share some details of the inner workings of the sharing, there was definitely a common thread of making the intel useful and actionable for the smaller retailers as well. The key is getting the word out to some of the mom-and-pops and giving them guidance on how to use the information to protect their operations, something NRF is very focused on.
Marilyn Cohodas,
User Rank: Strategist
10/30/2014 | 3:31:41 PM
Finally!
This is a great start and a much-needed collaboration within the retail industry. But how closely are the needs of the two groups aligned? I would suspect that the needs and resources of the smaller retailers would be much different than the big box chains.