Dark Reading is part of the Informa Tech Division of Informa PLC


10/30/2014
03:10 PM

Retailers Now Actively Sharing Cyberthreat Intelligence

The retail industry's R-CISC has been up and running for four months now and is looking for more retailers to sign up.

When a threat alert arrived about a new malware threat during a recent industry gathering of retailers, a group of them immediately left the room to check in with their home networks. The intel came in the form of an email via the retail industry's new intelligence-sharing program, the Retail Cyber Intelligence Sharing Center (R-CISC).

"We happened to be having a meeting... and someone got intel on some malware. Immediately, people got up [and left the room] and checked on their systems and detected it," says Suzie Squier, senior vice president of the Retail Industry Leaders Association (RILA), which spearheaded the formation of the R-CISC. 

R-CISC, which RILA announced back in May, has been up and running for about four months now, gradually ramping up to 100 member retail organizations participating in the industry's information sharing and analysis center (ISAC). Target, American Eagle Outfitters, Gap, JC Penney, Lowe's, Nike, Safeway, VF, Walgreens, and other major retailers sit on the board of directors of the R-CISC, a portal-based threat intelligence-sharing platform for retailers that includes feeds from government and other industry sources, and provides threat analysis. It's open to all retailers -- not just RILA members -- including small merchants and online-only e-commerce sites.

R-CISC also offers education and training for participants, and shares threat information with the US Department of Homeland Security, the US Secret Service, and the FBI.

Calls for an official threat intel-sharing mechanism for the retail industry intensified in the wake of Target's epic data breach late last year. The retail industry at the time had no formal threat and attack intelligence-sharing mechanism like financial services, the defense industrial base, and other industries have, and concerns arose that the industry was being blindsided by attacks and malware.

[After the Year of the Retail Breach, retail's annual holiday shopping season "freeze" on new technology and some security patching is just around the corner. Read Retailers Facing Intensified Cyberthreat This Holiday Season.]

Another retail association, the National Retail Federation (NRF), earlier this year also began forming an intel-sharing platform, sparking concerns of dueling intel-sharing mechanisms. But the NRF, which represents many smaller retailers, grocery chains and restaurants, now says it plans to ultimately integrate its platform with the R-CISC.

NRF has been running a threat alert system since early June that's generating some 15 to 20 alerts per day, says Tom Litchford, vice president of retail technologies at NRF. The NRF's platform is linked to the financial services industry's ISAC, FS-ISAC. "We're connected at the hip with the financial services industry. US-CERT is providing stuff to us [as well]," Litchford says. There are also plans to link with private industry threat intelligence feeds, he says.

The government's July 31 alert about the notorious Backoff malware that struck multiple retailers' POS platforms, which was sent to NRF members via the intel-sharing mechanism, actually helped quell some attacks, he says. "One of our members used it to check and sure enough, found evidence of a [Backoff] breach. They were able to limit or mitigate it to less than one percent of their stores," Litchford says.

NRF is also working closely with RILA to integrate its platform with the R-CISC. Litchford, who sits on the R-CISC advisory board, says one big concern is to ensure the smallest retailers who can't afford the thousands of dollars in dues to join the R-CISC will also be able to participate.

R-CISC dues are based on corporate revenue and range from $2,000 per year for a company with less than $250 million in revenues to $35,000 for a company with greater than $10 billion in revenues.

"We have 12,000 members, down to the smallest mom and pop shop. They've got to have some level of information-sharing without spending thousands of dollars to join an ISAC," Litchford says. At the least they need to receive critical threat notifications, he says.

Law enforcement officials say small businesses, including small merchants, are often ground zero for new malware variants. That makes them valuable members of the R-CISC, too. There currently are some small retailer members, and RILA is well aware that pricing has to be affordable for them to participate.

RILA's Squier says the R-CISC is working on outreach to smaller merchants via other trade associations that represent them.

All sizes of retailers need to be sharing intel and working together against unprecedented levels of threats and attacks, says Nick Ahrens, vice president of cybersecurity and privacy at RILA.

No silver bullet
But no one expects the R-CISC to eradicate attacks on retailers.

"I don't think there are any guarantees, but we absolutely think this is a critical tool in the toolbox. This is a team sport... You can only win by all fighting together," Ahrens says, adding that retailers increasingly are sharing more and more intel, and their confidentiality concerns are starting to wane.

Ahrens says merely investing in security technology and resources isn't enough for a retailer today, especially at a time when even JP Morgan and the White House are also getting hit by cyberattacks.

One of the next phases of the R-CISC will be to automate the ingestion of the intelligence within members' networks. That's the Holy Grail of intel-sharing ISACs, and several industry standards are gradually being adopted that allow for machine-readable intel to go straight to security tools to defend against the latest threat.

"We absolutely have to get to that," Ahrens says. "You have to remember that the retail industry is broad and deep and has varying levels of [technology] sophistication among members. Some have the ability to integrate machine-readable information into their systems more than a smaller retailer would."

Ahrens says as the R-CISC evolves and begins collecting dues (its first few months have been gratis), its capabilities will be upgraded as well, including adding "real-time, machine-readable information."

RILA's Squier says the R-CISC has come a long way in a short time period. "The fact that in just four months we already have a very vigorous dialog going on is really a kudos to the industry. Not only [sharing] threat indicators, but leading practices," she says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
10/31/2014 | 3:40:42 PM
Re: Finally!
So true, @Robert. The Dairy Queen and Jimmy John's breaches were franchise-dependent, so they could serve as cautionary tales.
Robert McDougal,
User Rank: Ninja
10/31/2014 | 2:51:08 PM
Re: Finally!
I would hope that the mother company would realize the benefit to helping the franchisees is critical to maintaining customer faith in their brand name. Many franchisees, even though they have a big time name, are often small operations and don't have the resources to handle these threats on their own. A breach at a franchise McDonald's, for example, is just as damaging to the brand name as a breach at the corporate office.
Kelly Jackson Higgins,
User Rank: Strategist
10/31/2014 | 1:33:17 PM
Re: Finally!
Good question. I think it depends on the chain itself and how they "regulate" the franchises. 
Marilyn Cohodas,
User Rank: Strategist
10/31/2014 | 12:24:15 PM
Re: Finally!
Kelly, where do the franchisees fit in in this spectrum of small to mega retailers? Are they getting support from the big guys or are they on their own?
Kelly Jackson Higgins,
User Rank: Strategist
10/31/2014 | 9:59:38 AM
Re: Finally!
Great question. The retail industry folks didn't share a lot of details on this, but one thing they are working on is getting alerts via the intel-sharing platforms about the latest malware targeting retailers to these smaller firms. They also offer education and training on security issues, etc. 
Broadway0474,
User Rank: Apprentice
10/30/2014 | 10:55:55 PM
Re: Finally!
Kelly, I would assume some of these mom and pop retailers --- maybe most --- aren't sophisticated technology wise or are lacking in significant resources to implement security. How are the big boys helping out with those issues?
Kelly Jackson Higgins,
User Rank: Strategist
10/30/2014 | 5:49:09 PM
Re: Finally!
The smaller retailers need threat information as well, but may not have the tech resources to apply them. While RILA and NRF wouldn't share some details of the inner workings of the sharing, there was definitely a common thread of making the intel useful and actionable for the smaller retailers as well. The key is getting the word out to some of the mom-and-pops and giving them guidance on how to use the information to protect their operations, something NRF is very focused on.
Marilyn Cohodas,
User Rank: Strategist
10/30/2014 | 3:31:41 PM
Finally!
This is a great start and a much-needed collaboration within the retail industry. But how closely are the needs of the two groups aligned? I would suspect that the needs and resources of the smaller retailers would be much different than the big box chains.