Retailing Another Threat Landscape Story

Posted by Dan Holden

It’s no secret that retail has suffered its share of breaches over the last few years. To some, our industry became a cautionary tale; to others, our headlines underscored the simple truth that a breach can happen to any company. While the fervent media coverage has somewhat died down, a retailer’s day-to-day offense and defense continue to evolve with the ebb and flow of attacker activity. So what do today’s threats look like from the retail front?

Much of the retailer’s challenge is shared with other industries: phishing, malware and DDoS attacks. However, the transactional nature of a retailer’s business puts it at risk of becoming part of the attacker’s infrastructure. PoS malware has stolen millions of credit card numbers, and gift cards are being used for money laundering. Retailers are caught in a tough game of assessing whether a real account is being used legitimately or illegitimately, or whether it is a fake account altogether.

Many organizations prioritize technologies and countermeasures, while others treat actionable threat intelligence as the missing link. The chase for magical threat indicators has proven to be a lot like the pot of gold at the end of the rainbow. At the Retail Cyber Intelligence Sharing Center (R-CISC), collaboration is core to enhancing retailers’ ability to combat threats and reduce risk. While threat intelligence has been an industry buzzword for years, experience provides solid examples of getting maximum value from threat intelligence and technology investments: threat intel has to be approached and applied across technology, people and processes alike.

What have retailers been doing over the last few years to bolster their capability, and how does the R-CISC help to enable that mission? While many have leveraged, or want to leverage, threat intelligence for improved automated incident prevention, this is harder than it sounds. Simply exchanging large blacklists does not make for confident blocking of threats. Threat intelligence needs to be explored and corroborated, and doing so often leads organizations to build out other security protocols such as incident response and remediation activities. Core to these functions is a central threat intelligence function or group, so that intelligence is constantly flowing throughout the larger organization and feeding both IT security processes and the business risk modeling used for decision making.
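The point that a shared blacklist alone is not enough to block on can be made concrete. The following is an added example, not code from the original post or from the R-CISC: it scores each shared indicator by how many independent sources report it, how recently it was seen, and whether the organization’s own sensors have observed it, and only then recommends an action. Every feed name, indicator value and sighting below is constructed for illustration; the weights and thresholds are assumptions a team would tune to its own environment.

```python
"""Corroborating shared threat indicators before acting on them.

Added example (not from the original post or the R-CISC). A raw blacklist
treats every entry as equally trustworthy; this scorer instead asks how well
an indicator is corroborated before it is allowed to drive a block action.
All feed names, indicators and sightings are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is reproducible when run offline.
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)

# Constructed allowlist: shared infrastructure (CDNs, shared hosting) that a
# raw blacklist would block outright, taking legitimate traffic down with it.
SHARED_INFRA = {"cdn.example-cdn.net", "shared-host.example"}


@dataclass
class Sighting:
    source: str          # feed or internal sensor that reported the indicator
    seen: datetime       # when that source last observed it
    context: str = ""    # free-text context (malware family, campaign, ...)


@dataclass
class Indicator:
    value: str
    kind: str                              # "ip", "domain" or "sha256"
    sightings: list = field(default_factory=list)


def score(ind: Indicator, now: datetime = NOW) -> float:
    """Return a 0..1 confidence that the indicator is worth acting on.

    - each independent external feed adds weight with diminishing returns
      (1 feed = 0.5, 2 feeds = 0.75, 3 feeds = 0.875, ...)
    - a sighting by our own sensors ("internal:...") counts as two feeds,
      because it proves the indicator is relevant to this environment
    - recency: full weight up to 30 days old, decaying linearly to zero at 90
    """
    if not ind.sightings:
        return 0.0
    external = {s.source for s in ind.sightings if s.source.startswith("feed:")}
    internal = [s for s in ind.sightings if s.source.startswith("internal:")]
    corroboration = 1 - 0.5 ** (len(external) + 2 * len(internal))
    age_days = (now - max(s.seen for s in ind.sightings)).days
    if age_days <= 30:
        recency = 1.0
    elif age_days >= 90:
        recency = 0.0
    else:
        recency = (90 - age_days) / 60
    return corroboration * recency


def recommend(ind: Indicator, now: datetime = NOW) -> str:
    """Map a score to an action; shared infrastructure is never auto-blocked."""
    if ind.value in SHARED_INFRA:
        return "investigate"
    s = score(ind, now)
    if s >= 0.8:
        return "block"
    if s >= 0.4:
        return "alert"
    return "watch"


def sample_indicators(now: datetime = NOW) -> list:
    """Constructed sample data standing in for a shared blacklist plus local telemetry."""
    d = lambda days: now - timedelta(days=days)
    return [
        # Two feeds agree and our own proxy logs saw a register talk to it.
        Indicator("198.51.100.23", "ip", [
            Sighting("feed:isac-share", d(2), "PoS malware C2 (constructed)"),
            Sighting("feed:vendor-a", d(5)),
            Sighting("internal:proxy-logs", d(1), "outbound from store register"),
        ]),
        # A single feed, recent, nothing else: worth an alert, not a block.
        Indicator("203.0.113.9", "ip", [Sighting("feed:vendor-a", d(3))]),
        # Three feeds agree, but it is shared CDN infrastructure.
        Indicator("cdn.example-cdn.net", "domain", [
            Sighting("feed:isac-share", d(1)),
            Sighting("feed:vendor-a", d(1)),
            Sighting("feed:vendor-b", d(2)),
        ]),
        # One stale sighting of a (constructed, non-real) file hash.
        Indicator("ab" * 32, "sha256", [Sighting("feed:vendor-b", d(60))]),
    ]


def triage(indicators: list, now: datetime = NOW) -> dict:
    """Return {indicator value: (score, recommended action)} for a batch."""
    return {i.value: (score(i, now), recommend(i, now)) for i in indicators}


if __name__ == "__main__":
    for value, (s, action) in triage(sample_indicators()).items():
        print(f"{value:<66} score={s:.3f} action={action}")
```

Run as a script, the block shows why the same four entries on a flat blacklist end up with four different dispositions: only the indicator corroborated by two feeds and internal telemetry is blocked, the single-source one raises an alert, the CDN hostname is routed to an analyst, and the stale hash is merely watched.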

After years of debate around the usefulness of cyber attribution, some sophisticated organizations have found value in tracking attacker TTPs over time to determine attacker capabilities and anticipate potential targets. Strategies include real-time monitoring of botnets, sinkholing, passive DNS monitoring and tracking of malware family updates for timely assessment of risk. Monitoring attackers, rather than attacks, better enables ongoing business risk assessment of many security practices. While no organization will ever know about every threat it might be facing, the more prescriptive organizations are about ongoing risk, the better they understand the threat campaigns and the return on their threat intelligence investment overall. A solid foundation of real-time monitoring, both of the retail environment and of the retail-related threat actors, lets an organization push into more and more areas of proactive security.

Threat hunting is an increasingly popular activity with strong fundamentals in incident response and threat monitoring. Leveraging threat intelligence from both internal and external sources allows security analysts to look for compromised systems and attackers at various stages of the kill chain, rather than having to wait for a potentially detrimental breach to occur to kick off response and remediation. While threat hunting requires an up-front investment, the potential payoff of a successful hunt can make it well worth the time and investment.

Operating as the retail ISAC, the R-CISC serves as the conduit for collaboration, threat intelligence sharing and cooperation between cybersecurity teams within the retail industry. The R-CISC focuses on building and sustaining valuable programs, partnerships and opportunities for members to grow trust-based relationships, strategic knowledge and tactical capabilities. Members of all sizes come together to share cyber intelligence on incidents and threat vulnerabilities, and work together to create guidelines and standards for industry-wide cybersecurity practices.

For more information on R-CISC membership, visit us at

Dan Holden

CTO & Intelligence Director, Retail Cyber Intelligence Sharing Center (R-CISC)

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.