RSA Conference 2017
Key takeaways from the R-CISC’s week at RSA Conference

Hi, I’m Alex Brown. As Community Manager at the R-CISC, I’m thrilled to begin working with and learning from all of you on how to best facilitate conversations and disseminate information that drives value for you within your organizations and in the retail cybersecurity space. Kicking off what I hope to be an ongoing conversation, I wanted to share some information on what we’ve been up to thus far in 2017 and what we’re planning for all of you in the coming months.

Like many of you, the R-CISC team just wrapped up a brilliant week full of thoughtful conversation, strategy, development, and important security conversations at the 2017 RSA Conference. We connected with many from the ISAC and ISAO community, retailers, government agencies, associate members, and media partners. We’re energized and excited to move forward with partnerships that amplify opportunities to support the retail cyber intelligence community.

The R-CISC hosted several events at RSA. One session informed members of our 2017 initiatives that guide our advancement. We’re amplifying existing partnerships and building new ones to increase information sharing capabilities and enhance our access to intelligence that heightens strategic knowledge exchange. The R-CISC also facilitated a peer-to-peer discussion on digital transformation that focused on customer attack vectors, attacker innovation, strategies for mitigating risk, challenges and best practices in the field. Lastly, we had an open house on Friday morning for more informal conversation and connections with members. To those of you who took the time to attend our sessions, thank you for engaging and supporting the R-CISC community. We hope that your time spent with us was valuable.

Our inspired group of R-CISC staff are now diving head first into the 2017 Retail Collaboratory, the next big meeting for information security professionals within retail. This event, taking place May 9-10 in Frisco, Tx is a unique, two-day forum designed with workshop and whiteboard style sessions intended to shepherd meaningful dialogue that addresses retail critical subjects.

Look for an announcement in the coming week that highlights some of our exciting speakers and sessions. Interested in attending? Please go here to learn more about qualifications to attend, hotel information, and to register today.

Interested in participating in the agenda? Questions about the Collaboratory? Please reach out to me directly at

Read More
The Retail ISAC (R-CISC) Presents our Holiday Guidance Series for Retailers

The Retail ISAC (R-CISC) is pleased to invite all eligible retailers to join in our upcoming Holiday Guidance webinar series designed to arm information security professionals from retail, restaurants, hotels, hospitality, and our partner sectors with actionable insight, strategies, and peer discussion opportunities throughout this most busy time of year! Interested individuals can email for registration details and join prepared to engage and share during these lively, interactive sessions. For more information on the R-CISC email

As many of you are aware, on October 21, 2016, a series of distributed denial-of-service (DDoS) attacks against Dyn DNS impacted the availability of a number of sites concentrated in the Northeast US and, later, other areas of the country. Impacted sites included: PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify, and RuneScape. While the attacks were still ongoing, Flashpoint was able to confirm that at least one portion of the attack was initiated by a Mirai Command and Control server. R-CISC Core/Core+ members and eligable, non-member retailers are invited to join on Wednesday, November 2 from 11-12p pacific/2-3p eastern for An After-Action Analysis of the Mirai Botnet Attacks on Dyn. During this session, Allison Nixon, Director of Research, and Zach Wikholm, Research Developer at Flashpoint, will discuss the anatomy and implications of the attacks. This session is classified TLP:Green and is open to Core/Core+ members and eligible non-member retailers, only. 

Next up, the R-CISC will host a Q3 Threat Briefing on Thursday, November 3 from 10-11a pacific/1-2p eastern to evaluate the retail cybersecurity threat landscape and preparations for the coming holiday season. This interactive session is led by Executive Director, Brian Engle and Research Director, Wendy Nather and includes an overview of Q3 observed threats as well as analysis of observed significant events, current threat trends, and anticipated threats as we approach the upcoming holiday season. The briefing is designed to be interactive, and participants are encouraged to join prepared to share and contribute to the session as we together anticipate the threats that may be in store, along with the priorities for preparing to defend against them in advance of the holiday season. This session is classified TLP:Green and is open to Core/Core+ members and eligible non-member retailers, only. 

The R-CISC is proud to support the information security community in these important conversations and to serve as the conduit for collaboration, information sharing and cooperation among retailers worldwide. We are stronger together.

*The R-CISC leverages the The US-CERT Traffic Light Protocol (TLP)  to specify how and where contributed threat intelligence may be shared. TLP Green indicates that the information  may be passed around a general community, but should not be shared in public. For example, a notification about a phishing campaign affecting everyone who uses a particular POS system could be shared even outside the R-CISC with other retailers, but should not be discussed on Twitter or Facebook where adversaries could see it; nor should it be shared with the media.
Read More
Beyond the Cybersecurity Breach: To the Right of Boom

A series of cybersecurity breaches in the 2013 to 2014 timeframe were the shot heard throughout the industry for many retailers. For some retailers the shot has resulted in a direct hit, while for others it has served as a warning fired across the bow. In all cases, the impact of these events has resulted in significant changes in strategies for retailers as they fortify their defenses and protect the payment channel from cyber criminals.


Cybersecurity efforts have largely been focused on the timeline to the left of the breach event. Strategies have included shoring up the payment transaction with end to end encryption, bolstering extensive layers of protection and defensive measures, and developing improved detection and monitoring capabilities to thwart cybersecurity breaches of payment card and customer information. Among the numerous strategic efforts was the formation of the R-CISC to enable threat intelligence and cybersecurity information sharing throughout the industry to get ahead of the threat.


These cybersecurity efforts have demonstrated a continued diligent and programmatic effort is needed to protect against the attacks of criminals. However, these efforts in and of themselves are not enough, as the impact of payment card breaches has a ripple effect of loss and costs to many organizations outside of the breached merchant. The ensuing fraud and monetization performed by criminals is costly and broadly impacting, affecting financial firms, merchants, and the consumer cardholders to the tune of millions upon millions of dollars per year. The LexisNexis 2016 True Cost of Fraud report ( provides a grim representation of fraud statistics with indications of fraud losses increasing across the board.


Activities observed and shared between retailers within the R-CISC have provided insights into the complex nature of the criminal efforts in several significant events. These observations have allowed leading cybersecurity experts to see into the expertise and division of labor at the stages of the Lockheed Martin Cyber Kill Chain that include the development of tools and weapons, the delivery of these weapons, and the eventual command and control enable leading to exploitation and exfiltration of data. The adversaries are not just working together; they are creating an economic marketplace of efficiency for attacking industries and businesses. The criminal capabilities then extend into the monetization and extraction of funds through additional stages not contemplated by the Lockheed Martin Cyber Kill Chain.


In order to disrupt the cybercriminal fraud crime chain, it is apparent that we need to see increased collaborative efforts between cybersecurity and fraud professionals, applying techniques and intelligence from all sides of the equation to combat the criminals. As we wrap up Cybersecurity Awareness Month and approach Fraud Awareness Week November 13-19, 2016, let’s put our brains and efforts together to make a real difference in our continued work to secure retail. (Or some derivative of our Securing Retail theme).


Brian Engle

R-CISC Executive Director 

Read More
Accepting the Challenge

Last week was our inaugural R-CISC Summit in Chicago. With just over 200 attendees, we had the most significant retail industry professionals covering the latest and greatest in cybersecurity issues and trends.


Kicking off the two days of deep discussions was a session with the R-CISC Board of Directors sharing their vision of the future. Building on the the critically important topic of collaboration, one of our Board Members, David McLeod (CISO, JC Penney) talked about important security measures that need to be adopted more widely within the industry. He described this as “making the minority the majority,” a theme that carried throughout the Summit, and has become a mantra for the R-CISC community efforts.


Through collaboration and discussions in the many interactive sessions that occurred over the two-day Summit, sharing was the name of the game. The National Cybersecurity Center of Excellent (NCCoE) proposed two reference architecture projects: Multifactor Authentication for e-Commerce and Securing Non-Credit Card, Sensitive Consumer Data, both of which are intended to put promotable practices into the form of reproducible technology. Attendees listed other practices they had successfully implemented, such as geo-blocking, card data tokenization, E2E and P2P encryption, and phishing awareness training. Securing eCommerce is a significant focus for our members, and a primary research topic for the R-CISC that will have many ongoing workshop efforts.


R-CISC members presented on everything from mobile payment security to practical metrics and IoT, and our Associate Members brought their expertise to the table in areas such as using threat intel for continuous monitoring, restoring trust after a breach, and first principles for network defenders. We rounded out the lineup with global perspectives, such as the geopolitical implications for retail cybersecurity and using disruptive technologies to assist in disasters. One of the things I’m really proud of is the wide variety of topics we featured; this conference showed that the R-CISC membership has a multitude of risks that are not just at the traditional Point of Sale terminal.


Everyone has their favorite high points from the summit – I have to admit that recognizing the R-CISC top contributors at our member dinner was at the top of the list, but the Q&A session with Brian Krebs was a close second. Overall, the best part for me was seeing organizations of all sizes sitting down together and learning from one another. While the Amazons, Googles, Facebooks and AT&Ts of the world may have resources the rest of us can only dream of, we can share a vision of how to make security work. And we’ll check in on our progress next year.

Read More
Sharing threat intelligence at both ends of the chain

An SC Magazine e-book came out recently, dubbed “Retail Retaliation,” which gives a good summation of some of the issues facing retailers these days. It’s an oversimplification to say it’s all about that POS, but we certainly know that attackers are going to keep exploiting vulnerabilities where the transactions occur.

Ranging from physical compromise of the POS system to malware drops, lateral attacks across the network, supply chain tampering, and application-level fraud, there are multiple layers and vectors to monitor. Threat intelligence encompasses much more than machine-readable indicators that go straight into a rule or a filter: it has to include tactics and techniques such as misusing the transaction communication system to send spam, or hijacking customer accounts to commit warranty fraud. While trading indicators on POS malware is important, we need to make sure that the information exchange goes all along the supply chain, the “kill” chain, the transaction chain, and the fraud chain.

1449522038121_retail ebook

Read More