The Retail & Hospitality ISAC Podcast 6.28.23
Ep 30 | 6.28.23

Securing the Store of the Future & Intel Briefing

[ Music ]

Luke Vander Linden: Namaste, everyone. This is Luke Vander Linden, VP of Membership at the Retail & Hospitality Information Sharing and Analysis Center. I'm proud to be host of the RH-ISAC Podcast. Thanks for joining us.

[ Music ]

For those of us in the northern hemisphere, I hope you're enjoying the sunshine of summer, and for our friends down south, that you're having a mild and brisk winter. For some, this is the time of year where things slow down a bit, but not for us. June has been a whirlwind of activity mostly because of the number of organizations with which we partner. Three of our team members traveled down to Dallas, Texas for the National Retail Federation's Protect Conference. Historically, this conference has been about physical security, but cyber and physical continue to merge. Threat actors certainly don't see a distinction if they see an opportunity. Our own Kristen Dalton and Bryon Hundley, who've both been on this podcast before, got to do a panel with some of our members on business risk and the value of cybersecurity programs. Thanks to Becky Goza from Love's Travel Stops, Tae Kim from Albertsons, and Ryan Clark from Black Rifle Coffee for lending their expertise to that panel. Clair Green from our Membership Team was also there. It was a great event, and we love our partnership with the National Retail Federation. At the same time, our president, Suzie Squier, who we haven't had on the podcast in a while -- we need to fix that soon, if only for my own job security -- was up in Montreal at the FIRST Conference. There she was on a panel with three other ISAC leaders, Denise Anderson of the Health-ISAC, Faye Francy of the Auto-ISAC, and Bridgette Walsh of the Financial Services ISAC, all women by the way. Their session was on information sharing, joining forces to protect the universe, a lofty goal. They each spoke of their own journeys and about the challenges, opportunities and rewards of leading ISACs. Depending on how you count them, there are two or three dozen other ISACs out there, serving different sectors. 
We're all separate organizations, and we each do things differently, but our partnerships with other ISACs are very important to us, especially as we work to grow and serve the good guys. Speaking of which, our third event this month was in London at the Infosecurity Europe Conference, where we partnered with other ISACs as part of the fairly new European Council of ISACs, again, an opportunity to support the good work that other ISACs do, and I'm happy to say I got to go to that one. And then finally, we had a couple sessions at the American Hospitality and Lodging Association's Hospitality Show in Las Vegas to close out the month. I got to go to that one, too, but again, it was Kristen Dalton up on the stage, anchoring a panel with several of our members. So, thank you to Steve Benea [phonetic] from Wynn, Las Vegas, Ken Haertling from Las Vegas Sands, and Charles Fedorko from Sage Hospitality, and also to our own Intel analysts and all-around great guy Lee Clark, who also did a bit of presenting there. Speaking of Lee Clark, let's get down to what we have in store for us today on this episode. We welcome him back as we do every other episode for "the Briefing", but this is a very special segment this time. Verizon has just published their Data Breach Investigation Report, or DBIR. As we have done for the last several years, we publish our own report, comparing and contrasting their findings for the retail and hospitality sectors against RH-ISAC community sharing data that our analysts and intelligence teams have assembled. So, we will go over those findings for us, but first, we'll be joined by Shad Taylor, solution architect for Retail and Hospitality at Fortinet. Fortinet is, of course, a great associate member and supporter of the RH-ISAC and of this podcast from the very beginning. Shad and I will discuss securing the Store of the Future. What is the Store of the Future? Well, it's a lot. 
We'll define it, but it's always on, has a lot of IoT, a lot of data, so a lot to protect. So, a pretty packed episode. As always, we welcome your thoughts about the podcast or anything else. Shoot us an email at or if you're a member, hit me up on Slack or Member Exchange.

[ Music ]

All right, I'm now joined by Shad Taylor, solution architect for Retail and Hospitality from Fortinet. Welcome to the RH-ISAC Podcast, Shad.

Shad Taylor: Yeah, thanks for having me, Luke.

Luke Vander Linden: So, solution architect, retail and hospitality, tell me what that means. What do you do at Fortinet?

Shad Taylor: Yeah, so what I do at Fortinet, what we have is a concept of an overlay team. So, my focus is everything retail and hospitality. We like to say eat, drink, play, stay. So, it covers a huge swath, but my responsibilities primarily are to help retailers large and small solve some of their most difficult problems, help set a good market strategy, and basically just ensure that we're creating solutions that resonate, because it's bidirectional. If we're doing that, that means that we're helping solve problems and providing business outcomes for retailers, and they're going to want our products. So, it's just that simple.

Luke Vander Linden: You know, eat, drink, play, stay, I might have to steal that, because that's basically how we define retail and hospitality as well. That's great. So, I hear a lot of talk about the Store of the Future and obviously particularly for retailers. So, can you explain a little bit about what that means, if you can, if it's something that's easily definable, since it is of the future?

Shad Taylor: Yeah, you know, I get asked all the time, "What does the Store of the Future look like?" You know, and there's a couple of different ways to define it, and I will at times say, "Well, there's the Store of Tomorrow", which is just thinking about all the pain points that you have today with the technology of today and what can you change, but then there's also emerging, you know, it's meeting that consumer expectation. It's making sure that you can provide the exceptional guest experiences, right? And so, we're seeing a lot of trends inside of retail and hospitality at the consumer level that are driving some fundamental changes inside of their landscape.

Luke Vander Linden: So, like, what are some of the trends that you're seeing?

Shad Taylor: Yeah, so, you know, we like to call it digital differentiation. Most retailers in the pandemic really sped up the last 36 months. I say it was an expedited evolution more than a revolution. It wasn't that retailers and hoteliers didn't want to be leveraging some of the techniques and some of the systems that they leverage today, but they were forced to get there quickly, so that marriage of digital and physical in order to meet the consumer expectation where they want to be met. This can be things like, you know, contactless check-in or buy online pickup curbside. We're seeing that that trend is continuing to emerge, you know, really reducing the friction even more than we already have, you know, essentially, like, creating interactions and customer interactions that can be started on a mobile device. Almost every consumer inside of North America has a mobile device, and they expect to be able to interact with your brand on that mobile device, and that could be, you know, remotely or that could be inside of your location. But what we're also seeing is that's forcing change and to unify commerce. You know, unified commerce is this new term. It kind of started about three years ago, and really, it's just taking an omnichannel and saying, hey, omnichannel used to be the ultimate where everyone wanted to be, reaching your consumers in any channel that they wanted to be reached, however, what we found over the past 36 months is that those channels don't necessarily share information, right? They don't have visibility into each other. So, unified commerce is really taking that approach to maturing omnichannel in a manner in which you can now focus on customer interactions, where each channel has visibility into itself.

Luke Vander Linden: You know, that's great, because I talk- when I'm talking to, particularly QSRs or grocery stores, things that weren't necessarily online, before the pandemic, I would say, "Now, we're all ecommerce companies." But it's really more than that. As you say, consumers, individuals expect to have the same experience or that continue to experience whether it's their mobile device, whether it's through a computer, whether it's being in person that is- they think they're interacting with one entity, but those systems have been so disparate for so long.

Shad Taylor: Yeah, you know, and those interactions can occur at any time and from anywhere, and what that's truly making- that's- what that's doing to the landscape, the retail landscape is it's making that landscape pause, you know, essentially reflect and reevaluate and then reshuffle what their priorities are. Like I said, you know, we already- we went through a phase of providing new ways to reach our customers, but now we're asking ourselves, "Are we reaching them the most effective way? Is it the most efficient, is it the most secure way to reach our customers?" It's no surprise that a lot of retailers- this might have been the first time they ever had, you know, a cloud environment in their landscape. It might have been the first time they ever configured, you know, an S3 bucket or something similar. So, going back and making sure that you made the right investments and inside of that when you migrated or you're starting to mature your omnichannel experience into unified commerce is key here.

Luke Vander Linden: So, as you say, they're creating new experiences. They're adding new technologies, and what that means is new exposure. So, how should retailers, hoteliers, anybody in this sphere look to be able to protect all those new things and those new vulnerabilities that they've now brought on?

Shad Taylor: Yeah, so the infrastructure landscape has changed immensely for retailers and hoteliers. You know, I said previously that that interaction can happen anywhere at any time, but you have to be able- you're only as strong as your weakest link, you know? So, we're adding an immense amount of complexity, and complexity is the enemy of security. So, you have to think about your entire landscape. You have to think about how- what is traversing inside of my infrastructure for one single customer engagement? That customer may start their engagement on their mobile phone while they're in their car or while they're at home, but they want to continue that interaction while they're on-site, while they're inside of your Store of the Future, and you may want to have, you know, different devices interact with them in real time. It may be something as simple as they may want to scan and pay on their phone. They may want to check your inventory in real time. So, when you think about all the devices that we're starting to put in, when you think about all the transactions that have to maybe traverse your store, your headquarters, your campus environment, your distribution, your cloud environment, maybe you have multiple or you're a hybrid cloud environment, it can be extremely daunting task in order to provide the performance, because, you know, it can't be slow. It has to be highly performing. The consumer expects that to be almost instantaneous in a response on their mobile device. So, you have to think about items like zero touch. You have to think about really treating your inside like you treat your outside, and that's difficult to do at scale. You know, you have to be able to provide those patterns and lay out those patterns and enforcements at scale. That way you provide that consistent experience for the consumer.

Luke Vander Linden: Right, and then beyond the technology that you add, there's all kinds of physical IoT technologies that you're adding in stores as well to be able to do all those things like inventory and who knows what else.

Shad Taylor: Yeah, I like to say that the automation revolution is here, and it's real, and IoT is essentially enabling that to occur, whether it be to provide new exceptional customer experience or guest experiences, all the way to eliminating mundane tasks for your workforce, so they can interact. We have to remember that people still like to interact with people. You know, just because we may try to augment or have a self-service kiosk or something of that nature or scan a barcode or a QR code in order to provide your order, there's still going to be an ambassador of your brand. They're still going to interact with someone. So, freeing them up in order to do that is what we're doing on the operational automation side, but I think that what you have to think about here is, you know, we have items, whether it can be self-cleaning robots or it can be walk-in cooler temperature sensors or it can be something more advanced like computer vision and mapping out your location or maybe collecting consumer sentiment. Those things help and go a long way to create that exceptional guest experience, but you have to be able to secure those devices. You have to be able to say what-- one, you have to have visibility. So, you have to identify that a device has been installed inside of your environment. You have to be able to microsegment that device. You know, that is kind of a concept of zero touch, again, treating your inside like your outside. So, you shouldn't just deploy these devices and assume everything is great. You know, what device are you deploying? What is that organization that created the device? And unfortunately, we have to think about those things and what I call the digital supply chain. So, the digital supply chain is the aspect of what is the firmware on that camera that you installed or on that sensor, how old is the company that created that sensor. 
If they go through [inaudible] security profile of that- is it calling home every three months, is it opening a backdoor into your environment? I'm a big fan that we have to- in order to, you know, I talked about the marriage of physical and digital, I talked about, you know, the expectations of the guests. So, that moves at a very fast pace. So, you have to be able to provide a safe harbor, a space for creative disruption inside your organization, and what I like to think about is when you look to initially deploy a new function, a new IoT device inside your environment, go ahead and collect all the data. So, analyze all the traffic for three months, put it in a lab, and then pilot it in a single store, and that store maybe you're inspecting, collecting all traffic for a three-month period. Understand in baseline what that traffic type looks like, and then build your policies around it. So, as you deploy it to the rest of your landscape, you're not going to have any sort of issues with lateral movement inside if there is a problem with that IoT device, and you're going to be able to exude confidence that you deployed something in the most secure manner possible.

Luke Vander Linden: That's incredible advice, and I know a lot of our members, maybe most of them, maybe all of them have like the sandbox stores that they can install the new technologies in and then play with them for a couple months to see how they work. But there's really nothing better than that real world kind of test to see what is really going on with these new technologies, whether they're actual programs and technologies or they're IoT.

Shad Taylor: Yeah, I mean, you know, we like to say- we'd like to think that we can test everything in the lab. It's prohibitively difficult to do that. We- there's a lot of tool sets to do that not every retailer is going to have and every hotel owner is going to have the same amount of resources in order to test these things. Not only that, but you have to think about, you know, the landscape we're talking about, it's highly licensed, it's highly franchised, you know, and those business owners, they want [inaudible], and they want to reach their customers the way that they want them to be reached. So, how do you identify it? How do you then provide them access in order to do that? They're not going to have a lab. They're just going to put it directly into operation. So, what can you do to marginalize and minimize that risk? And there are techniques that you can do in order to do that, things like microsegmentation, policy enforcement. If something did occur, they wouldn't have any additional access other than what that service needs. The good thing about these IoT devices, most of them are client-to-client communication. It's a client-server relationship. They're opening a TLS tunnel or an SSL tunnel to a cloud somewhere, and so that's all the access they need. So, there's some very basic- the foundation and the fundamentals are at play here, and as long as you do that, you're going to reduce that security risk vector and that attack vector significantly just by following some of the fundamentals.

Luke Vander Linden: Right. Well, you're quickly sliding into one of my favorite topics, third party risk. Obviously, a business can't do this alone. They have to have partners, technology partners, service partners to enhance the offerings that they're making for their guests and customers. So, how's the security of those integrations ensured to prevent, you know, potential vulnerabilities, backdoors that could be exploited?

Shad Taylor: Yeah, that's a really good question. I like to look at this kind of through three- two different lenses, the first being system integration. Almost every retailer today, they have system integration, API calls. I don't think you can sit on a call with a vendor or a partner and not talk about APIs at a certain extent, in order to integrate with systems to offload functions that maybe you don't want to handle. It could be anything from your loyalty landscape or it could be third party integration for delivery services. The second is the augmented workforce, meaning, you know, these IoT devices that you're installing, you're probably not going to have the workforce in order to perform maintenance or if something goes wrong in order to support them. So, not only that, but the company in which you were licensing those devices through, they're probably going to want to perform some level of support to that device remotely. So, as we move more and more into this environment in which we're putting additional devices from third parties that are going to need connectivity into our stores and into our hotels, then we need to think about remote access differently. We need to make sure that that is secure. We need to make sure that we're sandboxing it, that we're mantrapping it, that we're recording everything. But going back to the first ones, which is system integration, you know, basic API security, a lot of times you'd be surprised how basic authentication and security mechanisms for API calls are being performed. Now, with a lot of the big third party system integrations, absolutely, but it doesn't mean- the responsibility is still yours. It's still your brand to protect. You- no one's going to care more about your brand and your environment than you do. So, you need to have that conversation with any system integrator with anything that you're going to install. You need to talk about how secure are you. Do they perform security evaluations? 
Do they have a third party? Do they audit themselves? Do they get a third party audit? Maybe have a questionnaire formed there, because not only that, but when we do see something occur, when we do see if a breach occur, you know, things like ransomware, malware, wipers, the threat actors know that your environment now is well-connected, and it's more well-connected than it's ever been before. So, they're going to explore, and they're going to see is there any additional connectivity, not only inside of your environment to additional storefronts, but to any partners, to anybody, and they're going to do the same if they were to breach one of your system integrators. If they were to breach them, do they have access to your systems now? And they'll use that against you. So, doing some due diligence and thinking about, you know, when you install this device, when you install this robotic vacuum or mopping robot, how's it going to be supported remotely, if it goes offline? Those questions need to be considered, and I think that it'll pay dividends in the long run.

Luke Vander Linden: Yeah, you know, you said we've been doing some kind of looking at third party risk and trying to figure out if there's something that we can do to support that huge environment, the huge ecosystem out there, and our research so far has led us to tens of thousands of vendors out there that our members rely on, that retailers rely on. And it's just- it's so complex, and as you said before, this was something that was evolving anyway, but really, the pandemic kind of pushed us along faster and faster, and we're scrambling to keep up in some times, yeah.

Shad Taylor: Absolutely. You know, the speed in which we're having to innovate or to meet the consumer where they want to be met and the guests where they want to be met is at a pace we've never seen before, and it's- I'd like to say, you know, we gave our guests an engine, they're taking a mile and all for the right reasons, right? All for the right reasons. I mean, I'm spoiled to it. I, you know, I am a guest, I am a consumer. So, I expect things to work, you know? I expect certain levels of frictionless sort of interactions on a day-to-day basis, and the only way we're going to get there is by third party. We can't do it alone, but we're only as secure as our weakest link. So, make sure that anytime you're bringing a new vendor in, whether it be a device or with someone to augment your workforce, that you're doing the right measure. You have to be this tall to ride this ride, as I like to say. So, there has to be some level of questionnaire. There has to be some level of due diligence on is it meeting the security posture that you want for your organization?

Luke Vander Linden: So, we've talked a lot about devices. We've talked a lot about technologies to serve. We haven't talked a lot about data. So, when we talk about serving customers or guests, we have to know a lot about them, you know, data analytics, customer insights, so we can improve those operations and enhance their experience. So, what are your thoughts on maintaining the integrity and confidentiality of that kind of data?

Shad Taylor: It's only going to get harder is the short answer, but let's go into a little bit of details here. So, you know, first off, it's the responsibility of you, right, as an organization. If you have guests, if you're servicing any amount of customer consumer in order to secure their data, their PII data, whether- in all aspects. You know, we've had a lot of advancements, thankfully, in the past decade on- most people are now E2E encrypted, encrypted swipe. So, when we think about PCI data, it's not as much of a concern, and, you know, I have these conversations all the time of, well, my network is out of scope or my environment is out of scope, and I think about, well, are you collecting any amount of data both on your workforce, right? So, this can be your CRM and ERP programs and on your back of the house PC. Are you protecting the consumer data? So, it's PII data in general. When you think about compliance or regulations like GDPR and the right to erasure and you think about video analytics, and, you know, how is that occurring? Are we learning the faces every single time? What if that didn't occur? What happens if that regulation changes and the same amount of recording that we use for loss prevention, security, and safety is now under the same guise as GDPR when it comes to, you know, video analytics? That would be a very large gap in what we do today, because we don't learn faces if it's a safety issue, right? We hand that over to law enforcement. So, making sure that those links are disabled. So, basic items, like encrypt data at rest, encrypt data in flight, but you have to do that everywhere. The data- as I said before, define what the edge is, where's the data? It can be at the store level or your storefront level. It can be in the cloud. It can be inside your data center somewhere or your [inaudible] data center inside your campus headquarters. Is it consistent? 
It is a very large problem, and it is only going to get worse as we collect more and more data on consumers in order to reach them where they want to be reached, right, where we can track them and we can say, hey, it can be basic things like Incap, you know, and going in and saying, "I want to change my storefront, and I want to change my heat map", or it can be complex things like consumer sentiment. Is this resonating with them or is it not? That data, any PII data at all should always be encrypted at all points in the environment.

Luke Vander Linden: Right, right. Wow, so it's very complex. It sounds like the Store of the Future, as you said, is really the Store of Tomorrow. I mean, it's here. We're dealing with it now. So, getting out your crystal ball -- I ask guests this a lot -- what do you see further down the line? And this is kind of an unexpected question, just putting you on the spot here, but what do you see really in the store of the more distant future that we have to be thinking about?

Shad Taylor: A lot of these changes- if you think about how we secure information, if you think about networking and security and how we've really moved towards this concept of edges can be anywhere, I think it's going to force vendors. I think it's going to force providers to come up with more pragmatic solutions, more efficient solutions. You can only protect what you can see. So, you can't talk about security and not talk about availability, resiliency. So, resiliency, security, and reliability, we've mainly focused so far on the security portion, but reliability and resiliency are a key aspect. I have not met one CIO or CISO that has said, you know, there's an expectation for a less performant environment so your transport is going to become more paramount, how you're connected to these systems, bandwidth. I don't think it's any surprise that most retailers out there, they're not on an SLA protected circuit. They're on consumer grade broadband. It's a margins issue, right? We have retailers that are single percentage margin. So, I think as we think about, you know, technologies that we've come up with over- that are really starting to propagate out like SD-WAN or things of that nature are going to become more and more key. I also think you're going to see items like parallel networks inside. So, if you do store-in-store, I think that we're going to say, "Why are we terminating three or four business continuity mechanisms inside the same environment? How can we build efficiencies here? How can we create a multi-tenant environment and still have that separation of church and state between those organizations?" So, I think that we're going to see more and more of that. I think the adoption of 5G is going to start to occur, and I think things like LEO satellite is going to really enable a lot of retailers that are in a digital desert to provide a more consistent brand experience. So, I think that those are things that are still a struggle today. 
Our geography is different. It's difficult in the US. I have conversations in EMEA, and some of the things aren't- it's not the same sort of topics, because that transport methodology can be consistent and more well-connected. So, I think that is still a barrier of entry that we're starting to break down. We're starting to tear down that barrier bit by bit, and I think that as we become more well-connected, we're, you know, the sky's the limit. The capabilities are just going to get higher and higher.

Luke Vander Linden: Shad Taylor, thank you very much, solution architect for Retail and Hospitality from Fortinet, a great supporter of the RH-ISAC. I really appreciate you coming on. Any final words for our listeners?

Shad Taylor: No, you know, just thank you for having me. It's been an honor and a privilege. So, thank you so much.

Luke Vander Linden: Excellent, thank you very much.

[ Music ]

All right, I'm once again joined by the RH-ISAC's own Lee Clark, cyber threat intelligence analyst and writer extraordinaire. Thank you very much for coming on the show again, Lee.

Lee Clark: Hey, look, it's always great to talk to the Membership.

Luke Vander Linden: And you normally come on to do "the Briefing", but we have a very special segment of "the Briefing" this time. Tell us about it.

Lee Clark: Sure. So, this month, we thought for "the Briefing" we would give a little overview and dive into some of the key findings from our recently released comparison report with the Verizon DBIR.

Luke Vander Linden: Right, DBIR, Data Breach Investigation Report. So, you shouldn't say DBIR Report, because that'd be like saying ATM machine, but they do a great analysis, I guess from their perspective of what's going on in the world, and then we compare it, you compare it to our own data.

Lee Clark: Yeah, 100%. I believe this year is their fifth or sixth time producing this report. Every year, they release it in the summer, and pretty much every cybersecurity expert that works in our industry basically takes the time to read it, see what trends they've reported for the previous 12 months. We're no different at the RH-ISAC, and starting last year, we decided to use our internal data tracking that we do for our Membership to see how threats reported by the RH-ISAC member analyst community match up to what the Verizon Data Breach Investigation Report findings are.

Luke Vander Linden: That's great, and it is amazing in some ways how similar the Verizon Report is to what our own members are concerned about, but then there's also some big differences.

Lee Clark: Sure, sure. So, a few of the major similarities we find is that phishing, ransomware, and credential harvesting are the top-of-mind threats for our community, which aligns perfectly with what Verizon finds, right? The other big similarity is that Verizon talked about the sharp spike in business email compromise, BEC attacks, and they're also pretty top-of-mind for our Membership over 2022. Interesting divergence here is that Verizon reports one of the top key threats globally being denial-of-service or DoS attacks, and while those are present among the reporting we see from the RH-ISAC community, they don't rank anywhere near the top reported threats for our particular community.

Luke Vander Linden: That's interesting, and so I'm guessing we maybe just have access to such a sheer volume and granularity of data from our own members' actual activities, or maybe it's the sophistication of MISP. What do you attribute some of those differences to?

Lee Clark: Sure, so one is Verizon is taking a macro view across industries, which helps us compare with our own internal industries, but the benefit of RH-ISAC Membership at its core for organizations is that we have an insider in-depth relationship with the leading organizations within these specific industries we operate, being retail, hospitality, travel, consumer facing goods, right? And our data set that we get comes directly from these organizations. So, in the Verizon comparison report that we've produced for the RH-ISAC, none of the data we rely on for the RH-ISAC comes from anywhere outside of the Membership. All of the data that we report there comes straight from them. So, that would be the first one, and the second one would be our Membership reports to us based on the prevalence of what they themselves see, and threats to their industry are going to be more focused on the specific nuances of their industries, right? So, the targeting of customer payment data becomes one of the top three threats for RH-ISAC members, and that doesn't align with Verizon macro view globally, but it does align with the granular industry-specific metrics that they provide for the industry and what they call accommodation sectors, and accommodation aligns pretty closely with the hospitality designation that the ISAC gives.

Luke Vander Linden: Got it. So, they do break it down by sector, but we- our data just is so much deeper in the sectors that we serve. So, that's interesting. So, you mentioned that this is the annual report for 2022 calendar year, and as we all know, last year kicked off with a bang with the Log4Shell, Log4j vulnerability. I imagine that ranks pretty high in everything that you're saying.

Lee Clark: Yeah. So, Verizon notes so, you know, a massive increase in Log4j reporting in the first half of 2022, and specifically, they noted a large percentage of comments, an overwhelming percentage of comments on vulnerability-based reports that they received have Log4j related things in the comments. So, it was the number one sort of discussed vulnerability in the first half of 2022. That matches pretty closely with what we saw at the ISAC. Everyone was talking about incident response, patching procedures, security controls, best practices, policy adjustments to handle Log4j. Now, of course, the industry moved really, really quickly to mitigate the potential crisis that could have resulted from Log4j. And so, after, you know, the patches were released and the industry started getting a handle on mitigation strategies, we saw, just like Verizon did, a massive drop off in Log4j, and that will probably create a pretty interesting point for us for comparison for next year, because Log4j will rank as one of the top vulnerabilities discussed, one of the top threats discussed for this year. And my prediction is that next year it won't even be on the list, because we've moved past it now, right?

Luke Vander Linden: Excellent. I love predictions on this podcast. So, one other thing you mentioned was phishing. Always near the top of the list, is it always the top of the list for everything that we see?

Lee Clark: Mostly. So, what's interesting about phishing here at the RH-ISAC, for the way we track it with our Membership, is that we track based on the granularity of information given to us by members. So, phishing is always going to be in the top two or the top three, but it trades places with credential harvesting on occasion. Like for this particular year, credential harvesting was the top shared threat topic, and phishing dropped from first to second place. That can be for a few reasons. It can be because the delivery of credential harvesters has changed over time, or it can be because our members' capabilities are increasing, just as our MISP capability increases over time, and they are able to report threats to us more granularly. For instance, credential harvesting is often a follow-up action to phishing. If you click the phishing message, it leads you to a credential harvesting function, right? So, when we see credential harvesting overtaking, what we have there is a more granular level of threat reporting than just the overarching phishing label.

Luke Vander Linden: Of course, that makes sense. Phishing is the way in, but then thereafter some other techniques get after what they're really after. So, what other trends did you see from our members on our sharing platforms, or whether we're talking about threat intelligence or strategy or anything like that?

Lee Clark: Sure. So, we saw a couple of interesting changes for this year. We saw Agent Tesla reporting rise from fourth place in 2021 to third place this year. We saw that big spike in Log4j that we've already discussed, and then we saw a few other increases: Formbook reporting came up to fourth place from sixth, Emotet reporting did not make the list of top threats at all in 2021 and came in at fifth this year, and the same for SocGholish. SocGholish did not make the list in 2021 and came in at sixth this year. So, we see both of those malware trends increasing over time and targeting our Membership.

Luke Vander Linden: That's great. Anything from a strategy standpoint that we're seeing, or is this mostly threat intelligence that you're looking at?

Lee Clark: So, if we talk about strategic interests, one of the key findings from this year that matches last year is that far more of our discussions at the CISO community level focused on policy, architecture, and best practice discussions than they did on the nitty-gritty nuances of cyber threat intelligence and technical working discussions. Requests for information related to cyber awareness solutions, work-from-home performance, as well as data retention rank really high at the top, whereas discussions related to specific scam activities and threat intel tools are ranked toward the bottom of our top RFIs, right? So, we see a lot of the top-of-mind concerns for our community, especially at the executive level, but also reflected at some level at the analyst level, are with organizational structure and program development over the nitty-gritty of threat intel platforms. Now, this is pretty interesting, because a suggestion here is that our organizations in our Membership largely have the basics of their threat intel platforms down and ready to go. They are effective, and they are successful at the threat intelligence mission goal, and now are focusing on developing their organizations further through policy improvement, right?

Luke Vander Linden: So, you know, I know for the last year or so we've been working on developing our MISP capabilities. Has that affected our reporting at all?

Lee Clark: Sure, beginning in the Executive Summary section, we talked about how we get a more granular level of data from our specific Membership for this community than potentially the Verizon Report can see into, because they don't have that intimate level of access. The way we now categorize and store and utilize the threat intelligence that's shared by our members is primarily through MISP, which the intelligence team has been developing over the last year, like Luke says. This is mostly the work of JJ Joseph, who longtime listeners will know from the podcast. The development of this MISP capability has allowed us for the first time this year to get a really in-depth look at technical indicators, tactics, techniques and procedures, and malware tools that are reported by our Membership as targeting them. So, for the period of January 2022 through the end of December 2022, our members published over 1,300 events to MISP, and this included over 18,000 unique attributes, and an attribute can be described as a single piece of technical intelligence. So, this can be an IP address, it can be a file hash, it can be an email address sending phishing messages, all right? We've seen over the course of 2022 an exponential increase in the sharing, which gives us an excellent granular look at what the major malware and the major tactics facing our community are. For instance, malware: the top two malware were tied this year. For the malware reported by the retail, hospitality, and travel sectors, the top place was split at 23% each for Agent Tesla and GuLoader. That's followed up by pretty well-known threats like Emotet at 14%, QakBot at 6%, WarzoneRAT at 6%, right? But we're able to see that, because these are specific known indicators shared by our Membership, and we also have that same level of view into TTPs reported by Membership, right?
We see overwhelmingly that spear phishing links and spear phishing attachments are by far the most common TTPs reported by members, and this is followed way, way back at a much lower level by malicious domains, remote access software, and registry run keys. And then finally -- this is the one that we've been most excited about lately -- we can look at indicators that can be reliably attributed to specific threat groups, right? So, listeners of the podcast will know that in the past year, the RH-ISAC launched our Threat Actor Catalog Program for MISP. This helps us feed that. This helps us cross-index these indicators we get and host them on pages that are dedicated to those threat groups, and it helps investigators pivot based on that information to find additional information that can help in their investigations. So, for this year, the top intrusion sets that we were able to track through our Membership were- the top place, again, was split between FIN7 and FIN6 with 31% each, and then that was followed up by pretty well-known and prevalent threats like APT32 at 14% and APT41 at 6%. So, we get these really interesting looks through MISP that aren't easily comparable to the Verizon Report, because they are so granular for our Membership. So, while that point of comparison isn't there, this year-long look into established trends over the course of the last 12 months can help a lot for programming, planning, and management of threat priorities moving forward.

Luke Vander Linden: Excellent. Well, thank you for that really in-depth look at not only the Verizon DBIR, but also our own reporting and analytics. Appreciate it. I always love it when you come on, Lee. Thank you very much for joining us again, and we'll talk to you next month for another "Intel Briefing".

[ Music ]

A huge thank you to all of my guests today: my colleague at the RH-ISAC, Lee Clark, and from our close friends at Fortinet, Shad Taylor. Please let us know what's on your mind. Our email is, or if you're a member, hit me up on Slack or Member Exchange. As always, a huge thank you to the producers who try to make me sound good: for the RH-ISAC, Annie Chambliss and Marisa Troscianecki, and from "the CyberWire", Jennifer Eiben, Tré Hester, and Elliott Peltzman. We'll be back in a couple of weeks with a new episode. In the meantime, stay safe out there.

[ Music ]