The Retail & Hospitality ISAC Podcast 11.22.23
Ep 40 | 11.22.23

MISP Platform Integration, CISO Spotlight, & Intel Briefing

Transcript

Luke Vander Linden: Hello, everyone. This is Luke Vander Linden, Vice President of Membership at the Retail & Hospitality Information Sharing and Analysis Center, and you're listening to the RH-ISAC podcast. [ Music ] Big governance news coming out of the RH-ISAC, big for us anyway, this is the time of year where we have elections for our own board of governors. Yes, like any organization, we have a board and our directors, governors, whatever you want to call them, are selected via a very competitive election. I won't go into all the details, except to tell you that every member company can cast one ballot and directors must be the highest-ranking information security employee at their company. So, as you might expect, we end up with some very, very impressive board members. I am very pleased to announce that Diane Brown, Vice President of IT Risk Management at Ulta Beauty, and Jason Stead, CISO for Choice Hotels International, were both re-elected for three-year terms on the board. Diane has more than three decades of IT experience in the retail environment. She's also the co-chair of the National Retail Federation's IT Security Council. And Jason, in his 20-plus-year career, has not only worked in hospitality but also had a couple of stops at financial services groups. So, congratulations to them. Newly elected to the board include Ngozi Eze, global CISO for Levi Strauss. His previous positions include deputy CISO for the Federal Reserve System, wow, and chief business security officer at ADP. And quite serendipitously, I got to interview Ngozi while we were at our Cyber Intelligence Summit in Plano, Texas, in October. So, we've moved that interview up to this episode so you can learn more about him. Also newly elected to the board is John Scrimsher, global CISO at Kontoor Brands, where he oversees the security and compliance of iconic brands such as Wrangler, Lee, and Rock & Republic Jeans. Big, big year for jeans-makers with the RH-ISAC. 
John, of course, is no stranger to the podcasts. He was on a few months ago to talk about our partnership with the National Association of Corporate Directors and their board certification program. By the way, I attended the Aspen Institute's Cyber Summit in New York City last week. There was a lot of talk there about the FCC's new reporting rules which go into effect in December. If you think about it, CISOs and their teams and our traditional government partners in the US like CISA and the FBI have a strong cyber defense as their mission and goal. Of course, that would go for our traditional partners in other countries too like the NCDC in the UK, and ENISA in the EU, etc. But the FCC's goal is different, it's to protect and ensure "well-functioning markets." And that is what these new rules are about. If an event occurs that would affect the decision of a reasonable investor whether to invest in a company, the FCC wants that to be transparent and reported. So, as a result, CISOs now have a seat at the table, a very important table. Boards and C-suite will have to better understand the work of cybersecurity. And to that point, several of the speakers at the Aspen event noted the dire need for cybersecurity expertise on corporate boards. We are trying to do our little part with the program John participated in, in training and certifying CISOs for board service with that NACD partnership with about a dozen member CISOs going through the program right now. We're probably going to get another cohort together right after the New Year. If you're interested, you know where to find me. I'm very sorry about that tangent upon tangent. The Aspen summit was great. And by the way, John has done more than participate in that NACD certification program. He's also been very involved in our third-party risk management working group and a great all-around guy. He will make a great addition to the board. 
Finally, there is one more newly elected board member and that's Teresa Joyce, the CISO at Williams-Sonoma, where she provides cybersecurity leadership for lots of brands, including Williams-Sonoma, Pottery Barn, West Elm, Mark and Graham, Rejuvenation, and Outward. And speaking of Williams-Sonoma, we will also be joined on this episode by Manpreet Kang, one of Teresa's team members. Manpreet and Williams-Sonoma have been at the forefront in automating the ingestion and sharing of cyber threat intelligence using MISP. He will be joined by the RH-ISAC's own JJ Josing and Ian Furr to talk about their journey. So, I started out by saying how impressive the work and the teams of our board members are. We're very lucky to have their support and contributions in our organization's leadership. So, congrats to Diane Brown and Jason Stead on their re-election. And Ngozi Eze, John Scrimsher, and Teresa Joyce on their new election to the RH-ISAC board. Finally, as this is the second episode of the month, I will also be joined by Lee Clark, the RH-ISAC's cyber threat intelligence analyst and writer for the briefing. And I think, I suspect he may have the holiday season on his mind. As always, if you have something cybersecurity-related you would like to tell us, send us an email at podcasts@rhisac.org. Or if you are a member, hit me up on Slack on Member Exchange. And if your company is not yet a member of the RH-ISAC, what are you waiting for? Go to rhisac.org/join to learn more and to start the process. That being said, let's get to it. [ Music ] All right. Now, I am joined on the RH-ISAC podcast by three guests. We have JJ Josing from our intel team and Ian Furr from our engineering team, and Manpreet Kang from -- he works in security automation at Williams-Sonoma. Gentlemen, thank you very much for joining us on the podcast. 
So, we've talked quite a bit about MISP on our show, particularly around when we launched it last year, and then as we've added different galaxies like threat actor profiles and the newer work you guys in the intel team are doing on fraud and more granular tagging by subsector. There's a lot in there that can be explored by people, but the real power in the way we use MISP is how it can be integrated with many of our members' tools as a way to automate the ingestion and sharing of threat intel. So, JJ and Ian, you guys presented a session at our last Cyber Intelligence Summit on this exact topic. As a result of that session, I think there's been a lot more interest from our members in automating, sharing, and ingesting from MISP. One of the members that was an early adopter was Williams-Sonoma. So, welcome, let's talk about that.

JJ Josing: Yeah, why don't we start things off with the general one here? Manpreet, how long has Williams-Sonoma been using MISP?

Manpreet Kang: Hey, JJ. Thanks for having me on here. We've had MISP running in our environment since 2020. So, it's been about three years now, pushing on four actually.

Ian Furr: That's super cool, Manpreet. So, you guys have been able to see MISP grow and change as a platform. What made you choose it initially as your TIP?

Manpreet Kang: So, with MISP, there were actually many aspects that we liked. I think the biggest selling point for us was that it is free and open source, definitely love that. But apart from that, it's very customizable. So, we can really make it our own and tune it toward specific needs. And then lastly, I would say a community is a big plus. They're incredibly active and passionate about what they do. And they're always pushing out new features. I mean, it's like every month, there's a new version of MISP out there.

JJ Josing: Now, I know when it comes to open-source tools sometimes, you know, members can be a little bit hesitant to want to stand them up due to the fact that they are open-source. However, when I was recently in Luxembourg for the Hack.lu Summit, I found out that CIRCL does have a company, Zigram Security, and they've been tasked by the Luxembourgian army to continuously test MISP and some of their other open-source projects. And just within the last year, this company has gotten 13 different CVEs, including a few critical vulnerabilities. So, despite being open-source, there is some continual testing for the application with security in mind for those that are using it.

Luke Vander Linden: Who knew that you rub shoulders with the Luxembourgian army there, JJ?

JJ Josing: I could have but I don't know definitively if I did or not.

Ian Furr: Manpreet, why don't we talk a little bit about the journey that your team has gone through to set up MISP, some of the things like how many people were needed on the project and, more importantly, how long did it take to go from, you know, the idea of building it out to getting it operationalized?

Manpreet Kang: So, back in 2020 when we were initially setting it up, it was just me and one threat intel analyst person. And originally, like we wanted to set it up for just storing our threat intel data. And I would say the process for setting it up was pretty straightforward, relatively painless because we use Docker so it was just a couple of Docker commands to pull the image, spin up the container, and we were off to the races ready to go.

Ian Furr: That sounds like it was a pretty easy startup process. You had mentioned earlier that one of the pros for MISP on your team was the ability to customize it. Do you want to get into some of the customizations you've made over time?

Manpreet Kang: Well, a lot of that is using the features that they have such as the feeds, such as being able to create your own tags, being able to create your own jobs. And using the API that they have, I think MISP really embraces automation with the API that they have and we try to take full advantage of that.

JJ Josing: For sure, I mean, I know over on the integration side of things that the API is super friendly. And one of the reasons we've chosen to push for it as hard as we do over on the ISAC side. So, part of that, do you want to talk about consuming the RH-ISAC intel into your MISP events and the process that you went through to get that all set up?

Manpreet Kang: Of course, it was -- it was an interesting process. It took a while to get to where we are now, and the RH-ISAC intel feed, it provides us with a tremendous amount of value. And I can take you through that journey a little bit. So, back in the days of the RH-ISAC's ListServe, when that was still around, we were originally just manually consuming the intelligence, so every day an analyst would go in and look at all of the intel that came in over the last 24 hours and then hunt based off of those indicators against respective logs. So, emails would be hunted in email logs, IPs and URLs would be hunted in firewall logs, and it was fairly time-consuming, so we said, hey, let's automate this, and eventually what we used was a Python script that would do a free text IOC import using MISP's free text parser and create MISP events out of that, and then we would use our SOAR platform to ingest those, and then run a hunting playbook against that intel. Oh, and if the playbook came back with any hits, we would leave the ticket open; if it came back with nothing, we'd just leave it closed.

Ian Furr: That's a great way to operationalize a lot of the intel that we produce. So, you had mentioned the ListServe part of that. Can you talk about how that process has changed since we've moved away from the ListServe over on the ISAC side and really embraced MISP?

Manpreet Kang: Yeah, and I think that was a huge improvement because now instead of, you know, having to run additional scripts against the ListServe, we can simply just sync our MISP instance with the RH-ISAC MISP instance and then do a fetch, and then it just brings the event in pretty seamlessly. Oh, and I would also like to mention that a great resource for setting up that MISP-to-MISP fetching was within the Member Exchange. I think, JJ, you pointed me to a document which kind of outlined the few steps needed to get that set up. So, that was all super helpful in getting us to this point.

JJ Josing: Yeah, not only do we have the documentation for setting up the MISP synchronization, we also have several other documents available for members to use. Just general, you know, getting started: how do I share intel, how do I, you know, add attributes to that, how do I do tagging? And basically, everything you need to get started with either consuming or contributing to our MISP instance. And in addition to that, there's also some video tutorials that follow the PDF documentation. So, you know, whether you like watching, you know, video resources or just having a PDF, there's definitely a lot there to help you get started. But going on that same thread of, you know, the MISP synchronization process, can you talk a little bit about how you're sharing data back into the RH-ISAC in a programmatic fashion?

Manpreet Kang: Of course. So, this is data going in the opposite direction now. So, the original data would come from our SOAR instance, where our analysts are working tickets and closing them out as malicious. Within here, the sharing is powered by automation, where after an analyst closes a ticket out as malicious and they classify it as, hey, this is bad, we make sure it automatically extracts certain data fields that are relevant to us and generates a MISP event out of those, and then after that MISP event is generated, we would publish that out to the RH-ISAC MISP for distribution. One of the key points in there is the data fields we pick. A lot of that is driven by the RH-ISAC templates you guys have for sharing.

JJ Josing: Right. And for those listening, those templates that we have, and for those that are also familiar with our old ListServe, they pretty much mimic the templates that we used to use when sharing via email and they've just been translated over to MISP. Staying with, you know, the sharing and automation, how much time do you think is being saved, you know, by having this process, you know, for the most part, automated out rather than needing to have an analyst go, you know, and work on an incident internally and then capture all of that data, and then create a share, whether that's in MISP or going, you know, to Slack and sharing that out?

Manpreet Kang: I would say per share, per every event that we push out, it would be approximately, you know, anywhere from 15 to 20 minutes reduced down to less than five, I would say. Because I used to do some of that manual work too back in the day, I would have to, you know, get into the SOAR platform, find all the tickets, run some filters, go into the tickets, scroll through analyst notes, and it was not very fluid at all.

Ian Furr: Jumping back a sec, Manpreet, one of the questions that I get pretty often when talking to members is what type of data is valuable for us to share. Can you get into the specific types of intelligence you're sharing with the community?

Manpreet Kang: Sure. And, for example, with phishing it's important to share out the phishing URL, the landing page URL, who is sending the phishing email such as, you know, the email sender. Sometimes even the subject can be important too because sometimes the threat actors aren't really changing the subject. Or another one is the email sender IP. It goes on and on. Each indicator has inherent value and then, depending on the context of the campaign, there may be additional value.

Luke Vander Linden: So, Manpreet mentioned how his SOAR platform is connected with MISP. What other integrations make sense for members to set up with our MISP platform on their own?

Manpreet Kang: So, I think we've only really done the SOAR platform. I can't think of another integration that we have set up. Actually, I take that back. We also have set this instance up with our firewall EDLs. And that allows us to ingest certain indicators and automatically push them into our firewall EDLs for prevention going forward.

Luke Vander Linden: Ian, you work with a lot of our members on setting up these integrations. What other tools have you had experience with?

Ian Furr: Yeah. I think Manpreet covered some of the classic examples. With the tools, I mean, there's a myriad of tools that our members use that they like to pull data into. A lot of it comes down to the broad categories; that way they keep this applicable to everybody. But people pull into their AV or EDR platforms a lot so that they can get that immediate block detection action from some of our IOCs. So, pulling straight from MISP, and pulling those vetted IOCs into, say, CrowdStrike. That way, if somebody publishes a hash that we've put through, it immediately eliminates that risk, or at least mitigates it. Other platforms people pull into are their SIEM and SOAR platforms, like Manpreet mentioned, into their firewalls for IP and website-blocking and things like that. And then there's also a lot of email intelligence that gets shared. So, being able to block those senders or spoofed domains, things like that, has also been a huge draw for many of the members that are consuming our intel. And another one I just saw these last few days was CurveBall, which is a tool that will let you pull IOCs from MISP and then ingest that directly into your logging pipeline. So, you can pipe it to anywhere that you have CurveBall set up to export IOCs to, which opens up the door to publish into a lot more platforms than just those that are going to work with MISP or work with the scripts that we already have set up.

Luke Vander Linden: And all these things are automated so that the amount of time it takes to ingest and use these alerts is next to nothing compared to having to do it manually like Manpreet described with the ListServe.

Ian Furr: Exactly. Yeah. And it's not even reducing the time to next to nothing, it's reducing the time so that you don't have to worry about it. It just happens automatically in the background.

JJ Josing: Now, what's our total number of main platform integrations up to, Ian? Is it 18? Eighteen different platforms that we've helped integrate with?

Ian Furr: I want to say we're just under 20. And that's not including variations of tools for, like, different tiers. But probably just under 20, and with the introduction of CurveBall and the ability to push to anything that that can push to, it opens it up way more.

JJ Josing: Ian, that's just, you know, one of the many, many main benefits, you know, of us utilizing this: there is no one-size-fits-all when it comes to integrating. And it really comes down to, you know, what is -- you know, what tools do your teams have available to you, what do your workflows currently look like, and what makes the most sense to integrate in terms of, you know, where should this intel be sent to, what tools do you want it in to really help, you know, maximize the efficiency of your team and reduce the amount of work, you know, additional work that would be required.

Luke Vander Linden: So, I guess, Manpreet, do you have any words of advice for any other members that are looking to get started with MISP? Anything to make it easier? Especially those that want to share data back into the community but don't know where to start.

Manpreet Kang: For the first half of that question, I would just say try it out. It takes next to nothing but time to stand it up. I would say MISP is as popular as it is because it meets the requirements of a lot of organizations. So, it might be about meeting yours as well. For the second question, for those that don't really know where to start, like with everything, it seems the answer is to start with phishing. Because everybody is familiar with phishing, everybody has a process for it. And there's plenty of live examples to follow. And who knows, maybe that phishing share-out that you send out may help a peer organization catch something that would have otherwise gone undetected for them.

Luke Vander Linden: Excellent. And of course, our own Ian and JJ are here to help any of our members who want to look into this as well.

JJ Josing: Yeah. Feel free to reach out to us over Slack, shoot us an email, whatever you're comfortable with. And if you have any, you know, MISP-specific questions or inquiries, we do have a MISP Slack channel with quite a few members in there already. So, if you're not already in there and you're curious about MISP or interested, you're working on, you know, building out your own, or have any question MISP-related, that would be a great resource to leverage.

Ian Furr: Absolutely. And to add on to what JJ said, if you have an upcoming check-in call with any of the ISAC staff, feel free to add a note in there that says you want to talk about integrations because then we can bring some notes and some materials to get you and your team just that much further ahead in the integration process.

Luke Vander Linden: Excellent. Excellent advice. I'm on most of those calls so I'm happy to help facilitate that as well. Guys, thank you very much for joining us again on the podcast, Ian, JJ, and Manpreet. [ Music ] Excellent. We are joined now by Paul Suarez, CISO and VP at Casey's General Stores. Welcome to the RH-ISAC podcast.

Paul Suarez: It's good to be here. Good to be here, Luke.

Luke Vander Linden: Excellent. It's good to see you again. I think I saw you last at the NRF Big Show in New York, that was great. You are very active in the retail cybersecurity community and you're a native New Yorker, I think. So, you were visiting home at that --

Paul Suarez: Born in Queens. Absolutely.

Luke Vander Linden: That's excellent. So tell us a little bit about how you got to where you are today at Casey's General Stores.

Paul Suarez: Okay. Well, I'll try to make a long story short.

Luke Vander Linden: Okay. That's okay.

Paul Suarez: Born in New York City, raised in New Jersey, wanted to be a pilot for the Air Force, so I went to the Air Force Academy. Colorblind, so I didn't apply for the Air Force, but I still served the career because I was enjoying it, it was in technology. And towards the tail end of my career, I was doing some cybersecurity-related things for the Air Force and I realized this may be a big industry. I should consider going into this after I retired. Had the fortune of joining a startup, NetWitness, a cybersecurity startup. So, for my first three years after I retired from the Air Force, I was working with cybersecurity manufacturers, NetWitness, OVIA for the first three years. But I wanted to get back into the operations side, and so that's what led me to Walmart. I moved down to Bentonville, Arkansas, security engineering, international CISO at Walmart, and then Casey's came calling, and I said, yes, I will move from Arkansas to Des Moines, Iowa, be the first CISO for Casey's, and I've been now in Des Moines with Casey's for about two and a half years.

Luke Vander Linden: That's great. And probably a big change for a boy from New York to get --

Paul Suarez: My first time living in the Midwest, and I think I had only visited a handful of times in my entire life, so yes, I'm learning about the Midwest. I'm trying to get out and visit as many sites as I can and kind of be a Midwesterner.

Luke Vander Linden: Excellent. Well, thank you for your service in the military. We have a lot of veterans who work in our industry, which is kind of neat, and it's a great area for training for cybersecurity, it seems like.

Paul Suarez: It is. And that's one of my passions, Luke, is trying to hire and develop veterans to be able to work in this industry because there's a natural path for many of us into the defense industry business, basically selling back to the US government. But I chose this path, working on the civilian side if you will in industry. And I think there's a lot of opportunities for veterans to do that because like you said, we're naturally guardians if you will in a personality type of construct. And so, cybersecurity is just a natural fit for many veterans. And yes, I'm very passionate about that. And have seen a number of veterans in the space, which is refreshing.

Luke Vander Linden: Yeah, that's great. So, Casey's General Stores I think is the third largest C-store owner-operator in the country. Is that right?

Paul Suarez: Correct, yeah, third.

Luke Vander Linden: And I'm not in the service area so I've never been to one, but I hear pizza is a big deal.

Paul Suarez: Correct. Yeah. So, that's how Casey's made their name, with pizza. Gas station pizza, it's a thing in Iowa. We love talking about it. But third largest convenience store chain in the US, fourth highest number of liquor licenses in the country. We obviously sell beer and wine in all of our stores. And the fifth-largest pizza chain in the US.

Luke Vander Linden: That's amazing. And how many locations are there?

Paul Suarez: Casey's is at 2500, moving toward 2600 locations in a 17-state footprint centered around Iowa and the Midwest. But we just bought our first stores and we're starting into Texas with an acquisition of a chain called Lone Star.

Luke Vander Linden: Okay. So, that's a pretty quick growth, and is most of it organic, or is most of it through purchasing of other properties?

Paul Suarez: A combination of the two. I asked that same question when I started with Casey's. We still build, we call them NTI, new-to-industry stores in the neighborhood of 30 to 60 per year, and then we've added through acquisition the remainder because to stick with our three-year strategic plan, we need to add about 100, 110 stores per year so that we can get to the number that we've promised the street, which is 350 over our three-year strategic plan period, which this is the first year of it.

Luke Vander Linden: That's incredible. And for you in your role to have to protect that expanse and so quickly, that's a lot of challenges, I imagine.

Paul Suarez: It is, because there's the due diligence of the assets we're going to buy. Are they set up to accept payment card industry standards, are there any other digital risks that are out there with this acquisition once we do buy them? There's a transition period while they still operate under their former logo. And so -- but we're responsible for the care and feeding of the entity, and then we'll convert them to Casey's at some point, and that's when we bring in our full security stack and make them like every other Casey's, which is the scale that we bring, that economy of scale that allows us to do what we do.

Luke Vander Linden: Can you do, like, security in a box and have, like, this is the new store kind of kit?

Paul Suarez: We actually call it store in a box, and that's exactly what we do. We have a standard set of tools that go in with a new store, to include all of the other points of sale, hand-held devices, things like that. That is exactly what we do so that there is a very repeatable, predictable process for buying and outfitting a new store.

Luke Vander Linden: That's great. That routinization probably helps a great deal.

Paul Suarez: It does. Yeah, and it minimizes the challenge for my team. It was actually a question I asked the CEO when I was interviewing: how Casey's approached acquisitions. In my previous company, a lot of the acquisitions were only partially integrated or they would operate as an independent entity, and yet there was a demand to have, you know, read-and-write access in the Outlook space over the Microsoft tools and sharing that, but they weren't integrated. So, it produced a lot of challenges. There was a phrase we had in the company: non-networked entity. So, it meant the company bought something but we hadn't integrated them, but you were still responsible, I was still responsible, for their security. Casey's doesn't do it that way. We tend to have our store in a box, we bring it in. And so, it becomes another extension of our enterprise when we rebrand and you'll see a new logo on the outside.

Luke Vander Linden: Right. So, pizza, liquor, I imagine you also have lots of fuel, right?

Paul Suarez: We sell gasoline as well.

Luke Vander Linden: So, that's another layer. We have a lot of fuel retailers, some of whom are pure-play fuel and that's primary, but also supermarkets that are in the fuel business. Skimmers are huge problems; that physical security is still a big deal.

Paul Suarez: Yeah, you're right. Physical and also digital security, because one of the challenges we have with fuel is we can't use the same point of sale inside the store and outside, because there are a lot of fleet users that come to a Casey's. We have truck stops and they're going to fill up with, you know, a couple of hundred gallons, and so a regular consumer pump won't work for them. And so, we have fleet fuel or commercial fuel set up, and that's a totally different payment methodology. There are different discounts they give for the volumes. And so, it's a different point of sale and therefore a different technology, and then we have to also provide the security against that. There's still pump skimmers, but also there's a lot of fuel fraud that goes on when you sell five billion gallons of gasoline in a year, and we have to defend against that. And more importantly, look for the early indicators of fraud so we can pretty much nip it in the bud.

Luke Vander Linden: Right. Do you find -- because we have a couple of other, more like truck stop operators like you, do you find collaborating with them on those particular unique issues valuable as part of the RH-ISAC?

Paul Suarez: We do. As a matter of fact, my team actually reached out to other convenience stores that are selling fuel and created, like, a mini group within the RH-ISAC. I don't know what they call it, but it's a fuel and fuel fraud-focused group where we share intelligence, what's, you know, going on in the industry, and also try to figure out what's the best way that we can engage our law enforcement partners to help us collectively defend against the fraud that happens, you know, usually of a very regional nature.

Luke Vander Linden: Sure, yeah. Because of the physical nature, it's probably often regional.

Paul Suarez: Correct. And there's one thing that's unique about fuel fraud: you have to present yourself at one of our stores to defraud us. You know, you're eventually going to come by a Casey's to get the gas, and then we just have to be able to try to intercept that transaction and not allow it to happen, or to detect it after the fact so that the third or the fourth time you visit we're not going to allow you to continue to defraud us. Yeah.

Luke Vander Linden: So, something that our listeners may not know is that we're actually recording this in person with each other at the RH-ISAC Summit, which is exciting for us, and I'm glad you could join us in person. You were on a panel earlier this morning and you talked about how to share, how to create a kind of culture of sharing within your department. Can you talk to us a little bit about that?

Paul Suarez: Yeah, I think one of the values of the RH-ISAC, and I think it's something that any practitioner in cybersecurity should search for, is what are the groups that I can collaborate with to help myself raise my level of awareness, raise my level of knowledge of what's going on in the industry. RH-ISAC is a wonderful tool for that, the ability for us to not just share org structures and tools that we use and maybe metrics I've used to ask, hey, what kind of metrics do any of the other members use, but then the intelligence-sharing space is hugely important because -- and I'm looking at, you know, some notes from the previous summit -- we're stronger together, you know. And as long as we can protect as one, my, you know, attack against me, if I can share it as quickly as possible, then maybe it will, you know, help the rest of the membership defend against it and not allow that hacker to be successful.

Luke Vander Linden: Right. That's terrific. I appreciate that a great deal. One of the newer ways that we spun up to share is our instance of MISP, which is a great platform for cyber threat intelligence sharing. One of your colleagues, Diego, is doing a panel on that as well. And how do you guys implement that in your shop?

Paul Suarez: Diego drove that implementation. I think we've realized there's a lot of intelligence sources out there, intelligence feeds. I'm all about having the intelligence feeds be as machine-to-machine level as possible, take the human out of the middle of it, try to make it something that's consumable because the more textual it becomes, the harder it is for us to be able to build that into our defenses, build that into our tech, and MISP is beautiful in that when that information is posted, there are IOCs we can use for hunts, there are specific mechanisms we can use, depending on the security stack that we're using to defend against things. And so, I love the flexibility that it offers us, also the search capability for looking for like kind of risks out there, Luke. And so, it's proven to be a huge benefit for us. And I brag about, you know, our ability to ingest intelligence and use that to cue us as to where the next attack is coming from.

Luke Vander Linden: Yeah, the automation potential with MISP is incredible and that frees up your analyst time to do more human being-related things and more instinctive to them.

Paul Suarez: Exactly.

Luke Vander Linden: So, you've been in this industry for a long time, as you told us, so what are some of the changes you've seen over the course of your career of involvement in cybersecurity?

Paul Suarez: You know, I think the one that's been surprising to me and it's actually -- it's cybersecurity awareness month right now, and so I'm using it as kind of the pivot point in my discussions and that is if we're asking you to do something to protect Casey's information when you're a team member of Casey's, it's probably a good idea for you to do that in your personal digital lives as well. There is nothing I'm going to ask you to do whether it's MFA, whether you use a password vault, whether it's locking down your browser that you probably should also do on your personal lives, and I think the surprise is you should be, hey, let me share that with my, you know, immediate family members and children. We need to share it with our grandparents and our older family members now because they have digital personas as well. And so, if you're doing something at your company and you're not using that, leveraging that on the personal side, I think that's a little bit disingenuous and nowadays, that should never happen because if it's good for the company, it's actually good for you personally.

Luke Vander Linden: Right. So, it's like security awareness from a human being level, to your customers too, to your family members, to your employees, all around that protects everything.

Paul Suarez: Right, yeah.

Luke Vander Linden: And then looking forward to the future, if you had to predict what -- any new hot things. And I haven't brought those two letters, but you can feel free to -- A and I -- you can feel free to mention anything you like but what do you think is coming up in the future to look forward to?

Paul Suarez: You know, I think the thing that still surprises me is the desire to monetize information. I mean, the hackers really -- when, you know, I had to come up with the top threats to Casey's, clearly data and data leakage is a huge threat whether it's our guests or our team members. And people ask me why is that. Because it can be monetized. And I think we're sharing more information, generative AI will make it easier to share because everything will -- a lot more things will look legitimate. And so, I think that for us to monetize personal information will only continue and will only get worse because the ability for hackers to get our information is going to become easier and therefore, how I protect guest and team member data is critically important. Leveraging it, alerting on it, is it on a third-party platform somewhere, is it on-prem, do I know if that third party does have the data who they're sharing it with? And so, that's the area that I think is going to become much more of a challenge for us is that desire for monetization will make hackers looking for that personal information much stronger and actually much easier to get because they'll be able to leverage generative AI and it will be at a much higher degree of quality basically.

Luke Vander Linden: Right. Well, Paul Suarez, VP and CISO at Casey's General Store. Thank you so much for joining us on the RH-ISAC podcast. And thank you for being such an active and engaged member for -- and a great model for you, your team, and our other members as well.

Paul Suarez: You're welcome, Luke. It is my pleasure. [ Music ]

Luke Vander Linden: All right. Join me in welcoming back to the podcast Lee Clark, cyberthreat intel analyst and writer for the Briefing.

Lee Clark: Hello, everybody. Thanks for having me again, Luke.

Luke Vander Linden: So, what are we going to discuss today? I feel that there may be some bells in the air, maybe we're thinking about a certain fat man coming down the chimney.

Lee Clark: I don't appreciate jokes about that, Luke, but today we're going to be discussing the Holiday Threat Trends Report that we just released here at the RH-ISAC.

Luke Vander Linden: Excellent. Tell me all about the Holiday Threat Trends Report. And, no, I wasn't talking about you, Lee.

Lee Clark: Sure. So, essentially, we started this process maybe last year or the year before. And every year, we release a report for the public. It's a TLP-clear report that we post for the public. And it essentially is a retrospective look at what holiday threat trends have been in the recent past and what we predict they're going to be like this year because for the sectors that the RH-ISAC covers, the holiday period, that being October until the end of December of every year, is actually not just the busiest time of the year in terms of actually doing business and making money but also for being targeted by threat actors, right? So, we produce this report every year.

Luke Vander Linden: So, how is the report organized?

Lee Clark: So, we start with a retrospective look at statistics from previous years. We have a stellar research capability here at the RH-ISAC that reviews data analytics, that resource being Sierra, our data expert here. Sierra looks back at what major threat trends sharing from prior years are for the holiday period. And I compare that data to the current period to get a trend line. Then we break that down in a couple of ways essentially. Part of the report is based on member perspectives where we ask key subject matter experts at member organizations to provide some insights on what threats they're seeing and what preparations they're making. Then we give a statistical rundown of the threats that membership have reported to us. Then we typically have a point of view from an associate member, this year it's ACHEMA, providing a little bit of analysis on what they've seen. This year, ACHEMA gave us a lot of information on malicious bot traffic and increases in Magecart-style attacks which was really awful. And we usually close it off with like a special topic on analysis from the RH-ISAC. This year, it was a retrospective on the massive increase in ransomware that we've seen this year compared to last year.

Luke Vander Linden: So, in addition to the ransomware segment, what were some of the key findings?

Lee Clark: So, in the past, we've seen familiar malware like LokiBot, Qbot, Emotet, and Dridex ranked at the top of the list of threats that members report. And this year, it's interesting we did not see them rank as prevalent tools leveraged by threat actors. That's a divergence from the previous year. Credential harvesting, phishing, imposter domains ranked as the top threats. Now, one thing I'd like to note here is those threats qualify more as tactics, techniques, and procedures, TTPs, than they do specific malware families or types of indicators. That actually is a pretty good sign for our membership that they're developing their cyber defense maturity over time, right? It's a pretty good sign. Then we saw a couple of Milum malware at the end of the list of the top most important trends being Agent Tesla in form, but specifically. So, for the current threat actors season, social engineering and fraud types are ranking overwhelmingly as what members are reporting. So, if we talk about key trends specifically, we saw credential harvesting holding first place, and actually rising in prevalence from the previous period. We saw phishing increase significantly statistically in the current period. And then we saw the imposter domain statistically holding steady, which is interesting because when we ask members for their direct perspective, they highlight imposter domains as a key threat specifically despite the prevalence of that statistical reporting not increasing, right? So, that's a little bit interesting.

Luke Vander Linden: Yeah. So, what were some of the other key member perspectives in the report?

Lee Clark: Sure. So, we ask members a number of questions, right, what their primary threat focuses are, what defensive measures they're focusing on, anything different from previous years in the threat landscape, common gaps and defensive operations, and then major advantages. So, what we find overwhelmingly is that the primary threats members report are social engineering, ATO, bots, and fraud. The biggest change members report is an exponential explosion that they think they're seeing in imposter domains and MFA bypass. This is targeting both the enterprise, that is member organizations themselves, and their customers in basically equal measure, right? That's the biggest change they talk about. Follow-up change a couple of members mentioned in emails that's not cyber, we went ahead and mentioned it in the report, is that organized retail theft which we would basically describe as smash-and-grab type thefts in brick-and-mortar stores. Members report that increasing. And I guess both prevalence and intensity like smash-and-grab operations appear to be getting a little bit more aggressive toward store personnel which can, you know, be pretty threatening at this time of the year, right? And then if we talk about gaps, members cited the same sort of gaps that they had talked about last year, which is it's hard to communicate between all the different departments inside their organizations because their organizations are running customer support, they're running brick-and-mortar operations, they're running accounting, they're running e-commerce applications, right? And making all of those different organizations within a firm work together can be challenging, right? But to combat that, one of the things they talk about in terms of advantages is increasing cyber maturity in the form of both analytical capability and in mature security controls, things like implementing identity and access management for guest accounts. And I think an analytical capability, what we talked about earlier, like starting to track more on TTPs as opposed to the indicator of malware-based tracking that helps you block quicker based on attacker behavior, not on specific say file types that attackers are leveraging, right? And then for what threats are gaining the most focus, members overwhelmingly talk about significant fraud activity of various types, especially refund as a service fraud, return fraud, gift card fraud, and loyalty points fraud. And just a quick plug here, the RH-ISAC recently launched a fraud galaxy and MISP to help members combat this. We've released a blog about this on our public blog. And that's essentially a catalog of all the major fraud types that our members report experiencing and that's indexed by industry type, and it's indexed by TTPs leveraged in those fraud types as well. So, we're hoping that can end up being a resource for the community to help defend against this.

Luke Vander Linden: Yeah, don't need to make that a quick plug because it's a tremendous resource. So, thanks for bringing it up again. So, going back to ransomware, what did your review of the ransomware threat landscape show?

Lee Clark: Sure. So, you and I talked about this a little bit a couple of months ago on the podcast as well as members who attended the summit. One that -- I did a TLP Amber's Church Chatham House Rules talk specifically talking about ransomware incidents within our community. So, this report is based on data that came from that talk but sort of redacted for the TLP clear version. So, I'm pretty sure in the last podcast I said, and it's worth repeating again, that even if a CLOP hadn't exploited the MOVEit vulnerability to hack -- what, a thousand organizations at this point -- I'd still be reporting on a massive increase in ransomware activity targeting our membership. And in the larger industries that we try to protect in addition to those paying members. We're the ISAC for the entire community, not just our own members. What we've seen is a sharp move to a strictly extortion model rather than encryption, right? In the old days when we talked about ransomware attacks, almost entirely what we were talking about were threat actors locking files on a victim's computer and demanding payment in return for unlocking those files, right? We're not even seeing that in most cases. And in a lot of cases because the volume of compromises that ransomware gangs are making is so high that a lot of times you don't have time to go and encrypt everyone's machine, it takes a lot more effort. So, what we see organizations moving to is -- we used to talk about double extortion, triple extortion attacks. And what we are seeing now is threat actors tend to be moving toward simply posting a company's name on their blog, giving the company a deadline for when their data will be published publicly, and demanding payment in exchange for that data not being published. And, of course, double extortion can still apply in this. There are reports of threat actors demanding organizations pay twice because we say you pay twice.

Luke Vander Linden: Right, yeah. That's great. And that is kind of like the version of a smash and grab in the online space, it's so much easier just to go in, grab something, and then ask for money for it not to be released.

Lee Clark: Sure. But there's also something that's interesting to note for people who aren't quite familiar with the way ransomware gangs operate, a lot of ransomware gangs do not talk to their victims as if they have robbed them. Oftentimes, ransomware groups cloak themselves in the verbiage of being red teamers, right, pen testers. We are a pen-testing startup. And we pen-tested your organization and determined that we were successfully able to exfiltrate data so you should give us a bug bounty for doing this for you. That's the way they sort of clock or cloak their operations, right?

Luke Vander Linden: You know, it's interesting, I was in Brussels a couple of weeks ago at an event that EuroCommerce, one of our trade association partners did, and there was an example of a typical ransomware interaction, and yes, they used the terms of business as opposed to kind of a more abrasive like, you know, weren't victimizing you, it was a pleasure doing business with you kind of thing.

Lee Clark: So, we should note here, in past positions I've communicated directly with ransomware threat actors, the best customer service helplines I've ever experienced in my life. And this is something that's worth discussing here is these ransomware operations do not operate according to like mob rules or something, right, they have payroll, they provide benefits to employees, they have help desks, they have IT support, right? And it's also important to note that a lot of people who work for ransomware organizations, especially in foreign countries, say Southeast Asia or Eastern Europe, Central Asia, they don't know that they're working for a scam organization, they don't know that they're working for the most prolific ransomware group. They probably wouldn't know what ransomware was if you talked to them. They think they work the IT help desk for a local tech startup. And there's a shell company on their paycheck every month, and they get insurance, and everything like that, right?

Luke Vander Linden: They come in, they clock in, yeah, they go to the cubicle. Yeah.

Lee Clark: Yeah. They have offices, they have cubicles, they have payroll, they provision machines to employees to do work in the same way that legitimate organizations should do. So, we should note like that sort of professionalization of the ransomware scam tactics, right, it's important. So, the last thing I'll note here is a couple of increases we saw, right? In 2022, our membership discussed a total of seven individual ransomware families whereas in 2023 so far, members have reported a total of 12 ransomware families. So, we've seen a pretty big increase in specific organizations that members are tracking. In addition, for 2022, members shared intelligence related to intelligence groups a total of 200 times. That means if you add up all the times one of our members told us something about ransomware that added up to 200 times, right? At the time we cut off for the data collection for this report which was at the end of September, our members had reported intelligence on ransomware operations 419 times. That's a 109.5% increase in one year.

Luke Vander Linden: In only three-quarters of the year.

Lee Clark: In only the first three-quarters of the year, right? I'll be excited to see when we put together the next intelligence trends summary, and I look back on ransomware so if I see it's grown significantly higher after that as well, right? An important note to make is that members sharing intelligence related to ransomware does not indicate or preclude an attempted compromise of their organization. It could be something they found in the wild, something they found during an investigation, all those 419 shares for this year do not necessarily indicate 419 compromise attempts against a member organization. I want to make that clarification.

Luke Vander Linden: Thank you for that. And, you know, I mentioned earlier that I attended the Aspen Cyber Summit in New York City last week. Talk about ransomware as well and consistent with what they talked about there with moving to an extortion model or different ways to profit from ransomware that do not necessarily involve encryption. So, this is great. This is great stuff. Great report. If anybody wants to download that TLP Clear Report, just go to our website rhisac.org, click on the navigation under our I think it's resources, and then reports, and then it should be there, along with a lot of the other reports that we publish and that we discussed on the podcast before, Lee. Excellent. Well, thank you very much as always for joining us.

Lee Clark: Thank you for having me. [ Music ]

Luke Vander Linden: Thank you to all my guests, newly elected RH-ISAC board member Ngozi Eze of Levi Strauss, Manpreet Kang of Williams-Sonoma, and the RH-ISAC's own Lee Clark, JJ Josing, and Ian Furr. By the way, in case you haven't heard, our next summit is moving to April and will be in Denver, Colorado next year. The website is already live and you can go ahead and register, just go to summit.rhisac.org. As always, thank you to the production team who do their best to make this sound good. From N2K Networks, formerly known as the CyberWire, that's Jennifer Eiben, Tré Hester, and Elliott Peltzman, and Annie Chambliss from the RH-ISAC. And thank you for tuning in. Stay safe out there. [ Music ]