Exploring the Realm of Cyber Early Warning Systems

  • When you think about the concept of an early warning system, what kind of a mental image does it evoke?

Well, since many of us have watched the 1983 movie War Games, we picture intercontinental ballistic missiles, ICBMs, flying through the air. Cut to a dark situation room somewhere underground, where an alarm goes off signaling the impending doom.

A more recent example might involve an earthquake somewhere in the Pacific Ocean off Japan and the resulting tsunami wiping out coastal habitation and causing the Fukushima nuclear power plant to fail.

Physical-world phenomena such as missile attacks, earthquakes and volcanic eruptions are all familiar territory for thinking about early warning. The cyber realm, however, has traditionally been more of an uncharted territory.

For more than a decade, however, I personally have been helping various parties build and maintain cyber early warning systems for their stakeholders. Originally these systems were called something else, but below I will try to shed light on what a modern cyber early warning system actually looks like.

The field of early warning in the traditional sense is an established one and the opening statement from the proceedings of the 3rd conference on Early Warning sums up its motivation quite succinctly:

Early warning is a major element of disaster risk reduction. It prevents loss of life and reduces the economic and material impact of disasters. To be effective, early warning systems need to actively involve the communities at risk, facilitate public education and awareness of risks, effectively disseminate messages and warnings and ensure there is a constant state of preparedness.

Even if cyber risks have not yet materialized as large-scale loss of life, ransomware operators have made sure that we are aware of the economic and material impact of cyber attacks. Below, I will use the UNDRR four-field model to break down the four elements of people-centered early warning systems and adapt them to the cyber realm based on my experience in the field.

Risk Knowledge in the Cyber Realm

In the physical world, early warning systems build upon the knowledge of hazards and vulnerabilities at a particular location. Since the cyber realm only obeys the speed of light, to understand cyber hazards we must focus our efforts on trying to understand risks globally. Consequently, this means that we must collect information on cyber threats globally and independently of our target audience.

  • What is a cyber hazard?

When a volcano erupts, the molten rock that spews out presents a clear and present danger to anything in the area. Cyber hazards, however, are not easily identifiable threats, which is why we need to understand the vulnerabilities and exposures that threat actors are actively exploiting. Moreover, the effects of an incident are not necessarily local, since the users may be situated anywhere in the world.

As Jussi and I have pointed out, a good starting point for understanding actual cyber threats is the CISA Known Exploited Vulnerabilities Catalog, KEV. Armed with that knowledge, we can start systematically collecting observations on the vulnerabilities and exposures that are a higher priority, especially when exposed to the whole Internet. Theoretical knowledge alone is not enough, nor is focusing on just the exploited vulnerabilities, since often the root cause of the exploitability is public exposure rather than the vulnerability du jour.

To help prioritize cyber threats, we must classify the collected data in terms of urgency, i.e., how fast you should run when you receive a warning on a given issue affecting your organization.

Monitoring and Warning - Looking at the Right Things

Above, I stated that in the cyber realm our threat data collection needs to be global to be effective. I would add that it also needs to be automated and continuous for the same reason. Collecting data alone is not enough. That is why we need to connect the dots between cyber threats and who they affect. This used to be much simpler twenty years ago, when you as an organization mostly had to worry about on-premises equipment associated with IP ranges registered to you, via RIPE for example.

In the current day and age, continuous attack surface discovery is the only way to really assess your public exposure. To that end, most of the systems and services you care about have an identifiable DNS resource record. The practical challenge, especially in large organizations, seems to be the arms race to catalog even the apex domains. Too often, the marketing department or the devops team has registered a domain and set up shop somewhere in the cloud without necessarily keeping track of this newly established attack surface.

As with threat data collection, attack surface discovery needs to be continuous and automated so that warning of an emerging threat can be effectively communicated to the right recipient.

Dissemination and Communication - Focusing on Prevention

For early warning to be effective in the cyber realm, we must focus on notifying the right recipient of issues, which can help them prevent a disaster. Telling an organization that they had RDP open to the Internet after they have been held for ransom is not really early warning, now is it?

This brings us to the question of coverage. To be impactful, our risk knowledge needs to react to new threats, but at the same time make sure that systemic issues from 2014 do not bite our stakeholders in the ankle. In this sense, the ambulance chasing often associated with new vulnerabilities is frequently a sign of something else, for example our configuration management having too lax access policies.

When communicating issues to organizations, we must make sure we inform the recipient of at least the following things in a people-centered way:

  • What is this issue?
  • How urgent is it?
  • Why is it a problem?
  • How can the issue be validated?
  • Which asset is affected?

Based on the information above, the recipient can assess the:

  • business impact
  • severity
  • and course of action to follow.
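As an added example (not code from the post or its author), here is how the risk-knowledge, monitoring and dissemination pieces above fit together: constructed exposure observations are matched against a KEV-style list and an asset inventory, classified by urgency, and turned into warnings carrying the five fields listed above. The domains, the inventory entries and the CVE-style identifier are all constructed placeholders.

```python
# Added example (not from the post): turn exposure observations into urgency-
# ranked, people-centered warnings. All data below is constructed placeholders.

# KEV-style list of actively exploited vulnerabilities (constructed entry).
KEV = {"CVE-0000-00001": "Placeholder VPN appliance bug exploited by ransomware crews"}
# Asset inventory keyed by DNS name; anything not listed is unknown attack surface.
INVENTORY = {"vpn.example.test": "Corporate VPN", "rdp.example.test": "Jump host"}
# Remote-access services that should never face the whole Internet.
EXPOSED_SERVICES = {"rdp": "Remote desktop reachable from the Internet",
                    "smb": "File sharing reachable from the Internet"}
URGENCY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Constructed observations from a continuous scan of the external attack surface.
OBSERVATIONS = [
    {"asset": "rdp.example.test", "port": 3389, "service": "rdp", "cve": None},
    {"asset": "www.example.test", "port": 443, "service": "https", "cve": None},
    {"asset": "vpn.example.test", "port": 443, "service": "vpn", "cve": "CVE-0000-00001"},
]


def classify(obs):
    """Urgency, i.e. how fast to run: a KEV-listed bug on an exposed asset is
    critical, an exposed remote-access service is high, other exposure is medium."""
    if obs["cve"] in KEV:
        return "critical"
    if obs["service"] in EXPOSED_SERVICES:
        return "high"
    return "medium"


def warning(obs):
    """Build the five-field warning: what, how urgent, why, how to validate, which asset."""
    urgency = classify(obs)
    if urgency == "critical":
        what, why = f"Exploited vulnerability {obs['cve']}", KEV[obs["cve"]]
    elif urgency == "high":
        what, why = f"{obs['service'].upper()} exposed on TCP/{obs['port']}", EXPOSED_SERVICES[obs["service"]]
    else:
        what, why = f"{obs['service']} on TCP/{obs['port']}", "Internet-facing service to keep patched and inventoried"
    owner = INVENTORY.get(obs["asset"], "NOT IN INVENTORY: unknown attack surface")
    return {"what": what, "urgency": urgency, "why": why,
            "validate": f"Confirm {obs['asset']} answers on TCP/{obs['port']} from outside your network",
            "asset": f"{obs['asset']} ({owner})"}


def warnings(observations):
    """Rank warnings so the recipient sees the most urgent issue first."""
    return sorted((warning(o) for o in observations), key=lambda w: URGENCY_ORDER[w["urgency"]])
```

Note that the observation for `www.example.test` is flagged as unknown attack surface because it is missing from the inventory, which is exactly the cataloguing gap described above.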

Response Capability - Reacting to the Issue at Hand

Even if an organization receives an early warning of an urgent issue clearly outlined and delivered in a timely manner to the right recipient, the success or failure of an effective response boils down to the following question:

  • Are people prepared and ready to react to warnings?

Traditionally, information security is seen as an interplay of people, processes and technology. If one aspect fails then the other two are rendered useless. Knowing how to react when you receive a warning largely depends on a well-rehearsed response plan. Consequently, knowing who to contact internally to address the issue is key to any successful remediation work.

The Goal of Cyber Early Warning: Preventing Disasters

In contrast with physical early warning systems, cyber early warning systems need to focus on attack surface reduction, instead of monitoring for cyber threats.

Cyber attacks can cause consequences as far-reaching as forces of nature. That is why the end goal of cyber early warning systems is to raise the bar for the attackers. Too often, we see organizations fall victim to ransomware attacks which could have been avoided if the focus had been on proactive measures instead of reactive ones.

Ultimately, it all comes down to practicing good cyber hygiene and having a handle on one's external attack surface. Taking out the direct attack vectors is likely to make threat actors focus on easier prey. Regular patch cycles and continuous monitoring of assets and issues are key elements of effective cyber defense.

Once this baseline has been reached, we can start focusing on activities such as threat hunting or even making the more skilled attackers part of our risk analysis. Before that, I would focus my attention on the BPT, Basic Persistent Threats.
