The NCSC’s Early Warning system is one attempt to halt hacks.
The cat and mouse game between cybercriminals and their victims just got a little more interesting. An initiative, quietly launched by the UK’s National Cyber Security Centre (NCSC) last month, aims to act as a caution to companies that could fall foul of cyberattacks.
The Early Warning system, which is a free service offered by the NCSC, is “designed to inform your organisation of potential cyberattacks on your network, as soon as possible,” the UK agency says. Early Warning appears to bring together a list of open and closed source intelligence signals to monitor when attacks are being planned and launched – or when systems are broken into prior to launching an attack – and inform companies who may be vulnerable to such attacks to take pre-emptive action.
“Early Warning filters millions of events that the NCSC receives every day and, using the IP and domain names you provide, correlates those which are relevant to your organisation into daily notifications for your nominated contacts via the Early Warning portal,” say the NCSC.
Prevention, rather than cure
The goal is to prevent attacks rather than mop up their results. By encouraging potential victims to patch the holes that have been identified before an attack happens, the idea is that fewer organisations will fall foul of them.
The NCSC says its Early Warning system will provide organisations that sign up with three types of alert. The first is incident notifications, telling companies that there has been an active compromise of their system based on NCSC intelligence, and encouraging them to act. This would be triggered when there is a high probability that a host on a company or organisation’s network is infected with some sort of malware.
Network abuse events are the second type of warning the NCSC plans to send out. “This may be indicators that your assets have been associated with malicious or undesirable activity,” the NCSC say – giving an example of a client on a network being detected through a rudimentary scan of the internet.
The third type of warning is a vulnerability and open port alert. These would be more like the Minority Report-style pre-crime reports, where you’re told that there are hints that something on your network may be vulnerable to attack – for instance, an unpatched application or an exposed Elasticsearch service.
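To illustrate the correlation step the NCSC quote above describes, here is an added example (not NCSC code; the asset list, event feed, event kinds and alert labels are all constructed for illustration) that matches a feed of events against an organisation's registered IP ranges and domains and buckets the matches into daily notifications under the three alert types the article lists:

```python
import ipaddress
from collections import defaultdict

# Assets an organisation would register with the service (constructed sample).
ORG_ASSETS = {
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
    "domains": {"example.org"},
}

# Constructed sample feed entries; the "kind" values are hypothetical labels.
SAMPLE_EVENTS = [
    {"date": "2021-06-01", "ip": "203.0.113.10", "kind": "malware_c2_beacon"},
    {"date": "2021-06-01", "host": "mail.example.org", "kind": "scanner_hit"},
    {"date": "2021-06-01", "ip": "203.0.113.25", "kind": "open_port", "port": 9200},
    {"date": "2021-06-01", "ip": "198.51.100.7", "kind": "open_port", "port": 22},
    {"date": "2021-06-02", "host": "www.other.net", "kind": "malware_c2_beacon"},
]

# Map constructed event kinds onto the three alert types from the article.
ALERT_CLASS = {
    "malware_c2_beacon": "incident",
    "scanner_hit": "network_abuse",
    "open_port": "vulnerability_open_port",
}


def belongs_to_org(event, assets):
    """True if the event names an IP in our ranges or a host under one of our domains."""
    if "ip" in event:
        addr = ipaddress.ip_address(event["ip"])
        return any(addr in net for net in assets["networks"])
    # Normalise case and a trailing dot so "Mail.Example.org." still matches.
    host = event.get("host", "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in assets["domains"])


def correlate(events, assets):
    """Keep only events touching the org's assets, grouped by day and alert type."""
    daily = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if not belongs_to_org(ev, assets):
            continue  # noise from other people's networks is dropped here
        alert_type = ALERT_CLASS.get(ev["kind"], "unclassified")
        daily[ev["date"]][alert_type].append(ev)
    # Plain dicts so callers cannot accidentally create empty days by lookup.
    return {day: dict(kinds) for day, kinds in daily.items()}


if __name__ == "__main__":
    for day, kinds in sorted(correlate(SAMPLE_EVENTS, ORG_ASSETS).items()):
        for alert_type, evs in kinds.items():
            print(day, alert_type, len(evs))
```

Only the events on the organisation's own ranges and domains survive, so the 2021-06-02 entry about another domain produces no notification at all.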
“This is the government making a serious effort to help organisations be forewarned,” says Alan Woodward, a cybersecurity professor at the University of Surrey.
“They may not be able to stop attacks but they can help you learn from others being shot at so that you can dodge the bullet if it comes in your direction. Why wouldn’t you do it?”
Indeed, the NCSC give an example of an attack they’ve already foiled thanks to one organisation signing up to its Early Warning service. A critical infrastructure owner in the UK which had many suppliers encouraged those companies it works with to sign up to the Early Warning system.
Doing so meant that the NCSC could inform them of a web shell on its service, related to the 2021 Exchange vulnerabilities, even after initial checks and patching had taken place which failed to uncover the problem. “Without the Early Warning service, it is possible that an adversary could have remained hidden on this system, able to access information that neither the supplier nor our organisation would want to be exfiltrated,” the organisation said in a statement.