Since many of us have probably watched the 1983 movie War Games, we can picture intercontinental ballistic missiles (ICBMs) flying through the air. Cut to a dark situation room somewhere underground, where an alarm goes off signalling impending doom.
A more recent example might involve an earthquake in the Pacific Ocean off the coast of Japan, with the resulting tsunami wiping out coastal settlements and causing the Fukushima nuclear power plant to fail.
Physical world phenomena such as missile attacks, earthquakes, and volcanic eruptions are all familiar territory for thinking about early warning. The cyber realm, however, has traditionally been more of an uncharted territory.
For more than a decade, however, I personally have been helping various parties build and maintain cyber early warning systems for their stakeholders. Originally, these systems went by other names, but below I will try to shed light on what a modern cyber early warning system actually looks like.
The field of early warning in the traditional sense is an established one and the opening statement from the proceedings of the Third International Conference on Early Warning sums up its motivation quite succinctly:
Early warning is a major element of disaster risk reduction. It prevents loss of life and reduces the economic and material impact of disasters. To be effective, early warning systems need to actively involve the communities at risk, facilitate public education and awareness of risks, effectively disseminate messages and warnings and ensure there is a constant state of preparedness.
Developing Early Warning Systems: A Checklist.
Even if the cyber risks have not yet materialized as large-scale loss of life, ransomware operators have made sure that the economic and material impact of cyber attacks is felt. Below, I will use the United Nations Office for Disaster Risk Reduction’s (UNDRR’s) Sendai Framework to break down the four elements of people-centred early warning systems and adapt them to the cyber realm based on my experience in the field.
Risk knowledge in the cyber realm
In the physical world, early warning systems build upon the knowledge of hazards and vulnerabilities at a particular location. Since the cyber realm obeys only the speed of light, to understand cyber hazards we must focus our efforts on understanding risks globally. Consequently, we must collect information on cyber threats globally and independently of our target audience.
What is a cyber hazard?
When a volcano erupts, the molten rock that spews out presents a clear and present danger to anything in the area. Cyber hazards, however, are not easily identifiable threats, which is why we need to understand the vulnerabilities and exposures threat actors are actively exploiting. Moreover, the effects of an incident are not necessarily local, since the users may be situated anywhere in the world.
As Juhani ‘Jussi’ Eronen and I have pointed out, a good starting point for understanding actual cyber threats is the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities Catalog. Armed with that knowledge, we can start systematically collecting observations on vulnerabilities and exposures that are of higher priority, especially if they are exposed to the whole Internet. Theoretical knowledge alone is not enough, nor is focusing only on the exploited vulnerabilities, since the root cause of exploitability is often Public Exposure rather than the vulnérabilité du jour.
Tip: To help prioritize cyber threats, we must classify the collected data in terms of urgency — how fast you should run when you receive a warning on a given issue affecting your organization.
Monitoring and warning — looking at the right things
Above, I stated that in the cyber realm, our threat data collection needs to be global to be effective. I would add that it also needs to be automated and continuous for the same reason. Collecting data alone is not enough. That is why we need to connect the dots between cyber threats and those they affect. This used to be much simpler twenty years ago when an organization mostly had to worry about on-premises equipment associated with IP ranges registered to them via a Regional Internet Registry (RIR).
Currently, continuous attack surface discovery is the only way to really assess your public exposure. To that end, most of the systems and services you care about have an identifiable DNS resource record. The practical challenge, especially in large organizations, seems to be the arms race to catalogue even the apex domains. Too often, the marketing department or the DevOps team has registered a domain and set up shop somewhere in the cloud without necessarily keeping track of this newly established attack surface.
Tip: As with threat data collection, attack surface discovery needs to be continuous and automated so that warning of an emerging threat can be effectively communicated to the right recipient.
Dissemination and communication — focusing on prevention
For early warning to be effective in the cyber realm, we must focus on notifying the right recipient of issues, which can help them prevent a disaster. Telling an organization that they had a remote desktop open to the Internet after they have been held for ransom is not really an early warning, now is it?
This brings us to the question of coverage. To be impactful, our risk knowledge needs to react to new threats, but at the same time make sure that systemic issues from 2014 do not bite our stakeholders in the ankle. In this sense, the ambulance chasing often associated with new vulnerabilities is frequently a sign of something else, for example, our configuration management having too lax access policies.
When communicating issues to organizations, we must make sure we inform the recipient at least of the following things in a people-centred manner:
- What is this issue?
- How urgent is it?
- Why is it a problem?
- How can the issue be validated?
- Which asset is affected?
Based on the information above, the recipient can assess the:
- Business impact
- Severity
- Course of action to follow
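As an added example (not the author's tooling), the following Python sketch joins attack surface observations with KEV-style threat knowledge and exposure rules, and emits warnings carrying the five fields listed above ordered by urgency; the asset names, contacts, CVE numbers, products and rules are all constructed placeholders, and only the dictionary keys follow the real KEV feed.

```python
# Added example: connect threat knowledge to discovered assets; all data is constructed.
from dataclasses import dataclass, field

# Constructed entries shaped like the CISA KEV feed (the keys are real KEV
# field names; the CVE numbers and products are placeholders).
KEV = [
    {"cveID": "CVE-0000-00001", "product": "ExampleVPN",
     "knownRansomwareCampaignUse": "Known",
     "shortDescription": "Constructed: pre-auth RCE in ExampleVPN gateway."},
    {"cveID": "CVE-0000-00002", "product": "ExampleCMS",
     "knownRansomwareCampaignUse": "Unknown",
     "shortDescription": "Constructed: path traversal in ExampleCMS."},
]
# Exposure rules: services that are an issue whenever they are Internet-facing,
# regardless of patch level (the "systemic issues from 2014" class). Constructed.
EXPOSURE_RULES = {
    3389: ("Remote Desktop open to the Internet", "immediate"),
    445: ("SMB open to the Internet", "immediate"),
    23: ("Telnet open to the Internet", "high"),
}

@dataclass
class Asset:                 # one row from continuous attack surface discovery
    owner: str               # internal contact, so the warning reaches a person
    hostname: str            # the DNS name the asset is known by
    ports: list = field(default_factory=list)
    product: str = ""        # fingerprinted software, if any

def warning(asset, what, urgency, why, validate):
    return {"recipient": asset.owner, "asset": asset.hostname, "what": what,
            "urgency": urgency, "why": why, "validate": validate}

def build_warnings(assets, kev=KEV, rules=EXPOSURE_RULES):
    """Return warnings ordered by urgency: exposures first, then KEV matches."""
    out = []
    for a in assets:
        for port in sorted(set(a.ports) & set(rules)):
            what, urgency = rules[port]
            out.append(warning(a, what, urgency,
                "Directly reachable login surface; a common ransomware entry point.",
                f"Confirm {a.hostname} answers on TCP/{port} from outside your network."))
        for e in kev:
            if a.product and e["product"] == a.product:
                urgency = "immediate" if e["knownRansomwareCampaignUse"] == "Known" else "high"
                out.append(warning(a, f'{e["cveID"]}: {e["shortDescription"]}', urgency,
                    "Listed in the Known Exploited Vulnerabilities Catalog.",
                    f"Check the {a.product} version on {a.hostname} against the vendor fix."))
    rank = {"immediate": 0, "high": 1}
    return sorted(out, key=lambda w: rank[w["urgency"]])
```

Each warning names a recipient and an asset, so the output can be routed straight to the internal contact discussed under response capability.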
Response capability — reacting to the issue at hand
Even if an organization receives an early warning of an urgent issue clearly outlined and delivered promptly to the right recipient, the success or failure of an effective response boils down to the following question:
Are people prepared and ready to react to warnings?
Traditionally, information security is seen as an interplay of people, processes and technology. If one aspect fails, then the other two are rendered useless. Knowing how to react when you receive a warning largely depends on a well-rehearsed response plan. Consequently, knowing who to contact internally to address the issue is key to any successful remediation work.
The goal of cyber early warning — preventing disasters
In contrast with physical early warning systems, cyber early warning systems need to focus on attack surface reduction, instead of monitoring for cyber threats.
Cyber attacks can cause as far-reaching consequences as forces of nature. That is why the end goal of cyber early warning systems is to raise the bar for the attackers. Too often, we see organizations fall victim to ransomware attacks, which could have been avoided if the focus had been on proactive measures instead of reactive ones.
Ultimately, it all comes down to practising good cyber hygiene and keeping a firm hand on the external attack surface. Taking out the direct attack vectors is likely to make threat actors focus on easier prey. Regular patch cycles and continuous monitoring of assets and issues are key elements of effective cyber defence.
Once this baseline has been reached, we can start focusing on activities such as threat hunting or even making the more skilled attackers part of our risk analysis. Before that, I would focus my attention on basic persistent threats.
Lari Huttunen has been working in cybersecurity since the late 1990s, with an interest in early warning, researching the impact of known vulnerabilities and exposures on a global scale, and understanding cybercrime from the victim’s perspective.
Originally published on Public Exposure.