Introduction
Unfortunately, it is all too common that the first a company hears about being a victim of cyberattack, the source is law enforcement. Law enforcement typically contacts the company’s chief legal officer, who may or may not have a cyber specialist to whom to forward the call. The cyber legal counsel often also wears a regulatory compliance hat, so may be inclined be extremely careful about sharing the information before its applicability to the company can be independently verified. That is, they may elect to hire a Private Investigator before notifying their own cybersecurity team.
Internet old-timers have long been thoroughly disgusted by this turn of events. In the 1990s, the Internet Engineering Task Force (IETF) wrote a specification for “Mailbox Names for Common Services, Roles and Functions” wherein they noted that abuse@domain.com, trouble@domain.com and security@domain.com were in use and should be more widely adopted (see https://www.ietf.org/rfc/rfc2142.txt). As a CISO, I have been a recipient of email sent to those addresses, but they are fewer and farther between as time goes by.
The twenty-first century introduced a new normal: when someone observes a new vulnerability exploit in the wild, they get paid to report it. So unless you are trolling on the dark web, you are unlikely to hear about a new known exploited vulnerability until it is announced by the Department of Homeland Security's Cybersecurity & Infrastructure Security Agency (DHS CISA). That is, unless you are taking advantage of someone else’s research into your infrastructure’s potential vulnerabilities via an Early Warning Platforms (EWS).
Early Warning Platforms
The original early warning platforms were little more than email notifications as envisioned by the IETF. Ambitious entrepreneurs would hire smart technologies to scour the dark web and associated social engineering platforms for their client’s names, domains, and phone numbers. They summarized the findings in weekly reports, and if there was a really interesting one, they would call it in to Security Operations. Now there are so many threat intelligence sources but public and private that it is hard to maintain this level of customization without significant automation. EWS platforms use both human and artificial intelligence to comb through a wide variety of data sources for threats, then use similar levels of intelligence to filter those threats to corporate requirements. The challenge is now: how to incorporate such actionable threat intelligence enterprise into an enterprise cybersecurity program?
EWS Program
In our observation, companies who have successfully incorporated early warning platforms have made use of similar building blocks. In summary:
- Devote resources to the EWS program. Treat it like any other important public-facing business process. Engage legal and public relations to ensure that a central cybersecurity team is the main point of contact for threat intelligence from any source, even if the only initially expected source is an EWS vendor. This layer the groundwork for process integration and cooperation as needed without having to engage CISO-level communications for prompt investigation.
- Form a SWAT team responsible for immediate response to EWS input. We adopt the acronym for Special Weapons and Tactics (SWAT) teams that have long been common in physical defense, but are just catching on in cyber. It is understood that smaller firms likely will have fewer resources to devote to such SWAT, the trick will be to cover the 7x24 resource requirement, so in small businesses the Cyber SWAT will likely be connected to or a subteam of a central infrastructure operations center.
- Reward the SWAT team. In cyber, it is much more common to see these SWAT teams in cyber-offense. The red team has had so much demand and absorbed so much technical skill that jobs in cyber defense seem boring in comparison. Companies have long struggled with the concept of independent technical contributor. When someone has been promoted to the highest level position where their sole responsibility is individual contributor, they also hit a salary cap. For such contributors, the only way to advance their career has been to become self-employed. SWAT membership help companies keep great people.
- Empower all members of the SWAT team (not just the leader who one day will inconveniently be on vacation) to call ANY member of any technology group with a request to learn how their technology works and get an immediate answer. Investigations that have to be scheduled around developer’s scrum meetings could end up being very costly. Of course, this power should be used prudently.
- Integrate the SWAT team with Security Operations. It is likely that many of its members will be from security operations, so this is not typically a very difficult step to accomplish.
Conclusion
As with any warning system (such as for weather events), the goal of a cyber early warning system is to give insight to decision makers that prompts timely preventive action. Cybersecurity teams are well-versed in response to known exploited vulnerabilities, and the earlier such teams understand they are a target, the sooner those responses may be put into motion. Devoting technical expertise to the analysis of threat intelligence is fast becoming a systemic requirement for cybersecurity programs. Planning for the expertise to be readily available is fast becoming industry best practice.