Earlier this year, Britain’s National Cyber Security Centre (NCSC) published some promising figures for its Early Warning service set up to give U.K. organizations a rapid heads-up about developing cyberattacks, including ransomware.
Formally launched in 2021 as part of the NCSC’s wider Active Cyber Defence (ACD) program, Early Warning is available at no cost to any U.K. organization with a fixed IP address.
The service draws its intelligence from a variety of sources, and because the NCSC is a government body its pitch states that these include “several privileged feeds which are not available elsewhere.”
Latest ACD Report
“Early Warning filters millions of events that the NCSC receives every day and, using the IP and domain names provided by our users, correlates those which are relevant to their organisation into daily notifications for their nominated contacts,” the NCSC explains in its latest ACD report.
Early warning notifications include news of malware compromise, odd traffic emanating from inside a network, the discovery of open software ports or data/services, and the detection of compromised credentials being circulated on the dark web (a recent feature).
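The correlation step described above, as an added illustration that is not NCSC code: registered organizations supply the IP ranges and domains they own, incoming events are matched against those assets, and matches are grouped into per-organization daily notifications by category. The organization names, prefixes and event feed are constructed sample data.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of registered users: each org lists the IP prefixes and
# domains it owns (hypothetical names standing in for user-provided data).
USERS = {
    "org-a": {"prefixes": ["203.0.113.0/24"], "domains": ["org-a.example"]},
    "org-b": {"prefixes": ["198.51.100.5/32"], "domains": ["org-b.example"]},
}

# Constructed sample event feed: (category, ISO timestamp, indicator, detail).
EVENTS = [
    ("open_port", "2023-05-01T02:10:00", "203.0.113.7", "tcp/3389"),
    ("malware", "2023-05-01T09:30:00", "203.0.113.20", "beacon to known C2"),
    ("leaked_credential", "2023-05-01T11:00:00", "alice@org-b.example", "paste site"),
    ("open_port", "2023-05-01T12:00:00", "192.0.2.9", "tcp/3389"),  # nobody's asset
]

def owner_of(indicator, users):
    """Map an IP address, or an e-mail/host name, to the registered org (or None)."""
    try:
        ip = ipaddress.ip_address(indicator)
    except ValueError:
        # Not an IP: treat as e-mail or host name and match on the domain part.
        host = indicator.rsplit("@", 1)[-1].lower()
        for org, assets in users.items():
            if any(host == d or host.endswith("." + d) for d in assets["domains"]):
                return org
        return None
    for org, assets in users.items():
        if any(ip in ipaddress.ip_network(p) for p in assets["prefixes"]):
            return org
    return None

def daily_notifications(events, users):
    """Group events that touch registered assets into {org: {day: {category: [details]}}}."""
    out = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    for category, ts, indicator, detail in events:
        org = owner_of(indicator, users)
        if org is None:
            continue  # not a registered asset: dropped, never forwarded to anyone
        day = datetime.fromisoformat(ts).date().isoformat()
        out[org][day][category].append(f"{indicator}: {detail}")
    return out
```

The unmatched open-port event on 192.0.2.9 is discarded, which mirrors the report's point that only registered users receive the alert and so remediate faster.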
In 2022, 2,939 organizations signed up to the service, bringing the total using it to 7,819 by the end of the year, the report said. Over the year, 2,270 were warned about vulnerabilities, 1,193 were warned of possible activity from inside their network, and 570 were told that active malware had been detected.
Exposed RDP Ports
Early Warning ingested 1.49 billion events from its data sources, leading to it sending out 41,000 daily email notifications regarding possible malware activity. In terms of ransomware, Early Warning was able to notify 56 organizations about malware infection associated with this threat type.
A common starting point for ransomware compromise is an exposed Remote Desktop Protocol (RDP) port, and on that point the report notes:
“On average, Early Warning users receiving these alerts left the RDP service exposed for 19.7 days, whereas IP addresses that did not belong to our users left this service available for 49.3 days.”
So, not surprisingly, being told about an exposed RDP port leads to it being addressed more quickly.
The United States is slightly behind in this area, but in 2023 the Cybersecurity and Infrastructure Security Agency (CISA) announced the Ransomware Vulnerability Warning Pilot (RVWP), which had notified 93 organizations during an early trial.
Getting Ahead of Ransomware Threats
What’s curious about Early Warning and the RVWP is why nobody thought of the idea sooner.
Despite successive technological innovations and accumulated knowledge about ransomware, defending against it is arguably much the same as it was a decade ago: assembling traditional technical defenses and policies, locking down data, and investing in well-planned incident response should the worst happen.
If this misses an important pillar, it is probably threat intelligence and crowdsourced information, which plenty of organizations would argue have become critical to understanding the ransomware risk they face in real time.
But it’s hard to escape the feeling that threat intelligence alone has never quite lived up to its early promise. It is drawn from a variety of sources, including the dark web, but an underlying problem is delay: by the time some threat indicators reach criminal forums, it might already be too late.
But perhaps by adding nation state intelligence to the mixture, defenders might in some cases be able to get ahead of the attackers for the first time. It’s too early to decide whether systems such as Early Warning will make a meaningful difference, but future years’ detection statistics will make interesting reading.