|
In a big open office 30 feet from me, a team of US Veterans speak intently on the phone to businesses large and small, issuing urgent warnings of specific cyber security threats. They call to get stubborn, confused people to take down hidden ransomware distribution sites. They call with bad news that a specific computer at the business has malware that steals login credentials. They call with good news—you can beat the bad guys this time by not sending the money—minutes before an email arrives to the business with fraudulent wire transfer instructions.
I’ve eavesdropped as “the Veterans” powered their way through over 4600 of these calls, diligently fulfilling a DHS funded research project. Today I’m sharing observations, insights and the unexpected trends I have noted.
Assess Notification Motive
Businesses typically see three motives for incoming “cyber security notifications”:
If the call passes the sniff test for motive, verifying the reported IoC (Indicator of Compromise) is a direct route to convert the notification to company asset protection. Verifying the identity of the caller is less important and more time consuming, adding little benefit.
You can find and verify the cyber security problem in your network based on a timestamp, hostname, ip:port or credential. However, who makes you aware of the problem almost doesn’t matter. The notifier just needs to accurately convey the data points needed to track down the affected device in your logs or network monitor.
Suspicion is Healthy – Rudeness is Optional
Frustration is at an all time high as we are beset on every side by scams. The Veterans making calls for the project are often mistaken for scammers or salesmen despite a friendly, down-home style, quickly slipping in the essential reassurance: “This is not a sales call.”
“YOUR FULL OF S**T!!!” the email reply screamed in all caps. The notified company was a prestigious accounting firm.
“I AM REPORTING YOU TO THE FBI” blasted another. With the senior researcher on the project being an Infragard member, that worked out ok—leading to an invitation to speak about the project at a regional chapter.
“YOU NEED JESUS” added another helpful notification recipient who thought the Veterans were the scammers. (Still could be good advice, most days.)
“Scammer! Scammer! Scammer!” shouted another. Nevertheless this notification turned into a win. The call raised the suspicion level of the business, resulting in vigilance against the fraudulent wire transfer email that arrived a short time later.
Polite Professionals Capture Max Security Value
Negative responses actually have been rare. By contrast there are many exemplary companies with a polite and professional culture. These companies share back results demonstrating leadership and proactive incident handling steps taken.
ACTIONS:
BENEFITS:
Conclusion: Proper Handling of Notifications is Essential to Defense in Depth
Every business has substantial assets at risk of loss to cyber criminals. Again and again we see big business enterprise brought down via cyber security errors that start at a small business vendor, escalating via trusted channels into the larger entity networks. I predict you’ll soon be contacted about a cyber security issue affecting your vendors, which could in turn affect you.
Accepting and acknowledging cyber security IoC notifications is a high impact yet low cost addition to your defense in depth strategy.
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byCSC
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byIPv4.Global