The NCSC Early Warning Service - an Overview
Cyber security risk has once again reached the headlines in response to the ongoing conflict in Ukraine, given Russia's history of using cyber warfare alongside conventional military action. The western world's reaction to this conflict has been to sanction Russia, with the Channel Islands following suit in applying economic sanctions, which landed Jersey on Russia's 'Unfriendly Countries' list - Jersey 'unfriendly' to Russia - Jersey Evening Post.
The response to this conflict has heightened awareness of the risk of cyber attack, with various agencies recommending that organisations raise their cyber defence posture. A regularly recommended set of tools is provided for free by the National Cyber Security Centre, including the Early Warning Service. In the following blog piece CIISF member Ewan Traynor describes this service and explains why you should be using it, if you are not already using a similar toolset.
What is NCSC’s Early Warning Service?
The NCSC's Early Warning Service is a free and open product, for organisations in the UK or Crown Dependencies, that enables you to be informed of potential cyber attacks on your network as early as possible. The service does not conduct any active scanning itself; instead it consumes many cyber threat intelligence feeds and correlates that data against the domain names and IP addresses you have supplied to be monitored.
How do you sign up for it?
Any organisation in the UK or Crown Dependencies is eligible to sign up for free. To sign up, visit the following link: "NCSC Registration". Once you have created your NCSC account, you will be able to sign up for the Early Warning Service. You will then just need the name of your organisation, your public IPs and domain names, and the name and email address you would like the alerts to go to.
How do you use it?
Once you have supplied the Early Warning Service with all the information it needs, you will start to receive daily alerts at the email address you provided, plus weekly vulnerability alerts. Both come in the same format but differ in content, which we will discuss later.
How does it work?
The Early Warning Service is a tool that uses cyber threat intelligence feeds (open source, closed source, and several privileged feeds) to correlate data. It applies filters relevant to your business to the data being ingested, searching for anything relating to the IP addresses and domain names you have given it to monitor. It then bundles the resulting alerts into a CSV file and sends them to the email address you have chosen.
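To make the correlation step concrete, here is an added illustration (not NCSC code, and not a description of the service's internal implementation) of how threat intelligence indicators can be matched against a monitored list of networks and domains and then bundled into a CSV. The feed records, the watchlist and the column names are all constructed for this example; the real service's feeds and file layout are not shown in this post.

```python
import csv
import io
import ipaddress

# Constructed watchlist: the kind of public IP ranges and domains an
# organisation would hand to the service for monitoring.
WATCHLIST_NETWORKS = ["203.0.113.0/24", "198.51.100.17/32"]
WATCHLIST_DOMAINS = ["example.org"]

# Constructed indicator records in the shape a threat-intel feed might emit.
FEED_RECORDS = [
    {"source": "open-feed-A", "type": "ip", "value": "203.0.113.45",
     "category": "botnet_c2_beacon", "seen": "2022-03-01"},
    {"source": "closed-feed-B", "type": "domain", "value": "mail.example.org",
     "category": "phishing_host", "seen": "2022-03-01"},
    {"source": "open-feed-A", "type": "ip", "value": "192.0.2.9",
     "category": "scanner", "seen": "2022-03-01"},
    # Deliberate near-miss: shares a suffix with example.org but is a
    # different registered domain and must NOT match.
    {"source": "closed-feed-B", "type": "domain", "value": "notexample.org",
     "category": "phishing_host", "seen": "2022-03-02"},
]


def ip_matches(value, networks):
    """True if the indicator is an IP address inside any monitored network."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # malformed or non-IP indicator: never a match
    return any(addr in net for net in networks)


def domain_matches(value, domains):
    """True if the indicator equals a monitored domain or is a subdomain of it.

    The leading '.' in the suffix check is what stops 'notexample.org' from
    being treated as part of 'example.org'.
    """
    v = value.lower().rstrip(".")
    return any(v == d or v.endswith("." + d) for d in domains)


def correlate(records, networks, domains):
    """Filter feed records down to those touching the monitored assets."""
    nets = [ipaddress.ip_network(n) for n in networks]
    doms = [d.lower() for d in domains]
    hits = []
    for rec in records:
        if rec["type"] == "ip" and ip_matches(rec["value"], nets):
            hits.append(rec)
        elif rec["type"] == "domain" and domain_matches(rec["value"], doms):
            hits.append(rec)
    return hits


def to_csv(hits):
    """Bundle the matched alerts into CSV text (assumed column layout)."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=["seen", "type", "value", "category", "source"],
        extrasaction="ignore")
    writer.writeheader()
    for hit in hits:
        writer.writerow(hit)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(correlate(FEED_RECORDS, WATCHLIST_NETWORKS, WATCHLIST_DOMAINS)))
```

The subdomain check is the detail worth noting: a naive `endswith("example.org")` would raise a false alert for an unrelated domain, so the comparison anchors on the dot boundary. Likewise, using `ipaddress` rather than string prefixes means `203.0.113.45` is tested for membership in `203.0.113.0/24` properly, not as a text comparison.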
Why use it?
It is a free service that alerts organisations to the presence of malware, vulnerabilities and intrusions affecting their networks. It can be used to enhance your awareness of assets, incidents and vulnerabilities that may not otherwise have been picked up, and it can be incorporated into your existing security toolkit to further enrich your security events and incidents.
Potential attackers commonly use similar scanning methods across the public internet to look for 'low hanging fruit'. You can use this service to check that you are not exposing your environment, or any associated weaknesses, to the internet, and to mitigate the weaknesses it does identify.
Weekly Vulnerability Alerts
The following image is the report that contains alerts related to vulnerabilities and open ports. It can be used as a great way to observe your environment from an attacker’s point of view, enabling you to better understand weak spots in your attack surface.
In the above screenshot some of the information has been redacted to protect the assets concerned. In the weekly report you can see numerous types of vulnerability, ranging from an open port to a weakness that could be used to gain remote access to the host. With this information it is relatively easy to locate the host and start remediating the vulnerability.
Daily Threat Alert
The daily report contains alerts for network abuse and incident notifications. This is where you can start to spot compromises that may not already have been picked up within your organisation.
The above screenshot shows a daily threat alert CSV we received. The first two alerts are for two different hosts that have been compromised and are now part of a botnet. The last alert tells us that a host has been engaged in port scanning or web scraping activity. Using this information, we can locate the host and begin our analysis to remediate the infection.
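The step the post describes, taking the received daily CSV, locating the host behind each public IP and deciding what to look at first, is shown below as an added example. It is not NCSC code and the CSV column layout is an assumption, since the real file is only shown redacted; the alert rows and the asset inventory are constructed. The example also handles the case the post's "Why use it?" section hints at: an alert for a public IP that is not in your inventory at all, which is itself a finding.

```python
import csv
import io

# Constructed sample of a daily alert CSV. The real file's columns are not
# visible in the post, so these column names are an assumption.
SAMPLE_DAILY_CSV = """date,ip,alert_type,detail
2022-03-01,203.0.113.45,botnet_drone,Host observed beaconing to known botnet C2
2022-03-01,203.0.113.46,botnet_drone,Host observed beaconing to known botnet C2
2022-03-01,203.0.113.200,scanner,Source of port scanning / web scraping activity
"""

# Constructed asset inventory keyed by public IP, as you might derive it from
# NAT or firewall mappings. 203.0.113.200 is deliberately absent.
ASSET_INVENTORY = {
    "203.0.113.45": {"hostname": "hr-laptop-07", "internal_ip": "10.20.3.45",
                     "owner": "HR"},
    "203.0.113.46": {"hostname": "finance-vm-02", "internal_ip": "10.20.4.12",
                     "owner": "Finance"},
}

# Assumed mapping from alert type to response priority. A confirmed botnet
# member is treated as a live compromise; outbound scanning is abuse that
# still needs a host investigation but is ranked below it.
PRIORITY = {
    "botnet_drone": "P1-compromise",
    "scanner": "P2-outbound-abuse",
}


def triage(csv_text, inventory):
    """Parse the daily CSV, attach the internal asset record and rank rows.

    Rows whose public IP is not in the inventory are routed to asset
    management: an alert for an address you do not recognise usually means
    an asset you did not know was exposed.
    """
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        asset = inventory.get(rec["ip"])
        rows.append({
            "date": rec["date"],
            "public_ip": rec["ip"],
            "priority": PRIORITY.get(rec["alert_type"], "P3-review"),
            "hostname": asset["hostname"] if asset else "UNKNOWN-ASSET",
            "internal_ip": asset["internal_ip"] if asset else None,
            "owner": asset["owner"] if asset else "asset-mgmt",
            "detail": rec["detail"],
        })
    # Stable sort, so rows of equal priority keep the file's order.
    rows.sort(key=lambda r: r["priority"])
    return rows


def summarise(rows):
    """Count alerts per priority, handy for a daily ticket or dashboard."""
    counts = {}
    for r in rows:
        counts[r["priority"]] = counts.get(r["priority"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage(SAMPLE_DAILY_CSV, ASSET_INVENTORY):
        print(row["priority"], row["public_ip"], row["hostname"], row["owner"])
```

The output of `triage()` is what you would feed into an existing ticketing or SIEM pipeline: the two botnet alerts land on named hosts and owners, while the scanner alert on the unrecognised address goes to whoever maintains the asset register, because until the host is identified nobody can remediate it.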
For more information, including case studies, we recommend visiting: Early Warning - NCSC.GOV.UK
- Ewan Traynor