External Threat Notifications: A Strategy for Response

A practical framework for organisations to evaluate and respond to external cyber threat notifications based on source reliability and information actionability.

David Stocks

Organisations regularly receive external notifications about potential threats and vulnerabilities. How your team processes and responds to these notifications can help you effectively respond to the important stuff and prevent you from wasting precious resources on false alarms or low-priority issues.

Sources of Cyber Threat Notifications

Organisations can receive cyber threat notifications from multiple sources, each with varying levels of credibility:

  1. Government (ACSC/Law Enforcement) - Highly credible notifications about compromises, including those received from foreign law enforcement partners. 
  2. Your vendors - Notifications when they've identified or suspect a breach in their own systems that may affect your organisation, or when they have identified an incident in your systems that they have visibility of.
  3. Threat intelligence vendors - These organisations often contact you if they spot your data in leaks or on dark web forums. They typically provide useful context but may have limited insight into your specific environment, and can be limited by the reliability of the original source.
  4. Security researchers - Both legitimate researchers and "beg bounty" individuals may report vulnerabilities. Quality and motives can vary dramatically, requiring careful evaluation.
  5. Media - Journalists might request comments if they identify or receive tips about suspected incidents involving your organisation. Their information can be fragmentary but might indicate broader awareness.
  6. Threat actors - Actors can contact you directly with claims of compromise. Their claims are often untruthful and should be carefully scrutinised alongside the information they provide to support their claims.

How to Analyse Incoming Threat Information

When evaluating notifications, the information in front of you will help you make a decision about what to do next:

  1. Source reliability - Begin here as it dictates your overall response urgency. A credible source warrants more immediate attention, while dubious sources might justify more measured approaches.
  2. Indicators of Compromise (IOCs) - These tangible technical elements (IP addresses, file hashes, domains) provide concrete evidence to search for in your systems. Their value lies in giving a rapid indication of whether you're actually affected.
  3. Tactics, Techniques, and Procedures (TTPs) - Understanding the attacker's methodology helps identify similar patterns in your environment and informs your defensive strategy. TTPs are particularly valuable when specific IOCs are absent or vary between the threat actor’s campaigns and targets.
  4. Claimed data impact - Scrutinise the data that is allegedly compromised, where it's stored in your environment, and in what forms. This helps identify the potentially impacted systems and assess the likely impact.
  5. Vulnerabilities - Verify if the claimed vulnerability applies to your technology stack and whether you've already addressed it. This assessment determines if your environment is even susceptible.
  6. Impacted assets - Focus your investigation on specific devices, services or infrastructure claimed to be compromised, making your response more targeted and efficient.

Creating a Response Strategy

  1. Prioritise based on source credibility - Law enforcement notifications demand immediate attention, while automated extortion notes sent through customer contact forms may not merit the disruption of your important but non-urgent work. This triage prevents wasting resources on low-quality reports.
  2. Leverage your detection capabilities - Organisations with robust security telemetry can quickly validate or dismiss threat notifications. Those with limited visibility may need to do some painful threat hunting or engage external expertise for validation.
  3. Establish appropriate communication channels - Develop protocols for engaging with different notification sources. Maintain open dialogue with reputable sources while establishing clear boundaries with less reputable entities to prevent time wastage.
  4. Be prepared - Pre-mapping your critical assets and where they live dramatically speeds up investigation when notifications arrive. Similarly, developing playbooks for how you’d respond to external notifications can make for a faster response during a real incident.

Making Response Decisions

When evaluating potentially impactful threats (that is, where the claimed threat would have a material impact if it were to eventuate), consider employing this decision framework based on source reliability and information actionability:

High Reliability + High Actionability: This quadrant represents the clearest case for immediate, full-resource response. When trusted sources like government agencies provide specific, actionable information, mobilise your incident response team immediately. Example: ACSC notifies you about a specific actor they suspect has intruded on your environment, with details on affected assets.

High Reliability + Low Actionability: These situations require response despite being challenging to investigate. When credible sources provide vague information, a methodical investigation is necessary even if frustrating. Example: One of your vendors notifies you of a potential breach but can only remind you of the access they retain to your systems.

Low Reliability + High Actionability: Worth investigating if resources permit and volume is manageable. The actionable nature means verification is relatively quick for your organisation. Example: An unknown researcher provides detailed technical information about a specific exposed database that can be quickly validated for authenticity.

Low Reliability + Low Actionability: These situations rarely justify diverting resources from the more productive security activities that form a security team's day-to-day workload. Example: A generic extortion message is left through the "contact us" form on your website.

Remember, this framework should only be applied to notifications with potentially material impact; trivial threats with minimal harm potential may not warrant structured analysis regardless of source reliability or actionability.
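As an added illustration (not code from the article), the following Python sketch encodes the analysis checklist and the reliability/actionability framework above: the materiality gate is applied first, reliability is derived from the source type, actionability from whether the notice contains anything concrete (IOCs, TTPs, named assets, an applicable vulnerability), and a quick IOC sweep over constructed sample telemetry stands in for the "leverage your detection capabilities" validation step. The source-to-reliability mapping, the `reputable` override and the action labels are assumptions, not the author's.

```python
from dataclasses import dataclass, field

# Reliability tier per source type, following the article's ordering.
# This mapping is an assumption; adjust to your own experience with each source.
SOURCE_RELIABILITY = {
    "government": "high", "vendor": "high", "threat_intel": "low",
    "researcher": "low", "media": "low", "threat_actor": "low",
}

@dataclass
class Notification:
    source: str
    material_impact: bool                 # gate: would this matter if true?
    iocs: list = field(default_factory=list)
    ttps: list = field(default_factory=list)
    impacted_assets: list = field(default_factory=list)
    claimed_vuln_applies: bool = False    # checked against your own stack
    reputable: bool = False               # lifts a low-tier source you have vetted

def reliability(n: Notification) -> str:
    base = SOURCE_RELIABILITY.get(n.source, "low")
    return "high" if base == "high" or n.reputable else "low"

def actionability(n: Notification) -> str:
    """High when the notice gives something concrete to search for or verify."""
    concrete = n.iocs or n.ttps or n.impacted_assets or n.claimed_vuln_applies
    return "high" if concrete else "low"

def triage(n: Notification) -> str:
    """Apply the materiality gate, then the four-quadrant decision."""
    if not n.material_impact:
        return "no structured analysis"
    return {
        ("high", "high"): "mobilise IR team immediately",
        ("high", "low"): "methodical investigation",
        ("low", "high"): "investigate if resources permit",
        ("low", "low"): "deprioritise",
    }[(reliability(n), actionability(n))]

def ioc_hits(iocs, log_lines):
    """Validation sweep: which supplied IOCs show up in our telemetry?"""
    return {ioc for ioc in iocs if any(ioc in line for line in log_lines)}

# Constructed sample telemetry (not real data) for the validation step.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z proxy allow 10.0.0.5 -> 203.0.113.7:443 GET /",
    "2024-05-01T10:03:40Z edr hash=0123abcd path=C:\\tmp\\svc.exe",
]
```

In practice the `reputable` flag is where your established relationships with researchers or threat-intelligence vendors feed back into the triage, and `ioc_hits` would be replaced by a query against your SIEM or EDR.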
