Yes we scan Belgium


As a company or organization you don’t become a victim of a ransomware attack because of who you are. That is to say, not primarily. You become a victim because you had a vulnerability and the access to your networks was sold on the Dark Web by an Initial Access Broker. There are two main intrusion vectors that put you on their lists. First, they compromise credentials, for instance using phishing campaigns or info-stealer malware in the browser. Second, they scan the Internet for vulnerable systems with unpatched software or configuration mistakes. The Initial Access Broker specializes in compromising credentials or exploiting vulnerabilities without starting the operation to exfiltrate and encrypt data. That is most often done by another group, which will look through the compromised victims for interesting ones. During this second phase it does of course matter who you are and how interesting you are as a target.

Decent Multifactor Authentication (MFA) will already protect you significantly against intrusion by leaked credentials, but how do you protect against an intrusion exploiting a vulnerable system? The answer is easier said than done. Even our Cyber Fundamentals level Basic states that “Software platforms and applications used within the organization are inventoried” and that “Patches and security updates for Operating Systems and critical system components shall be installed”. Most of the time this is done well, but you only have to miss patching one system or one piece of Internet-facing software and you are vulnerable.

Government cybersecurity agencies send out generic warnings about vulnerabilities that are being actively exploited, but these warnings have a limited effect. Not many read these warnings, and companies do not feel directly addressed or do not sufficiently sense the threat. For new vulnerabilities, criminals will develop exploits as fast as possible and will scan the Internet for vulnerable systems. Sometimes the access is secured for later use by installing a backdoor such as a webshell.

At the Centre for Cybersecurity Belgium we go a step further than sending out generic warnings. For almost one year now we have implemented the concept of “spear warning”. Just like the criminals do, we identify vulnerable systems in Belgium, but we notify the owners directly. Spear warning gains in importance now that some major ransomware gangs also target mid-sized and even small businesses.

The objective of Spear Warning is to get one step ahead of cybercriminals and identify and protect vulnerable systems before they can attack them.

Spear warning is one of the main missions of our Cyber Threat Research and Intelligence Sharing (CyTRIS) team. There are some distinct steps in this process:

  • Together with a commercial partner, Recorded Future, we constantly evaluate the “most likely to be exploited vulnerabilities” in our country.
  • Then we scan the Belgian IP space for vulnerable systems. As countries don’t have exact IP borders, we can only scan those IP ranges that can be considered with high confidence to be in Belgium. Admittedly this “Belgian IP space” is a bit fuzzy, but the portion that cannot be scanned because of that is trivial.
  • The next step is to identify the owners of the vulnerable systems. Most of the time we have to split up the list of IP addresses and timestamps per ISP and ask for the identification (name and contact information) of the owners.
  • Finally, these owners are notified in a very direct way. The emails are usually sent to the IT manager of the vulnerable system. This direct notification by the national authority for cybersecurity about one of their own systems has a much better effect than a generic warning about the vulnerability. But still, not all of them apply the necessary and urgent software updates immediately. Quite often the actively exploited vulnerabilities are not so recent, resulting in a reduced sense of urgency at the IT manager level. That is why we also send out letters on paper to the management of the organization. These letters carry the logos of the CCB and of the Prime Minister and are signed by me as Director General. We address the C-level of the organization with a vulnerable system in their language, talking about risks to their business, the potential business impact and the reputation damage that follow from a ransomware attack or data leakage. If we can see this vulnerability in your network, hackers and criminals have probably already seen it too; please react immediately.
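The two data-handling steps above (splitting findings per ISP for owner identification, and measuring how many hosts disappear from a follow-up scan) are shown below as an added example, not CCB's own tooling; the ISP names, prefix table (RFC 5737 documentation ranges), hosts, timestamps and VULN-A/VULN-B labels are all constructed. It also keeps hosts outside every known prefix apart, since no ISP can be asked to identify them.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed ISP prefix table (hypothetical ISP names, RFC 5737 documentation ranges).
ISP_PREFIXES = {
    "isp-a": [ip_network("192.0.2.0/24")],
    "isp-b": [ip_network("198.51.100.0/24")],
    "isp-c": [ip_network("203.0.113.0/25")],
}

def isp_for(ip):
    """Return the ISP whose known prefix contains ip, or None if unattributable."""
    addr = ip_address(ip)
    for isp, nets in ISP_PREFIXES.items():
        if any(addr in net for net in nets):
            return isp
    return None

def batch_per_isp(findings):
    """Split (ip, timestamp, vuln) findings into one identification request per ISP.
    Hosts outside every known prefix go to a separate list: no owner can be asked."""
    batches, unknown = defaultdict(list), []
    for ip, ts, vuln in findings:
        isp = isp_for(ip)
        (batches[isp] if isp else unknown).append((ip, ts, vuln))
    return dict(batches), unknown

def remediation_rate(before, after):
    """Percentage of hosts per vulnerability no longer seen in the follow-up scan."""
    seen = defaultdict(set)
    for ip, _, vuln in before:
        seen[vuln].add(ip)
    still = defaultdict(set)
    for ip, _, vuln in after:
        still[vuln].add(ip)
    return {v: round(100 * (1 - len(h & still[v]) / len(h))) for v, h in seen.items()}

# Constructed sample scans; VULN-A/VULN-B are placeholder vulnerability labels.
SCAN_DAY0 = [
    ("192.0.2.10", "2023-09-01T02:00Z", "VULN-A"),
    ("192.0.2.77", "2023-09-01T02:01Z", "VULN-A"),
    ("198.51.100.5", "2023-09-01T02:05Z", "VULN-B"),
    ("203.0.113.9", "2023-09-01T02:07Z", "VULN-A"),
    ("203.0.113.200", "2023-09-01T02:08Z", "VULN-B"),  # outside every known prefix
]
SCAN_DAY5 = [  # re-scan after notification: two hosts still vulnerable
    ("192.0.2.77", "2023-09-06T02:01Z", "VULN-A"),
    ("198.51.100.5", "2023-09-06T02:05Z", "VULN-B"),
]
```

With these samples, `batch_per_isp(SCAN_DAY0)` yields three ISP batches plus one unattributable host, and `remediation_rate(SCAN_DAY0, SCAN_DAY5)` reports 67% for VULN-A and 50% for VULN-B.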

One of the hardest parts in setting up a spear warning service at national level was getting all the necessary legal provisions. Scanning a network or even a country for vulnerable systems can be seen as an attempt to break in and is therefore by default illegal. It took us quite some effort to find the right balance and convince the political authorities. We now have the legal mission to detect cyber threats and vulnerabilities that could lead to significant cyberattacks and damage. Respecting proportionality, collecting only the information necessary to identify the vulnerability, and with the sole purpose of immediately informing the owner of the vulnerable system, we can conduct non-discriminatory and non-intrusive scans.

These five conditions give us just enough authority to detect a lot of systems in Belgium with an important vulnerability and to notify the owners. Another legislative initiative was needed to allow the CCB to obtain the identity and contact information of those owners. Thanks to this new legal framework and a constructive collaboration with the service providers, we can identify and notify most of the companies at risk within a few days after detecting the vulnerability.

In the first three quarters of 2023 we were able to send out 8,000 spear warnings. Depending on the vulnerability, we measure a fast reduction in the number of vulnerable systems ranging from 50% to 90% within days, rather than weeks or months. The effect is significant, even for older vulnerabilities for which several general warnings have already been published.


Besides the warnings for vulnerabilities, we have also started sending out warnings for leaked credentials and for malware infections that might lead to significant damage. Recently we sent out 280 spear warnings for SystemBC infections, which quite often lead to a ransomware attack. Although we will never know exactly, we can assume that thanks to this campaign we have prevented at least some ransomware incidents.

It took us a few years to get all the building blocks in place, but I really think that directly warning the owners of vulnerable or threatened systems is an important service in the whole package of measures that governments can take.


Ben Appel

Corporate Affairs Lead at Proximus

11 months

We are a fan of the work of CCB. The spear warning is a great initiative, and we are happy to support all their efforts in the protection of our digital society.

Abigail Levrau

Senior Technical Manager SR at EFRAG

12 months

Miguel De Bruycker, congratulations, among other things, on the Award. A fine recognition for the whole team.

Peter Witsenburg

Manager IT Governance, Risk en Data compliance

12 months

Miguel, a very nice initiative, and as an extra tip for also reaching the people at C-level (board level): call it the (be)"Spaar Waarschuwing" ("savings warning"); it sounds less technical.

Frank Reymenants

Identity Governance & Access Management Leader (Comito is hiring)

12 months

Great initiative, and I have been fortunate enough to experience a -very- close call where disaster was avoided thanks to your services! Thank you!

Sacha Vekeman

Front runner who gets you from A to B | Cybersecurity specialist driving enterprise & government solution sales at Inetum

12 months

These initiatives, together with a mentality of breaking through difficult information and privacy walls, make Belgium #1 ranked in the NCSI. Congrats to the team and the leader!
