The National Cyber Security Centre (NCSC) Early Warning System helps organisations investigate cyber-attacks on their network by notifying them of malicious activity that has been detected in information feeds.
This is a free NCSC service designed to inform your organisation of potential cyber-attacks on your network as soon as possible. The service uses a variety of information feeds from the NCSC and from trusted public, commercial and closed sources, including several privileged feeds that are not available elsewhere.
The system filters the millions of events that the NCSC receives every day and, using the IP addresses and domain names you provide, correlates those that are relevant to your organisation into daily notifications for your nominated contacts via an early warning portal.
Organisations will receive the following high-level types of alert:
- Incident Notifications – This is activity that suggests an active compromise of your system.
For example: A host on your network has most likely been infected with a strain of malware.
- Network Abuse Events – These may be indicators that your assets have been associated with malicious or undesirable activity.
For example: A client on your network has been detected scanning the internet.
- Vulnerability and Open Port Alerts – These are indications of vulnerable services running on your network, or of potentially undesired applications exposed to the internet.
For example: You have a vulnerable application, or you have an exposed Elasticsearch service.
Early Warning does not conduct any active scanning of your networks itself; however, some of the feeds may use scan-derived data, for example from commercial feeds. The service is available to all UK organisations that hold a static IP address or domain name.
See: Early Warning - NCSC.GOV.UK