Home / Blogs

Good Samaritans with Network Visibility

April Lorenzen

In a big open office 30 feet from me, a team of US Veterans speak intently on the phone to businesses large and small, issuing urgent warnings of specific cyber security threats. They call to get stubborn, confused people to take down hidden ransomware distribution sites. They call with bad news that a specific computer at the business has malware that steals login credentials. They call with good news — you can beat the bad guys this time by not sending the money — minutes before an email arrives to the business with fraudulent wire transfer instructions.

I've eavesdropped as "the Veterans" powered their way through over 4600 of these calls, diligently fulfilling a DHS funded research project. Today I'm sharing observations, insights and the unexpected trends I have noted.

Assess Notification Motive

Businesses typically see three motives for incoming "cyber security notifications":

  • Legit but annoying salespeople offering cyber security solutions.
  • Scammers seeking private info, cash, or control of computer.
  • Altruistic public service notifications with no ulterior motive.

If the call passes the sniff test for motive, verifying the reported IoC (Indicator of Compromise) is a direct route to convert the notification to company asset protection. Verifying the identity of the caller is less important and more time consuming, adding little benefit.

You can find and verify the cyber security problem in your network based on a timestamp, hostname, ip:port or credential. However, who makes you aware of the problem almost doesn't matter. The notifier just needs to accurately convey the data points needed to track down the affected device in your logs or network monitor.

Suspicion is Healthy – Rudeness is Optional

Frustration is at an all time high as we are beset on every side by scams. The Veterans making calls for the project are often mistaken for scammers or salesmen despite a friendly, down-home style, quickly slipping in the essential reassurance: "This is not a sales call."

"YOUR FULL OF S**T!!!" the email reply screamed in all caps. The notified company was a prestigious accounting firm.

"I AM REPORTING YOU TO THE FBI" blasted another. With the senior researcher on the project being an Infragard member, that worked out ok — leading to an invitation to speak about the project at a regional chapter.

"YOU NEED JESUS" added another helpful notification recipient who thought the Veterans were the scammers. (Still could be good advice, most days.)

"Scammer! Scammer! Scammer!" shouted another. Nevertheless this notification turned into a win. The call raised the suspicion level of the business, resulting in vigilance against the fraudulent wire transfer email that arrived a short time later.

Polite Professionals Capture Max Security Value

Negative responses actually have been rare. By contrast there are many exemplary companies with a polite and professional culture. These companies share back results demonstrating leadership and proactive incident handling steps taken.


  • Shared confirmed threats with everyone in the company including C-level, finance, and frontline contact people.
  • C-level sets a policy that urgent instructions to send money or sensitive information be confirmed via channels other than email.
  • Review detail level of contact info on website; review wording of out-of-office auto replies.


  • Employees on alert to protect the company.
  • Reduce confusion and enhance awareness.
  • High value assets won't be handed over to cyber criminals, even if executive impersonation email manages to bypass technical blocking solutions.
  • Thwart social engineering criminals.

Conclusion: Proper Handling of Notifications is Essential to Defense in Depth

Every business has substantial assets at risk of loss to cyber criminals. Again and again we see big business enterprise brought down via cyber security errors that start at a small business vendor, escalating via trusted channels into the larger entity networks. I predict you'll soon be contacted about a cyber security issue affecting your vendors, which could in turn affect you.

Accepting and acknowledging cyber security IoC notifications is a high impact yet low cost addition to your defense in depth strategy.

By April Lorenzen, Chief Data Scientist at Zetalytics. April is an Internet security researcher specializing in the preemptive discovery of miscreant and crimeware resources in the domain name system. She is the primary architect of the free open source data visualization tool "Mal4s” as well as operating IoC security feeds continuously since 2004, overseeing one of the world's most geographically diverse passive DNS systems in her work as Chief Data Scientist at Zetalytics.

Related topics: Cyberattack, Cybercrime, Cybersecurity, Networks


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Mobile Internet

Sponsored by Afilias Mobile & Web Services

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

DNS Security

Sponsored by Afilias

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

Mobile Web Intelligence Report: Bots and Crawlers May Represent up to 50% of Web Traffic