Home / Blogs

Good Samaritans with Network Visibility

In a big open office 30 feet from me, a team of US Veterans speak intently on the phone to businesses large and small, issuing urgent warnings of specific cyber security threats. They call to get stubborn, confused people to take down hidden ransomware distribution sites. They call with bad news that a specific computer at the business has malware that steals login credentials. They call with good news — you can beat the bad guys this time by not sending the money — minutes before an email arrives to the business with fraudulent wire transfer instructions.

I've eavesdropped as "the Veterans" powered their way through over 4600 of these calls, diligently fulfilling a DHS funded research project. Today I'm sharing observations, insights and the unexpected trends I have noted.

Assess Notification Motive

Businesses typically see three motives for incoming "cyber security notifications":

  • Legit but annoying salespeople offering cyber security solutions.
  • Scammers seeking private info, cash, or control of computer.
  • Altruistic public service notifications with no ulterior motive.

If the call passes the sniff test for motive, verifying the reported IoC (Indicator of Compromise) is a direct route to convert the notification to company asset protection. Verifying the identity of the caller is less important and more time consuming, adding little benefit.

You can find and verify the cyber security problem in your network based on a timestamp, hostname, ip:port or credential. However, who makes you aware of the problem almost doesn't matter. The notifier just needs to accurately convey the data points needed to track down the affected device in your logs or network monitor.

Suspicion is Healthy – Rudeness is Optional

Frustration is at an all time high as we are beset on every side by scams. The Veterans making calls for the project are often mistaken for scammers or salesmen despite a friendly, down-home style, quickly slipping in the essential reassurance: "This is not a sales call."

"YOUR FULL OF S**T!!!" the email reply screamed in all caps. The notified company was a prestigious accounting firm.

"I AM REPORTING YOU TO THE FBI" blasted another. With the senior researcher on the project being an Infragard member, that worked out ok — leading to an invitation to speak about the project at a regional chapter.

"YOU NEED JESUS" added another helpful notification recipient who thought the Veterans were the scammers. (Still could be good advice, most days.)

"Scammer! Scammer! Scammer!" shouted another. Nevertheless this notification turned into a win. The call raised the suspicion level of the business, resulting in vigilance against the fraudulent wire transfer email that arrived a short time later.

Polite Professionals Capture Max Security Value

Negative responses actually have been rare. By contrast there are many exemplary companies with a polite and professional culture. These companies share back results demonstrating leadership and proactive incident handling steps taken.


  • Shared confirmed threats with everyone in the company including C-level, finance, and frontline contact people.
  • C-level sets a policy that urgent instructions to send money or sensitive information be confirmed via channels other than email.
  • Review detail level of contact info on website; review wording of out-of-office auto replies.


  • Employees on alert to protect the company.
  • Reduce confusion and enhance awareness.
  • High value assets won't be handed over to cyber criminals, even if executive impersonation email manages to bypass technical blocking solutions.
  • Thwart social engineering criminals.

Conclusion: Proper Handling of Notifications is Essential to Defense in Depth

Every business has substantial assets at risk of loss to cyber criminals. Again and again we see big business enterprise brought down via cyber security errors that start at a small business vendor, escalating via trusted channels into the larger entity networks. I predict you'll soon be contacted about a cyber security issue affecting your vendors, which could in turn affect you.

Accepting and acknowledging cyber security IoC notifications is a high impact yet low cost addition to your defense in depth strategy.

By April Lorenzen, Chief Data Scientist at Zetalytics – April is an Internet security researcher specializing in the preemptive discovery of miscreant and crimeware resources in the domain name system. She is the primary architect of the free open source data visualization tool "Mal4s” as well as operating IoC security feeds continuously since 2004, overseeing one of the world's most geographically diverse passive DNS systems in her work as Chief Data Scientist at Zetalytics. Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet


 Be the first to post a comment!

Add Your Comments

 To post your comments, please login or create an account.



New TLDs

Sponsored byAfilias


Sponsored byWhoisXML API

DNS Security

Sponsored byAfilias

Brand Protection

Sponsored byAppdetex


Sponsored byThreat Intelligence Platform


Sponsored byVerisign

Domain Names

Sponsored byVerisign