NCSC's Early Warning service

Early Warning helps organisations investigate cyber attacks on their network by notifying them of malicious activity that has been detected in information feeds.

Early Warning is a free NCSC service designed to inform your organisation of potential cyber attacks on your network, as soon as possible. The service uses a variety of information feeds from the NCSC, trusted public, commercial and closed sources, which includes several privileged feeds which are not available elsewhere.

Early Warning filters millions of events that the NCSC receives every day and, using the IP and domain names you provide, correlates those which are relevant to your organisation into daily notifications for your nominated contacts via the Early Warning portal.

Organisations will receive the following high level types of alerts:

- Incident Notifications – This is activity that suggests an active compromise of your system.

For example: A host on your network has most likely been infected with a strain of malware.

- Network Abuse Events – This may be indicators that your assets have been associated with malicious or undesirable activity.

For example: A client on your network has been detected scanning the internet.

- Vulnerability and Open Port Alerts – These are indications of vulnerable services running on your network, or potentially undesired applications are exposed to the internet.

For example: You have a vulnerable application, or you have an exposed Elasticsearch service.

Cyber security researchers will often uncover malicious activity on the internet or discover weaknesses in organisations security controls, and release this information in information feeds. In addition, the NCSC or its partners may uncover information that is indicative of a cyber security compromise on a network. The NCSC will collate this information and use this data to alert your organisation about potential attacks on your network.

Full details at www.ncsc.gov.uk/information/early-warning-service