Canary coal mine detecting cyberattacks early

April 15, 2021
Michael Solomon

WRITTEN BY MICHAEL SOLOMON

Michael G. Solomon, PhD, CISSP, PMP, CISM, PenTest+, is a security, privacy, blockchain, and data science author, consultant, educator and speaker who specializes in leading organizations toward achieving and maintaining compliant and secure IT environments.
The first step in responding to a security incident is to identify that an incident has occurred, detecting cyberattacks becomes important to survival

Canary in a Coal Mine: Detecting Cyberattacks Early

Many catastrophic events are obvious, with their effects immediately visible — but not all. Fire, flood, tornadoes and earthquakes are all examples of events that can cause a substantial impact to business operation and do not require any effort to detect. Everyone can see what causes the damage.

Cyberattacks can be very different. While some cyberattacks, such as Denial of Service (DoS) attacks, cause interruptions that are immediate and visible, many other attacks are not so obvious. For example, an attack that extracts sensitive customer information likely will not raise alarms and can occur without anyone realizing what happened.

Since the first step in responding to a security incident is to identify that an incident has occurred, identification becomes important to survival. 

A recent IBM breach report states that companies that are victims of a cyberattack take an average of 207 days to identify the breach. And it takes, on average, an additional 73 days to contain it. Think about that: On average, victims of cyberattacks only realize they have been attacked after half the year has passed. Since many cybercriminals plunder their victims repeatedly after the initial breach, losses can accumulate the longer an attacker goes undetected.

A key indicator of how much damage a cyberattack may cause is how soon that attack is detected and stopped. Early breach identification is the single most important action to reduce the blast radius and increase the likelihood of surviving the attack.

Let’s look at some ways companies can place controls that provide an early alert of cyberattack activity. Like the canaries coal miners used to carry with them, an early warning of danger can help avert disaster.

Manage cybersecurity risk

Encountering business interruptions is not a new phenomenon. There are many ways an organization can run over operational “speed bumps” that reduce or completely block its ability to carry out its core business functions. These speed bumps are often referred to as risk.

Risk is the probability that something will occur that has either a positive or negative effect. Most risk is perceived as something that may cause loss, but risk can have a positive result, such as finishing a project early. We will only cover negative risk in this article.

A proven way to minimize the negative effects of realized risk is to develop plans to handle the risks that can cause the most damage. Of course, that is easier said than done. Ignoring risk is dangerous. But managing it well can be the difference between surviving and succumbing to a realized risk such as a cyberattack. The quality of your plans is directly related to your probability of success.

Business Impact Analysis

The first plan you will need to combat cyberattacks is a Business Impact Analysis (BIA). A BIA summarizes your business processes and identifies the functions that must be operational for your organization to stay in business.

These core functions are called Critical Business Functions (CBFs). Once you have identified your CBFs, you know what you must protect. If any CBF gets interrupted, your business process falters.

The next part of a BIA is to identify the risks to each CBF, and then rank the risks by probability of occurrence and severity of impact. The result is a clear picture of what it takes to stay in business and the risks that could threaten your organization.

Business Continuity Plan

Once you have a BIA, the next plan should cover what you will do if any of the identified risks to your CBFs are realized. A Business Continuity Plan (BCP) should include the procedures your personnel will follow to ensure your CBFs are not interrupted, or at least are not interrupted for very long.

A BCP should cover such interruptions as power or communication outages, labor disputes and strikes, cyberattacks, and any other risks that could stop one or more CBFs. The keys to a good BCP are to include procedures for as many risks as you can think of, and then to ensure your personnel understand the plan and are ready to enact it when needed.

Disaster Recovery Plan

The last main type of plan to keep your business running is a Disaster Recovery Plan (DRP). While a BCP covers interruptions that are generally short-term in nature, a DRP covers situations in which large parts of the supporting infrastructure have been damaged or destroyed, such as during fires, earthquakes and floods. A DRP may invoke parts of a BCP, but only after restoring the operational state of the infrastructure.

Managing risk well means having all three plans in place and up to date, with personnel ready to put them into action when needed.

Deploy early warning controls

Having the right plans in place is a great start to surviving cyberattacks, but planning is only part of the solution. Many of the organizations referenced in the previously mentioned IBM study likely had plans in place. The problem was they took too long to activate those plans. Great plans that don’t get carried out promptly aren’t all that great.

To reduce the damage of any cyberattack, you need a canary. Well, not an actual bird, but controls that act like a canary in a coal mine.

Coal mines have many dangers, one of which is methane gas exposure. Methane gas can quickly incapacitate miners and eventually lead to their death if they cannot get to fresh air quickly enough. When methane gas starts building, time is of the essence. Miners learned long ago that canaries are much more sensitive to methane than humans. It was not long until miners began to carry a canary into the mines with them. If the canary was alive and well, the air quality was safe. However, if methane gas were present and began to build, the canary would die, and the miners would be alerted to the degrading air quality before it was lethal to humans. The canary’s sacrifice gave the miners an early warning of danger.

Like the canary, organizations should deploy controls that sound an alert when unusual or dangerous activity is present. Early alerts give responders the ability to intercede quickly in an attack, possibly stopping widespread damage.

For example, suppose your organization has identified ransomware as a threat for production servers. One early warning detective control could be file-integrity monitoring software that detects changes to files. Advanced file-integrity monitors can use machine learning algorithms to help separate normal file changes from those consistent with a ransomware attack. A good advance warning control could alert personnel of a ransomware attack very early on, and a quick response could stop the attack, identify the damage so far, and provide information to recover with minimal disruption.

Respond to incidents

Like with the coal miners, the canary serves little purpose unless action is clear and decisive when the early warning alert sounds. An additional plan that rounds out the suite of preparedness planning is the Incident Response Plan (IRP).

A security incident is any actual or potential violation of your organization’s security policy. Since every organization crafts its own security policy, an incident in one organization may not be an incident in another organization.

The IRP is the operational instruction guide for identifying incidents, determining what is happening, and deciding which steps to follow in order to best respond. The IRP should also include directives for assembling and preparing the team that carries out the incident response activities, or the Incident Response Team (IRT).

It is common for the IRT to activate aspects of the BCP, and perhaps the DRP in extreme situations, to respond to specific incidents. All the plans we have covered complement one another, and all are necessary to handle situations that threaten business continuity. 

Once you have created a BIA, BCP and DRP, you can start to build your IRP. There are many ways to build an IRP, and the final plan should be specific to your organization, but most IRPs include these sections:

  • Preparation: Incorporate the BIA, BCP and DRP, and assemble and train the IRT.
  • Identification: Respond to early warning alerts and determine whether alerts indicate a valid incident. This is where the “canary in a coal mine” approach can make a difference in how much damage you suffer.
  • Containment: Once you identify an incident, take steps (planned out in advance) to limit the damage and keep the incident from spreading.
  • Eradication: After containing the damage, find and remove the root cause of the incident.
  • Recovery: Return affected resources to full operation.
  • Lessons learned: Review the incident response process to determine what went well and what did not. Do more of the things that went well and find better ways of doing the things that did not work so well for next time — because there will be a next time.

Remember that the canary and the plans go hand in hand. Without the canary, you will not know you’re in danger until it’s too late. But without a clear plan of what to do when the canary dies, the early alert will not do any good.

Develop good plans, listen to early warnings, and be ready to react before the problem becomes a crisis.


Would you like to know more about implementing secure application development solution in your company? Get in touch with our Kiuwan team! We love to talk about security.

Would you like to know more about implementing secure application development solution in your company? Get in touch with our Kiuwan team! We love to talk about security.