In cybersecurity, a number of related but divergent meanings have been ascribed to the phrase “red flags.” The phrase has roots in fraud and insurance, popularized by the FTC as part of the 2003 Red Flags Rule under the Fair and Accurate Credit Transactions Act, which required creditors to build programs that detect identity theft through warning signs of fraud.
In some contexts, cyber red flags are the obvious warning signs that something is already going wrong or is missing, such as an alert from an intrusion detection system, a data exfiltration indicator, or a risk and compliance control gap. Because these signals usually fall under the Detect function of the NIST Cybersecurity Framework, they typically manifest when an adverse event has already occurred, particularly when adversaries are using tactics like lateral movement or malware deployment aligned with MITRE ATT&CK techniques.
While this conception of cyber red flags has its place in a healthy information security program, it is highly limited in its focus on signals that register only after initial compromise. While the latest Verizon Data Breach Investigations Report highlights timelines in breach detection, it is important to clarify that detection often occurs in weeks rather than months. Depending on the industry, some breaches may still go undetected for over 100 days. Relying solely on reactive signals locks organizations into a detect-and-respond posture, slamming the door shut after the intruder is already inside.
“Red flags” is a common phrase in cyber brokerage and M&A contexts as well, where it is used slightly differently. In those circles, “red flags” are typically gaps in an organization’s perimeter security posture. They are often the most basic and critical cybersecurity controls, representing the blocking and tackling of breach prevention. In this context, application vulnerabilities visible from an unauthenticated external scan, or failure to enforce Multi-Factor Authentication (MFA) on perimeter systems, are common red flags: detectable from the public Internet, discrete and tactical in nature, and notorious for their contributions to past security incidents.
Once again, categorization of these controls has its benefits. In the short-to-medium term, they are the most likely to contribute to a cybersecurity incident and should be triaged for remediation. An even smaller subset of insurance-focused red flags involves the notion of pre-deal cyber diligence red flags, which may be material to the health of a transaction. In an M&A context, often only the most egregious security gaps rise to this level, with anything more subtle slated for remediation after a deal is closed. An understanding of an organization’s cybersecurity posture as aligned with these types of red flag controls is valuable, but still incomplete. They can skew toward the descriptive and the superficial, without offering more predictive insights from deeper analysis.
To close that gap, organizations need to shift attention to predictive indicators, which can be both tactical and strategic. Tactical indicators may be called “precursor indicators” or “anomalies,” and can include unusual reconnaissance scanning, atypical authentication attempts, or unusual phishing link clicks. These early warnings often appear long before ransomware begins encrypting files. By recognizing precursor activity, often called Indicators of Attack (IoAs), security teams can intervene in the earliest stages of an attack. These signals typically surface through user and entity behavior analytics tools, SIEM systems, or threat intelligence feeds. Catching them early can dramatically reduce dwell time and associated costs. Research by the Ponemon Institute finds that organizations that detect threats faster can save as much as fifty percent compared to those that react later.
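As an added example (not code from the article or its author), the tactical precursor rules named above, run over constructed SIEM-style authentication and network events: a burst of failed logins followed by a success, a successful login from a source the user has never used before, and one source touching many ports on a host. The log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified SIEM export format (not real logs).
SAMPLE_EVENTS = """\
2024-05-01T08:01:10Z auth user=alice src=10.0.0.12 result=success
2024-05-02T02:14:01Z auth user=alice src=203.0.113.7 result=failure
2024-05-02T02:14:09Z auth user=alice src=203.0.113.7 result=failure
2024-05-02T02:14:15Z auth user=alice src=203.0.113.7 result=failure
2024-05-02T02:15:03Z auth user=alice src=203.0.113.7 result=success
2024-05-02T03:00:00Z net src=198.51.100.9 dst=10.0.0.5 dport=22
2024-05-02T03:00:01Z net src=198.51.100.9 dst=10.0.0.5 dport=80
2024-05-02T03:00:01Z net src=198.51.100.9 dst=10.0.0.5 dport=443
2024-05-02T03:00:02Z net src=198.51.100.9 dst=10.0.0.5 dport=3389
2024-05-02T03:00:02Z net src=198.51.100.9 dst=10.0.0.5 dport=445
""".splitlines()

KV = re.compile(r"(\w+)=(\S+)")
FAIL_THRESHOLD, PORT_THRESHOLD = 3, 5   # illustrative tuning values, not from the article

def parse(line):
    """Split 'timestamp kind key=value ...' into a dict."""
    ts, kind, rest = line.split(" ", 2)
    return {"ts": ts, "kind": kind, **dict(KV.findall(rest))}

def detect_precursors(lines):
    """Return (timestamp, rule, detail) findings for precursor activity."""
    known_src = defaultdict(set)   # user -> sources with an earlier successful login
    fails = defaultdict(int)       # (user, src) -> failures since the last success
    ports = defaultdict(set)       # source -> distinct destination ports touched
    findings = []
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        if ev["kind"] == "auth":
            key = (ev["user"], ev["src"])
            if ev["result"] != "success":
                fails[key] += 1
                continue
            if fails[key] >= FAIL_THRESHOLD:   # burst of failures, then a success
                findings.append((ev["ts"], "guessing-then-success",
                                 f"{ev['user']} from {ev['src']} after {fails[key]} failures"))
            if known_src[ev["user"]] and ev["src"] not in known_src[ev["user"]]:
                findings.append((ev["ts"], "atypical-source", f"{ev['user']} from {ev['src']}"))
            fails[key] = 0
            known_src[ev["user"]].add(ev["src"])
        elif ev["kind"] == "net":
            ports[ev["src"]].add(ev["dport"])
            if len(ports[ev["src"]]) == PORT_THRESHOLD:   # fire once per scanning source
                findings.append((ev["ts"], "recon-scan",
                                 f"{ev['src']} touched {PORT_THRESHOLD} ports on {ev['dst']}"))
    return findings
```

Each finding is raised before any file is touched on the target, which is the point of the precursor stage; in a real SIEM the baselines would be built from weeks of history rather than a single prior login.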
Underlying strategic indicators are often more subtle and require discussion-based assessment or extensive audit sampling to uncover. Are Data Loss Prevention efforts reliant upon the manual tagging efforts of a single, overworked infrastructure engineer? Is access to a myriad of cloud applications managed in a spreadsheet, with inconsistent password standards and authentication requirements across each platform? These potential weaknesses lurk beneath the surface of a typical cyber red flags assessment but can certainly contribute to incidents or other poor cybersecurity outcomes.
Consider the long-term dental health of a patient without a regular brushing schedule. A superficial review of his teeth might not reveal any visible cavities, but a deeper assessment might uncover poor gum health. Further discussion with the patient might in turn reveal an ad-hoc and unrefined commitment to oral maintenance. These precursor indicators would suggest a likelihood of future oral health concerns not evident from a superficial dental review.
This proactive posture fits within modern resilience strategies, such as those articulated in NIST SP 800-160. The NIST standard frames security as a continuum of prevention, detection, and recovery. Incorporating attention to precursor activity strengthens prevention and enables rapid recovery if compromise occurs.
This is not to discount red flags entirely. Rather, they should be viewed as part of a spectrum: late-stage signals or control gaps that complement early warning signals and deeper information security program health checks. By layering detection across that spectrum, organizations achieve true pre-emption.
Beyond improved detective capabilities, businesses are incentivized to invest in self-assessment beyond the lens of red flags by cyber insurance carriers, who are increasingly expecting evidence of preventative controls and often raise premiums or deny coverage for ignored or unaddressed warnings. Monitoring anomalies not only improves security posture but also aligns with insurance requirements and reduces financial and reputational risk, and this monitoring is enriched and improved when driven through cybersecurity reviews of threat, vulnerability, and residual risk.
Wrapping up, the adoption of the phrase “Red Flags” in cybersecurity borrows the post-event detection framework largely from its precursor in Fraud Prevention, but its adoption in the context of cyber posture against the top underwriting concerns should not preclude assessment of more foundational flaws. Today the field needs language and models that emphasize anticipation and early disruption rather than waiting for disaster, or aligning a cybersecurity program to antiquated terms that mis-prioritize the control components of a program.
The content provided herein is for general informational purposes only and should not be construed as legal, regulatory, compliance, or cybersecurity advice. Organizations should consult their own legal, compliance, or cybersecurity professionals regarding specific obligations and risk management strategies. While LevelBlue’s Managed Threat Detection and Response solutions are designed to support threat detection and response at the endpoint level, they are not a substitute for comprehensive network monitoring, vulnerability management, or a full cybersecurity program.