Active Cyber Defence (ACD) has been hailed by the UK’s official National Cyber Security Centre (NCSC) in a report. Web Check, DMARC, Public Sector DNS and a takedown service were launched last year, to aid basic cyber security by disrupting commodity cyber attacks that affect UK citizens.
The technology, free at the point of use, blocks fake emails, removes phishing attacks and stops public sector systems veering onto malicious servers. The NCSC reports that since the ACD was introduced;
– UK share of visible global phishing attacks dropped from 5.3pc (June 2016) to 3.1pc (Nov 2017)
– removed 121,479 phishing sites hosted in the UK – and 18,067 worldwide spoofing UK government
– takedown availability times for sites spoofing government brands down from 42 to ten hours
– a drop of scam emails from bogus ‘@gov.uk’ accounts (total of 515,658 rejected in year)
– average 4.5 million malicious emails per month blocked from reaching users (peak 30.3m in June); and
– more than one million security scans and seven million security tests carried out on public sector websites.
The NCSC has found more registering of deceptive domains to try to make cyber-criminal campaigns more effective. These domain names are intended to look like the real brand being used as the hook for the campaign and are often quite complex to further confuse attentive recipients who try to check the site address. The modus operandi appears to be for criminals to register the domains and host benign content on them for a few weeks. Only after that do they switch to hosting malicious content and then send out their email campaigns trying to drive people to the site.
Dr Ian Levy, Technical Director of the NCSC, was author of the 69-page paper. As for who the cyber actors are, he said: “Certainly, some nation states invest huge sums of money and significant highly skilled resources in their cyber programmes and use those for various things that are detrimental to the interests of the UK. However, the vast majority of people in the UK will not be directly harmed by these actors. They are much more likely to fall victim to cyber crime, whether directly by being targeted or indirectly through one of their service providers being compromised.”
Dr Levy said: “Through the National Cyber Security Centre, the UK has taken a unique approach that is bold and interventionalist, aiming to make the UK an unattractive target to criminals or nation states. The ACD programme intends to increase our cyber adversaries’ risk and reduces their return on investment to protect the majority of people in the UK from cyber attacks.
“The results we have published today are positive, but there is a lot more work to be done. The successes we have had in our first year will cause attackers to change their behaviour and we will need to adapt. Our measures seem to already be having a great security benefit – we now need to incentivise others to do similar things to scale up the benefits to best protect the UK from commodity cyber attacks in a measurable way.”
The report lists scam domains promoted by phishing emails that have now been removed, such as onlinehmrc-gov.uk, refunds-dvla.co.uk and nationalcrime-agency.com and shares examples of real phishing emails they have prevented from being delivered.
It also records the ten most spoofed government brands in the year; HMRC is the most targeted, by far, with 16,064 fake websites taken down. Second comes the overall gov.uk domain. Also in the list are the DVLA, the Student Loans Company and the Crown Prosecution Service (CPS). The report also breaks down the brands which have been most successfully protected from criminals for each month. Among the bodies best defending themselves from spoof attempts thanks to implementing ACD are local authorities such as Northumberland County Council (59,405 attempts in August), Cardiff Council (31,728 in December) and Denbighshire County Council (25,627 in May).
Dr Levy added: “This report shows that simple things, done at scale, can have a positive and measurable effect and the British UK public should be safer as a result of these measures. As these measures are scaled up, people should be asked less often to do impossible things, like judge whether an email or website is good or bad, less often.
“The NCSC has committed to being transparent and publishing data. We think the results here show that the first year of our Active Cyber Defence programme have been successful – and the following years will be really interesting.”
The report outlines the NCSC’s intention to broaden sharing of detection events between UK ISPs, building on BT’s new MISP threat sharing platform launched in December.
Comments
Rob Wilkinson, Corporate Security Specialist at internet security company Smoothwall, said: “On a bigger scale, attacks by foreign countries and governments are usually the ones that make the headlines in the UK. But in fact, it is usually the smaller, more common and far more infectious malware and phishing cyber attacks that cause the most damage to the population as a whole. The “Great British Firewall”, as it has been dubbed in a report released by the GCHQ today, is said to have prevented 54m online attacks in the UK alone last year – but when you consider that their “active defence program” has led to only a 2% reduction, the scale of the problem is there for all to see.
“While the Government is certainly best equipped to tackle many of the online threats in 2018, there is a case to be made for many companies and institutions training their staff to know how to recognise signs of a cyber attack. Businesses should already have the latest defence systems in place to combat cyber attacks in the form of ongoing threat monitoring. However, an added layer of protection in the form of employee training is a sure-fire way of keeping workers – and the companies which they are employed by – safeguarded from malicious attempts at stealing sensitive information, infiltrating systems and generally causing chaos.”
Mark James, security specialist at ESET, said: “Many attacks are opportunistic, utilising vulnerabilities and exploits in software that has not been patched. Alternatively, cybercriminals will also rely on the public clicking on malicious links, filling in illegitimate forms or making mistakes online. As a result, we need to be on our guard all the time. Malware does not rest; the cyber-criminal world operates 24/7 and doesn’t stop for lunch or have working hours in a day. We need to be vigilant when logging into websites, manage our passwords to ensure we don’t reuse any from one site to another, and we need to understand that cybercriminals may not play nice and will utilise events that tug on our heart strings to achieve their goal.
“HMRC has always been an easy weapon for the cybercriminal industry. It has all the ingredients for a successful attack because everyone is affected. We all pay taxes, the urgency to act on the correspondence is bred into us from an early age and, for most, it’s not something that we will ignore or “leave for another day”. If you mix that with the fact that these types of attacks will in often involve dealing first hand with payment options it’s an easy win for malicious actors.”
And Bryan Campbell, Senior Security Researcher and Fujitsu Distinguished Engineer at Fujitsu UK and Ireland, said: “Cyber-attacks are a critical threat to the lifeblood of any business, and with news of a breach or an attack making headlines almost on a daily basis, it has certainly heightened awareness around the issue. Whilst this report from the NCSC highlights a significant and promising effort in the crackdown against cyber-crime, more still needs to be done.
“Cyber-crime in today’s digital landscape is never going away, and so it has never been more important for private and public companies, of all shapes and sizes, to ensure they are protected. Organisations need to continue to invest in technical and security controls, whilst doing more to proactively identify and manage threats instead of waiting for breaches to happen.
“But, as one of the most common occurrences for a cyber-attack or data breach is due to human error, organisations must ensure technical investments are not made in vain by also educating employees on the risks and dangers of cyber-threats. In fact, phishing emails sent directly to an employee of an organisation, with a hidden malware exploit, are the number one way of compromising an organisation. Upskilling employees and making them more cyber aware therefore is one of the most crucial and cost-effective ways of reducing the probability and impact of human error.
“With our latest report revealing a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today, every single organisation has an obligation to make data protection as much of a priority as the public. After all, cybercrime is not a probability, it is an inevitability and it will be the way in which businesses prepare for it however, that can make all the difference.”
