One year later, the UK’s Active Cyber Defence is seeing good results

Progress in the fight against public sector phishing.

One year later, the UK's Active Cyber Defence is seeing good results

The National Cyber Security Centre (NCSC), which tasks itself with “helping to make the UK the safest place to live and do business online”, has published an impressive report into the progress it has made with what it calls its “Active Cyber Defence” programme.

Active Cyber Defence is aimed at tackling those high volume cyber threats which most directly impact the lives of everyday Brits like you or me, rather than the rather more sneaky and subtle targeted attacks.

Much of the focus is on phishing attacks, and in particular phishing attacks which attempt to exploit public sector departments (such as HMRC) in their attempt to trick users into handing over credentials and personal information.

As the report explains, the Active Cyber Defence initiative can be split into different sections. Here are some of the key elements:

Takedowns

  • During 2017, the NCSC reports it removed 18,067 phishing sites that posed as UK government brands. Their action has resulted in 65.8% of such sites now being down within 24 hours, compared to 39% previously.
  • Non-government phishing sites haven’t had it easy either - the NCSC removed 121,479 unique phishing sites physically hosted in the UK, reducing their median availability from 26 hours to three hours. 76.8% of such sites are now said to be down within 24 hours, compared to 47.3% previously.

Making government email more trustworthy

  • Internet standards like DMARC can help tackle spoofing - making it harder for online criminals to send out phishing emails that pretend to come from what many might consider a trusted address (for instance, taxrefund@gov.uk).
  • NCSC says DMARC adoption is rising, and over time more public sector bodies will feel comfortable setting their domain policies to ensure that spoofed emails are automatically rejected by recipients.

Automated scans of government websites

  • The NCSC would like to be in a position to scan all government websites for vulnerabilities automatically. Although it isn’t technically difficult to scan a website to determine if it is running out-of-date or known vulnerable software, if it is using HTTPS correctly, or if website certificates have expired, the challenge is to gain the confidence of different public sector bodies - who may not appreciate being scanned for vulnerabilities in an automated fashion without notice. As ever, the challenge is not purely a technical one…

UK’s Public Sector DNS service

  • This was already exists, and claims to be “actively blocking 70,000 attempts to access known malicious sites each week.”

The UK government has clearly taken notes from the financial industry, which historically has had the most to lose from online criminal behaviour.

The difference for the UK government is that, unlike most online businesses, it has literally hundreds if not thousands of websites under its control - all of which need to be configured properly, and checked to see that they are running the latest updates.

Most commercial enterprises will not be taking anything like the steps that the NCSC describes in its report to protect their websites, brandnames and users. While there’s always room for improvement, there’s a lot here which other organisations could learn from.

Alongside the report, NCSC has also published its latest guidance on how organisations and staff can defend against phishing attacks.

Phishing Attacks: Defending Your Organisation is not a set of hard rules. It is the starting point to help you decide your approach. We know that your organisation’s anti-phishing capability depends on many things. If you can’t implement all of our recommendations, try to address at least some of the mitigations from within each of the layers of defence you can see in the Infographic below. As a result, you’ll be in a much better place to minimise the damage from those phishing attacks that do get through.

I like their pragmatic stance a lot.

Reading the “Active Cyber Defence - One Year On” report, I found myself impressed by the advances that the NCSC has made.

But we mustn’t be complacent. Online criminals are more organised than ever, and are prepared to adapt their methods when obstacles are put in their way.

The NCSC is working hard to reduce opportunities for cybercriminals to exploit government agencies in their attacks, and that makes that part of cyberspace that much safer for all of us. But businesses and other governments around the world need to be encouraged join forces to make life harder for online criminals everywhere on the net.

Further reading:

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:

,

One Response

  1. john

    February 10, 2018 at 2:52 pm #

    While this all sounds like a good start, the two big Questions I have is what’s NCSC position with regards to the encryption debate? I’m not hearing anything from them on this mater just politician’s

    second Question, If NCSC Discovers a vulnerability somewhere, and it turns out that GCHQ have been exploiting the same vulnerability what’s it’s policy on disclosure.

    it would be Great Graham if you could interview with Ian levy one on one.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.