How the UK created her majesty's cyber service

The British government's plan for "actively defending" the U.K. against high-volume commodity cyberattacks has had an immediate, positive impact, according to a new report.

The National Cyber Security Centre's Active Cyber Defence program was founded in October 2016 to protect "the majority of the people from the majority of the harm from the majority of the attacks the majority of the time," according to the Feb. 5 report detailing ACD's progress so far.

Rather than beef up cybersecurity by issuing guidance to industry and citizens, the plan was "to use government as a guinea pig for all the measures we want to see done at national scale," according to a 2016 blog post by the Ian Levy, the author of the report and technical director of the U.K. National Cyber Security Centre.

"We’ll be eating our own dog food to prove the efficacy (or otherwise) of the measures we’re asking for, and to prove they scale sensibly before asking anyone else to implement anything."

The new report details ACD's 2017 work on the key interventions and security services it offers public sector organizations. Highlights of that work includes:

Takedown service that asks hosting providers to remove malicious content that purports to be related to U.K. government as well as certain types of malicious content hosted in the UK. By removing phishing sites using a government brand, those physically hosted in the U.K. and compromised U.K. sites launching attacks, ACD greatly reduced the availability of those sites.  Even though the volume of global phishing has increased nearly 50 percent over the last 18 months, the report said, the U.K.'s share has reduced from 5.5 percent to 2.9 percent.

DMARC deployment in the public sector, which will make it more expensive or riskier for attackers to spoof messages that appear to come from the government. Getting all government domains to use  Domain-Based Message Authentication, Reporting and Conformance will demonstrate that the technology can be implemented at scale. DMARC adoption went from 5.58 percent to 18.3 percent in the last year, and use of spoofed gov.uk addresses fell consistently. About 10 percent of agencies use ACD's open source Mail Check platform to assesses their email security posture. It analyzes DMARC reports and extracts relevant information that is stored in a set of databases that has a dashboard for analytics.

Web Check service that automatically tests public sector websites to identify security issues, provide clear and friendly reporting to the service owners, along with advice on how to fix the problems. The service verifies the domain, checks HTTP redirects, attempts to determine the software used for servers and content management systems is supported, runs a full SSL/TLS vulnerability assessment and checks for artifacts of WannaCry.  Web Check found that agencies had issues with security certificate management and patching software. "[It] has shown that simple tests, at scale, can have a measurable positive effect on the security of the web sites involved," the report said, though work is needed to ensure public-sector agencies can respond to vulnerability reports.  

Public Sector DNS service that provides subscribing agencies with protective DNS services that block access to known malicious domains and analyzes the resolution data to find other security issues. Analysis has found traffic linked to malware such as WannaCry and Conficker in nine organizations as well as domain-generation algorithms that create a large number of domain names that can be used for malware to contact its command and control servers. In the last two months of 2017, the service blocked over 2.5 million malicious resolution requests.

Signaling and Routing research to make both source and destination IP address spoofing much harder, which could help prevent U.K. infrastructure from being used in DDoS attacks and traffic hijacking.

The Threat-o-Matic platform, which links all ACD's services and experiments and provides automated analysis, feedback tracking, workflow automation and threat intelligence. ACD plans to move it to beta in 2018, offering analysis on DMARC reports and linking malicious detection events to the ISP community.

In addition to the report, National Cyber Security Centre also released extensive guidance on preventing phishing with a multi-layered approach:

• Make it difficult for attackers to reach users by employing anti-spoofing controls, reducing the amount of publicly available information on employees and blocking incoming phishing emails.

• Help users identify and report suspected phishing emails by making it easier for them to recognize fraudulent requests and creating an environment that empowers them to ask for help.

• Protect organizations from the effects of undetected phishing emails by protecting devices from malware, keeping users from malicious websites and accounts and deploying effective authentication schemes

• Respond quickly to incidents by encouraging users to report incidents as soon as possible and instituting an incident response plan.

The report outlined how a financial company used this kind of multi-layered approach to defend itself against a phishing campaign that contained variants of Dridex malware. Of the 1,800 phishing emails claiming to be an invoice that needed attention company employees received, 1,750 were caught by filtering software. Of the 50 messages that reached inboxes, 36 were ignored or reported by employees using a button in their email client, which notified IT staff that an attack had penetrated the initial filtering defenses. Fourteen of the malware-bearing emails were clicked on, but the malware failed to install in all but one case because devices and software were up to date and patched. That single instance of malware was detected when it called back to its controller.

The phishing guidance also provides step-by-step instructions for IT managers to help them implement these policies.

Read the full report, Active Cyber Defence -- One Year On, here.