NCSC shows how first year affected cyber attacks on the UK

Four NCSC Active Cyber Defence (ACD) programmes have reduced phishing attacks and malicious emails, according to a comprehensive summary in a report entitled Active cyber defence – one year on.

The pioneering programmes were launched as part of the National Cyber Security Strategy to improve basic cyber security by disrupting commodity cyber attacks that affect UK citizens.

The Web Check, Dmarc, Public Sector DNS (domain name system) and takedown service are all free at the point of use, and improve defence against threats by blocking fake emails, removing phishing attacks and stopping public sector systems veering onto malicious servers.

The domain-based message authentication, reporting and conformance protocol (Dmarc) helps email domain owners to control how their email is processed, making it harder for criminals to spoof messages to appear as though they come from a trusted address. Organisations that deploy DMARC properly can ensure their addresses are not successfully used by criminals as part of their campaigns.

The takedown service works by requesting that hosting providers remove malicious content that is pretending to be related to UK government, as well as certain types of malicious content hosted in the UK.

Web Check performs some simple tests on public sector websites to find security issues. It provides clear and friendly reporting to the service owners, along with advice on how to fix the problems.

The Public Sector DNS service provides protective DNS services to public sector bodies that subscribe to it. It blocks access to known bad domains, where the block lists are derived from a combination of commercial, open source and NCSC threat feeds. The intent of the service is not just to block bad things, but to notify system owners so they can perform remediation.

Since the programmes were introduced, the report said the UK share of visible global phishing attacks dropped from 5.3% (June 2016) to 3.1% (Nov 2017), 121,479 phishing sites hosted in the UK have been shut down, and 18,067 spoofed UK government domains have been removed worldwide.

The availability times for sites spoofing government brands is down from 42 hours to 10 hours, resulting in a drop of scam emails from bogus @gov.uk accounts of 515,658 in a year.

In addition, an average 4.5 million malicious emails per month were blocked from reaching users, and more than 1 million security scans and 7 million security tests were carried out on public sector websites.

Ian Levy, technical director of the NCSC, said that through the NCSC, the UK has taken a “unique approach” that is “bold and interventionalist” to make the UK an unattractive target to criminals and nation states.

“The ACD programme intends to increase our cyber adversaries’ risk and reduces their return on investment to protect the majority of people in the UK from cyber attacks,” he said.

However, Levy said there is a lot more work to be done. “The successes we have had in our first year will cause attackers to change their behaviour and we will need to adapt.

“Our measures seem to already be having a great security benefit – we now need to incentivise others to do similar things to scale up the benefits to best protect the UK from commodity cyber attacks in a measurable way,” he said.

The report lists scam domains promoted by phishing emails that have now been removed – such as onlinehmrc-gov.uk, refunds-dvla.co.uk and nationalcrime-agency.com – and provides examples of real phishing emails that have been prevented from being delivered.

It also puts on record the 10 most-spoofed government brands in the year. HMRC is the most-targeted, with 16,064 fake websites taken down. Also in the list are the DVLA, the Student Loans Company and the Crown Prosecution Service.

The report shows that criminals are persistently trying to spoof trusted local councils, as well as national organisations such as the NHS and HMRC.

Among the organisations best defending themselves from spoof attempts – thanks to implementing ACD – are local authorities, such as Northumberland County Council (which blocked 59,405 attempts in September 2017), Cardiff Council (31,728 in December) and Denbighshire County Council (25,627 in May).

“This report shows that simple things, done at scale, can have a positive and measurable effect and the British UK public should be safer as a result of these measures,” said Levy.

“As these measures are scaled up, people should be asked less often to do impossible things, like judge whether an email or website is good or bad, less often.”

The NCSC has committed to being transparent and publishing data, said Levy. “We think the results here show that the first year of our Active Cyber Defence programme has been successful – and the following years will be really interesting,” he added.

The report goes on to outline the NCSC’s intention to broaden sharing of detection events between UK internet service providers (ISPs), building on BT’s new threat sharing platform and ensuring it provides real security benefit to users.

Mark Hughes, CEO of BT Security, said the government’s Active Cyber Defence strategy will make it increasingly difficult for cyber criminals to carry out relatively unsophisticated attacks, which account for roughly 80% of all cyber crime.

“BT is supporting its strategy in a number of crucial ways, including strengthening email security, internet and signalling protocols and by blocking tens of millions of malicious malware infections every week,” he said.

“We’ve also launched a collaborative online platform which sees BT share its threat intelligence data with other UK ISPs, so that they can better protect their customers should they choose to take action.”

The NCSC was set up to provide a single, central body for cyber security at a national level and is the UK’s technical authority on cyber. It manages national cyber security incidents, carries out real-time threat analysis and provides tailored sectoral advice. As part of GCHQ, the NCSC has access to the intelligence and security organisation’s skills and capabilities.