
National Cyber Security Centre to trial cyber defence initiatives on government

NCSC technical director Ian Levy details some of the initiatives being pursued as part of its Active Cyber Defence Programme

The new UK National Cyber Security Centre (NCSC) has promised to test and prove with government departments everything it recommends.

“Our strategy is to use government as a guinea pig for all the measures we want to see done at national scale,” said Ian Levy, technical director of the NCSC.

“We’ll be eating our own dog food to prove the efficacy – or otherwise – of the measures we’re asking for, and to prove they scale sensibly before asking anyone else to implement anything,” he wrote in a blog post.

In the National Cyber Security Strategy published on 1 November 2016, the government sets out its vision to ensure that the UK is secure and resilient to cyber threats and is prosperous in the digital world.

To realise this vision, it said it will work to ensure the UK has the means to respond to and defend against evolving cyber threats.

It also said the UK is a hard target for all forms of aggression in cyber space, so the NCSC aims to ensure the UK has the ability to take offensive action if necessary, while also growing an innovative cyber security industry.

A key part of the first objective is the Active Cyber Defence (ACD) programme, which is intended to tackle – in a relatively automated way – a significant proportion of the cyber attacks that hit the UK.

Automation means the measures scale much better. “It is not a panacea, but should help us mitigate the impact of a significant proportion of the attacks we see,” said Levy.

“It won’t affect the really targeted attacks – at least initially – but we’re hoping that we can reduce the noise enough to make the defenders’ jobs easier when tackling those very targeted attacks,” he said.

The ACD programme is broadly aimed at fixing the underlying infrastructure protocols, improving email security, hunting down and blocking malicious activity, filtering out malicious domains, helping government and critical national infrastructure to improve security practices, and encouraging innovative ways to identify and authenticate online.

Fixing the underlying infrastructure protocols is about changing the implementation of the border gateway protocol (BGP), which is used to route IP traffic between carriers, and of SS7, the international telecoms signalling protocol.

“If the BGP work succeeds, we should be able to say that hijacking a UK prefix by BGP is harder,” said Levy, adding that it will not be easy to hijack UK machines for DDoS attacks.

“Once we have proved this works, we intend to work with the international ISP and IX community to have similar protections built in other major exchanges, which will make DDoS and prefix hijacks globally much harder prospects,” he said.

The SS7 hardening work is aimed at making traffic re-routing more difficult, but could also make phishing by text message (smishing) more difficult in the UK.

Dmarc will be ‘mandatory’ for government

Making email more secure is about taking the onus off email recipients to recognise malicious emails, by using internet standards that can help tackle spoofing, such as SPF, DKIM and Dmarc.

Dmarc will soon become mandatory for government, according to Levy. “We’re already pushing hard to get all the domains in the – and, in due course, other domains that public sector uses – namespace to have Dmarc records, which will stop people spoofing email addresses,” he said.

Levy said he hopes that by doing Dmarc for government, it will show that anyone can implement it. The NCSC will then talk to the major industry sectors that have brands with high public trust and confidence to get them to do the same, at scale. 

The NCSC is also talking to industry about a new standard that would present high-quality risk information to the user to help them make a judgement.

“Basically, we’re talking about a reputation system for email domains and addresses, run by the industry. There’s a lot of work to do in this area. The hard bit of Dmarc and other things like it is the processing of the failure reports and we’re centralising that for public sector,” said Levy.

“The idea is this central processing function, that should only process bad messages that fail some validity checks, will be able to pull out things such as the sending mail server, any attachments or links in the message or even which brand is being abused, and we can automatically take action with that data,” he said.
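As an added illustration of the Dmarc check described above (not code from the NCSC or from the article), the following Python assesses whether a domain's Dmarc TXT record actually stops spoofing and sends its failure reports to a central processor. The domain names, records and the `central.example` report address are constructed assumptions.

```python
import re

# Constructed sample DMARC TXT records for hypothetical public-sector domains.
SAMPLE_RECORDS = {
    "dept-a.example": "v=DMARC1; p=reject; rua=mailto:rua@central.example; ruf=mailto:ruf@central.example; pct=100",
    "dept-b.example": "v=DMARC1; p=none; rua=mailto:postmaster@dept-b.example",
    "dept-c.example": "v=DMARC1; p=quarantine; pct=25",
    "dept-d.example": "v=spf1 include:_spf.example -all",  # an SPF record, not DMARC
}

# Assumed address domain of the central failure-report processing function.
CENTRAL_REPORT_DOMAIN = "central.example"

def parse_dmarc(record):
    """Split a DMARC TXT record into lower-cased tag -> value. Returns {} if not DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def report_targets(tags, key):
    """Return the domains of the mailto: URIs listed under rua or ruf (size suffixes ignored)."""
    domains = []
    for uri in tags.get(key, "").split(","):
        match = re.match(r"mailto:[^@]+@([^!]+)", uri.strip(), re.IGNORECASE)
        if match:
            domains.append(match.group(1).lower())
    return domains

def assess(record):
    """Return (enforcing, issues): enforcing is True only if no issue is found."""
    tags = parse_dmarc(record)
    if not tags:
        return False, ["no valid DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"policy p={policy or 'missing'} does not stop spoofing")
    pct = tags.get("pct", "100")  # DMARC default is 100
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct} leaves some spoofed mail unfiltered")
    if CENTRAL_REPORT_DOMAIN not in report_targets(tags, "rua"):
        issues.append("aggregate reports (rua) are not sent to the central processor")
    return not issues, issues

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess(record))
```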

Filtering malicious domains

As part of hunting down and blocking malicious activity, the NCSC is conducting experiments with pioneering UK small to medium-sized enterprise (SME) Netcraft.

“They’re looking for phishing and webinject malware hosted in the UK, and phishing anywhere in the world that targets a UK government brand. When they find it, they ask the hosting provider to take down the offending site. It’s surprisingly effective and generates data we can use. We’ll definitely do more in this space,” said Levy.

Filtering out malicious domains is about reducing the impact of cyber attacks against the UK, but Levy said some media reports have misunderstood what the NCSC is doing in this regard.

“No one – not even me – is daft enough to suggest that GCHQ, through the National Cyber Security Centre, should be running the UK’s DNS for everyone,” he said, echoing what he had previously told a CW500 Security Club meeting in London.

The real question, said Levy, is about whether it is OK for the infrastructure in the UK to allow users to unknowingly access sites that are known to do them harm.

“I think the answer to that should be ‘no’. This isn’t about the nanny state or censorship. A DNS filtering service with an easy opt out for users is a pretty useless censorship tool to be honest – the people you’re trying to censor would just opt out and be able to access whatever they want,” he said.

“The way we generate our list of threats will only be concerned with whether the site hosts malware, infrastructure, phishing or other cyber security threats. It won’t care about content as seen by users.”

As part of the government-testing approach, the NCSC and the Government Digital Service (GDS) have partnered with Nominet to build a recursive DNS service for the public sector. “That’s going to have a response policy zone [RPZ] on it that stops users of the service accessing things we know to be harmful,” said Levy.

“Once we’ve proven the benefit, we’ll be talking to internet service providers [ISPs] about doing something similar for their residential customers by default. If they want our RPZ feed, they can have it. If they want to use other data, that’s fine too. And yes, we’ve thought about malware authors using their own DNS server as a response.

“Our intent is that, by default, the UK public is protected from things that would do them harm without their knowledge with an easy opt out if individuals want to. That should have a big impact on the scale and effectiveness of a lot of the attacks we see against the UK,” he said.
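To show how the RPZ filtering with an easy opt-out described above behaves, here is an added Python model (not the Nominet service or any NCSC code). It applies the RPZ QNAME-trigger conventions (CNAME `.` for NXDOMAIN, `*.` for NODATA, `rpz-passthru.` to let a name through, anything else as a redirect) to a constructed zone, and skips the policy entirely for a client that has opted out. All domain names are made up.

```python
# Constructed RPZ zone: trigger name -> CNAME target, using the standard RPZ encodings.
RPZ_ZONE = {
    "malware-drop.example": ".",                    # NXDOMAIN
    "*.malware-drop.example": ".",                  # all subdomains too
    "allowed.malware-drop.example": "rpz-passthru.",  # exception carved out
    "phish-brand.example": "warn.example",          # walled-garden redirect
    "tracker.example": "*.",                        # NODATA
}

def decode(target):
    """Translate an RPZ CNAME target into (action, redirect_target)."""
    if target == ".":
        return ("nxdomain", None)
    if target == "*.":
        return ("nodata", None)
    if target == "rpz-passthru.":
        return ("passthru", None)
    return ("redirect", target)

def rpz_action(qname, zone=RPZ_ZONE):
    """Look up a query name against the zone: exact match first, then the most specific wildcard."""
    name = qname.rstrip(".").lower()
    if name in zone:
        return decode(zone[name])
    labels = name.split(".")
    # RPZ wildcards match only proper subdomains, so start from the parent name.
    for i in range(1, len(labels)):
        trigger = "*." + ".".join(labels[i:])
        if trigger in zone:
            return decode(zone[trigger])
    return ("passthru", None)

def resolve(qname, opted_out=False, zone=RPZ_ZONE):
    """Model the resolver: an opted-out client is never subject to the policy zone."""
    if opted_out:
        return ("passthru", None)
    return rpz_action(qname, zone)
```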

NCSC hopes to improve government

As far as central and local government is concerned, the NCSC plans to help them improve rather than berating them for not doing enough.

One of the first initiatives in this regard is a “web check” vulnerability scanning service for all public sector organisations, currently in alpha testing with 25 local authorities.

“It’ll give the owners of public-facing sites and services a friendly report about any vulnerabilities or misconfigurations in their service and what to do about it,” said Levy.

Because passwords are sub-optimal as an authentication mechanism, and there is not much incentive for industry to take the commercial risk in trying out new stuff, the NCSC hopes to stimulate research and development in novel identity and authentication techniques.

“We’ll use government services to trial some techniques, once we’ve done the work to ensure the security,” said Levy.

Automated countering of cyber crime

The NCSC is also going to provide more help for owners and operators of critical national infrastructure. “We’re thinking about how we provide good engineering and security risk information to CNI operators to help them make better risk management decisions,” said Levy.

“Probably more importantly, we’ll end up with evidence of systemic and specific issues which we can then go tackle with the product suppliers. This is probably a piece of work that will go well beyond this spending period and we’re not 100% sure what it looks like yet, so there’ll be more as we better define the response,” he said.

In conclusion, Levy said the NCSC intends to be a trustworthy and transparent organisation. “We need to build that trust and so I intend us to publish as much as possible about what we’re doing and the results. I want to bring some science to cyber security. That needs data, evidence and, most importantly, peer review,” he said.

“It’s time to stop talking about what the winged ninja cyber monkeys can do and start countering in an automated way the stuff we see at massive scale that causes real damage to citizens and businesses.

“That will include some things that some people class as APTs. However, the intent is to be in a place where the skilled network defender community are free to tackle the really nasty stuff. That’s what the UK’s active defence programme is about,” he said.
