
Cyber security should be data-based, says NCSC

The National Cyber Security Centre has begun several initiatives in its first year and hopes to use data drawn from those to drive better cyber security practices

Cyber security should not be based on fear, but on data and having a measurable effect, according to Ian Levy, technical director of the NCSC.

“We should be able to measure the impact of what we do,” he told the 2017 Wired Security Conference in London.

This practical approach to cyber security is reflected, he said, in the National Cyber Security Strategy, which is different to most other government cyber strategies.

“It doesn’t just say, ‘You should all do better and share information, and the world will be better’, because we’ve seen that doesn’t work,” he said.

“This is more about how we intervene, how we change incentives, and how we change the market place so that cyber security is the default for most people, most of the time.”

To achieve this goal, the NCSC has rolled out several initiatives as part of its Active Cyber Defence (ACD) programme, which is intended to tackle, in a relatively automated way, a significant proportion of the cyber attacks that hit the UK.

“This is a set of active things we are going to do, which we believe will fundamentally change [cyber] security in the UK for the better,” said Levy. “Some of the things are really simple, but have a large and disproportionate effect.”

These include the NCSC’s protective domain name system (DNS) service, built by Nominet, which blocks known-malicious domains from being resolved by government systems; the use and support of the domain-based message authentication, reporting and conformance protocol (Dmarc) to block emails pretending to be from government; and a phishing and malware countermeasures service to protect the UK, including government brands.

“To scale out the DNS service, the idea is that we will give ISPs [internet service providers] the data we protect government with, and they can voluntarily go to all of their customers and say, ‘We will protect you for free’, so by default, we want everyone in the UK to be protected, unless they opt out,” said Levy.

Email spam campaigns

Dmarc, he said, enables organisations to take control of their domains by specifying which IP addresses their email will be sent from (via SPF) and which cryptographic keys it will be signed with (via DKIM).

“If either of these conditions is not met, organisations can choose to have the non-conforming emails delivered with an alert to the organisation, quarantined with an alert, or blocked with an alert.”
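The policy decision Levy describes is the receiver-side Dmarc check: a message passes if SPF or DKIM passed and the authenticated domain aligns with the visible From: domain; otherwise the sender's published policy (none, quarantine or reject) decides what happens. The following is an added example, not NCSC or Nominet code. It assumes the receiver has already computed SPF and DKIM results, replaces DNS with a constructed table of `_dmarc` TXT records, and uses a deliberately tiny stand-in for the Public Suffix List (`TWO_LEVEL_SUFFIXES`) to work out organisational domains for relaxed alignment.

```python
"""Dmarc evaluation for a single message (added example, not NCSC code).

Assumes SPF and DKIM have already been verified upstream; DNS lookups are
replaced by CONSTRUCTED_DNS so the example runs offline.
"""

# Constructed stand-in for the TXT records found at _dmarc.<domain>.
CONSTRUCTED_DNS = {
    "_dmarc.example.gov.uk": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                             "rua=mailto:dmarc-reports@example.gov.uk",
    "_dmarc.example.co.uk": "v=DMARC1; p=none; rua=mailto:reports@example.co.uk",
}

# Assumption: a tiny subset of the Public Suffix List, enough for these samples.
TWO_LEVEL_SUFFIXES = {"gov.uk", "co.uk", "org.uk", "ac.uk"}


def org_domain(domain):
    """Organisational domain used for relaxed alignment (PSL-lite)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, applying Dmarc defaults."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    tags.setdefault("adkim", "r")  # relaxed alignment unless the domain says strict
    tags.setdefault("aspf", "r")
    return tags


def aligned(header_from, auth_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


def evaluate(header_from, spf_result, spf_domain, dkim_result, dkim_domain,
             lookup=CONSTRUCTED_DNS.get):
    """Return (dmarc_result, disposition, applied_policy) for one message.

    spf_domain is the envelope/MAIL FROM domain SPF checked; dkim_domain is
    the d= tag of the verified signature. Results are 'pass' or anything else.
    """
    header_from = header_from.lower().rstrip(".")
    record = lookup("_dmarc." + header_from)
    is_subdomain = False
    if record is None and org_domain(header_from) != header_from:
        # No record at the exact From: domain: fall back to the org domain.
        record = lookup("_dmarc." + org_domain(header_from))
        is_subdomain = True
    if record is None:
        return ("none", "deliver", None)  # sender publishes no policy
    tags = parse_dmarc(record)
    # sp= applies to subdomains when present, otherwise p= does.
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver", policy)
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]
    return ("fail", disposition, policy)


if __name__ == "__main__":
    # A spoof: the attacker's own SPF passes, but for an unaligned domain.
    print(evaluate("example.gov.uk", "pass", "attacker.example", "fail", None))
```

The second case in the `__main__` block is the one the article is about: a spammer can always make SPF pass for a domain they control, so the alignment check against the From: header is what turns SPF and DKIM into a usable spoofing defence. Note that with `p=none` a failing message is still delivered; the domain owner only learns about it from the aggregate reports sent to the `rua=` address.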

Pointing to some graphs of spoofed public sector emails, Levy said a huge spike in February 2017 indicated a massive spam campaign in the name of government with around 150,000 spoofed emails a day being detected.

“But most of those did not get delivered [due to the use of Dmarc]. So instead of telling people they have to work out whether it is a real government email or not, they are being blocked before they are delivered, effectively mitigating the harm,” he said.

However, he added, the data shows that some untrusted emails are still being delivered, so the NCSC is trying to work out what is “wrong on the internet” that is allowing that to happen so that it can be fixed for everyone in the UK.

“The idea is that we can start to set the UK apart, so that if you get an email from a domain in the UK it will mean something,” said Levy.

Success of phishing countermeasures

As a result of the phishing countermeasures introduced by the NCSC, he said phishing campaigns physically hosted in the UK – which used to last about a day – are now being taken down within an hour.

Web injection hosted in the UK, which used to last about a month, is now being taken down in a couple of days, while UK government phishing hosted anywhere in the world, which used to last two days, is now being taken down within six hours.

Similarly, while the number of IP addresses associated with phishing around the world is up 47% this year, Levy said the UK share of those has gone down from 5.1% to 3.3%.

“One year’s data is not sufficient to say we are causing that, but it is an interesting side statistic, and over the next year [as the NCSC gathers more data] we hope to work out if it is becoming harder for cyber criminals to operate in [the UK],” he said. “If the answer is yes, we will look to take what we are doing and scale it by encouraging other countries to do the same.”

The data also shows that cyber criminals are moving from spoofing government domains that exist to sending emails from lookalike domains.

“So we are now taking zone transfers from DNS, looking for things that look like government domains, and monitoring them for malicious content, and as soon as the content is malicious we can send a takedown request to the hosting service concerned,” said Levy.
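Spotting "things that look like government domains" in a zone feed is a string-similarity triage problem before it is a content-monitoring one. The following is an added example of that first step, not NCSC tooling: it takes a constructed list of protected brand domains and a constructed list of observed names (standing in for a zone transfer), and flags each candidate with the reason it resembles a brand, whether a typo within one edit of the brand label, a homoglyph substitution, the brand embedded in a longer label, or the brand used as a subdomain prefix of an unrelated registration. All domains here are invented for illustration.

```python
"""Lookalike-domain triage over a zone feed (added example, not NCSC code)."""

# Constructed: brands the team wants to protect.
PROTECTED_DOMAINS = ["hmrc.gov.uk", "dvla.gov.uk"]

# Constructed: names seen in a zone feed. None of these are real findings.
OBSERVED = [
    "hmrc.gov.uk",                       # the brand itself, legitimate
    "www.hmrc.gov.uk",                   # legitimate subdomain
    "hmrc-refund.co.uk",                 # brand embedded in a longer label
    "hrmc.gov.uk.example",               # transposed letters
    "hmrc.gov.uk.secure-login.example",  # brand as a subdomain of someone else's domain
    "dv1a.co.uk",                        # digit 1 standing in for l
    "weather.example",                   # unrelated
]

# Common visually confusable substitutions, mapped back to the ASCII they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(label):
    """Undo homoglyph substitutions so 'dv1a' compares equal to 'dvla'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def is_legitimate(domain, protected):
    """A name is legitimate if it is a protected domain or lies under one."""
    return any(domain == p or domain.endswith("." + p) for p in protected)


def classify(domain, protected=PROTECTED_DOMAINS):
    """Return (domain, brand_domain, reason) for a lookalike, or None."""
    domain = domain.lower().rstrip(".")
    if is_legitimate(domain, protected):
        return None
    brands = {p.split(".")[0]: p for p in protected}  # 'hmrc' -> 'hmrc.gov.uk'
    for brand, brand_domain in brands.items():
        for label in domain.split("."):
            if label == brand:
                return (domain, brand_domain, "brand-as-subdomain")
            if label != brand and normalise(label) == brand:
                return (domain, brand_domain, "homoglyph")
            if len(label) >= 4 and osa_distance(label, brand) == 1:
                return (domain, brand_domain, "typo")
            if label != brand and brand in label.replace("-", ""):
                return (domain, brand_domain, "brand-embedded")
    return None


def triage(observed, protected=PROTECTED_DOMAINS):
    """Run classify over a feed and keep only the hits."""
    hits = [classify(name, protected) for name in observed]
    return [h for h in hits if h is not None]


if __name__ == "__main__":
    for hit in triage(OBSERVED):
        print(hit)
```

The output of `triage` is a worklist, not a verdict: a flagged name only becomes a takedown candidate once its content has been checked, which is the monitoring step Levy describes. The edit-distance test is restricted to labels of at least four characters because short labels such as `gov` or `uk` sit within one edit of too many strings.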

Other initiatives include monitoring social media for things such as fake driving certificate services and taking them down because they damage trust in the government brand on the internet.

“If we can show the data [proving] this is getting harder for people to do, we can say to other brands people care about, such as banks, [that they] should do something similar because here is the data that shows it is useful,” said Levy.

Data analytics and visualisations of DNS traffic across government departments, he said, have proved to be extremely effective, bringing to light in just eight weeks previously unknown Conficker, Qakbot and Ramnit infections, as well as internal misconfigurations where departments are trying to resolve internal addresses externally.
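Both kinds of finding Levy mentions fall out of fairly simple rules over a DNS query log once the log records which resolver answered each query. The following is an added example, not the NCSC's analytics: it runs a handful of detections over a constructed log whose format (timestamp, client, resolver, query type, name, response code) is an assumption made for the example. It flags internal names and private-range reverse lookups sent to an external resolver (the misconfiguration case), names on a constructed blocklist, and clients generating bursts of NXDOMAIN responses for distinct names, the pattern that domain-generation malware such as Conficker produces. No real infected hosts or real malicious domains appear here.

```python
"""Detections over a DNS query log (added example, not NCSC analytics)."""
import ipaddress
from collections import defaultdict

# Assumptions for the example: the department's own resolvers, its internal
# name suffixes, and a constructed blocklist of known-bad domains.
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_SUFFIXES = (".local", ".internal", ".corp.example")
BLOCKLIST = {"evil-c2.example", "bad-dropper.example"}
NXDOMAIN_THRESHOLD = 3  # distinct NXDOMAIN names per client before we flag it

# Constructed log: timestamp client resolver qtype qname rcode
CONSTRUCTED_LOG = """\
2017-10-12T09:14:03Z 10.20.1.15 10.0.0.53 A files.corp.example NOERROR
2017-10-12T09:14:05Z 10.20.1.15 8.8.8.8 A files.corp.example NXDOMAIN
2017-10-12T09:14:07Z 10.20.1.22 8.8.8.8 PTR 7.3.168.192.in-addr.arpa NXDOMAIN
2017-10-12T09:14:09Z 10.20.1.30 10.0.0.53 A evil-c2.example NOERROR
2017-10-12T09:14:11Z 10.20.1.44 10.0.0.53 A qwkpzx.example NXDOMAIN
2017-10-12T09:14:12Z 10.20.1.44 10.0.0.53 A mjrtlq.example NXDOMAIN
2017-10-12T09:14:13Z 10.20.1.44 10.0.0.53 A zplvwn.example NXDOMAIN
2017-10-12T09:14:15Z 10.20.1.50 10.0.0.53 A www.gov.uk NOERROR
"""


def parse_line(line):
    """Split one log line into a dict; the layout is this example's assumption."""
    ts, client, resolver, qtype, qname, rcode = line.split()
    return {"ts": ts, "client": client, "resolver": resolver,
            "qtype": qtype, "qname": qname.lower().rstrip("."), "rcode": rcode}


def ptr_address(qname):
    """Turn '7.3.168.192.in-addr.arpa' back into the IPv4 address 192.168.3.7."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[: -len(suffix)].split(".")
    try:
        return ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return None


def analyse(log_text):
    """Return a list of (client, finding, detail) tuples."""
    findings = []
    nxdomain_names = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        q = parse_line(line)
        external = q["resolver"] not in INTERNAL_RESOLVERS
        # Misconfiguration: internal names should never leave the estate.
        if external and q["qname"].endswith(INTERNAL_SUFFIXES):
            findings.append((q["client"], "internal-name-leaked", q["qname"]))
        # Same thing for reverse lookups of RFC 1918 space.
        addr = ptr_address(q["qname"])
        if external and addr is not None and addr.is_private:
            findings.append((q["client"], "private-ptr-leaked", q["qname"]))
        # Known-bad domain, whatever the resolver.
        if q["qname"] in BLOCKLIST:
            findings.append((q["client"], "blocklisted-domain", q["qname"]))
        if q["rcode"] == "NXDOMAIN":
            nxdomain_names[q["client"]].add(q["qname"])
    # Many distinct non-existent names from one host is the DGA signature.
    for client, names in nxdomain_names.items():
        if len(names) >= NXDOMAIN_THRESHOLD:
            findings.append((client, "nxdomain-burst", "%d distinct names" % len(names)))
    return findings


if __name__ == "__main__":
    for finding in analyse(CONSTRUCTED_LOG):
        print(finding)
```

The NXDOMAIN rule is deliberately crude; in production it needs a time window and an allowlist for things that legitimately generate failing lookups, such as browsers probing for captive portals. The two leak rules are the more reliable ones, because there is no benign reason for a `.local` name or a `192.168.x.x` reverse lookup to reach a public resolver.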

Learning through incidents

Levy ended with incidents, revealing that in the past 11 months, the NCSC has dealt with 584 C3-level incidents, which are “major incidents” that typically involve only single organisations such as a defence contractor.

It has also handled 33 C2-level attacks, which are “significant attacks” that typically require a cross-government response such as WannaCry; but no C1-level or “national” cyber security incidents.

“What we are doing now is looking at some of the root causes so we can tell organisations exactly what is putting them at risk or making them vulnerable to these attacks, and while this can be challenging, we have learned a lot across those 600 incidents,” he said.

The strategy for scaling internationally, said Levy, is to publish the data showing the effect of vulnerable technology implementations and how to do it more securely, and then point at everyone who does not conform to that best practice.

“It is better to avoid regulation and instead use commercial models to objectively differentiate services that do things correctly and are more secure,” he said.

Asked whether a C1-level event can be avoided indefinitely, Levy said that the UK is likely to face a national cyber incident at some point.

“What we want to do is minimise the chance of that happening, and when it does happen, to minimise the actual harm. So as we start to put out data and actionable, useful and tested advice, you can assess the likelihood of this happening and reduce that over time.”
