Second year of the Active Cyber Defence program proves a tentative success

More than 22,000 phishing campaigns were thwarted in the UK last year, as Britain further reduced its global share of IP space used to host online criminal activity.

That’s according to the latest report by the UK’s National Cyber Security Centre (NCSC), which outlines the success of the country’s Active Cyber Defence (ACD) program, now in its second year.

ACD – a framework put forward as part of the UK’s National Cyber Security Strategy – is focused on reducing the UK’s exposure to commodity phishing and malware-based attacks.

It does this through various features, which public sector organizations can implement to add basic security protections to their networks.

Changes could include implementing Mail Check, a service to assess email domains against the DMARC email authentication standard, and Web Check, a tool designed to identify common vulnerabilities in a website’s design.
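To make concrete what a DMARC assessment of the Mail Check kind looks at, here is an added example (not the NCSC's Mail Check code or the report's content) that parses a domain's `_dmarc` TXT record and grades its policy. The domain names and records are constructed samples standing in for a DNS lookup; the grading labels are the example's own.

```python
"""Grade a domain's DMARC posture from its _dmarc TXT record.

Added illustration of the kind of check a DMARC assessment service performs;
not the NCSC's Mail Check implementation. The records below are constructed
sample data standing in for a DNS TXT lookup of _dmarc.<domain>.
"""

# Constructed sample records (hypothetical domains, not real lookups).
SAMPLE_RECORDS = {
    "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    # Missing ';' separator: the whole string becomes the value of the v tag,
    # so it no longer equals DMARC1 and the record is treated as invalid.
    "broken.example": "v=DMARC1 p=reject",
    "absent.example": None,  # no _dmarc record published at all
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if not a usable DMARC1 record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    # RFC 7489 allows a record without 'p' when 'rua' is present; treat as p=none.
    if "p" not in tags:
        if "rua" not in tags:
            return None
        tags["p"] = "none"
    return tags


def assess_dmarc(record):
    """Return (grade, reason): 'enforcing', 'weak', 'monitoring' or 'missing'."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("missing", "no valid DMARC1 record published")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("missing", f"unrecognised policy {policy!r}")
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        return ("weak", f"invalid pct value {pct_raw!r}")
    pct = int(pct_raw)
    if policy == "none":
        reason = "p=none: failing mail is only reported, not quarantined or rejected"
        if "rua" not in tags:
            reason += "; no rua address, so no aggregate reports either"
        return ("monitoring", reason)
    if pct < 100:
        return ("weak", f"p={policy} applied to only {pct}% of failing mail")
    return ("enforcing", f"p={policy} applied to all failing mail")


def assess_all(records=SAMPLE_RECORDS):
    """Grade every domain in the sample set; returns {domain: grade}."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        grade, reason = assess_dmarc(record)
        print(f"{domain:18} {grade:10} {reason}")
```

Only `p=reject` or `p=quarantine` applied to 100% of mail counts as enforcing here; a `p=none` record is the monitoring stage an organisation typically starts at, which is consistent with the report's remark that new sign-ups are expected to have issues rather than a perfect posture.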

The NCSC said that it had seen an increase in this tool’s user base – unique URL scans tripled between 2017 and 2018 – meaning more and more organizations were maintaining up-to-date software via their advisories.

Each service that the NCSC offers through ACD is free, including the removal of any malicious content that is hosted in the UK – there were 192,256 takedowns in 2018, compared to 219,992 from the previous year.

The report, titled ‘Active Cyber Defence – The Second Year’, explains that only 24,320 unique IP addresses were actively investigated in the ACD’s second year.

Of these, 14,124 were URLs impersonating the UK government (HMG) brand – a small decrease from the 18,067 sites of the same nature that were found in 2017.

There were also only 451 hosting providers of such sites, as opposed to the 587 different hosting companies used the previous year.

“While there is a small reduction in the number of overall takedowns, there is a significant reduction in the number of related campaigns and the IP addresses hosting the malicious content,” the report states.

“This suggests that criminals are using less infrastructure and hosting more individual attacks on each instance as part of a campaign.”

An increase in the number of attacks perpetrated per criminal group – a total of 142,203 individual attacks via UK-hosted sites last year – may be due to criminals changing their hosting behavior overall.

This appears to be a global trend, the NCSC said – last year the agency reported the UK’s share of global phishing attacks had reduced by more than half (from 5.3% to 2.4% as of July 2018).

Two-thirds (69%) of UK-hosted phishing sites were taken down in 24 hours, with 39% of malicious websites being taken down even more promptly within a four-hour time period.

“This could suggest that it is becoming harder to host attacks that we are interested in,” the report adds.

“There could be other explanations due to causes hidden from us, but we are unaware of any other systemic work that could obviously cause that sort of effect.”

Free digital certificates from the certificate authority (CA) Let's Encrypt were noted as one of the issuers most often implicated in the NCSC's site takedowns. Typically UK-hosted phishing attacks had no certificates, however.

The NCSC said that by ramping up tougher security controls, it was slowly making Britain an unattractive place to conduct cybercrime – and that, in short, means the ACD program was proving to be effective.

“If we assume that ACD services are intervening in places where a market failure has engendered a particular problem, we’d expect the early stages of a service to find a lot of examples of that problem,” it said.

“For example, when someone initially signs up to Web Check, we’re not expecting them to have a perfect website, we’re expecting to find issues.”

Web-injected malware also often appeared on the radar, with 94% of compromised sites fixed soon after being notified by the NCSC – 1,287 sites in total.

New services that were added as part of the ACD program included the removal of web shells and cryptomining campaigns in UK sites, as well as better protection for Magento-powered e-commerce stores, known to be vulnerable to credit card skimming code.

The NCSC, the public-facing arm of GCHQ, releases its ACD report to help guide evidence-based decision making, in order to create further tools that will help make Britain “one of the safest places in the world to be online”.

At this year’s CyberUK conference in Glasgow, Jeremy Fleming, GCHQ director, said that the agency would begin sharing threat intelligence with UK businesses, particularly in the financial sector, to prepare them in the event of a cyber-attack.

This has come with the availability of tools such as Web Check and Mail Check, alongside a service called Protective DNS, designed to hamper the use of DNS for malware distribution.

The NCSC now plans to develop a web-based tool for users to scan their internet-facing systems for vulnerabilities, something believed to be useful for spotting any misconfigured routing protocols or file sharing services.

A spokesperson from the NCSC told The Daily Swig that the ACD is on track to deliver all projects against the objectives of the National Cyber Security Programme (NCSP), which ends in 2021.
