The Second Coming
Previews of new additions to a UK government framework to reduce the exposure of public sector organizations to cyber-attacks were showcased at the recent CyberUK conference in Glasgow.
The UK’s Active Cyber Defence (ACD) program has reduced cyber-attacks targeted at government agencies and services since it was launched in November 2016.
The initiative – developed and led by the UK’s National Cyber Security Centre (NCSC) – is focused on reducing the harm created by frequent attacks such as phishing and malware, rather than attempts to exploit esoteric zero-day vulnerabilities.
Existing components of the framework include a service that reports on the condition of an organization’s website infrastructure, Web Check. The service is designed to help UK public sector websites to quickly find and fix common vulnerabilities. Or “blocking at scale” to defend against malware and phishing.
A second existing service, Mail Check, offers a platform for assessing email security compliance, in large part against the DMARC authentication standard.
Protective DNS, a service designed by the NCSC and offered through Nominet, offers a means to frustrate the abuse of DNS in malware distribution. Already in place is a service that helps vulnerability researchers to report bugs in government websites.
During the Cyber UK conference, the NCSC launched Exercise in a Box, an online package containing cyber exercises that help organizations to formulate an incident response strategy.
The agency also offered a preview of another component set to feature in the phase two of Active Cyber Defence during a session at Cyber UK. The host-based security service will offer much more detailed reporting of security incident through technology initially aimed at government systems.
The service will collect device metadata before sending system event logs onto the NCSC for analysis. Reports back to organizations will include details of patch state of assets in a deployed environment, devices connected to USB ports, network shares, and so forth.
Email alerts of attempted malware attacks by device will also be offered through the service, which has been trailed for since last summer by government department such as the Department for Business, Energy, and Industrial Strategy (BEIS) but has yet to be formally announced.
The service is designed to be “complementary to existing security teams and measures” rather than any kind of alternative or replacement, an NCSC representative told delegates.
Phase two is also expected to see the launch of a suspicious email scanning service to help organizations like Action Fraud, the UK's national fraud and cyber reporting centre, to handle high volume of reports in a more scalable way.
More details are expected to come when the UK government announces an update to its overall Cyber Security Strategy. The current plan runs until 2021, with the delivery of an updated roadmap and more on ACD phase two penciled in for May.
The term ‘active cyber defense’ is used in some circles to refer to ‘hacking back’ against the perceived sources of cyber-attacks. In UK government parlance, however, ACD is purely a defensive strategy that involves taking pro-active action against threats.
Since its launch, ACD is said to have reduced the UK’s share of visible global phishing attacks by more than half – from 5.3% (June 2016) to 2.4% (July 2018). HMRC was amongst the most phished brands globally, appearing as 16th in Netcraft’s list back in 2016. Its rank has dropped to 146th as of April 2019.
Although initially aimed at government systems the NCSC wants to encourage adoption by private sector firms, initially by working with large telecoms, managed service and hosting firms.
In disrupting the “known bad”, the NCSC want to work with the broadest range of partners to “change the risk calculus” for attackers and make the UK amongst the safest countries to operate online, a NCSC representative told CyberUK delegates.
Academics at King’s College London have noted the privacy issues that arise from using technology services developed by the British government outside the public sector – particularly in considering to the ‘Web Check’ tool, which identifies basic vulnerabilities in website design.