Active defence’ strategy review says all is peachy one year on.
GCHQ’s National Cyber Security Centre claims that its strategy of “actively defending” the UK against high-volume commodity attacks is working.
The Active Cyber Defence (ACD) programme aims to “protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time”. The strategy, announced in September 2016, is intended to tackle the high-volume commodity attacks that affect people’s everyday lives, rather than highly sophisticated and targeted attacks, which are contested through other tactics.
A year since the strategy’s inception, Dr Ian Levy, technical director of the National Cyber Security Centre, declared: “People in the UK are objectively safer in cyberspace because of the ACD programme”.
A white paper, Active Cyber Defence – One Year On, published on Monday, reviews the strategy in more depth. Active defence is a poorly defined term sometimes taken to mean “hacking back”. Much of what the NCSC is doing might be better described as being proactive about security defences.
The approach has several components including a “takedown service”, which involves working with hosting providers to scan for and take down malicious content. The scheme led to the takedown of 121,479 unique phishing sites across 20,763 attack groups physically hosted in the UK.
The takedown scheme also entailed working with 1,719 compromised sites in the UK that were being used to host 5,111 attacks, intended to infect people that visited them. “As a consequence, we have reduced the median availability of these compromises from 525 hours to 39 hours,” the NCSC reported. “The month-by-month volume of each of these has fallen, suggesting that criminals are using the UK government brand less and hosting fewer of their malicious sites in UK infrastructure.”
NCSC staff also helped stop several thousand mail servers being used to impersonate government domains and send malware to people. Although the volume of phishing has actually increased, the share hosted in the UK has been reduced from 5.5 per cent to 2.9 per cent.
Active defence offers protective DNS services to public sector bodies that subscribe to it, blocking access to known dodgy domains, and a service that scans the security of public sector websites (dubbed Web Check).
The NCSC is working on counters to IP address spoofing, DDoS attacks and traffic hijacking as well as “some early (but successful) experiments into tackling SMS spoofing”. The agency hopes its efforts so far will encourage other countries to adopt similar measures. Cybersecurity, after all, largely relies on collective defence.
“We do not claim that what is presented here is sufficient or optimal, but it is a set of measures that provide objective benefit in a measurable way,” Levy wrote.
The ACD programme is not intended to be perfect and it’s not intended to deal with highly targeted attacks undertaken by the most sophisticated actors. It is intended to make the UK an unattractive target to cyber criminals and some nation states by increasing their risk and reducing their return on investment.
It is not intended to imply retaliation (“hack back”) by victims or militarisation of the internet – in this case “active” means getting off our backside and doing something, rather than any of the more esoteric definitions. It is intended to automate protection at national scale for a good proportion of the commodity attacks we see, leaving the skilled network defenders across the UK to deal with the more sophisticated attacks that we cannot currently protect against automatically.
Bob Rudis, chief data scientist at Rapid7, the firm behind the Metasploit pen testing tool, praised the strategy’s results as “nothing short of incredible”.
“The NCSC has proved that with collaboration and appropriate support, it is possible to implement foundational cybersecurity monitoring, configuration, and reporting that fundamentally changes the economics for opportunistic/commodity attackers,” Rudis said.
“Each initiative covered in the report shows signs of real, measurable, positive impact, and at the same time, NCSC is providing clear, concise and effective tooling and reporting for defenders and business process owners.”
He added that the strategy could be replicated by other countries and even large organisations to “radically change the attacker/defender landscape”.
In its white paper, the NCSC called on “UK public sector organisations, UK industry and our international partners to implement these or similar measures so that collectively we make cyber crime less profitable and more risky globally”.
In a statement, the Internet Services Providers’ Association said it intends to “further promote Active Cyber Defence through our own best practice guidance and by providing a continued platform for discussion” while admitting that “feedback suggests that there is no single set of measures or approach to managing cyber security and specific technical measures may not always be appropriate for each and every ISP’s network”. ®