GCHQ unit claims it has 'objectively' made the UK a less desirable target to cybercrims

'Active defence' strategy review says all is peachy one year on


GCHQ's National Cyber Security Centre claims that its strategy of "actively defending" the UK against high-volume commodity attacks is working.

The Active Cyber Defence (ACD) programme aims to "protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time". The strategy, announced in September 2016, is intended to tackle the high-volume commodity attacks that affect people's everyday lives, rather than highly sophisticated and targeted attacks, which are contested through other tactics.

A year since the strategy's inception, Dr Ian Levy, technical director of the National Cyber Security Centre, declared: "People in the UK are objectively safer in cyberspace because of the ACD programme".

A white paper, Active Cyber Defence – One Year On, published on Monday, reviews the strategy in more depth. Active defence is a poorly defined term sometimes taken to mean "hacking back". Much of what the NCSC is doing might be better described as being proactive about security defences.

The approach has several components including a "takedown service", which involves working with hosting providers to scan for and take down malicious content. The scheme led to the takedown of 121,479 unique phishing sites across 20,763 attack groups physically hosted in the UK.

The takedown scheme also entailed working with 1,719 compromised sites in the UK that were being used to host 5,111 attacks, intended to infect people that visited them. "As a consequence, we have reduced the median availability of these compromises from 525 hours to 39 hours," the NCSC reported. "The month-by-month volume of each of these has fallen, suggesting that criminals are using the UK government brand less and hosting fewer of their malicious sites in UK infrastructure."

NCSC staff also helped stop several thousand mail servers being used to impersonate government domains and send malware to people. Although the volume of phishing has actually increased, the share hosted in the UK has been reduced from 5.5 per cent to 2.9 per cent.

Active defence offers protective DNS services to public sector bodies that subscribe to it, blocking access to known dodgy domains, and a service that scans the security of public sector websites (dubbed Web Check).

The NCSC is working on counters to IP address spoofing, DDoS attacks and traffic hijacking as well as "some early (but successful) experiments into tackling SMS spoofing". The agency hopes its efforts so far will encourage other countries to adopt similar measures. Cybersecurity, after all, largely relies on collective defence.

"We do not claim that what is presented here is sufficient or optimal, but it is a set of measures that provide objective benefit in a measurable way," Levy wrote.

The ACD programme is not intended to be perfect and it's not intended to deal with highly targeted attacks undertaken by the most sophisticated actors. It is intended to make the UK an unattractive target to cyber criminals and some nation states by increasing their risk and reducing their return on investment.

It is not intended to imply retaliation ("hack back") by victims or militarisation of the internet – in this case "active" means getting off our backside and doing something, rather than any of the more esoteric definitions. It is intended to automate protection at national scale for a good proportion of the commodity attacks we see, leaving the skilled network defenders across the UK to deal with the more sophisticated attacks that we cannot currently protect against automatically.

Bob Rudis, chief data scientist at Rapid7, the firm behind the Metasploit pen testing tool, praised the strategy's results as "nothing short of incredible".

"The NCSC has proved that with collaboration and appropriate support, it is possible to implement foundational cybersecurity monitoring, configuration, and reporting that fundamentally changes the economics for opportunistic/commodity attackers," Rudis said.

"Each initiative covered in the report shows signs of real, measurable, positive impact, and at the same time, NCSC is providing clear, concise and effective tooling and reporting for defenders and business process owners."

He added that the strategy could be replicated by other countries and even large organisations to "radically change the attacker/defender landscape".

In its white paper, the NCSC called on "UK public sector organisations, UK industry and our international partners to implement these or similar measures so that collectively we make cyber crime less profitable and more risky globally".

In a statement, the Internet Services Providers' Association said it intends to "further promote Active Cyber Defence through our own best practice guidance and by providing a continued platform for discussion" while admitting that "feedback suggests that there is no single set of measures or approach to managing cyber security and specific technical measures may not always be appropriate for each and every ISP's network". ®
