On 16 July 2019, the UK’s National Cyber Security Centre (NCSC) released the second annual report of the Active Cyber Defence (ACD) program. The report seeks to show the effect the program has had on the security of the UK public sector and the wider UK cyber ecosystem.
The Active Cyber Defence Program
NCSC was set up in 2016 to be the single authoritative voice for cybersecurity in the United Kingdom. This was part of the wider National Cyber Security Strategy, which sought to make the Government much more interventionist in the protection of the UK as a whole. Part of that interventionist strategy is the Active Cyber Defence (ACD) program. The mission of the ACD program is to “Protect the majority of people in the United Kingdom from the majority of the harm caused by the majority of the cyber attacks the majority of the time.” The ACD program deals only with commodity attacks. (Targeted attacks by sophisticated threat actors are dealt with by other NCSC programs.) As such, the program’s intention is to raise the cost and risk of commodity cyber attacks against the United Kingdom, thereby reducing the return on investment for the criminals. It is widely understood that cyber crime runs on a return on investment (ROI) model. ACD aims to disrupt this cyber crime ROI, thus demotivating attackers from targeting the United Kingdom. Despite Dr. Ian Levy, NCSC Technical Director, saying that “we haven’t managed to do as much as we hoped,” the program is a fine example of the principle that “government actively doing something, providing real services and generating real data and analysis has to be a first step in demystifying cybersecurity, and beginning to tackle the impacts of cyber attack at scale.” In fact, the program was assessed by King’s College London, which found that ACD has significant potential to help improve UK national cybersecurity and that it can play a powerful role in shaping the cybersecurity marketplace and furthering the interests of UK internet users and consumers. The report concludes that “ACD offers an interesting case study of how public goods might be developed in partnership between the public and private sectors” and that “Like all forms of security it is unlikely ever to be perfect and we should be wary of attempting to make it so.
However, we assess that ACD is a cost-effective and promising addition to UK national cybersecurity and merits further support and attention. If implemented carefully but robustly it should do much to tackle cybercrime and cyber threats to UK networks and help promote national prosperity and wellbeing.”
Main Report Findings
The Cyber Defence report presents some pretty interesting statistics:
- 140,000 phishing attacks blocked and 190,000 fraudulent sites taken down, most of them within 24 hours.
- In August 2018, analysts saved more than 200,000 email accounts from a scam to spoof a UK airport using a non-existent gov.uk address.
- The ACD program helped HMRC (HM Revenue & Customs) reduce fraudsters spoofing the taxman, with incidents down 46 percent. HMRC was the 16th most-phished brand globally in 2016, but by the end of 2018 it was 146th in the world.
- 14,124 UK government-related phishing sites were removed.
An unintended outcome of the Protective DNS tool was the discovery that 168 unique organizations routinely use Windows XP and that at least 318 unique networks show evidence of routine Windows XP use. This coincides with the recent statistic that the NHS still uses approximately 2,300 Windows XP computers. These numbers, although small in comparison to the total number of government devices, can still diminish the level of cyber resilience. Based on the insight gained from the program’s services, such as Web Check, Mail Check, Protective DNS, Takedown and others, NCSC is already designing how to scale the ACD program. One further expansion is the Exercise in a Box tool, a utility that aims to help organizations rehearse their incident response plan and understand their preparedness for managing and responding to cyber attacks. In addition, recognizing the importance of logging and auditing for spotting attacks and investigating incidents, NCSC has already developed an open source logging solution, named Logging Made Easy (LME), which is hosted on the NCSC’s GitHub page. This tool provides a basic but end-to-end Windows logging capability and a set of tools for viewing and analyzing the data gathered.
Evidence Based Vulnerability Management
In my opinion, the most important part of the Cyber Defence report for any security professional to read is Section 1.1, “Numbers and Effects.” Cameron Patterson, Tripwire Managing Consultant (EMEA), commented that this section “should be mandatory reading for anyone running a Vulnerability Management Programme.” Dr. Ian Levy asks, “What should the data look like for a successful ACD service? How can we know we’re having the right effect?” These are the foundational questions for a successful vulnerability management program. Always question the credibility of your data and the effectiveness of your processes while trying to find “something that causes harm and intervening to reduce that harm, either by blocking access or removing the underlying artifact.” I don’t mean to invoke paranoia, but as Dr. Levy points out, “there are lots of horrible, intricate questions that we’re starting to tackle, mostly centred around the question: But what do the humps and numbers mean? Are we taking down more attacks because we’re getting better at finding them, or are we taking down more attacks because there are more overall? Are we taking down fewer attacks because attackers are getting dissuaded, or is our way of detecting these attacks becoming less effective?” Although self-assessment is the surest route to success and effectiveness, many businesses unfortunately do not practise it. Patterson comments on this:
Even this week I heard about fresh, sometimes only in the planning stages, VM deployments that have goals of performing a vulnerability scan once a month (or quarter!). Given the way that exploits are shared and that this leads to ‘humps’ of activity, it seems crazy that an organization would be willing to only capture their security stance so infrequently.
It is true that effective management and mitigation of vulnerabilities is not an easy thing to do. How do we account for new versions of an existing attack? What happens if adversary behaviour changes in a way we cannot adapt to? And what drives people to follow the wrong processes and misuse the data they have gathered through existing vulnerability assessments? Patterson believes that organizations do so because of the “perceived impact of scanning” and the “perceived complexity of handling such a data set as VM results.” These “two concerns still linger” not because of a lack of easy-to-use tools but because existing tools, such as the SANS Configuration Management Database (CMDB), are “criminally under-utilised in many organisations,” says Patterson. Assessing vulnerabilities can be made much simpler. How? Patterson provides a way forward:
Your VM programme should be informed by your CMDB and your CMDB should be informed by the VM programme in return. This makes attributing vulnerability remediation efforts trivial, simplifies reporting, enables accountability and allows detected systems that are not in the CMDB to receive the appropriate level of scrutiny.
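The two-way link Patterson describes, as an added illustration that is not part of the report or of any Tripwire tooling: scan findings are joined to a CMDB so that each finding is attributed to an owner, hosts the scanner sees but the CMDB does not know get flagged for scrutiny, and CMDB hosts the scanner never reported are surfaced as coverage gaps. The inventory, hostnames and finding identifiers are constructed sample data.

```python
# Constructed CMDB inventory: hostname -> (owning team, business criticality).
CMDB = {
    "web-01": ("platform", "high"),
    "db-01": ("data", "high"),
    "hr-app": ("hr-it", "medium"),
}

# Constructed scanner output: (hostname, finding id, severity).
# "legacy-xp-7" is deliberately absent from the CMDB above.
SCAN = [
    ("web-01", "FINDING-PLACEHOLDER-1", "critical"),
    ("web-01", "FINDING-PLACEHOLDER-2", "low"),
    ("db-01", "FINDING-PLACEHOLDER-3", "high"),
    ("legacy-xp-7", "FINDING-PLACEHOLDER-4", "critical"),
]

# Higher rank = more urgent; used to order each owner's work queue.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def reconcile(cmdb, scan):
    """Join scan findings to CMDB records in both directions.

    Returns (attributed, unknown_hosts, unscanned):
      attributed    - owner -> findings on their hosts, most severe first
      unknown_hosts - hosts seen by the scanner but missing from the CMDB
      unscanned     - CMDB hosts for which the scanner reported nothing
    """
    attributed = {}
    unknown_hosts = {}
    unscanned = set(cmdb)  # shrink as scanned CMDB hosts are encountered
    for host, finding, severity in scan:
        if host in cmdb:
            owner, _criticality = cmdb[host]
            attributed.setdefault(owner, []).append((host, finding, severity))
            unscanned.discard(host)
        else:
            # Unknown to the CMDB: nobody owns it, so it gets extra scrutiny.
            unknown_hosts.setdefault(host, []).append((finding, severity))
    for queue in attributed.values():
        queue.sort(key=lambda f: SEVERITY_RANK.get(f[2], 0), reverse=True)
    return attributed, unknown_hosts, sorted(unscanned)


if __name__ == "__main__":
    owned, unknown, gaps = reconcile(CMDB, SCAN)
    print("attributed:", owned)
    print("not in CMDB:", unknown)
    print("in CMDB but never scanned:", gaps)
```

Feeding the "not in CMDB" list back into the inventory process, and the "never scanned" list back into scan scoping, is what keeps the CMDB and the VM programme informing each other.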