
Inside The UK's Active Cyber Defense Program


UK's National Cyber Security Centre highlights the success of its Active Cyber Defence (ACD) program

The UK’s National Cyber Security Center (NCSC – part of GCHQ) Active Cyber Defense (ACD) program is an ambitious project designed to improve the security posture of an entire nation. It does this primarily through the rapid identification and takedown of malicious websites; the timely delivery of actionable threat intelligence to organizations; and a range of other mechanisms.

ACD primarily serves UK government departments, agencies and ‒ since the outbreak of the Covid-19 pandemic ‒ the NHS. However, a new facet, known as ACD Broadening, is actively exploring the expansion of the service to include private sector organizations and even foreign countries and their governments.

ACD does not seek to solve all security problems. It is currently aimed at commodity attackers rather than targeted and APT attackers. This gives the widest benefit in the shortest time. “The aim of the Active Cyber Defense (ACD) program,” says the NCSC’s fourth ACD annual report (PDF), “is to ‘Protect the majority of people in the UK from the majority of the harm caused by the majority of the cyberattacks the majority of the time.’”

The primary mechanisms supporting ACD (there are more) include: the Takedown Service, Mail Check, Web Check, Protective DNS, Dangling DNS, a Host Based (threat detection) Service; the NCSC Observatory; a Suspicious Email Reporting Service (SERS); ‘Exercise in a Box’ (a protected response testing service); and a Cyber Threat Intelligence Adaptor. Just as many of these mechanisms overlap and feed each other, so do the benefits derived overlap the primary government sector and UK internet users at large.


The value of the ACD action is most immediately seen in the Takedown Service, where NCSC finds malicious sites and informs the host or owner to get them removed from the internet. During 2020, the reach of the service was extended to include areas such as fake celebrity endorsements and fake shops; and the number of campaigns taken down increased to 700,595 with 1,448,214 individual URLs (a fifteen-fold increase on the previous year).

Protecting government departments and services is the primary spur for ACD. It took down 27,611 malicious campaigns attempting to abuse government branding. The top four attack types were phishing (11,286 campaigns involving 59,435 individual URLs), phishing URL mail server (4,913 campaigns); malware attachment mail server (2,890); and advance fee fraud mail server (2,310).

Of course, it’s not just the quantity of malicious campaigns that is relevant – the duration of their availability before takedown is also important. In 2019, GoDaddy was the top web host for UK government-themed phishing attacks with a 15.7% share and a median availability of 29 hours. GoDaddy was supplanted by NameCheap during 2020, whose share jumped from 2.5% to 28.8% and availability increased from 20 hours to 47 hours. NCSC notes that by mid-year, NameCheap’s median takedown times were consistently more than 60 hours. “This undoubtedly made NameCheap an attractive proposition to host phishing and may explain the rise in monthly hosted campaigns that followed for UK government-themed phishing.”

Phishing attacks against the NHS increased during the pandemic year of 2020 – up from 36 campaigns in 2019 to 122 in 2020. The NCSC also looked for fake or unofficial copies of the NHS Test and Trace app, and took down 43 instances of NHS apps being offered for download outside of the official Google and Apple app stores.

Between March 2020 and the end of the year, the NCSC took down 29,959 COVID-19 themed attack groups (comprising 33,313 URLs).

Further evidence of the success of ACD can be seen in the decline of the UK’s percentage share of global phishing – decreasing steadily from more than 5% in 2016 to less than 2% today. The number of campaigns sending malicious attachments pretending to come from government entities also continues to fall, down from 3,473 in 2019 to 2,890 in 2020. This is considered to be vindication of the NCSC’s promotion of DMARC, DKIM and SPF to government departments, and proof of their effectiveness.

Web Check is a service that currently supports around 1,000 customer organizations. The service checks for general security concerns at specified URLs. Exceptions can be made if a new vulnerability is considered critical; so, a check for the Tomcat AJP port vulnerability (CVE-2020-1938) was introduced in 2020. More generally, however, Web Check looks for effective implementation of HTTPS and TLS protocols, supported by use of X.509 public key certificates; and checks for the version and patch level of web server and CMS software being used. The largest single increase in Web Check advisories issued in 2020 was for RDP exposures, up from 1,002 in 2019 to 2,392 in 2020.

One of the big success stories for ACD in 2020 was the continued evolution of its Protective DNS (PDNS) Service operated by Nominet. PDNS blocks subscribers’ DNS traffic from accessing any known malicious website. Challenged by the pandemic-related new work-from-home paradigm, the NCSC developed a PDNS Digital Roaming app. Put simply, this app routes all a mobile device’s traffic through the PDNS service, ensuring PDNS security to any device operating anywhere – extending PDNS protection to the remote workforce.

Needless to say, the PDNS service can provide valuable information on potentially compromised systems calling home to malicious sites. “A key milestone for PDNS,” comments David Carroll, managing director of Nominet Cyber Security, “was the response to SolarWinds. Proving to be a treasure trove for cyber analysts, the PDNS dataset was able to help NCSC identify the scope of vulnerability across the public sector to inform its incident response.”

PDNS handled more than 237 billion DNS requests in 2020. Nearly 105 million of these were blocked, attributable to nearly 160,000 domains associated with organized crime groups, often delivering ransomware. “PDNS,” says the NCSC, “is a quick and convenient way to identify public bodies using vulnerable technologies or affected by malware. PDNS provides a record of historic activity for incident response and research. It allows the NCSC to monitor the remediation of incidents and vulnerabilities over time. It also provides a general picture of UK government cyber maturity by revealing the technologies in use in the public sector.”

Capacity currently limits the availability of the service primarily to government bodies, but there are hopes and plans to extend it further. “With the intention of ACD to be copied across other industries and foreign governments,” says Nominet’s Carroll, “we’re committed to delivering PDNS as it evolves to protect the digital world of the future.”
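To make the two PDNS roles described above concrete (blocking resolution of known-bad domains, and turning the resulting log into incident-response leads about hosts calling home), here is a small added illustration. It is not NCSC or Nominet code; the log format, blocklist entries, client names and the three-hit "beaconing" threshold are all constructed assumptions for this example.

```python
"""Toy protective-DNS triage, modelled on the PDNS role described above.

Added illustration, not NCSC or Nominet code. The log format, the blocklist
entries, the client names and the threshold are constructed for this example.
"""
from collections import defaultdict

# Constructed blocklist: a parent-domain entry covers all of its subdomains,
# which is how most DNS blocklists are applied in practice.
BLOCKLIST = {"bad-c2.example", "fake-shop.example"}

# Constructed resolver log lines: "<timestamp> <client> <queried name>".
SAMPLE_LOG = """\
2020-11-03T09:00:01Z dept-laptop-17 www.gov.uk
2020-11-03T09:00:04Z dept-laptop-17 update.bad-c2.example
2020-11-03T09:05:04Z dept-laptop-17 update.bad-c2.example
2020-11-03T09:10:04Z dept-laptop-17 update.bad-c2.example
2020-11-03T09:12:30Z dept-server-02 fake-shop.example
2020-11-03T09:13:00Z dept-laptop-40 nhs.uk
"""

def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname, or any parent domain of it, is on the blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def triage(log_text, blocklist=BLOCKLIST, beacon_threshold=3):
    """Return (blocked_events, suspected_compromises).

    blocked_events: (timestamp, client, qname) tuples the resolver would deny.
    suspected_compromises: clients that hit a blocked domain at least
    beacon_threshold times, i.e. repeated call-home behaviour worth an IR look.
    """
    blocked = []
    hits = defaultdict(int)
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        if is_blocked(qname, blocklist):
            blocked.append((ts, client, qname))
            hits[client] += 1
    suspected = sorted(c for c, n in hits.items() if n >= beacon_threshold)
    return blocked, suspected

if __name__ == "__main__":
    events, suspects = triage(SAMPLE_LOG)
    print(f"{len(events)} queries blocked; suspected compromised hosts: {suspects}")
```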

ACD’s Host Based Capability is a software agent deployed on government official IT devices, including laptops, desktops and servers. It collects and analyzes technical metadata to detect malicious activity.

The NCSC Observatory focuses on gathering vast amounts of data that can be analyzed to provide further insights for NCSC research. It analyzes publicly accessible data, and data drawn from other aspects of ACD’s work – notably data drawn from the PDNS service. Its real value, says the NCSC, “is realized by quietly supporting the NCSC’s other functions and services.”

The Exercise in a Box service is a tool that allows organizations to practice and refine their response to the most common and pressing cyber security incidents in a safe and private environment. This service has been well-received both nationally and internationally, with many nations showing an interest. NCSC has already worked with Singapore to provide a version that will run on Singaporean infrastructure. This is expected to be operational in the first half of 2021.

ACD’s Cyber Threat Intelligence Adaptor (CTI) is a threat intelligence feed delivered by the NCSC. It integrates with a variety of SIEMs to detect known IOCs within the customer’s log data. A pilot version of this service was released in December 2020. It improves general security by pushing NCSC threat knowledge to a wider audience, while simultaneously giving NCSC an improved awareness of rising threats.

The NCSC’s ACD focuses on scale and commodity attacks. It does not expect to stop every attack. “Rather,” says the agency, “we seek to make life harder for attackers, and to raise their costs to a level that is difficult to sustain. Additionally, the data we generate (and the experience the teams gain through running these services) gives government a better understanding of the cyber threats currently facing the UK, including the best approaches to combat them.”


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.