The National Cyber Security Centre (NCSC) is planning a series of new initiatives as part of the Active Cyber Defence programme.
It has outlined them in its newly published third annual review, which also points to government having received the most support from the NCSC’s incident management team over the past year.
The Active Cyber Defence programme is aimed at reducing the number of cyber attacks through the centre’s work with central and local government and business.
The review says there are a number of projects in the pipeline, including the development of an automated system to act on information from the public to take down malicious websites, and an NCSC Internet Weather Centre, which will draw on multiple data sources to enable a full understanding of the UK’s digital landscape.
Two web based tools are being developed under the programme. One is an Infrastructure Check service to help the public sector and critical national infrastructure providers scan their internet connected infrastructure for vulnerabilities. The other is Breach Check, which is being designed to help government and private sector organisations check whether employee email addresses have been compromised in a data breach.
DNS initiative
In addition, the NCSC is exploring additional ways to use data created as part of the protective DNS service for the public sector to help users better protect the technologies on their networks.
The organisation is also planning to share indicators of compromise highlighted by its DNS service to DNS providers to use on their own services. This is aimed at increasing the number of users who can benefit from DNS filtering.
A string of successes is claimed for Active Cyber Defence. These include the achievements of the Takedown Service, which finds malicious sites and sends notifications to the host to get them removed, and has led to 98% of 177,335 phishing URLs discovered to be malicious being taken down, 62% inside the first hour.
Beyond the programme, the document also reveals the use of Indicator of Compromise (IoC) Machine in sharing information on threats.
An ‘indicator of compromise’ can mean anything from understanding how an adversary works to specific information relating to attackers such as malware signatures and IP addresses. When the NCSC spots an attack it aims to share the intelligence as quickly as possible.
Near instantaneous
The IoC Machine, which sits in GCHQ’s headquarters in Cheltenham, performs near instantaneous checks on whether information on cyber threats can be widely shared.
While the final decision is in the hands of an analyst, this has made it possible to greatly speed up a process that was previously highly labour-intensive, leading to the declassification of material from the NCSC’s computers.
Another section points to incident management as one of the three main functions of its operating model along with threat operations and assessments.
It says that in the year to the end of August its team responded to 658 incidents and provided support to almost 900 victim organisations. While it does not provide the precise numbers, it points to government as the sector most affected by the attacks, followed by academia, information technology, managed service providers, and transport and health together in fifth place.
The number brings the total to almost 1,800 in the three years since the NCSC’s launch.
NCSC adds that the IM team works closely with law enforcement and the intelligence community, wider government and the private sector.
Minister for the Cabinet Office Oliver Dowden said: “We've made great progress on making the UK safer since launching our world leading £1.9 billion cyber security strategy in 2015. Establishing the NCSC was a key part of this and has played a central role in tackling online threats posed by criminals, hacktivists and hostile nation states.”
Image from iStock, Matej Moderjc
