Yesterday (6th July) saw the release of the latest Active Cyber Defence (ACD) report from the National Cyber Security Centre (NCSC).

The report highlights the work the NCSC and partners have done over the last 12 months in their effort to make the UK the safest place to live and do business online.

Active Cyber Defence aims to address enduring cyber security challenges by sharing knowledge of threats, closing down vulnerabilities, and responding to breaches.

ACD is designed “To protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time”

Dr Ian Levy – Former NCSC Technical Director

What’s In the Report?

The report covers a wide range of areas the NCSC have been working on since the formation of the organisation back in 2016, including:

  • Takedown
  • Suspicious email reporting service
  • Mail Check
  • Vulnerability checking
  • Protective DNS
  • Exercise in a box
  • Early Warning
  • MyNCSC
  • Routing and signalling
  • Host based capability
  • Vulnerability reporting and disclosure
  • Logging made easy
  • Cyber Threat Intelligence Adaptor

Takedown

The Takedown service finds malicious sites and sends notifications to the host or owner to get them removed from the internet before significant harm can be done using them.

Suspicious email reporting service

The Suspicious Email Reporting Service (SERS) enables the public to report suspicious emails and websites to the NCSC. These reports are sent on to a takedown provider for analysis and, when links to malicious sites are found, the NCSC seeks to remove those sites from the internet to prevent them doing further harm.

Mail Check

Mail Check is the NCSC’s service for assessing email security compliance. It helps domain owners identify, understand, and prevent abuse of their email domains. In particular, Mail Check supports organisations in implementing the following controls:

  • email anti-spoofing controls (SPF, DKIM, and DMARC): these standards help prevent various attacks (for example, phishing) that use an organisation’s email domain to trick email recipients.
  • email confidentiality (TLS and MTA-STS): keeping messages encrypted and private as they are sent over the internet.
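The controls above are published as DNS TXT records and a small policy file, so the kind of check an assessment service applies to them can be shown in code. The following is an added example, not Mail Check or any other NCSC code: it parses constructed SPF, DMARC and MTA-STS records for the hypothetical domain example.org and reports the settings that leave a domain open to spoofing or TLS downgrade (a permissive or missing `all` qualifier, too many SPF lookups, `p=none`, a partial `pct`, no `rua` reporting address, an MTA-STS policy not in `enforce` mode). The record contents, host names and addresses are assumptions for illustration and nothing is looked up over the network.

```python
"""Check SPF, DMARC and MTA-STS configuration for common weaknesses.

Added example, not NCSC or Mail Check code. All records are constructed for a
hypothetical domain and evaluated offline; no DNS or HTTPS lookups are made.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record: str) -> dict:
    """Return the qualifier on 'all' and the number of lookup-causing terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    result = {"all": None, "lookups": 0}
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208 default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            result["all"] = qualifier
        elif name in SPF_LOOKUP_TERMS:
            result["lookups"] += 1
    return result


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; ...' into a dict, applying the defaults pct=100 and sp=p."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags.get("p"))
    return tags


def parse_mta_sts_policy(policy: str) -> dict:
    """Parse the body of /.well-known/mta-sts.txt (RFC 8461); 'mx' may repeat."""
    fields = {"mx": []}
    for line in policy.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            fields["mx"].append(value)
        else:
            fields[key] = value
    return fields


def assess(spf: str, dmarc: str, sts_policy: str) -> list:
    """Return human-readable findings; an empty list means no weakness was spotted."""
    findings = []
    s = parse_spf(spf)
    if s["all"] in ("+", None):
        findings.append("SPF: no -all/~all terminator, so any sender passes")
    elif s["all"] == "?":
        findings.append("SPF: ?all is neutral and gives receivers nothing to enforce")
    if s["lookups"] > 10:
        findings.append(f"SPF: {s['lookups']} lookups exceed the limit of 10 (permerror)")
    d = parse_dmarc(dmarc)
    if d.get("p") == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif d.get("sp") == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if int(d["pct"]) < 100:
        findings.append(f"DMARC: pct={d['pct']} applies the policy to only part of the mail")
    if "rua" not in d:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    p = parse_mta_sts_policy(sts_policy)
    if p.get("mode") != "enforce":
        findings.append(f"MTA-STS: mode={p.get('mode')} does not require TLS to the MX hosts")
    if not p["mx"]:
        findings.append("MTA-STS: policy lists no mx hosts")
    return findings


# Constructed records for the hypothetical domain example.org (not real DNS data).
STRONG = dict(
    spf="v=spf1 include:_spf.mailprovider.example ip4:203.0.113.0/24 -all",
    dmarc="v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.org",
    sts_policy="version: STSv1\nmode: enforce\nmx: mx1.example.org\nmx: mx2.example.org\nmax_age: 604800",
)
WEAK = dict(
    spf="v=spf1 include:_spf.mailprovider.example +all",
    dmarc="v=DMARC1; p=none; pct=50",
    sts_policy="version: STSv1\nmode: testing\nmx: mx1.example.org\nmax_age: 86400",
)

if __name__ == "__main__":
    for label, cfg in (("strong", STRONG), ("weak", WEAK)):
        print(label, assess(**cfg) or ["no findings"])
```

The weak set is the configuration many domains sit at for months: a DMARC record that only reports, a partial rollout percentage, and an MTA-STS policy left in testing mode. None of these is an error in itself, but each leaves spoofed or downgraded mail deliverable, which is exactly what the anti-spoofing and confidentiality controls are meant to stop. DKIM is not checked here because its selector records depend on which selectors the sender actually signs with, which this offline example does not know.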

Vulnerability checking

The NCSC has been offering vulnerability checking for some time, but in 2022 it refreshed the offer to provide a new two-tier approach to:

  • deliver improved findings to the existing Web Check user base; and
  • encourage more organisations to try the new, simplified Check Your Cyber Security service.

Protective DNS

The NCSC’s Protective DNS (PDNS) service exists to combat malicious activity for UK public sector users. It prevents the successful resolution of domains associated with malicious activity, while enabling the rest of the internet to remain accessible. The NCSC encourages organisations that are not eligible for PDNS to take advantage of similar services available in the market.

Note – See my posts on Pi-hole for a home-brew solution to PDNS

Exercise in a box

Exercise in a Box (EiaB) is a publicly available tool that allows organisations to practice and refine their response to common cyber security incidents in a safe and private environment.

Facilitators are given the tools they need to lead relevant staff within their organisation through a scenario that unfolds through a series of prompts. This is designed to stimulate discussion about an organisation’s policies, processes and procedures, with attendees self-assessing their organisation’s maturity and readiness against a sliding scale. At the end of the exercise, a downloadable ‘End Report’ is created, which includes links to relevant NCSC advice and guidance.

Early Warning

Any UK organisation with a static IP address or domain name can sign up to use Early Warning, which is a free NCSC service designed to automatically inform an organisation of potential cyber attacks on their network, as soon as possible.

The service uses a variety of information feeds from the NCSC, trusted public, commercial and closed sources, as well as several privileged feeds which are not available elsewhere. Early Warning filters millions of events that the NCSC receives every day and, using the IP addresses and domain names provided by its users, correlates those which are relevant to their organisation into daily notifications for their nominated contacts.

Early Warning does not conduct any active scanning of networks itself. However, some of the feeds may use scan-derived data, for example from commercial feeds.

Organisations using the Early Warning service can receive three types of high-level alert:

  • Incident Notifications: activity that suggests an active compromise of their systems. For example, a host on their network has most likely been infected with a strain of malware.
  • Potentially Malicious Activity: indicators that their assets have been associated with malicious or undesirable activity. For example, a client on their network has been detected scanning the internet.
  • Vulnerability and Open Port Alerts: indications that vulnerable services are running on their network, or that potentially undesired applications are exposed to the internet (such as an exposed Elasticsearch service).

MyNCSC

The objective of the MyNCSC platform is to bring a number of the NCSC services together into a single, coherent experience, tailored to each user (and the organisation they are helping to defend). The intent is for MyNCSC to replace the ACD Hub as the single point of access to ACD services.

Routing and Signalling

Fixing the underlying infrastructure protocols on which the internet is based has been a key strand of the NCSC’s ACD work since inception. Traditionally, the NCSC has focused on two specific protocols: the Border Gateway Protocol (BGP) and Signalling System No. 7 (SS7).

The NCSC have also established the SMS SenderID Protective Registry, to help organisations protect their brand from use in SMS phishing attacks.

Host Based Capability

Host Based Capability (HBC) is a software agent deployed on government OFFICIAL IT devices to enhance the security posture of the NCSC’s partners in government departments. It collects and analyses technical metadata to detect malicious activity of the highest threat level, helping departments with their security via three service tenets:

  • detect: detecting malicious activity for departments to undertake remediation as required
  • threat surface: providing security baseline reporting, informing departments of their cyber hygiene
  • forewarn: notifying departments of detected exposure to the most serious of new vulnerabilities

In 2023, HBC will adopt a threat hunting posture within the operational work of the NCSC.

Vulnerability Reporting and Disclosure

The NCSC Vulnerability Management Team works to mature the UK’s approach to vulnerability management, disclosure and remediation. The NCSC has three public projects:

  1. Vulnerability Reporting Service: if someone finds a vulnerability in a UK government online service and is unable to report it directly to the system owner, they can report it to the NCSC.
  2. Vulnerability Disclosure for Government Scheme: helps improve the UK government’s ability to adopt best-practice disclosure processes by creating, for any department that signs up, a Vulnerability Disclosure Programme that includes triage of the reported vulnerabilities.
  3. Vulnerability Disclosure Toolkit: a free online resource that organisations can download and use to implement the essential steps to establish a vulnerability disclosure process.

Logging Made Easy

Logging is the foundation on which security monitoring and situational awareness are built. It is essential to be able to refer to logs in the event of a cyber security incident, in order to determine what has happened and to make the necessary changes to prevent it from happening again.

Logging Made Easy (LME) is an open source project that provides a practical way to set up basic end-to-end Windows monitoring of your IT estate.

From 31st March 2023, the NCSC ceased its support of LME. The US Cybersecurity and Infrastructure Security Agency (CISA) has now taken on LME, and relevant communications will be issued as its project progresses.

Cyber Threat Intelligence Adaptor

The Cyber Threat Intelligence Adaptor (CTI Adaptor) is a software program that enables authorised organisations to receive a high-quality, contextually-rich, cyber threat intelligence feed from the NCSC.

The CTI Adaptor integrates with a variety of SIEMs, checking the user’s log data for the known indicators of compromise (IOCs) contained in the feed and sharing the information with both the system owner and the NCSC when an IOC is present in the user’s logs.
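The core of any SIEM-side IOC adaptor is the matching step: pull candidate observables (domain names, IP addresses, file hashes) out of each log line and test them against the indicator feed. The following is an added example and not the NCSC’s CTI Adaptor; the indicator feed and the log lines are constructed for illustration, and every address, host name and hash in them is fake. It goes slightly beyond a literal string compare, which is where real feeds bite: a DNS query for a subdomain must hit a parent-domain indicator, and a single address must hit a CIDR range.

```python
"""Match an indicator-of-compromise feed against log lines, SIEM-adaptor style.

Added example, not the NCSC's CTI Adaptor. The feed and the log lines below are
constructed for illustration; every address, name and hash in them is fake.
"""
import ipaddress
import re

# Constructed indicator feed; a real feed carries far more indicators and context.
IOC_FEED = [
    {"type": "domain", "value": "update-check.example", "context": "C2 domain (constructed)"},
    {"type": "ipv4", "value": "198.51.100.0/24", "context": "scanning range (constructed)"},
    {"type": "sha256", "value": "deadbeef" * 8, "context": "dropper hash (constructed)"},
]

# Constructed log lines in a loose key=value style (proxy, DNS, firewall, AV).
LOG_LINES = [
    "2023-07-06T09:14:02Z proxy src=10.0.0.23 dst=203.0.113.7 host=www.example.org status=200",
    "2023-07-06T09:14:09Z dns client=10.0.0.23 query=cdn.update-check.example rtype=A",
    "2023-07-06T09:15:31Z fw src=198.51.100.77 dst=10.0.0.5 dport=445 action=deny",
    "2023-07-06T09:16:00Z av host=ws-23 file=C:\\Users\\a\\setup.exe sha256=" + "deadbeef" * 8,
    "2023-07-06T09:17:12Z proxy src=10.0.0.41 dst=203.0.113.9 host=example.com status=200",
]

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)


def build_index(feed):
    """Index the feed by type: exact dicts for domains and hashes, networks for IPs."""
    index = {"domain": {}, "sha256": {}, "ipv4": []}
    for ioc in feed:
        if ioc["type"] == "ipv4":
            index["ipv4"].append((ipaddress.ip_network(ioc["value"], strict=False), ioc))
        else:
            index[ioc["type"]][ioc["value"].lower()] = ioc
    return index


def match_domain(name, index):
    """Exact or parent-domain match; a bare TLD is never treated as a match."""
    labels = name.lower().split(".")
    for i in range(len(labels) - 1):
        hit = index["domain"].get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def match_ip(text, index):
    """Membership test against every network in the feed (handles CIDR ranges)."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return next((ioc for net, ioc in index["ipv4"] if addr in net), None)


def scan(lines, feed):
    """Return one hit per (line, observable) pair that matches an indicator."""
    index = build_index(feed)
    extractors = (
        (DOMAIN_RE, match_domain),
        (IPV4_RE, match_ip),
        (SHA256_RE, lambda h, idx: idx["sha256"].get(h.lower())),
    )
    hits = []
    for lineno, line in enumerate(lines, 1):
        for regex, matcher in extractors:
            for m in regex.finditer(line):
                ioc = matcher(m.group(0), index)
                if ioc:
                    hits.append({"line": lineno, "observable": m.group(0),
                                 "indicator": ioc["value"], "context": ioc["context"]})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES, IOC_FEED):
        print(f"line {hit['line']}: {hit['observable']} -> {hit['indicator']} ({hit['context']})")
```

On the constructed input this reports three hits: the DNS query for a subdomain of the C2 indicator, the firewall deny from an address inside the indicated range, and the AV event carrying the indicated hash. The domain regex also picks up file names such as setup.exe; that is harmless here because only names present in the feed produce hits, but it is the reason adaptors key on parsed fields rather than raw regex sweeps when the SIEM provides them. The parent-domain walk is the same check a protective resolver applies before deciding whether to sinkhole a query.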

The CTI Adaptor has been retired with effect from 31 January 2023. On considering the project outcomes against ongoing development of commercial products, we decided to cease this work to focus resources on other NCSC-specific capabilities.