UK's NCSC to monitor internet routing to stop DDoS and hijacks

'Simple things done at scale can have a difference,' says NCSC technical director Dr Ian Levy. 'My job is not to beat cybercrime. It's to send it to France.'

The United Kingdom's National Cyber Security Centre (NCSC) continues to push the boundaries of cyberdefence. It's been implementing simple things at scale to great effect. And for an intelligence agency -- it's part of GCHQ -- it's continuing to be remarkably open.

Two years ago, NCSC technical director Dr Ian Levy outlined his plans to secure the entire nation through strong, national enforcement of network protocols. The plan was dubbed "Active Cyber Defence", and in February 2018 the NCSC reported on its first year of operation.

Levy updated some of that information in his keynote address to the newly rebranded Australia Cyber Conference, the annual conference of the Australian Information Security Association (AISA), in Melbourne on Thursday. He also outlined his plans for the next stages of Active Cyber Defence.

Since 2016, the NCSC has built a platform that provides a view of the entire state of internet routing in the UK. By monitoring all of the Border Gateway Protocol (BGP) messages that control routing, the NCSC should be able to spot routing hijacks and other threats before they can cause any damage.

"We've done a test, we've been running this as an alpha for a while, and it seems to work," Levy said.

The NCSC is also collecting statistics on the usage of the domain name system (DNS) across the .gov.uk domain space. Levy had previously described his intention to build a single anycast DNS system for all of the UK public sector, "and I'm going to force everyone to use it". As of August 31 this year, 216 UK government agencies have been fully converted to using that DNS.

"During that month, we served about 6 billion requests off our DNS resolver. We blocked about a million things, for about 21,000 reasons," Levy said.

The DNS stats can also help defend against distributed-denial-of-service (DDoS) attacks.

"You can spot botnets charging to do a DDoS anywhere between a minute and an hour before they start," Levy said.

That information is fed back into the NCSC's threat intelligence messaging system, called the Threat-o-Matic. Then, using its knowledge of the state of BGP, it can predict where the attack traffic will come from, and notify internet service providers so they can take appropriate action.

The result? No DDoS.

"That's got to be awesome if it works," Levy said.

"It might fall flat on it's arse for some reason. Don't know. But we're going to try it, and we're going to publish the results of it."

Last week, the NCSC reached a milestone that Levy described as "awesome": An analyst on a top-secret system pushed a button to release three "indicators" (IP addresses or domain names), push them through a policy and compliance process, and automatically load them into the public sector DNS. It all happened in under two minutes.

"That is a game changer. That's how you start to use top-secret intelligence to protect a country," he said.

One of the NCSC's big successes has been to cut off malicious email campaigns before they can have a major effect. Around 879 gov.uk domains are now protected by DMARC, which prevents people from spoofing those domains for email. Last year, that blocked 80 million spoofed emails.

"That's how you stop people clicking on the link, because they never get the crap in the first place. Simple things done at scale can have a difference," Levy said.

"We want people to implement DMARC, because if you make cybercrime harder, they'll go somewhere else," he said.

"My job is not to beat cybercrime. It's to send it to France."

Levy's goal is "to protect the majority of the people in the UK from the majority of the harm caused by the majority of the attacks the majority of the time".

The NCSC's tooling to test and report on email security for a large number of domains has been posted at GitHub under the Apache License 2.0. It's built on Amazon Web Services (AWS).

Understanding how people use technology

The NCSC has commissioned polling firm Ipsos MORI to conduct a "proper qualitative and quantitative" research project to try to understand how people use technology and how they feel about it.

The NCSC will then "pick a thing", "do some interventions" to change it, and then do the survey again to see if people's views have changed, Levy said.

"It's called science," he said.

Tackling consumer IoT security

The last two years have seen a number of proposals for some sort of security rating system for consumer Internet of Things (IoT) products. It would make security a commercial issue. In Australia, a Cyber Kangaroo has been proposed.

Levy is proposing a system similar to food labelling, focusing on just three measures:

  • The product's use-by date, which is when support would run out;
  • Whether it can be securely updated; and
  • Whether the manufacturer has published a security disclosure policy.

"Give people more information to make better decisions," Levy said.

"If we can get some of the big retailers in the UK to only stock things that have a decent use-by date and two greens, that's an awesome thing to do. It sends a message to the market, and makes investment in security a positive thing that investors might actually do.

Tying certification to human diversity

"This industry's pretty poor at being welcoming to women and other people who think differently. We have to fix that," Levy told the conference. Organisations won't have the agility to out-manoeuvre cybercriminals if it's full of middle-aged white men who all think the same.

Levy has a modest proposal.

"One of the things want to do -- and I haven't got the legal OK yet, but if I say it, it's more likely to happen -- I want to tie our certifications to a company having a [published] diversity and inclusion policy," he said.

"I don't care how good your products or service or magic amulet is, it's not getting a gold star from us. That's the sort of thing where I think you can change the global industry. It doesn't take much. It takes a few people trying to do the right thing."

Related Coverage

UK and Australia blame Russian GRU for quartet of cyber attacks

The British government says recent 'indiscriminate and reckless' global cyberattacks are the handiwork of the Russian military intelligence.

UK watchdog has not issued any GDPR data breach-related fines yet

UK official says ICO has been receiving 500 calls a week to the agency's breach reporting line since May 25, the day the new GDPR regulation entered into effect.

Why router-based attacks could be the next big trend in cybersecurity (TechRepublic)

A joint statement issued by DHS, FBI, and NCSC claim that Russian state-sponsored hackers are leveraging vulnerabilities in routers to harvest data.

Cryptomining replaces ransomware as 2018's top cybersecurity threat (TechRepublic)

Malware, in general, accounts for the majority of cybersecurity threats, but now cryptomining reigns supreme.

IT staff systems/data access policy (Tech Pro Research)

IT pros typically have access to company servers, network devices, and data so they can perform their jobs.