NCSC synthesising of DMARC is ‘evil hacky kludge,’ but it works…
The National Cyber Security Centre (NCSC) has stopped large-scale airport email attack campaigns and increased the cost of attacking agencies such as HMRC in the last year.
This is according to the agency’s annual report, which highlights the UK government’s efforts to protect its citizens from cyber criminals at home and abroad.
Over a period of four months, the NCSC blocked just over 429,000 malicious emails; 15 percent of those emails occurred on the same day, August 8. That spike in activity was tied to one particular email spoofing campaign that used a gov.uk domain which claimed to be connected to the aviation sector.
The NCSC state that: “The takedown service identified the domain in use in emails purporting advance fee fraud in its spam feed. The email host of the account was notified that it was being used in fraudulent activity, and it was taken down. This shows how useful the sharing of data between services can be.”
Part of the NCSC’s approach to reducing cybercrime over the last two years has been to work with government brands that are inviting targets for threat actors’ phishing attacks.
One such brand is HM Revenue & Customs (HMRC), which experienced 16,064 attacks from over 2,400 cyber groups between 2017 and 2018. Working with the NCSC, that agency has moved from the 16th most phished brand to the 146th most phished brand globally.
The NCSC’s report notes that with regards to HMRC: “The data shows that it isn’t as attractive any more. It’s pretty likely that this is a causal result of the work done by HMRC, of which the Takedown Service is one part. As a proof of principle, it seems that we can affect the return on investment for criminals and demotivate them from attacking things we care about.”
“If government can do it, we can’t see any reason why businesses whose brands are trusted by the UK public can’t do it.”
NCSC Active Cyber Defence
One of the main initiatives undertaken by the NCSC is its Active Cyber Defence (ACD) programme, which aims to protect UK citizens and organisations against commodity attacks.
The goal of the ACD is not to stop all attacks, but rather to make them more costly for attackers. Organisations use NCSC ACD tools to process and analyse DMARC email reports, to run diagnostic web checks that help locate and fix vulnerabilities, and to stop malicious use of DNS through the Protective Domain Name System.
The NCSC notes that while the ACD is great at removing the most common types of cyber threats, “It does not aim to fix everything wrong with cyber security.” Its main goal is to raise the cost for threat actors for each and every attempted attack.
Hackers have always used legitimate-looking domains and emails to fool people into opening malicious content. The NCSC has been working on ‘synthetic DMARC’, which is the synthesising of DMARC (Domain-based Message Authentication, Reporting & Conformance) and related DNS records for non-existent subdomains.
The NCSC confirmed last year that it can synthesise the appropriate SPF and DMARC records in DNS for non-existent domains, and it has reports in Mail Check showing that attackers are using those domains in attack campaigns.
However, the NCSC says that while that particular initiative is showing great signs of deterrence, it ‘remains an evil hacky kludge,’ and what is really required is a better way to express policy ownership in domain hierarchies.
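A minimal sketch of the idea described above, added here as an illustration and not NCSC code: a TXT responder that answers queries for non-existent subdomains with a deny-all SPF record and a reject-policy DMARC record carrying a report address, so that receivers both drop the spoofed mail and report it. The zone `gov.example`, the delegated names, the record contents and the `rua` mailbox are all assumptions made for the example.

```python
# Added illustration of "synthetic DMARC": every name and record below is constructed.
ZONE = "gov.example"  # hypothetical parent zone
# Subdomains that really exist (delegated); these are never synthesised.
DELEGATED = {"tax.gov.example", "www.gov.example", "reports.gov.example"}

# Assumed policy content: no host may send mail, receivers reject and report.
SYNTH_SPF = "v=spf1 -all"
SYNTH_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@reports.gov.example"


def _exists(host):
    """True for the zone apex and for anything at or below a delegated child."""
    return host == ZONE or any(
        host == child or host.endswith("." + child) for child in DELEGATED
    )


def answer_txt(qname):
    """Return (source, records) for a TXT query against the hypothetical zone.

    source is "out-of-zone", "real" (served from normal zone data, which this
    sketch does not model) or "synthetic" (generated for a non-existent name).
    """
    name = qname.lower().rstrip(".")
    # Require a label boundary so "evilgov.example" is not treated as in-zone.
    if name != ZONE and not name.endswith("." + ZONE):
        return ("out-of-zone", [])

    # DMARC policy is published at _dmarc.<host>; SPF at <host> itself.
    is_dmarc = name.startswith("_dmarc.")
    host = name[len("_dmarc."):] if is_dmarc else name

    if _exists(host):
        return ("real", [])
    return ("synthetic", [SYNTH_DMARC if is_dmarc else SYNTH_SPF])


if __name__ == "__main__":
    for q in ("no-such-dept.gov.example.", "_dmarc.no-such-dept.gov.example",
              "mail.tax.gov.example", "evilgov.example"):
        print(q, "->", answer_txt(q))
```

A receiving mail server that evaluates mail claiming to be from `no-such-dept.gov.example` gets an SPF fail and a reject policy, and its aggregate reports to the `rua` mailbox are what reveal which invented names are being abused.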
The NCSC state that: “It is obvious that the proactive work undertaken through the Takedown Service continues to have a harm reduction effect at scale. We have shown a consistent reduction in the value to criminals of hosting malicious content in the UK, and that actively protecting specific government-related brands can reduce the harm caused through their abuse.”
“Improving the cyber security of the UK is far from a solo effort. ACD is but one function of the NCSC. The NCSC is but one organisation trying to reduce the harm from cyberattack in the UK, alongside other government departments, charities, companies and individuals.”