NCSC hails successful proprietary anti-phishing technique

The fight against phishers is looking hopeful, but GCHQ's security arm certainly isn't without its faults

The UK's National Cyber Security Centre (NCSC) released its second annual Cyber Defence Report today, detailing the biggest wins of the year for the organisation and also the challenges it expects to face in the year ahead.

One of the major technical innovations pioneered by the NCSC concerns verifying the authenticity of email to combat phishing. It's no secret that gov.uk domains are spoofed regularly, typically around tax return season, and email providers are finding it increasingly hard to tell a genuine sender address from a fake one.


The NCSC started developing a technique it calls 'synthetic DMARC' in 2018 and has been building on it throughout the year. It addresses a gap in conventional filtering: a message sent from a gov.uk subdomain that has never been registered, such as taxrefunds@taxrefunds.gov.uk, carries no history of abuse, so reputation-based email filters have no previous record on which to block it.

It works by synthesising DMARC (Domain-based Message Authentication, Reporting and Conformance) and related DNS records for subdomains that don't exist. It builds on the two established email authentication mechanisms, SPF (Sender Policy Framework), which publishes the servers allowed to send mail for a domain, and DKIM (DomainKeys Identified Mail), which signs messages with a key published in DNS, and on the newer DMARC, which lets a domain owner tell receivers what to do with mail that fails both checks and to receive reports about it.

A receiving mail server that looks up the SPF and DMARC records for any gov.uk subdomain, including one that has never been registered and that the NCSC has never seen, now gets an answer telling it the mail is not authorised. Email providers can therefore block the spoofed messages before they reach user inboxes, and before the NCSC has to act on them at all.
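To make the mechanism concrete, here is an added Python model of DMARC policy discovery with and without synthetic records. It is illustrative code written for this article, not the NCSC's implementation: the zone data, the list of registered subdomains, the contents of the synthesised records (`v=DMARC1; p=reject` and `v=spf1 -all`) and the rule for when a name gets a synthesised answer are all assumptions, the Public Suffix List is reduced to two entries, DKIM is ignored, and the SPF check assumes the envelope sender domain matches the From: domain.

```python
"""Model of DMARC policy discovery with and without 'synthetic' records.

Added example, not NCSC code. The zone, the record contents and the
synthesis rule are constructed for the demonstration; real DNS, the full
Public Suffix List and DKIM are out of scope.
"""
import ipaddress
from typing import Dict, Optional, Set

# gov.uk is on the Public Suffix List, so each registered subdomain
# (hmrc.gov.uk, ...) is its own organisational domain for DMARC purposes.
PUBLIC_SUFFIXES = {"uk", "gov.uk"}

# Constructed sample zone data (TXT records by owner name).
ZONE: Dict[str, str] = {
    "hmrc.gov.uk": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.hmrc.gov.uk": "v=DMARC1; p=reject; rua=mailto:reports@hmrc.gov.uk",
}
REGISTERED_SUBDOMAINS: Set[str] = {"hmrc.gov.uk"}

# Assumed contents of the synthesised records: no sender is authorised
# and receivers are asked to reject unauthenticated mail.
SYNTHETIC_SPF = "v=spf1 -all"
SYNTHETIC_DMARC = "v=DMARC1; p=reject"


def organisational_domain(domain: str) -> str:
    """Longest matching public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


class Resolver:
    """In-memory stand-in for DNS. With synthesise_under='gov.uk' it answers
    TXT queries for unregistered gov.uk subdomains with the synthetic records."""

    def __init__(self, zone: Dict[str, str], synthesise_under: Optional[str] = None):
        self.zone = {k.lower(): v for k, v in zone.items()}
        self.parent = synthesise_under

    def _registered(self, name: str) -> bool:
        # A host inside a registered subdomain belongs to that subdomain's owner.
        return any(name == r or name.endswith("." + r) for r in REGISTERED_SUBDOMAINS)

    def txt(self, name: str) -> Optional[str]:
        name = name.lower().rstrip(".")
        if name in self.zone:
            return self.zone[name]
        if self.parent is None:
            return None  # ordinary DNS: the name simply does not exist
        is_dmarc = name.startswith("_dmarc.")
        bare = name[len("_dmarc."):] if is_dmarc else name
        if bare.endswith("." + self.parent) and not self._registered(bare):
            return SYNTHETIC_DMARC if is_dmarc else SYNTHETIC_SPF
        return None


def dmarc_policy(resolver: Resolver, from_domain: str) -> Optional[str]:
    """RFC 7489 section 6.6.3: try the exact domain, then the organisational domain."""
    for name in dict.fromkeys([from_domain, organisational_domain(from_domain)]):
        rec = resolver.txt("_dmarc." + name)
        if rec and rec.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p", "none")
    return None  # no policy at all: the receiver is left to its own heuristics


def spf_result(resolver: Resolver, domain: str, ip: str) -> str:
    """Minimal SPF evaluation: ip4: mechanisms plus a trailing -all / ~all."""
    rec = resolver.txt(domain)
    if not rec or not rec.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for mech in rec.split()[1:]:
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
        if mech == "-all":
            return "fail"
        if mech == "~all":
            return "softfail"
    return "neutral"


def verdict(resolver: Resolver, from_domain: str, sending_ip: str) -> str:
    """What a DMARC-enforcing receiver does with an unsigned message whose
    From: (and, by assumption, envelope sender) is on from_domain."""
    authenticated = spf_result(resolver, from_domain, sending_ip) == "pass"
    policy = dmarc_policy(resolver, from_domain)
    if authenticated or policy in (None, "none"):
        return "deliver"
    return "reject" if policy == "reject" else "quarantine"


if __name__ == "__main__":
    spoof, attacker_ip = "taxrefunds.gov.uk", "203.0.113.7"  # constructed inputs
    plain, synthetic = Resolver(ZONE), Resolver(ZONE, synthesise_under="gov.uk")
    print("plain DNS  :", dmarc_policy(plain, spoof), verdict(plain, spoof, attacker_ip))
    print("synthetic  :", dmarc_policy(synthetic, spoof), verdict(synthetic, spoof, attacker_ip))
    print("legit hmrc :", verdict(synthetic, "hmrc.gov.uk", "198.51.100.9"))
```

With plain DNS the spoofed subdomain yields no policy at all: because gov.uk is a public suffix, the organisational-domain fallback stops at taxrefunds.gov.uk itself rather than climbing to gov.uk, so the receiver finds nothing and delivers the message. With the synthetic answers the same lookup returns p=reject and an SPF record that authorises no sender, so the message is rejected, while mail from the registered hmrc.gov.uk (and from hosts beneath it, which fall through to hmrc's own policy) is handled exactly as before.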


So far it has been effective against spoofed email campaigns, but the report describes it as an "evil hacky kludge" and concedes that more must be done to "express policy ownership in domain hierarchies".

One example of the method being used to good effect is the takedown of a scam campaign whose emails appeared to come from a gov.uk domain purporting to belong to an organisation in the aviation sector. In four months, 429,908 such emails were blocked, but 15% of them arrived on a single day and were attributed to one spoofing campaign.

"The emails appeared to come from a gov.uk domain purporting to belong to an organisation in the aviation sector," read the report published by Dr Ian Levy, technical director at the NCSC and Maddy S, data campaigns and mission analytics at the NCSC. "No such gov.uk domain is registered - and the entity involved wouldn't qualify for a subdomain under gov.uk - so we knew the emails were suspicious."


"Once this was detected, we looked across our services to see where this domain had been detected," the report added. "The takedown service identified the domain in use in emails purporting advance fee fraud in its spam feed. The email host of the account was notified that it was being used in fraudulent activity, and it was taken down."

The second example involved the merger of two British fire services in 2016, one of which abandoned its domain when a new one was created for the combined service. In the space of three months, 150,000 emails purporting to come from the abandoned domain were blocked, which the NCSC conceded could be the result of fraudulent activity or of a misconfiguration.

The challenge in rolling out synthetic DMARC more widely is that email providers process the synthetic records differently, and work must be done to standardise the approach so that it behaves uniformly across email providers and businesses.

Clunky cooperation with security researchers

One of the major overhauls the NCSC performed this year was to the way it works with security researchers who report vulnerabilities to the organisation. The report states that the NCSC worked consistently with researchers to identify and mitigate vulnerabilities, but that the process wasn't an enjoyable one for the researchers.


"There wasn't a single, simple way to talk to departments about potential vulnerabilities," the report read. "Some departments didn't respond appropriately when they were contacted and we even had reports of a couple of really daft things like threatening security researchers with legal action for trying to disclose."

In response to this alarming discovery, the NCSC decided to implement a vulnerability disclosure platform to make it as easy as possible for researchers to reach the right people.

HackerOne was chosen as the platform of choice, while Manchester-based NCC Group were drafted in to triage the disclosure reports that came through the system.

"The service went live properly on 15th November 2018," the report read. "In the last two weeks of November, we had 11 submissions and 10 were resolved. In December, we had 27 submissions and 19 were resolved.

"A full year of vulnerability data will be interesting, though. More on this next year," it added.

Winning the fight against phishing

The NCSC also reported more efficient takedowns of phishing sites that attempt to impersonate government-related entities.


The number of sites taken down was significantly higher this year than in 2018's Cyber Defence Report: 18,067 phishing sites were taken down according to this year's report, compared to 14,124 in 2018.

Despite the increase in sites taken offline, the figures still illustrate the great scale at which attackers operate these phishing sites.

"This is a massively encouraging progress report we have received from the NCSC, and the UK is extremely wise to have invested in such a diligent dedicated cybersecurity centre in order to combat cybercrime," said Corin Imai, senior security advisor at DomainTools. "Phishing is one of the most common and sadly one of the most effective methods of extracting funds by nefarious means from the general public, so the NCSC being able to stop 140,000 separate phishing attacks is a step in the right direction."

"However, there is only so much that one organisation can do on its own - even a government funded one," she added. "With an estimated 1.5 million new phishing sites created every month, cybersecurity teams at governments all over the world need to be working as hard as the NCSC."
