NCSC Celebrates Success of Proprietary Anti-Phishing Technique
The UK’s National Cyber Security Center (NCSC) today released its second annual cyber defense report, detailing the organization’s biggest victories of the year as well as the challenges it expects to face. face over the next year.
One of the main technical innovations launched by the NCSC concerns the verification of the authenticity of emails to fight against phishing attacks. It’s no secret that gov.uk domains are spoofed on a regular basis, usually around tax filing season, and email providers are finding it increasingly difficult to tell the difference between a real address and a fake address.
The NCSC began to develop a new technology called “Synthetic DMARC” in 2018 and steadily developed it throughout the year. It recognizes that spoofed email addresses that have not been marked as malicious before, such as [email protected] attempt to usurp [email protected], will not be detected by mail filters because there is no previous record of them.
It works by synthesizing DMARC (Domain-Based Message Authentication, Reporting, and Compliance) and associated DNS records for non-existent subdomains. It builds on the authentication systems of the past, SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) and the new method known as DMARC which combines the two.
NCSC can now assign SPF and DMARC records for all domains that attempt to spoof gov.uk domains, even though they were previously unknown to the NCSC, so email providers know they are being tampered with even before the NCSC can access them first, blocking them from users’ inboxes.
So far, he effectively combats fraudulent email campaigns, but is described in the report as a “nasty hacky kludge”, conceding that more needs to be done to “express ownership of policies in domain hierarchies. “.
An example of the method put to good use is the removal of a fraudulent campaign of scam emails that appeared to come from a gov.uk domain claiming to belong to an aviation industry organization. In four months, 429,908 emails were blocked by the NCSC but 15% of them arrived the same day and were assigned a single email spoofing campaign.
“The emails appeared to come from a gov.uk domain claiming to belong to an organization in the aviation sector ‘, read the report published by Dr Ian Levy, Technical Director at NCSC and Maddy S, Data Campaigns and Mission Analysis at NCSC. “None gov.uk domain is registered – and the entity involved would not be eligible for a subdomain under gov.uk – so we knew the emails were suspicious. “
“Once this was detected, we scanned our services to see where this domain had been detected,” the report adds. The withdrawal service identified the domain used in the suspected fraudulent advance charge emails in its spam stream. The account’s email host was notified that it was being used in connection with a fraudulent activity, and it has been removed. “
The second example involved the merger of two UK fire departments in 2016, one of which abandoned its domain to create a new one to reflect the new combined service. Within three months, 150,000 emails were blocked from the abandoned domain, which the NCSC said could be the result of fraudulent activity or misconfiguration.
The challenge with the more widespread implementation of synthetic DMARC is that email providers treat synthetic DMARC records differently and that work needs to be done to make the defense method more standardized and uniform between email providers and businesses.
Awkward cooperation with security researchers
One of the major revisions the NCSC made this year was the way it worked with security researchers who reported vulnerabilities to the organization. The report says the NCSC worked consistently with researchers to identify and mitigate vulnerabilities, but the process has not been pleasant for researchers, the report says.
“There was no one-size-fits-all way to talk to departments about potential vulnerabilities,” the report read. “Some departments did not respond appropriately when contacted and we even got reports of some really stupid things like threatening security researchers with legal action for trying to disclose.”
In response to this alarming discovery, the NCSC decided to implement a vulnerability disclosure platform to make it easier for researchers to reach the right people.
HackerOne was chosen as the platform of choice, while Manchester-based NCC Group was recruited to sort out the disclosure reports transmitted through the system.
“The service went live correctly on November 15, 2018,” the report said. “In the last two weeks of November, we had 11 submissions and 10 were resolved. In December, we had 27 submissions and 19 were resolved.
“A full year of vulnerability data will be interesting, however. More on that next year,” he added.
Winning the fight against phishing
The NCSC has also reported more effective removals of phishing sites that attempt to impersonate government-related entities.
The site removal rate was significantly higher this year compared to the 2018 Cyber Defense Report. 18,067 phishing sites were removed according to this year’s report, up from 14,124 in 2018.
Despite the increase in sites being taken offline, the numbers still illustrate the scale at which attackers exploit these phishing sites.
“This is an extremely encouraging progress report that we have received from the NCSC, and the UK is extremely wise to have invested in such a diligent dedicated cybersecurity center to tackle cybercrime,” said said Corin Imai, Senior Security Advisor at DomainTools. “Phishing is one of the most common and unfortunately one of the most effective methods of extracting funds from the general public through nefarious means, so the NCSC being able to stop 140,000 separate phishing attacks is a step in the right direction. . “
“However, there is not much that an organization can do on its own – even a government funded organization,” she added. “With around 1.5 million new phishing sites created every month, cybersecurity teams in governments around the world have to work as hard as the NCSC. “
Defeat Ransomware with Unified Security from WatchGuard
How SMBs Can Defend Against Ransomware Attacks
The IT expert’s guide to AI and content management
How artificial intelligence and machine learning could be essential for your business
The path to CX excellence
Four Steps to Thriving in the Experience Economy
Become an experience-based business
Your model for a solid digital foundation