Full Report
The year three report covers 2019 and highlights the achievements and efforts of the Active Cyber Defence programme.
Analysis Summary
# Incident Report: NCSC Active Cyber Defence (ACD) Year Three Overview
## Executive Summary
This report summarizes the 2019 operational period of the UK National Cyber Security Centre’s (NCSC) Active Cyber Defence (ACD) program. The initiative focused on high-volume, low-sophistication cyber attacks affecting the UK, successfully removing hundreds of thousands of malicious campaigns and improving the security posture of the public sector. The program demonstrated significant impact in reducing the lifespan of phishing sites and increasing the adoption of secure email standards.
## Incident Details
- **Discovery Date:** Ongoing monitoring throughout 2019
- **Incident Date:** January 1, 2019 – December 31, 2019
- **Affected Organization:** Multiple (UK Public Sector, National Health Service, and UK Brand Owners)
- **Sector:** Government, Healthcare, and Private Sector
- **Geography:** United Kingdom (Global impact regarding UK-hosted infrastructure)
## Timeline of Events
### Initial Access
- **Date/Time:** Continuous throughout 2019.
- **Vector:** Phishing, brand impersonation, and exploitation of misconfigured servers.
- **Details:** Attackers primarily used "commodity" techniques, including SMS phishing (smishing) and email spoofing, to impersonate government agencies like HMRC.
### Lateral Movement
- **Details:** While the report focuses on external defense, it notes that attackers sought to leverage compromised credentials from phishing to gain access to internal government systems and taxpayer accounts.
### Data Exfiltration/Impact
- **Details:** The primary impact involved the credential theft of citizens, financial fraud through tax rebate scams, and the hijacking of UK infrastructure to host malware or phishing content.
### Detection & Response
- **Detection:** Automated scanning of public sector websites for weaknesses ("Web Check"), automated discovery of phishing and malware-hosting sites ("Takedown Service"), and monitoring of email anti-spoofing controls such as DMARC on public sector domains ("Mail Check").
- **Response Actions:** NCSC drove takedowns of malicious URLs and hosting at scale and, through Protective DNS (PDNS), blocked resolution of known-malicious domains at the recursive resolver used by participating public sector organisations.
## Attack Methodology
- **Initial Access:** Phishing (Email/SMS) and Brand Impersonation.
- **Persistence:** Hosting malicious content on compromised legitimate UK web servers.
- **Privilege Escalation:** Not explicitly detailed, though credential harvesting was the primary goal.
- **Defense Evasion:** Use of fast-flux DNS and rapidly changing URLs to bypass static filters.
- **Credential Access:** Phishing pages designed to mimic official gov.uk portals.
- **Discovery:** Attackers scan for out-of-date or misconfigured web software; NCSC Web Check scans public sector sites for the same weaknesses so they can be fixed before they are exploited.
- **Lateral Movement:** Attempted use of stolen credentials against public sector services.
- **Collection:** Harvesting of PII (Personally Identifiable Information) and financial data.
- **Exfiltration:** Exfiltration of harvested credentials to attacker-controlled servers.
- **Impact:** Financial loss to citizens and reputational damage to UK government brands.
## Impact Assessment
- **Financial:** Prevented significant losses by removing over 150,000 "tax rebate" phishing URLs.
- **Data Breach:** Millions of citizens targeted; volume of successfully compromised accounts reduced by proactive takedowns.
- **Operational:** Reduced the average "live" time of UK-themed phishing sites from many days to under 24 hours.
- **Reputational:** Protected the integrity of the .gov.uk domain and the NHS brand.
## Indicators of Compromise
- **Network Indicators:** Malicious domains and IPs identified and processed by the Takedown Service (illustrative pattern: hxxp[://]service-tax-refund[.]gov[.]uk-refund[.]com, where "gov.uk" appears as subdomain labels of an attacker-registered domain, uk-refund[.]com, so the registrable domain is not the one being impersonated).
- **File Indicators:** Not the primary output of the programme; PDNS blocks resolution of domains contacted by mobile malware (primarily Android) rather than matching on file hashes.
- **Behavioral Indicators:** High volumes of mail failing DMARC authentication in aggregate (RUA) reports, indicating spoofing attempts against government domains; high volumes of automated vulnerability scanning against government IP ranges.
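Triage logic for the look-alike pattern in the network indicator above, as an added example for this summary (it is not Takedown Service code). It refangs a shared indicator, works out the registrable domain, and flags hosts that splice a protected brand label into a domain the brand does not own. The public-suffix list, the protected namespaces, the brand labels and the sample URLs are all constructed assumptions for illustration; a real deployment would load the Public Suffix List and the brand owner's domain inventory.

```python
"""Brand look-alike triage for defanged phishing indicators.

Added example for this summary, not NCSC tooling. The suffix set, protected
namespaces, brand labels and sample URLs below are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "uk", "co.uk", "org.uk", "gov.uk", "nhs.uk"}
# Assumption: namespaces the impersonated brands actually own.
PROTECTED_SUFFIXES = {"gov.uk", "nhs.uk"}
# Assumption: labels attackers splice into hostnames to borrow trust.
BRAND_LABELS = {"gov", "hmrc", "nhs", "dvla"}


def refang(url: str) -> str:
    """Undo the hxxp / [.] / [://] defanging used when sharing indicators."""
    url = (url.strip().replace("hxxps", "https").replace("hxxp", "http")
           .replace("[://]", "://").replace("[.]", ".").replace("(.)", "."))
    return url if "://" in url else "http://" + url


def hostname_of(url: str) -> str:
    """Lower-cased hostname with any trailing dot removed."""
    host = urlsplit(refang(url)).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Longest matching public suffix plus one label (eTLD+1)."""
    labels = host.split(".")
    suffix_len = 1                                   # unknown TLD: last label only
    for n in range(1, len(labels)):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            suffix_len = n
    return ".".join(labels[-(suffix_len + 1):])


def is_protected(host: str) -> bool:
    """True when the registrable domain sits inside a namespace the brand owns."""
    rd = registrable_domain(host)
    return any(rd == s or rd.endswith("." + s) for s in PROTECTED_SUFFIXES)


def brand_lookalike(url: str) -> dict:
    """Flag hosts that carry a brand label but are registered elsewhere.

    Matching is on whole labels split at '.' and '-', so 'hmrc-refund.co.uk'
    matches 'hmrc' while 'johnhsmith.com' does not match 'nhs'.
    """
    host = hostname_of(url)
    pieces = set(re.split(r"[.-]", host))
    labels = sorted(BRAND_LABELS & pieces)
    return {
        "host": host,
        "registrable": registrable_domain(host),
        "brand_labels": labels,
        "lookalike": bool(labels) and not is_protected(host),
    }


def triage(urls) -> list:
    """Hostnames worth a takedown request (look-alikes), sorted by hostname."""
    return sorted(r["host"] for r in map(brand_lookalike, urls) if r["lookalike"])


# Constructed sample indicators (documentation-style names, not real IOCs).
SAMPLE_URLS = [
    "hxxp[://]service-tax-refund[.]gov[.]uk-refund[.]com",
    "https://www.tax.service.gov.uk/personal-account",
    "http://hmrc-refund-claim.co.uk/login",
    "https://johnhsmith.com/",
    "hxxps://secure-nhs[.]org/book",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(brand_lookalike(u))
    print("takedown candidates:", triage(SAMPLE_URLS))
```

The check is deliberately label-based rather than substring-based: a substring match on "nhs" would flag innocent hosts, while whole-label matching still catches the hyphenated and dotted splices that brand impersonation relies on. Genuine gov.uk and nhs.uk hosts pass because their registrable domain sits inside a protected namespace, whatever labels appear in front of it.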
## Response Actions
- **Containment:** PDNS (Protective DNS) blocked 69 million queries to known malicious domains.
- **Eradication:** 177,335 phishing campaigns and 147,462 individual "government-branded" attacks were taken down.
- **Recovery:** Rollout of DMARC (Domain-based Message Authentication, Reporting, and Conformance) across public sector domains, tracked through Mail Check, so that receivers reject spoofed mail rather than deliver it.
## Lessons Learned
- **Key Takeaways:** Automation is essential for tackling commodity attacks at scale. Transparency in reporting builds trust with the public and private partners.
- **Improvements:** The need for better detection of SMS phishing (smishing) was identified, with the 7726 SMS reporting short code as the route for the public to report suspicious texts.
## Recommendations
- **Authentication:** Enforce DMARC with a "p=reject" policy across all organizational domains.
- **Vulnerability Management:** Use automated tools (like Web Check) to identify out-of-date software and system misconfigurations.
- **Infrastructure Security:** Utilize protective DNS services so that devices cannot resolve known-malicious domains, whether phishing hosts or malware command-and-control servers, in the first place.
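Two DMARC helpers, serving both the behavioral indicator in the Indicators of Compromise section (mail failing DMARC in aggregate reports) and the "p=reject" recommendation above. This is an added example for this summary, not NCSC Mail Check code: one function grades a published DMARC TXT record against an enforced p=reject target, the other reads a DMARC aggregate (RUA) report and shows which sending IPs are failing authentication. The records, the report and every domain and IP in them are constructed samples using documentation values, not real indicators.

```python
"""DMARC record grading and aggregate (RUA) report triage.

Added example for this summary, not NCSC Mail Check code. All records,
domains and IPs below are constructed samples.
"""
import xml.etree.ElementTree as ET

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def dmarc_weaknesses(txt: str) -> list:
    """Return the reasons a record falls short of an enforced p=reject policy."""
    tags = parse_dmarc_record(txt)
    issues = []
    p = tags.get("p", "none").lower()
    if POLICY_RANK.get(p, 0) < POLICY_RANK["reject"]:
        issues.append(f"p={p}: spoofed mail may still be delivered; target p=reject")
    sp = tags.get("sp", p).lower()            # sp defaults to p when absent
    if POLICY_RANK.get(sp, 0) < POLICY_RANK.get(p, 0):
        issues.append(f"sp={sp} is weaker than p={p}: subdomains remain spoofable")
    pct = int(tags.get("pct", "100"))         # pct defaults to 100
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so spoofing stays invisible")
    return issues


def summarize_rua(xml_text: str) -> dict:
    """Per source IP: messages seen, messages failing DMARC, receiver disposition.

    A row fails DMARC when neither aligned DKIM nor aligned SPF passed;
    <policy_evaluated> carries the *aligned* results, not the raw SPF/DKIM ones.
    """
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = sources.setdefault(ip, {"messages": 0, "failed": 0, "disposition": None})
        entry["messages"] += count
        entry["failed"] += 0 if passed else count
        entry["disposition"] = evaluated.findtext("disposition")
    return {"domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "sources": sources}


def spoofing_sources(summary: dict) -> list:
    """IPs whose mail failed DMARC, worst offender first."""
    failing = [(ip, s["failed"]) for ip, s in summary["sources"].items() if s["failed"]]
    return [ip for ip, _ in sorted(failing, key=lambda t: -t[1])]


# Constructed sample records (not from the report).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.uk"
PARTIAL_RECORD = "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@example.gov.uk"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov.uk"

# Constructed RUA report: one legitimate sender and two spoofing sources. In the
# second record raw SPF passed for the attacker's own envelope domain, but it is
# not aligned with the From: domain, so the aligned result is a DMARC failure.
SAMPLE_RUA = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.gov.uk</domain><p>reject</p><pct>100</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>4200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov.uk</header_from></identifiers>
    <auth_results><spf><domain>uk-refund.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>300</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.gov.uk</header_from></identifiers>
  </record>
</feedback>"""

if __name__ == "__main__":
    for rec in (WEAK_RECORD, PARTIAL_RECORD, STRONG_RECORD):
        print(rec, "->", dmarc_weaknesses(rec) or ["enforced"])
    summary = summarize_rua(SAMPLE_RUA)
    print(summary["domain"], "spoofing sources:", spoofing_sources(summary))
```

The grading deliberately treats `sp=` and `pct=` as first-class weaknesses: a domain at `p=reject` with `sp=none` still lets an attacker send as any subdomain, and `pct=50` asks receivers to enforce on only half of failing mail, both of which look like "DMARC deployed" in a naive check. The RUA parser is where the spoofing volume in the indicators section comes from; rolling it up by source IP is the quickest way to separate a misconfigured legitimate sender (high volume, fix SPF/DKIM) from a phishing source (fail everything, request a takedown).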