NCSC hails successful proprietary anti-phishing technique

Screenshot of the NCSC website homepage in a browser
(Image credit: Shutterstock)

The UK's National Cyber Security Centre (NCSC) released its second annual Cyber Defence Report today, detailing the biggest wins of the year for the organisation and also the challenges it expects to face in the year ahead.

One of the major technical innovations pioneered by the NCSC involves the verification of email authenticity to combat phishing attacks. It's no secret that domains are spoofed on the regular, typically around tax return season, and email providers are finding it tougher to differentiate between a real and fake address.

The NCSC started developing a new technology called 'synthetic DMARC' in 2018 and has been consistently building on it throughout the year. It recognises that spoofed email addresses that haven't been marked as malicious before, such as attempting to spoof, won't be picked up by email filters as there is no previous record of them.

It works by synthesising DMARC (domain-based message authentication, reporting and conformance) and related DNS records for non-existent subdomains. It builds on the authentication systems of the past, SPF (sender policy framework) and DKIM (domain keys identified mail) and the newer method known as DMARC which combines the two.

The NCSC can now assign SPF and DMARC records for all domains that attempt to spoof domains, even if they are previously unknown to the NCSC so email providers know that they're spoofed before the NCSC can even get to them first, blocking them from user inboxes.

So far, it's effectively combating spoof email campaigns but is described in the report as an "evil hacky kludge", conceding that more must be done to "express policy ownership in domain hierarchies".

One example of the method being used to good effect is the takedown of a spoof email scam campaign that appeared to come from a domain purporting to belong to an organisation in the aviation sector. In four months, 429,908 emails were blocked by the NCSC but 15% of which came on the same day and was attributed a single email spoofing campaign.

"The emails appeared to come from a domain purporting to belong to an organisation in the aviation sector," read the report published by Dr Ian Levy, technical director at the NCSC and Maddy S, data campaigns and mission analytics at the NCSC. "No such domain is registered - and the entity involved wouldn't qualify for a subdomain under - so we knew the emails were suspicious."

"Once this was detected, we looked across our services to see where this domain had been detected," the report added. "The takedown service identified the domain in use in emails purporting advance fee fraud in its spam feed. The email host of the account was notified that it was being used in fraudulent activity, and it was taken down."

The second example involved the merging of two British fire services in 2016, one of which abandoned its domain to create a new one to reflect the new, combined service. In the space of three months, 150,000 emails were blocked from the abandoned domain, which the NCSC conceded could be a result of fraudulent activity or a misconfiguration.

The challenge in implementing the synthetic DMARC in a more widespread fashion is that email providers process synthetic DMARC records differently and work must be done to make the method of defence more standardised and uniform accross email providers and businesses.

Clunky cooperation with security researchers

One of the major overhauls the NCSC performed this year was the way in which it worked with security researchers who were reporting vulnerabilities to the organisation. The report stated that the NCSC worked consistently with researchers in identifying and mitigating vulnerabilities, but the process wasn't an enjoyable one for the researchers, the report states.

"There wasn't a single, simple way to talk to departments about potential vulnerabilities," the report read. "Some departments didn't respond appropriately when they were contacted and we even had reports of a couple of really daft things like threatening security researchers with legal action for trying to disclose."

In response to this alarming discovery, the NCSC decided to implement a vulnerability disclosure platform to make it as easy as possible for researchers to reach the right people with ease.

HackerOne was chosen as the platform of choice, while Manchester-based NCC Group were drafted in to triage the disclosure reports that came through the system.

"The service went live properly on 15th November 2018," the report read. "In the last two weeks of November, we had 11 submissions and 10 were resolved. In December, we had 27 submissions and 19 were resolved.

"A full year of vulnerability data will be interesting, though. More on this next year," it added.

Winning the fight against phishing

The NCSC also reported more efficient takedowns of phishing sites that attempt to impersonate government-related entities.

There was a significantly better takedown rate of sites this year compared to 2018's Cyber Defence Report. 18,067 phishing sites were taken down according to this year's report compared to 14,124 in 2018.

Despite the increase in sites taken offline, the figures still illustrate the great scale at which attackers operate these phishing sites.

"This is a massively encouraging progress report we have received from the NCSC, and the UK is extremely wise to have invested in such a diligent dedicated cybersecurity centre in order to combat cybercrime," said Corin Imai, senior security advisor at DomainTools. "Phishing is one of the most common and sadly one of the most effective methods of extracting funds by nefarious means from the general public, so the NCSC being able to stop 140,000 separate phishing attacks is a step in the right direction."

"However, there is only so much that one organisation can do on its own - even a government funded one," she added. "With an estimated 1.5 million new phishing sites created every month, cybersecurity teams at governments all over the world need to be working as hard as the NCSC."

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.