Last month, the Chancellor of the Exchequer George Osborne outlined a number of initiatives ahead of his spending review to make Britain the best protected country in cyber space.
The details of the speech are worth a read. A key element contained in the announcement was a stronger Active Defence Programme.
Active Defence: the concept, mission and impact
Very few countries currently have an active defence strategy in place. Such strategies, at a national level, are both bold and innovative in terms of goals and approach.
If we look at other active defence systems, the most well developed comparison is probably the USA’s National Cyber Protection System (NCPS). Note, however, that NCPS is comprised in part of a prevention capability: the prevention work stream for the USA is implemented through the EINSTEIN 3 Accelerated (E3A) capability, but it works at an organisational level rather than at a national level.
In his statement, the Chancellor said the United Kingdom government will be: “Exploring whether Internet Service Providers (ISPs) can work together, with government help, to divert more malware attacks and block bad addresses used against British Internet users."
He specifically said: “ISPs already divert their customers from known bad addresses, to prevent them from being infected with malware. We will explore whether they can work together – with our help – to provide this protection on a national level.
“We cannot create a hermetic seal around the country – indeed it wouldn’t be in our interests to have one – but with the right systems and tools our private ISPs could kick out a high proportion of the malware in the UK Internet, and block the addresses which we know are doing nothing but scamming, tricking and attacking British users. Let us try to get to the point where all the ISPs will, as a matter of routine, divert known bad addresses.”
Because the UK government has indicated this would be done in conjunction with ISPs, there is an opportunity to disrupt the command and control (C2) channels, watering holes and similar attack infrastructure for every organisation and consumer based in the UK by default, not just those who invest heavily in cyber defences.
The ability to do this at a national infrastructure level means that commercial threat intelligence providers, such as NCC Group, have the potential to contribute and have a much greater impact. The announcement also leaves obvious room for public and private sector collaboration on how to clean up the compromised hosts whose traffic is being blocked.
Active Defence: the technical implementation
The actual implementation of any active defence will obviously be a complex one, and if adopted, will rely on a range of technologies and approaches. As the Chancellor alludes to, the Internet Watch Foundation and ISPs already collaborate today on technical implementations using a variety of measures including:
- DNS response modification
- IP address blocking
- Deep packet inspection (DPI) for URI blocking
There are obvious technological difficulties which will need to be considered carefully: with shared hosting, blocking an IP address cuts off every site that happens to share it; with a compromised legitimate website, blocking the domain harms the legitimate owner when only one path is serving malware; and the peer-to-peer technologies used by some malware families offer no fixed address to block at all. We are realists about the limitations of technology today, so we should not expect 100 per cent coverage. A successful Active Defence Programme will be most effective when combined with other mechanisms such as takedowns using established CERT mechanisms.
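To make the trade-offs between the three measures concrete, here is a small blocking-policy engine, added as an illustration and not code from the original article, the IWF or any ISP. It assumes a constructed blocklist and hosting table (documentation IP ranges and `.example` names) and a hypothetical sinkhole address, and shows that a DNS response modification catches subdomains of a blocked name, an IP block on a shared address also cuts off an innocent neighbour, and a URI block can remove a malicious path from a compromised legitimate site without taking the whole site down.

```python
"""Toy ISP blocking-policy engine (added example, not production code).

Models the three measures named in the text: DNS response modification,
IP address blocking and DPI-based URI blocking, against a constructed
blocklist, and reports the collateral damage that IP blocking causes on
shared hosting.
"""
import ipaddress
from dataclasses import dataclass, field

SINKHOLE_IP = "192.0.2.1"  # assumed sinkhole address (documentation range)


@dataclass
class Blocklist:
    domains: set = field(default_factory=set)        # name blocks, apply to subdomains too
    networks: list = field(default_factory=list)     # ipaddress network objects
    uri_prefixes: set = field(default_factory=set)   # (host, path prefix) pairs


def _domain_matches(name, domains):
    """True if name, or any parent of name, is on the domain blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def dns_policy(blocklist, qname, real_answer):
    """DNS response modification: answer the resolver hands to the client."""
    if _domain_matches(qname, blocklist.domains):
        return SINKHOLE_IP  # divert the client to the sinkhole
    return real_answer


def ip_policy(blocklist, dst_ip):
    """IP address blocking: True if traffic to dst_ip should be dropped."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in blocklist.networks)


def uri_policy(blocklist, host, path):
    """DPI-based URI blocking: True if this HTTP request should be blocked."""
    host = host.lower()
    return any(host == h and path.startswith(p) for h, p in blocklist.uri_prefixes)


def coverage(blocklist, hosting):
    """Which whole-site measures ("dns", "ip") cut off each hosted name."""
    result = {}
    for name, ip in hosting.items():
        measures = []
        if _domain_matches(name, blocklist.domains):
            measures.append("dns")
        if ip_policy(blocklist, ip):
            measures.append("ip")
        result[name] = measures
    return result


def collateral(blocklist, hosting):
    """Names cut off by an IP block although they are not on the domain list."""
    return sorted(n for n, m in coverage(blocklist, hosting).items()
                  if "ip" in m and "dns" not in m)


# Constructed sample data: a C2 domain, a /29 it lives in, and a legitimate
# site compromised to host a payload under one path on a shared IP.
BLOCKLIST = Blocklist(
    domains={"c2.example"},
    networks=[ipaddress.ip_network("203.0.113.0/29")],
    uri_prefixes={("shared-host.example", "/wp-content/uploads/payload")},
)
HOSTING = {
    "c2.example": "203.0.113.5",
    "shop.example": "203.0.113.6",          # innocent neighbour in the blocked /29
    "shared-host.example": "198.51.100.7",  # compromised legitimate site
    "blog.example": "198.51.100.7",         # shares the IP with it
}

if __name__ == "__main__":
    print(dns_policy(BLOCKLIST, "www.c2.example", "203.0.113.5"))
    print(coverage(BLOCKLIST, HOSTING))
    print("collateral from IP blocking:", collateral(BLOCKLIST, HOSTING))
    print(uri_policy(BLOCKLIST, "shared-host.example", "/wp-content/uploads/payload.exe"))
    print(uri_policy(BLOCKLIST, "shared-host.example", "/index.html"))
```

In the sample data the IP block on the C2's /29 also silences shop.example, which is exactly the shared-hosting collateral the text warns about, while the URI rule blocks only the payload path on shared-host.example and leaves its front page and its neighbour blog.example untouched.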
Other challenges include the sensitive nature of the information used to conduct Active Defence, which is likely to originate from investigations conducted by government agencies and private companies. Increased sharing in this area between government and the private sector is a positive step which is welcomed by NCC Group and will benefit UK industry in the long run.
Even when faced with limitations and challenges any deployment along the lines suggested will raise the bar significantly and cause our adversaries to have to invest a lot more, adapt their approaches and thus disrupt and likely diminish their capabilities. The obvious small print is whatever is put in place to address the techniques, tactics and procedures of our adversaries will need to be adaptable and easily upgradable to ensure continued long term viability and return on any investment.
It is clear with this announcement that there is a real opportunity to take a more proactive role in defending those who can’t, or otherwise don’t, for the betterment of individuals and industry.
Ollie Whitehouse, technical director at NCC Group