The UK’s National Cyber Security Centre (NCSC), the shop window of signals intelligence organisation GCHQ, has developed and is piloting its own “host-based” intrusion detection software to understand threats that target the government’s IT systems.
The NCSC cybersecurity tool has already been deployed on 14,500 government devices, the organisation said, and will be widely rolled out. It “complements” existing commercial security products, the centre said in its Annual Review 2018 report.
“The number of devices enrolled will increase significantly in the coming months. By using the data this generates, we were able to issue our first Threat Surface reports, help early adopters understand the attacks they face, and detect targeted cyber attacks against government systems,” the NCSC added.
NCSC Cybersecurity Tool Developed In-House
The software is a fresh string to the bow of the NCSC’s Active Cyber Defence (ACD) suite of tools. A spokesman confirmed to Computer Business Review that the tool was developed in-house rather than in collaboration with a vendor.
They declined to rule out future commercialisation.
Computer Business Review asked the NCSC for further technical details on the tool’s capabilities; none were provided.
Rodolfo Rosini, a venture capitalist and former cybersecurity entrepreneur, told Computer Business Review: “Host-based intrusion detection systems are simple to build, they take a lifetime to tune, they are highly contextual, and there is no single obvious market leader yet.”
He added: “I don’t really know any customer that implemented and configured them at scale – usually they are not worth the pain of going through the false positives.
“This [kind of] software has total control of the PC. They probably went to various vendors asking for the source code to check for backdoors and none of the large US ones complied so they made their own. That seems plausible, although it’s pure speculation…”
“We pilot our ACD tools with the public sector first and, where relevant, demonstrate the benefits to other sectors. This year, we are working with a range of companies and departments to understand how we can help different sectors,” the centre said.
The NCSC’s current ACD tools include a “takedown” service that removes phishing sites pretending to have government associations; Public Sector DNS, which provides protective DNS services to public sector subscribers; and the integration platform “Threat-o-Matic”, a hub that links these tools and several more.
NCSC was formed in 2016. It replaced four other institutions including CESG (the information security arm of GCHQ), the Computer Emergency Response Team UK and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure.
“We are also encouraging a range of technology providers to offer similar services to their customers so that together we can ensure that cyber crime doesn’t pay,” the report continues.
“The cyber threat is always evolving so we need to continue to build a pipeline of ACD services that can deal with them.”
The ACD was created in 2016 as a “guinea pig” for cybersecurity measures deemed to be required at a national scale, and to use automation to reduce weaknesses in cyber defences. ACD has so far removed 138,398 phishing sites hosted in the UK.
NCSC Cybersecurity Warning: “Little Doubt” of a Category 1 Cyber Attack in the UK
NCSC has dealt with more than 1,000 cybersecurity incidents since its inception, with the majority of those believed to be from nation states “in some way hostile to the UK”, it noted in the annual review.
There is now “little doubt” that the UK will be tested by a Category 1 cyber-attack in the next few years. Category 1 is the most severe attack classification, one that the UK has so far avoided, and denotes an attack that would cause “sustained disruption” of essential services.
To put that into perspective, last year’s WannaCry ransomware attack that cost the NHS almost £100 million was only a Category 2.
CEO of the NCSC Ciaran Martin said: “Although there have been several very significant incidents thus far, the UK has avoided a Category 1 – most of our foremost international partners have not.
“But even if this continues, we must be alert to the constant threat from countries who will attack critically important national networks to steal information for strategic or commercial reasons, and give themselves a starting point – ‘pre-positioning’ for a significant attack in the future.”
Over the period covered by the review, September 1, 2017 to August 31, 2018, the NCSC had 1.9 million visitors to its site, handled 557 incidents, removed 138,398 unique phishing sites, and produced 214 threat assessments.