How the UK's National Cyber Security Centre is Tackling Threats

Captions
So we've been around for a year. Cyber buck, cyber face... come on, do I not even get a little giggle for that? I'm gonna talk a bit about what we said we would do in November last year and then some of the results we've got over the last year, so the early results. Last year, finishing this event, I said we're going to have a measurable effect, because most cyber security that you see is based on fear, and I'm a mathematician so I like numbers, so I think we should be able to measure the impact of what we do. And I'm going to go through some data. A cyber security presentation with data: this is not something you will see often. To try and show you some of the stuff we've done.

Two or three weeks after the WIRED conference last year we launched this: the National Cyber Security Strategy. I got into trouble when we launched it because I said it wasn't completely crap. Now, I stand by that, it is not completely crap. Most government strategies are write-only documents; this is actually worth a read if you've not read it, because it's totally different to any other government cyber strategy. It doesn't just say you should all do better and share information and the world will be better, because we've just kind of shown that doesn't work. So this is more about how we intervene, how we change the incentive model, how you change the marketplace so that cyber security is the default for most people most of the time, and I'll show you some of the stuff we're doing to try and do that.

Again, last year I talked about a couple of things we were going to do about intervening. When we launched the strategy we published this, and there's a blog on the NCSC website that talks about this. This is a set of active things that we're going to do, that we've started, and we'll talk about three of them today, that we believe will fundamentally change security in the UK for the better. I should really say "for the better", right, it's going to be much better. But some of the things that are on here are really simple but have a really disproportionately large effect.

So most cyber attacks start with a dodgy email, right? Yeah. Who's been told never click a link in an email unless you trust it? Yeah, it's stupid. You cannot possibly understand how to trust an email as a normal person. So the top of this is about using something called DMARC to stop the majority of spoofed emails turning up. I'll talk about some of the other stuff we're doing as we've seen the adversaries respond. Down at the bottom we've got a DNS service for public sector. So we've built a DNS... actually we haven't, because it'd be terrible if we built it. Nominet built it. Seriously, government engineering: go to an expert. So we've built a DNS service for all of public sector. I'll show some of the early results of that, but the idea is if you're in public sector you don't get to go to things we know are bad, right? And then how do you scale that out? Well, over there on the right-hand side you've got ISPs. So the idea is we'll give the ISPs the data that we protect government with, and they can voluntarily go to all of their residential customers and say, hey, we'll protect you for free. All right? So by default I want everybody in the UK to be protected unless they opt out, because that's the sort of scaling where you start to have a measurable effect. And there's a bunch of other stuff; there's a load of blogs up there on the website about all of this. I'm gonna take you through a couple of things.

So, email. DMARC. Hands up who knows about DMARC? Anybody? Couple of people. So DMARC allows you to take control of your domain, and it says my email will only ever come from these IP addresses and it will be signed by these keys, and if either of those things don't work, either deliver it but tell me, stick it in the quarantine spam folder and tell me, or don't deliver it and tell me. We've built something that starts to process DMARC records for public sector, and this is our shiny dashboard. It's a shiny dashboard, version 0.1, it's not released yet, but this one says that in, was it, three weeks of September we processed spoofed email from 985 government domains, right? So this is things that somebody else has spoofed: 25, 26 million emails, blah blah blah blah blah. Not many of them were blocked. Why is that? So we can now go dig into this and say we've set policy that says, you know, those untrusted emails... 47% of those emails are untrusted, why are they still being delivered? So you can go and start to work out what the problem is.

This is a year's worth of spoof, this is just the volume of spoofs of addresses ending in gov.uk, and there were some really interesting spikes in there. So that big spike in February was a massive spam campaign in the name of government, about a hundred and fifty thousand emails a day or something, a big campaign, but a lot of those didn't get delivered. So instead of telling people you have to work out whether this is a real government mail or not, a lot of those didn't get delivered and so you mitigate the harm. And here's an interesting one: nobody should ever send email from @gov.uk, it's always thatdepartment.gov.uk. So we set a top-level policy that says, oh internet, if you ever see an email from @gov.uk it's spoof, don't deliver it, just send it back to us. What this tells you is in the last, well, nine months we've had two and a half million of those, but for some bizarre reason... the internet said 91% of those were untrusted, it understood they were not trusted emails, they shouldn't be delivered, and yet 80% of them are still delivered. That last number, twenty point five, no idea why, right? So this only came out a couple of weeks ago and we're trying to understand what's wrong on the internet that still allows untrusted emails to be delivered, but then we're gonna fix it. And if we fix it for our DMARC implementation, we fix it for everybody's, right? So the idea is we can start to set the UK apart and say if you get an email from a domain in the UK it means something. It starts to give people better quality data. My job's about harm reduction, it's not about fear.

So, talking about phishing. We've done some stuff with a company called Netcraft in Bath, we've done some stuff to go and try and make the UK a safer place. So any phishing physically hosted in the UK used to last about a day and now lasts about an hour. That's good: you've got twenty-four, twenty-six fewer hours to be hurt by clicking the link. Web injects in the UK used to be about a month, now it's a couple of days. And then UK government phishing hosted anywhere in the world used to last about two days and is now about six hours. So this is about trying to reduce the harm window for people, okay?

Hands up who's a statistician? Anybody? One. I'm sorry for what you're about to see, I apologise now, you statistics... right. So the left is phishing, the right is malware takedowns. There's a strip chart at the top that says the majority of stuff we see is taken down pretty quickly, and the bottom says, if you're really, really naive and do stupid things that Pareto said in 1890 you should never do, it looks a bit like a power law, right? And the power law says the stuff that lasts long has a disproportionate effect. So now we've got some data that says the right-hand side of those strip charts are interesting. Don't know why yet, but what if they all turn out to be Russian bulletproof hosting? Can we then go, right, the only thing that has ever been hosted on these things is bad, so how about we don't route to them anymore, because they don't take stuff down when you ask, right? And again, trying to make it safer for people to go out on the internet.

It's all getting worse. Phishing sites... the number of IPs that have been involved in phishing is up 47 percent this year, year on year, but in the UK the UK share has gone down from 5.1 to 3.3. Now, I don't think one year's worth of data is sufficient to say that's causal, that what we are doing is causing that, but it's an interesting side statistic. So is the UK becoming harder for cyber criminals to operate in? Yes or no? And we'll work that out over the next year. If the answer is yes, can you take what we're doing and scale it so other countries do the same and make it globally harder? That's the sort of thing we want to do.

This is one of those "what the bloody hell was that" slides, right. So the big chunks of colour are malware mail servers, so these are mail servers sending malware out in the name of government or other brands we care about. December you kind of get it, it's Christmas. August and September were weird, right? Somebody said, oh, it's school holidays. Well, yeah, but it was school holidays last year as well and that didn't happen. The September one, we ended up with something like 150 thousand emails a day coming from 18,000 open relays on the internet, mail servers, with 570 different flavours of malware attached. That's a big campaign. Thankfully the guy that ran it is an idiot and used 16 command and control servers for all of it, so you take the command and control servers down and you mitigate all 500 versions of malware, right? But that was an interesting response. What does it mean? Not sure yet, we need to do some more work on it.

We've also seen a behaviour change in the adversary, so we've seen them go from spoofing government domains that exist to spoofing non-existent government domains. We've got kind of a way we're thinking about how to fix that. So lookalike domains might say, was it, tax refunds HMRC dot k dot UK. So we are now taking zone transfers from DNS, looking for things that look like government spoofs, and monitoring them. And what they do normally is they put non-malicious content up for a while and then sometime, a couple of months later, they launch a phishing campaign and put malicious content up. We monitor these things every hour, and so as soon as we know something's dodgy... got a HMRC login dot co dot UK, we start monitoring every hour, soon as there's something dodgy, off we send a request to the hosts going, hey, this is bad, please take it down, because until then you can't actually take it down. HMRC are bastards dot co dot UK, by the way, it turns out you can't take that down.

We're also starting to do some stuff on social media. This is my favourite: this is a man advertising driving test pass certificates with his real photo and his real phone number. [Laughter] Artificial intelligence is great, human stupidity is better. So we're just going looking for these sorts of things and taking it down, not because they are particularly pernicious but because they damage people's trust in the government brand on the internet. And again, if we can show the data about this getting harder for people to do, we can say to other brands that people care about, banks etc., you should do something similar, because here's the data that shows it's useful.

I'm not allowed to swear anymore, apparently. I swear a lot. SS7. So this is the international signalling system for telecoms. It is awful. We've got a piece of work with the UK ISPs to say let's make it better in the UK. You shouldn't be able to pull people's SMS messages from outside, you shouldn't be able to reroute voice, you shouldn't be able to do a whole bunch of stuff that you can currently do. Some of that's in place, and HMRC have been doing an experiment with one of the operators. So HMRC send out text messages to people from "HMRC". It turns out if you are a criminal it's trivial for you to send text messages from "HMRC", so the from address being HMRC. So we've done some experiments over the last few months with HMRC [unclear] and basically said if a UK mobile has an SMS that says HMRC as its from address, it must have come from HMRC. We just tried that as a manual thing. The complaints from HMRC's customers about SMS fraud have gone down by ninety percent in two months. That's awesome. So the next thing is how you scale that, so how do you come up with a set of TP-OAs, these from addresses, that cannot be spoofed in the UK, and then you can have a big public messaging campaign that says if you get an SMS from HMRC it's golden, you know; from anywhere else, delete it. Those are the sorts of things where you're starting to give people actionable advice. So you change the technology so that people can use it properly.

This is DNS. So this is just the volume of DNS queries over a week for our public sector DNS system, end of July, right. The volumes are important; what's interesting, okay, so it's obvious where the work week is, right, big spiky things, but these are interesting, these little beeps, regular heartbeats. What are they? Is it malware beaconing out? What is it? Turns out that's security software updating signature files. But visualising DNS like this lets you do things that you can't do any other way: just looking at that and going, those little white peaks are weird, right, you can see that immediately. And the analytics that we run over this do some really cool stuff. This is a tool Nominet built called Turing. I'm showing you two quite anodyne screenshots; there are some awesome analytics behind this. The problem is if I show you, I show you which departments have been pwned, and that's not on really. But in the first eight weeks of this thing running we had 50 departments on it. We've got four Conficker infections, yeah, 2007. We got four Conficker, two Qakbot, one Ramnit, right, that nobody knew about, but we spot it in DNS. We've had some interesting internal misconfigurations where departments are trying to resolve internal addresses externally; that's bad. So that was just another cool data screen, and then we got this. So one of the analytics on the backend is Markov analysis, right? They don't look like proper addresses to me, they look like domain generation algorithms from malware, and when we find Conficker it's by matching it to the DGA. Nobody knows what the hell this is. This is a completely unknown set of things that look like a domain generation algorithm, so it's either weird misconfigurations, weird data being generated some other way, or unknown malware, and we're digging into that to try and find out what it is. That's in the first eight weeks. That's kind of cool, right?

I'm gonna finish on incidents, because that's what everybody really wants to know about. So that's the number of C1s, C2s and C3s. So a category 3 is "oh look, another defence contractor has been done and a terabyte of data has been nicked". Category 2 is something that requires a proper response, yeah, us actually intervening, and a category 1 would be a national event. So one [unclear] was a category 2, that's in 11 months, that's a lot, right? The thing that we're working through is what's the root cause analysis that you do across these, what are the things that actually caused these attacks, and can you extract those out and generalise them and say to people, if you do this, this is likely to be the impact, this is the compromise you will have. We're starting to try and do that. It's really difficult, but we've learned a lot over those 600 incidents.

I'm going to pick two out though, just to finish. So these two are really interesting: one was compromise of managed service providers, right, so these are the people who manage your IT for you, and one was an attack against internet edge routers, as in telcos, so taking over your internet edge, the router that goes out to the internet in the telco. They're interesting for two reasons. The first one is this is a single attack that gets you hundreds of customers, so you attack one network, one thing, that gets you hundreds of those customers, so it's kind of a meta attack, and that's interesting, it's an interesting change in MO. The really interesting thing for me is part of the response to both of these is changing global business models, right? So it's not just fixing the attack, it's how you change the global business models of managed service providers, of telcos, so that you can better protect people you really care about. Not quite sure how we're going to do that, but at least we've got some data to try. That's me done. [Applause] [Music]
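The DMARC mechanism the speaker describes (a domain owner publishing which senders and signing keys are legitimate, plus a disposition for mail that fails) can be shown end to end in a few functions. The following is an added example, not NCSC's or the dashboard's own code: it parses a DMARC record, applies the SPF/DKIM alignment rules to decide a disposition, and then summarises constructed aggregate-report rows the way the talk's dashboard does ("how much mail was untrusted, and how much of that was still delivered"). The public-suffix list, the report rows and the domain names are constructed placeholders; a real implementation would use the full Public Suffix List and parsed RUA XML.

```python
"""DMARC policy evaluation and aggregate-report summary (added example, constructed data)."""
from dataclasses import dataclass

# Tiny constructed stand-in for the Public Suffix List, enough for the sample domains below.
PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "uk", "com"}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless 's'
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless 's'
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to the domain policy
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain: the label directly left of the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(policy: dict, policy_domain: str, from_domain: str,
                      spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str) -> str:
    """'pass' if an aligned SPF or DKIM result exists, else the published action."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower() != policy_domain.lower()
    return policy["sp"] if is_subdomain else policy["p"]


@dataclass
class ReportRow:
    """One <record> of an aggregate (RUA) report, already reduced to the fields we need."""
    source_ip: str
    count: int
    spf_aligned_pass: bool    # policy_evaluated/spf == pass
    dkim_aligned_pass: bool   # policy_evaluated/dkim == pass
    disposition: str          # what the receiver actually did: none/quarantine/reject


# Constructed sample rows (documentation-range IPs), not real report data.
SAMPLE_ROWS = [
    ReportRow("203.0.113.5", 900, False, False, "none"),     # spoof, delivered anyway
    ReportRow("203.0.113.9", 600, False, False, "reject"),   # spoof, correctly rejected
    ReportRow("198.51.100.7", 500, True, True, "none"),      # legitimate sender
]


def summarise(rows) -> dict:
    """The dashboard view: share of mail that failed DMARC, and how much of it was still delivered."""
    total = sum(r.count for r in rows)
    failed = [r for r in rows if not (r.spf_aligned_pass or r.dkim_aligned_pass)]
    untrusted = sum(r.count for r in failed)
    still_delivered = sum(r.count for r in failed if r.disposition == "none")
    return {
        "total": total,
        "untrusted": untrusted,
        "untrusted_pct": round(100 * untrusted / total, 1) if total else 0.0,
        "untrusted_still_delivered_pct": round(100 * still_delivered / untrusted, 1) if untrusted else 0.0,
    }


if __name__ == "__main__":
    policy = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@example.gov.uk")
    print(dmarc_disposition(policy, "example.gov.uk", "example.gov.uk",
                            True, "mail.example.gov.uk", False, ""))
    print(summarise(SAMPLE_ROWS))
```

The "untrusted_still_delivered_pct" figure is the one the talk calls out as unexplained: a receiver that reports a DMARC failure but a disposition of "none" is ignoring the published policy, and the per-source rows are where you start looking for which receivers or forwarders do that.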
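The "Markov analysis" the speaker mentions for the protective DNS service, which flags query names that look like the output of a domain generation algorithm, can be approximated with a first-order character Markov model. This is an added example and not Nominet's Turing analytics or NCSC code: it trains letter-transition probabilities on a constructed list of benign registrable labels, scores each label of a queried name by its mean per-transition log probability, and flags names whose best label still scores below a threshold. The label list, the sample queries and the -6.0 threshold are constructed assumptions for illustration; a real deployment would train on the resolver's own benign traffic and calibrate the threshold against it.

```python
"""Character-level Markov scoring of DNS query names for DGA-like labels (added example)."""
import math
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"
ALPHA = 0.1  # additive smoothing so unseen transitions get a small, non-zero probability
PUBLIC_SUFFIXES = {"gov.uk", "co.uk", "uk", "com", "net", "org"}  # tiny constructed list

# Constructed training corpus of benign-looking registrable labels (generic words and brands).
BENIGN_LABELS = """
google microsoft windowsupdate office outlook live skype bing msn apple icloud itunes amazon amazonaws
cloudfront akamai akamaihd cloudflare fastly github gitlab bitbucket stackoverflow wikipedia
wikimedia mozilla firefox chrome android youtube facebook twitter linkedin instagram whatsapp
dropbox salesforce adobe oracle ibm intel nvidia dell lenovo cisco juniper vmware redhat ubuntu
debian canonical docker kubernetes symantec mcafee sophos kaspersky trendmicro avast bitdefender
parliament cabinetoffice homeoffice treasury justice education transport defence environment
companieshouse landregistry ordnancesurvey metoffice statistics nhs dvla hmrc gateway service
login account secure online portal support update download mail email news sport weather travel
bbc guardian telegraph times independent nominet netcraft wired
""".split()


def train(labels):
    """Count character transitions a -> b across all training labels."""
    counts = defaultdict(lambda: defaultdict(int))
    for label in labels:
        for a, b in zip(label, label[1:]):
            counts[a][b] += 1
    return counts


MODEL = train(BENIGN_LABELS)


def transition_logprob(a: str, b: str, model=MODEL) -> float:
    """log2 P(b | a) with additive smoothing over the alphabet."""
    row = model.get(a, {})
    total = sum(row.values())
    return math.log2((row.get(b, 0) + ALPHA) / (total + ALPHA * len(ALPHABET)))


def label_score(label: str, model=MODEL) -> float:
    """Mean log2 transition probability; higher means more like the benign corpus."""
    pairs = list(zip(label, label[1:]))
    return sum(transition_logprob(a, b, model) for a, b in pairs) / len(pairs)


def name_score(name: str, min_len: int = 6):
    """Score the least plausible long label of a query name; None if nothing is long enough to judge."""
    labels = name.lower().rstrip(".").split(".")
    candidates = [l for l in labels if len(l) >= min_len and l not in PUBLIC_SUFFIXES]
    if not candidates:
        return None
    return min(label_score(l) for l in candidates)


def flag_dga(queries, threshold: float = -6.0):
    """Return the query names whose score falls below the (assumed) threshold."""
    flagged = []
    for q in queries:
        score = name_score(q)
        if score is not None and score < threshold:
            flagged.append(q)
    return flagged


# Constructed sample of resolver queries: ordinary names plus two DGA-looking labels.
SAMPLE_QUERIES = [
    "windowsupdate.microsoft.com",
    "mail.hmrc.gov.uk",
    "login.service.gov.uk",
    "xkqzvbwtprlm.com",
    "qpwoeirutyalskdj.net",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q:32s} {name_score(q)}")
    print("flagged:", flag_dga(SAMPLE_QUERIES))
```

Short labels return None rather than a score because a four-letter label carries too few transitions to judge either way; the talk's point that the flagged cluster might be misconfiguration or unknown malware rather than a known DGA is exactly why a score like this is a triage signal to dig into, not a verdict.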
Info
Channel: WIRED UK
Views: 9,030
Rating: 4.909091 out of 5
Keywords: wired video, wired magazine, wired uk, wired, pop culture, science, politics, conde nast, health, technology, new technology, National Cyber Security Centre, wired security, uk, hacking, internet, security
Id: E9vR9i9Ds_g
Length: 16min 17sec (977 seconds)
Published: Tue Sep 18 2018