The UK’s National Cyber Security Centre (NCSC) is increasingly aggressively targeting malicious online actors, taking a range of proactive measures – including apparent dark web data mining – to proactively identify stolen credit card numbers, for example, which can then be passed on to financial services institutions to shut down.

Details on that project, dubbed “Operation Haulster”, remain closely held, but the NCSC annual report suggests an automated data mining approach.

See also: Introducing the Intelligence Network: BAE Systems’ 1,500-Strong Coalition to Tackle Cyber Fraud

“Criminal groups are using criminal marketplaces in cyberspace to buy and sell personal information and credit card details. Haulster takes stolen credit cards collected by the NCSC and partners, then, working with UK Finance, repatriates them to banks, often before they are ever used for crime.

“Card providers are then able to block cards to protect both financial institutions and the public”, it says, without specifying the nature of that “collection”. (Computer Business Review has requested further details on the operation and will update this story if we receive them from the NCSC).

NCSC Annual Report 

NCSC CEO Ciaran Martin said: “Thanks to the innovation of our technical experts, we have been able to increase the number of threat indicators we share by tenfold to more than 1,000 per month, and the speed we process them from days to seconds.”

One thing clear from this year’s annual round-up of the agency’s activities is that the NCSC is fighting cyber crime on numerous fronts, mitigating 658 serious incidents, many of which involved state actors. Cyber crime remains the primary threat to businesses, however, Martin notes: “The most immediate threats to UK citizens and businesses come from large scale global cyber crime.

“Despite often being low in sophistication, these attacks threaten our social fabric, our way of life and our economic prosperity.”

One example of this can be seen in e-commerce. Cyber criminals have been targeting the open source e-commerce platform Magento by creating malicious JavaScript code in so-called Magecart attacks. These sweep up credit card transactions and send funds back to hacker controlled sites. The NCSC has been sparring with these hackers and so far has shut down 1,102 malicious  skimming code installations. Nearly 20 percent of these attacks were shut down within the first 24 hours of their discovery.

“123456, Liverpool, Qwerty, Password” 

The NCSC annual report highlights that security credentials are still in a woefully predictable place: 280,723 people used Liverpool as their password, with Chelsea in second place with 216,677 own goals.

NCSC Annual Report 2019

Brute-forcing passwords (increasingly easy, owing to the proliferation of open source tools to do so and ability to spin up the firepower of cloud instances to crack even tough passwords) never looked more easy.

A hefty 432,276 people used the name Ashley to secure their systems, while in the realm of fictional characters Superman comes out on top with 333,139 logged uses.

NCSC Launches ‘Cyber Defence Ecosystem’

The NCSC has also launched a heavily automated “Cyber Defence Ecosystem” (CDE) that will change how cyber threat knowledge is shared. This has four key aims:

  1. “Create a structured and automated ecosystem across the UK (and in time globally).
  2. “Share ‘our part of the puzzle’ to better defend the UK, partners and allies.
  3. “Build and enhance threat awareness to enable better detection and defence.
  4. “Rapidly alert enterprise victims of malicious activity.

The NCSC notes in its report that: “The purpose of the CDE is not to simply share information – it is to improve protection in service providers, enterprises and those who defend networks for their communities through driving concrete action based on shared knowledge.

Sharing data appears to at the forefront of the agencies’ agenda as it has also created an automated Indicator of Compromise (IOC) machine. This system uses working knowledge about how hacker’s operate, tools used and techniques deployed to identify when an adversary is attacking.

The automated IOC machine is located in GCHQ’s headquarters in Cheltenham and its creation has removed the need for human analysts to preform manual checks on each indicator. This manual process was so time consuming that the NCSC’s says the information gained was often irrelevant due to the delay. Now what took hours is completed in seconds.

NCSC CEO Ciaran Martin notes that: “Cyber security has moved away from the exclusive prevail of security and intelligence agencies towards one that needs the involvement of all of government, and indeed all of society.”

“The importance of partnerships in cyber security, both at home and abroad, cannot be over emphasised. We are learning that securing the nation’s digital future is not just about protecting networks and devices – it’s about inspiring a safe and trusted product base, and a skilled and diverse workforce who can make the cyber landscape work for the whole of the UK.”

See Also: NCSC ‘Evil Hacky Kludge’ Stops Large Scale Airport Email Scam and Raises Cost to Attack HRMC