The UK National Cyber Security Centre (NCSC) recently published the third annual report on its Active Cyber Defence (ACD) programme, launched in late 2016. The goal of ACD is to develop products, services, and capabilities intended to “protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time”. As of 2021, ACD was broken down into ten workstreams, the majority of which focus on improving cybersecurity across UK national, regional, and local government.
For the private sector, one of the more interesting aspects of ACD is the “NCSC Takedown Service”, a system implemented to try to make imitation of UK Government brands more challenging by continuously searching the internet for malicious imitations and taking them down as they are found. The service, which is outsourced to a private company, also allows businesses and members of the public to report malicious content to be taken down.
Statistics published in the ACD annual report show some notable successes for the Takedown Service, particularly a long-term reduction in the average length of time malicious imitations of UK Government brands are online before being taken down, with a median availability time of 15 hours and 60% of imitations having been removed within 24 hours. NCSC figures also show a reduction in how frequently some UK Government brands are imitated, particularly HM Revenue and Customs, though the extent to which the Takedown Service has caused this is unclear.
While the Takedown Service only covers UK Government brand imitation, it shows the value that can be derived from aggressively seeking out and taking down malicious imitations. Pushing down the average availability period for a malicious site helps to reduce the window of opportunity for its operators to cause harm to a brand and its customers. This can provide benefits to organisations across all sectors, not just governments and heavily imitated organisations such as retail financial institutions.
We use takedown requests to disrupt criminality and frustrate attackers in fraud investigations and cyber incidents. Some service providers, such as domain registrars and internet service providers, will take quick action to suspend or remove malicious sites or domains. We frequently take this kind of action against impersonation domains used to send emails, “clone” investment firm websites impersonating legitimate financial institutions, or attacker-controlled infrastructure used in a cyber-attack. Used alongside traditional investigative techniques and civil legal action, this can be an effective tool in a strategy to deter attackers.
Businesses can proactively search for new domain registrations which are intended to imitate their businesses and monitor them for changes. The key to an effective takedown capability is automation. Manually searching for imitations and submitting takedown requests is unlikely to be efficient enough to make the exercise sufficiently timely and cost-effective. It is also critical to move quickly – the longer a malicious site is up, the greater its impact will be. This means that for many organisations the most effective approach will be to outsource this work to dedicated providers, as the NCSC has done with its Takedown Service.
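The proactive search described above can be automated along the following lines. This is an added example, not code from the NCSC, its provider, or the authors; the brand `examplebank`, the folding table, the thresholds and the sample feed are all constructed assumptions.

```python
# Constructed folding table: digit-for-letter swaps often seen in lookalike names.
FOLD = str.maketrans("01357", "olest")

def normalise(label):
    """Lower-case, drop hyphens, fold confusable characters ('rn' reads as 'm')."""
    folded = label.lower().replace("-", "").translate(FOLD)
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand, own_domains):
    """Return why `domain` resembles `brand`, or None if it does not."""
    domain = domain.lower().rstrip(".")
    if domain in own_domains:
        return None
    target = normalise(brand)
    limit = 1 if len(target) < 8 else 2   # tolerate fewer typos on short brands
    for label in domain.split(".")[:-1]:  # every label except the TLD
        folded = normalise(label)
        if label == brand:
            return "brand on unowned TLD"
        if folded == target:
            return "character substitution"
        if target in folded:
            return "brand embedded in label"
        if edit_distance(folded, target) <= limit:
            return "typo variant"
    return None

def scan(feed, brand, own_domains):
    """Map each suspicious domain in `feed` to the reason it was flagged."""
    hits = {d: classify(d, brand, own_domains) for d in feed}
    return {d: why for d, why in hits.items() if why}

# Constructed sample feed of newly registered domains (not real observations).
FEED = ["examplebank.co.uk", "examp1ebank.com", "exarnplebank.org",
        "examplebank-login.net", "exampelbank.co.uk", "examplebank.shop",
        "gardeningtips.org"]

if __name__ == "__main__":
    for name, why in scan(FEED, "examplebank", {"examplebank.co.uk"}).items():
        print(f"{name}: {why}")
```

Where the feed of new registrations comes from is left open here; flagged names are candidates for monitoring and review before any takedown request is submitted.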