What is important about this is that it shows there is an active relationship between the Police and Internet Providers that goes beyond data intercept, anti-terror and anti-crime programmes. According to the release the programme has included sharing data with more than 50 organisations over the last three months. With 30,000 individual threats identified in that time, it shows the scale of the threat that is being detected.
The threat data was used to enable those alerted to take remedial action in order to protect their networks and data. What isn’t known is whether TalkTalk was one of the partners. For operational reasons the NCA isn’t willing to share information about who it works with or the details of how the threats are detected. However, given the size of TalkTalk it is highly likely that it was being provided with information. This raises questions as to whether it acted on the information provided and, if it ignored that information, whether that ultimately led to it being targeted in the attack last month.
What did NCA alert companies to?
The alerts included information on different types of attack, including:
- Malware
- Phishing
- Distributed Denial of Service (DDoS)
- Command and control systems for botnets.
The first three are fairly typical attacks that should have been picked up routinely by the industry. However, the specific information passed on may have included details of where the attacks were originating from, allowing providers to take action to limit access to their networks.
The more interesting alert is the last one. There have been a number of successful takedowns of botnets over the last year. In most cases the entire command and control structure was seized, enabling law enforcement to understand the details of the attacks and provide information to victims. In this case the alerts may also have been used to obtain from the providers greater access to, and information about, what other traffic was flowing in and out of the command and control servers, making it easier to map the entire criminal enterprise.
Has it been successful?
The NCA believes that the action it has taken has resulted in a 12% average reduction in the specific threats aimed at hosting company servers. The NCA admits that it is hard to place a value on savings to the industry, not just because the costs to individual companies are hard to obtain but also because it is impossible to estimate the costs incurred by victims. Either way, a 12% reduction has to be seen as some measure of success, especially as the number of attacks is continuing to increase.
What will be interesting is to see whether the next three months result in a higher number of threats being notified and a greater number of attacks being prevented. At that point, it would be fair to say that the programme is showing real benefits and to look at how it could be extended to individual companies, especially small companies, which are often easy targets for cyber criminals.
Paul Hoare, industry partnerships senior manager at the NCA’s National Cyber Crime Unit, said: “Working with industry to jointly combat cyber crime is a priority for the NCA, and sharing timely, customised intelligence with hosting companies can contribute to the protection of the UK internet infrastructure. Many alert recipients have taken timely action against the threats identified, and this is likely to have prevented losses to individuals and businesses further down the line.
“We continue to use all the means at our disposal to make the UK’s people and businesses the most difficult possible targets for cyber criminals.”
Conclusion
It is good to see positive news about relationships in the cyber world between the NCA, the Internet industry and individual companies. The focus of late has been all too negative and moments like this show that there is a real need for everyone to work together irrespective of the actions and laws being planned by politicians.
Going forward, it would be even more useful if the NCA were to provide the threat information through the Structured Threat Information eXchange (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) programmes. Both of these are being brought forward as standards under the OASIS committee and input from the NCA would certainly add to the trusted threat data that is used by industry vendors such as HP, IBM, Symantec and others.