GCHQ planning use of DNS filters to curb cyber-attacks

The boss of GCHQ and the new NCSC has revealed that the spy agencies are planning to partner with UK ISPs to use DNS filtering to curb cyber-attacks.

GCHQ's Cheltenham-based offices.

Speaking at the Billington Cyber-Security Summit, Ciaran Martin, boss of Government Communications Headquarters (GCHQ) and the new public-facing National Cyber Security Centre (NCSC), has spoken of the spy agency's desire to use DNS filters as a way of curbing cyber-attacks.

In his speech he said that, “We're exploring a flagship project on scaling up DNS filtering: what better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses? Now it's crucial that all of these economy-wide initiatives are private sector led. The government does not own or operate the internet. Consumers must have a choice. Any DNS filtering would have to be opt out based. So addressing privacy concerns and citizen choice is hardwired into our programme.”

GCHQ is reported to routinely use DNS filtering to filter out some parts of the internet which the government asks to be banned. One of the most notable and recent cases was ex-prime minister David Cameron's decision to ban certain types of pornographic content from UK citizens' eyes.

The spy agency is now looking to use this same method to block known bad web addresses which could infect a machine with malware, often disguised as legitimate domains. This is one of the most common ways in which cyber-attacks spread.

This type of cyber-attack is allegedly widely used by states such as China, Iran or Russia in efforts to gain access to government networks, steal information or compromise national infrastructure. It is also a common means for cyber-criminals to target individuals and can be used in phishing attacks, for example.

GCHQ is reportedly looking to partner with UK Internet Service Providers (ISPs) to make this happen, so it doesn't have to go through the longer and more cumbersome route of asking for it to be legislated for.

UK citizens are alleged to be able to opt out of this filtering in order to alleviate any concerns over civil liberties.

Martin added: "These initiatives complement what we've long been doing in cyber-security. In the UK, we have our Secure by Default initiative, developing secure hardware, software and digital services, including the proper role of strong encryption. And we'll continue to work with our private sector partners to find and fix vulnerabilities; so far this year we've been credited publicly with identifying 20 major vulnerabilities, by Apple and other major providers."

Fraser Kyne, regional SE director at Bromium, told SCMagazineUK.com, “Initiatives like this are to be applauded - and are a useful step in the right direction. However, as the commentary suggests, these kinds of steps can only help against known and simple malware. Given the polymorphic nature of malware, and the proliferation of targeted attacks, these kinds of steps will only filter out some of the low level noise - without helping much against the really dangerous attacks. More investment is needed in practical ways of protection that don't rely on detection. Virtualisation-based security on endpoints isolates both known and unknown malware; and should be considered as the next layer of defence in any security stack. Without it we're just playing "whack-a-mole" security.”

The announcement comes as the Internet Service Providers' Association (ISPA), a lobby group that represents ISPs like Sky, BT and Virgin Media, published a member survey earlier this month which claimed that most ISPs in the UK have been subjected to cyber-attacks on a monthly, weekly, or even daily basis.

The NCSC is expected to open in London next month and to be a convergence of cyber-security forces in the UK, with the aim of offering better cyber-defences for the increasingly digital UK economy.

Matt Hancock MP, Minister of State responsible for digital policy at the Department for Culture, Media and Sport, said back in March that, “The UK faces a growing threat of cyber-attacks from states, serious crime gangs, hacking groups as well as terrorists. The NCSC will help ensure that the people, public and private sector organisations and the critical national infrastructure of the UK are safer online. It will bring the UK's cyber-expertise together to transform how the UK tackles cyber-security issues.”

Hancock added, “It will be the authoritative voice on information security in the UK and one of its first tasks will be to work with the Bank of England to produce advice for the financial sector for managing cyber-security effectively. In setting up the NCSC we will adopt structured consultation with the private sector. Our objectives are to raise awareness of government intent; undertake genuine dialogue that shapes service delivery; demonstrate serious commitment to listen; and develop sustainable engagement channels.”

Stephen Gates, chief research intelligence analyst at NSFOCUS, said: “Worldwide, the general public who follow the laws of their nations, are all growing ever more weary of cyber-attacks - and the criminals behind them. In many cases, the public would like to see service providers step up and help protect them from clearly identifiable malicious websites on the internet. Today, there are over 325 million registered domain names across all top-level domains (TLDs) and likely billions of unique URLs; many of which house malware, exploit kits, ransomware, malvertising, and/or are involved in other criminal activities. Anything that can help protect the public from unknowingly going to these sites (often resulting in infection, compromise, fraud, theft, etc.) is a step in the right direction. However, doing so will result in pundits accusing governments and ISPs of trying to be the internet police. As a result, it has become every man, woman, and child for themselves - and we wonder why cyber-infection rates are growing exponentially across the globe.”

Piers Wilson, head of product management at Huntsman Security, said: “A recent Freedom of Information request found that the number of breaches reported to the ICO in the last 12 months has nearly doubled from the previous year, so something clearly had to be done. The plans announced by Ciaran Martin for a more automated defence network to protect Britain from low-level threats are certainly a step in the right direction. Although these threats in themselves can range in their level of sophistication, they can still cause organisations to be overwhelmed by the sheer volume of threat alerts they trigger. This can lead to more serious or insidious threats going unchecked, which can give more sophisticated hackers a far easier ride.”

Wilson concluded: “Dealing with the volume of low-level threats is still just one part of the puzzle; organisations remain at risk from more targeted attacks and insider threats, which the new ‘Great Firewall of Britain’ could do little to solve. As such, organisations themselves still need the capability to triage those threats that do still make it through, so they can identify the most serious and prioritise them accordingly. This can best be achieved by maximising the degree of automation in the threat verification and remediation process, so that ‘known’ attacks can be dealt with by security systems, whilst IT teams are freed up to concentrate on the most severe, unknown threats.”