Five Takeaways From the NCSC’s Annual Review

the nCSC annual review

On Tuesday the UK’s National Cyber Security Centre (NCSC) released its Annual Review, a wrap of the fantastic work the agency has done in protecting the UK from threats throughout an incredibly trying year. 

Thanks to the NCSC’s role on the front lines of national cyber defense, this report also provides a unique insight into emerging cybersecurity trends. These are our top five highlights from the report that security professionals in the UK and beyond should take note of:

1. the year the private sector took state threats seriously

It will come as no surprise that Russia’s illegal invasion of Ukraine is front-and-center of the NCSC’s report, as the most significant development in the international cyber threat landscape. 

Not only has the NCSC been at the forefront in protecting the UK from threats emerging from Russia, but it has also supported the Ukrainians’ staunch cyber defense in the face of Russian hostility. The UK Government announced on Tuesday that an initial £6.35 million package was delivered to Ukraine at the outset of the war to help combat Russian threats.

The NCSC report also notes that the war in Ukraine has escalated cybersecurity to a board-level issue in UK businesses as well. As NCSC CEO Lindy Cameron put it in her speech announcing the Annual Review, this “was the year that the private sector took state threats seriously”. 

This is a welcome development, as state-backed threats don’t start and end with Russia. The Annual Review highlights that China – which already has the largest cyber force in the world – is continuing to develop and evolve its technical capabilities, making it likely that it will be “the single biggest factor affecting the UK’s cybersecurity in years to come.”

2. ransomware rages on

Ransomware continues to be one of the most significant cyber threats facing UK businesses. The NCSC flags the increased use of ready-made Ransomware-as-a-service (RaaS) infrastructure, which helps less-skilled affiliate groups to launch their own attacks without having to build the ransomware themselves.

According to the report, the NCSC has co-ordinated the national response to 18 ransomware attacks in the UK in the last year. This includes the attack against the healthcare service NHS 111, and the CNI attack on South Staffordshire Water. The NCSC warns that the true number of ransomware attacks is far higher than reported, as organizations often won’t report when they are compromised.

3. Increase in mfa fatigue attacks

While the Annual Review does outline sophisticated attacks being utilized by cybercriminals, it also makes a note of changes in the use of “less sophisticated attacks”. In particular, the use of MFA fatigue where – as the NCSC puts it – cybercriminals send a “deluge of MFA acceptance prompts on a user’s phone until the user clicks ‘Allow’ to stop the flood of requests”.

As we noted in our recent blog on MFA bypass techniques, stolen credentials remain the most common vector for breaching an organization and an overreliance on MFA can put businesses at risk. Indeed, the wide availability of credentials means that this technique is used in both small and large-scale attacks, with the NCSC noting that, as a consequence “activity by sophisticated actors can appear very similar to activity by unsophisticated ones.” 

This demonstrates the importance of security teams identifying credentials that have been leaked on clear, deep, and dark web sites, so they are not wholly reliant on MFA from blocking the threat.

4. dark web marketplaces are an emerging threat

Security professionals should pay special attention to the “future threat challenges” section of the report, which highlights the “growing grey market for cyber tools” such as “off-the-shelf cyber surveillance products”, “hackers for hire,” and “as-a-service” models.

As the report alludes to, the increased accessibility of these tools lowers the barriers of entry for cybercriminals, and puts capabilities that we would usually associate with nation-backed groups into the hands of less sophisticated criminal actors to use against the wider population. 

This activity has to be combatted at the source – in the deep and dark web where these vulnerability and exploit marketplaces are hosted. Demand for these tools is always going to be high so we have to disrupt supply, and make life difficult for the cybercriminal operators trying to sell these malicious products.