One year of Active Cyber Defence

February 6, 2018

Anniversaries are a good moment to reflect. The first anniversary of our involvement with the National Cyber Security Centre (NCSC) and their Active Cyber Defence programme was marked earlier this month with a blog from Ian Levy and a detailed report into what has been an encouraging year for national cyber defence.

As Levy points out, “this is only a start and there’s lots more to do”, but achievements are noticeable and the report finds that “people in the UK are objectively safer in cyberspace” because of the programme. That’s positive news. Even more exciting is that Nominet has been a part of that journey.

We are currently operating as a small part of the larger NCSC machine that works constantly to keep the nation safe from an increasing risk of cyber attack against our national infrastructure and systems. For over two decades we have been guardians of the .UK domain, with experience in domain name system (DNS) data analytic tools to keep our country’s namespace secure. NCSC recognised that our expertise with DNS could be applied to secure their systems and monitor activity on their DNS to help them better understand the landscape. That is exactly what we have done – and continue to do.

We run the Public Sector DNS service, providing protective DNS services to public sector bodies. We have built a highly accessible DNS infrastructure to serve around 1,000 organisations on the Public Service Network (PSN). Our infrastructure works to block access to known bad domains, using lists derived from commercial, open source and NCSC feeds.

We also perform analytics on the resolution data to identify other security issues, which we report back to NCSC and to the organisations using the service. It’s crucial not only to block the bad guys but also to give system operators what they need to remediate issues and understand the nature of the landscape, so they can work more effectively on the security of their systems. It’s not just about finding a quick fix when things go wrong but about active cyber defence: proactively keeping the NCSC systems as secure as possible.

If you like the stats, the new report is bursting with them in the interest of transparency in the sector. We have collected some of the details of our own work from the past year for NCSC’s Public Sector Network:

  • At its peak in December, our public sector DNS service was responding to 1.23 billion requests each week.
  • During that peak week, 273,329 requests were blocked, of which 5,768 were unique.
  • In the last two months of 2017 alone, the service blocked over 2.5 million malicious resolution requests driven by direct blocks from our feeds.
  • Over three terabytes of DNS data was analysed for security threats.
  • We blocked 134,825 unique DNS queries, benefiting almost all organisations on the PSN.
  • On average, 1 in 6 organisations joining the service had a security issue identified that required further remediation.
  • We found traffic linked to malware in nine organisations. The malware families involved were Wannacry, BadRabbit, Ramnit and Conficker. Traffic for these was handled appropriately.

It is satisfying to reflect on the successes from our work so far for NCSC. We can acknowledge and recognise that we are having an impact on the security of the PSN even after just one year of involvement.

Moving forwards, we are exploring how we can use data from our DNS analytics on the .UK domain to help NCSC identify risks or vulnerabilities in the system as a whole. Information is power, especially when the country faces a rise in cyber attacks and a more threatening digital landscape. We are proud to support NCSC’s great work and will look forward to another year of hard graft to help keep the country’s national infrastructure safe.