Last updated at Mon, 12 Feb 2018 16:21:47 GMT

This week the UK National Cyber Security Centre (NCSC) released their first report on the year one results of their "Active Cyber Defence" (ACD) initiative. And, they're amazing.

The ACD program came out of a 2016 effort to re-think, re-imagine and re-tool cybersecurity efforts across the UK. The ACD “aspires to protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time” and the focus of the initial initiatives is on high-volume, opportunistic/commodity attacks vs more sophisticated ones1.

The design and labor behind the ACD — along with the inaugural published results — are nothing short of incredible. The NCSC proved that it is possible — with the proper support — to implement foundational cybersecurity monitoring, configuration and reporting that fundamentally changes the economics for opportunistic/commodity attackers while also providing clear, concise and effective tooling and reporting for defenders and business process owners.

The Big Picture

The initial rollout focused, primarily, on securing the domain and web infrastructure of UK government departments and agencies, but also included substantial work at the UK-wide, internet-level to help secure core routing configurations to reduce the capabilities of a large portion of denial of service (DoS) attacks.

The NCSC ACD report documents the technical details behind and outcomes of:

  • Monitoring for spam/phishing attacks and infrastructure along with their coordinated, infrastructure take down plans
  • Email domain security analysis and technical assistance for secure domain configuration (with a primary focus on DMARC)
  • Development and deployment of a user-friendly (both operationally and reporting) web vulnerability and configuration weakness scan service
  • Operation of a “Public” DNS service with a layer of security intelligence baked-in
  • Coordinating and enabling secure routing/BGP across UK ISPs and IXPs
  • Overall threat intelligence data sharing & collaboration

For each ACD service, the NCSC developed a set of key metrics to track the efficacy of their implementation and each initiative showed signs of real, measurable, positive impact. Defenders now have at-scale, baseline data2 that helps to validate a core set of beliefs that basic elements of cybersecurity — such as how DNS, email, web servers, SSL certificates and routing protocols are configured/tracked — can fundamentally change the behavior of attackers and force them to move to more insecure targets.

The rest of the post covers highlights from each section and notes how you can follow in the NCSC's footsteps to help do the same for your organizations.


Domains, URLS and emails provide a wealth of information for active defense

One NCSC focus was on phishing sites. Reducing the "time to live" of phishing URLs means fewer victims fall prey3. By monitoring feeds and content of spam e-mails, the NCSC reports that 65% of phishing sites are now taken down within 24 hours vs 39% the previous year, and rates of new UK "brand" phishing sites created in 2017 were also reduced.

Furthermore, by doing new-domain "closeness" comparisons to UK "brands" even more bits of malicious infrastructure were identified and put out of commission.

Try this at home: The NCSC used spam/phishing URL feeds and performed domain/URL similarity analysis to identify near-brand sites. They traced active sites to IP addresses and further identified hosts that were communal spam nodes. These nodes were reported to providers with takedown requests. You can perform the same analysis steps and work with your local law enforcement officials to achieve the same result.
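The similarity step above is the part most organizations can run themselves. The following is an added example (not NCSC code and not from the report) of one way to flag near-brand hosts in a URL feed: it folds common digit/symbol substitutions back to letters, strips separators, and then looks for the brand either embedded in the host or within a short edit distance of a same-length window of it. The brand list, hostnames and threshold are constructed assumptions; the brand list in practice is your own domain inventory.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed brand list: in practice this is your own domain inventory.
BRANDS = ["hmrc.gov.uk", "nhs.uk", "dvla.gov.uk"]

# Digit/symbol substitutions commonly seen in lookalike names, folded back to letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "|": "l"})

# Assumed threshold; tune it against your own feed to balance misses and false positives.
SIMILARITY_THRESHOLD = 0.85


def hostname(target: str) -> str:
    """Extract a lower-cased hostname from a URL or a bare host string."""
    if "://" not in target:
        target = "http://" + target
    return (urlparse(target).hostname or "").lower().rstrip(".")


def fold(name: str) -> str:
    """Collapse a name to letters only: lower-case, homoglyphs mapped, separators dropped."""
    return (name.lower().translate(HOMOGLYPHS)
            .replace(".", "").replace("-", "").replace("_", ""))


def is_legitimate(host: str, brand: str) -> bool:
    """The brand itself and its own subdomains are not lookalikes."""
    return host == brand or host.endswith("." + brand)


def best_window_ratio(core: str, target: str) -> float:
    """Highest similarity between target and any substring of core of about the same length."""
    best = 0.0
    for length in (len(target) - 1, len(target), len(target) + 1):
        if length <= 0 or length > len(core):
            continue
        for i in range(len(core) - length + 1):
            best = max(best, SequenceMatcher(None, core[i:i + length], target).ratio())
    return best


def brand_lookalikes(target: str):
    """Return [(brand, reason, score)] for every protected brand the target imitates."""
    host = hostname(target)
    core = fold(host)
    hits = []
    for brand in BRANDS:
        if is_legitimate(host, brand):
            continue
        folded_brand = fold(brand)
        if folded_brand in core:
            # e.g. hmrc-gov-uk.<anything>: the brand is spelled out inside a foreign domain
            hits.append((brand, "embedded", 1.0))
            continue
        score = best_window_ratio(core, folded_brand)
        if score >= SIMILARITY_THRESHOLD:
            # e.g. dvia.gov-uk.com: one character off after folding
            hits.append((brand, "similar", round(score, 2)))
    return hits


if __name__ == "__main__":
    for url in ("http://hmrc-gov-uk.refund-claims.example/login", "dvia.gov-uk.com",
                "www.nhs.uk", "https://example.com/"):
        print(url, "->", brand_lookalikes(url))
```

Hits are candidates for analyst review and a takedown request to the hosting provider, not automatic blocks: a similarity score this coarse will occasionally match an unrelated name, and the windowing cannot tell a registered lookalike from a legitimately similar subdomain. A real deployment would also decode punycode (`xn--`) labels before folding, which this example leaves out.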

What makes NCSC different: The NCSC also identified malicious infrastructure being hosted in the UK through other means and worked with ISPs to remove them. This isn't something organizations in general can work on, but other governments can (and will hopefully start doing after they read the report).


The NCSC inventoried the UK government domains and setup a system to start using DMARC, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) records on all primary domains and subdomains across all agencies. Lists go stale, so part of this effort was also to create a means to track and refresh changes throughout the year.

Proper implementation of DMARC/SPF/DKIM can significantly reduce the ability for phishing emails to enter an organization as they define authority and permission rules for email.

The NCSC created a user-friendly service — Mail Check — that automatically assesses email domain security posture and helps defenders configure their domains properly when they get out of whack. They use the reporting features of DMARC to create a data-driven feedback loop for attacker activity.

They are rolling this out slowly and DMARC + DKIM + SPF use has shown marked improvement.

Try this at home: Inventory your domains (and keep it fresh). Ensure DMARC/DKIM/SPF configurations are in place (this is a 100% free/"no excuses" activity) and monitor them for changes.
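The "monitor them for changes" part is where a small script earns its keep. The block below is an added example (not Mail Check and not from the report) of a posture check you could run over your domain inventory: it parses an SPF record and a DMARC record and returns the findings a defender would act on (missing records, `+all` or missing SPF terminator, more than ten lookup mechanisms, `p=none`, no `rua=` address, partial `pct=`). The TXT records are constructed stand-ins for what a resolver would return; a live version would fetch `<domain>` TXT and `_dmarc.<domain>` TXT and diff today's findings against yesterday's.

```python
import re

# Constructed TXT records standing in for resolver answers for each inventoried domain.
# In practice you would query <domain> TXT for SPF and _dmarc.<domain> TXT for DMARC.
RECORDS = {
    "good.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@good.example; pct=100",
    },
    "weak.example": {
        "spf": ("v=spf1 a mx include:a.example include:b.example include:c.example "
                "include:d.example include:e.example include:f.example include:g.example "
                "include:h.example include:i.example +all"),
        "dmarc": "v=DMARC1; p=none",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

ALL_TERM = re.compile(r"^[+\-~?]?all$")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(record):
    """Count mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps these at 10."""
    count = 0
    for term in record.split()[1:]:
        t = term.lstrip("+-~?").lower()
        if t in ("a", "mx", "ptr") or t.startswith(("a:", "a/", "mx:", "mx/", "ptr:",
                                                    "include:", "exists:", "redirect=")):
            count += 1
    return count


def assess_spf(spf):
    """Findings for one SPF record; an empty list means nothing to fix."""
    if spf is None:
        return ["SPF: no record; receivers cannot tell which hosts may send as this domain"]
    findings = []
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("SPF: record does not start with v=spf1")
    all_term = next((t.lower() for t in terms if ALL_TERM.match(t.lower())), None)
    if all_term in (None, "all", "+all"):
        findings.append("SPF: missing or +all terminator; the record authorises every sender")
    elif all_term == "?all":
        findings.append("SPF: ?all (neutral) gives receivers no usable signal")
    elif all_term == "~all":
        findings.append("SPF: ~all (softfail); move to -all once DMARC reports show no legitimate failures")
    if spf_lookup_count(spf) > 10:
        findings.append("SPF: more than 10 DNS-lookup mechanisms; receivers will return permerror")
    return findings


def assess_dmarc(dmarc):
    """Findings for one DMARC record; an empty list means nothing to fix."""
    if dmarc is None:
        return ["DMARC: no _dmarc record; receivers can neither enforce nor report a policy"]
    findings = []
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    return findings


def assess(domain, records=RECORDS):
    """All SPF and DMARC findings for one inventoried domain."""
    entry = records[domain]
    return assess_spf(entry["spf"]) + assess_dmarc(entry["dmarc"])


if __name__ == "__main__":
    for domain in RECORDS:
        print(domain, assess(domain) or ["no findings"])
```

DKIM is deliberately left out: a DKIM key lives at `<selector>._domainkey.<domain>` and the selector is not discoverable from DNS alone, so that check needs the selector names from your mail platform's configuration rather than from the inventory.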

Website Security

Along with Mail Check comes "Web Check" — an ACD-run service that does foundational (and easy) regular web site vulnerability and configuration scanning. (Section 4.1 has the full list).

The system scans and reports the issues to UK agency web property owners and provides helpful guidance on remediation. Plus, the service can be initiated by the owners themselves and is designed with a "non-security" end-user in mind. Making all these initiatives accessible and consumable by non-security folks was paramount in the design.

Try this at home: Most Web Check reported issues are resolved in less than 48 hours. Most enterprises are likely very envious of that statistic. If you don't do basic scanning across your services, start now. When you do, consider augmenting current, complex/deep scans with similar "basic/foundational" ones and set up a process where business process owners can self-correct vs be put in front of a tribunal (or arduous blinky red dashboard). Strive to reach a similar 48 hour resolution baseline for these basic scans.

(More) DNS

The NCSC set up a secure DNS service for their Public Sector agencies. This service is similar to commercial offerings like Plan9 which help filter out malicious domains and note requests to malicious domains (or irregular DNS lookup activity) to help reduce the impact of malware and other post-exploit actions.

By providing a free-to-use service that has security baked in, the NCSC helps improve security and safety across all agencies. They also have the added benefit of being a government and can use new domain and target IP intelligence to help remove malicious infrastructure from the internet. Not all agencies (121 now) use the Public Sector DNS but they now have detailed query volume and total/unique block volume as well. Section 5.2.3 has these statistics (and talks about the difficulty in comparing these statistics) but out of a billion weekly DNS requests across all adopted agencies, roughly 300,000 total (5,000 unique) are blocked.

This Public Sector DNS service also helped identify misconfiguration in each adopted agency, thus improving operations as well as security.

Try this at home: If you're not convinced by now that DNS is a treasure trove of data for defenders you will likely never be. However, this is your data and it's free (since it's yours). Invest in a "clean DNS" service (or build one for free or add one that comes as part of your commercial DNS servers) and use the data to the fullest extent possible.
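To show what "use the data" looks like at the resolver, here is an added example (not the Public Sector DNS service and not from the report) that runs the two kinds of check the section describes over a constructed query log: blocklist matching that catches a blocked domain and any of its subdomains, and a simple "irregular lookup" heuristic that flags clients resolving long, high-entropy labels with a high NXDOMAIN rate. It also produces the same total/unique blocked counts the report uses as its headline metric. The blocklist, client addresses and query names are all constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed blocklist; a real one comes from your threat-intelligence feeds.
BLOCKLIST = {"malicious.example", "c2.badhost.example"}

# Constructed resolver log: one query per line as "<client> <qname> <rcode>".
LOG = """
10.1.1.5 www.gov.uk NOERROR
10.1.1.5 malicious.example NOERROR
10.1.1.7 update.c2.badhost.example NOERROR
10.1.1.7 malicious.example NOERROR
10.1.1.9 x7k2p9qm4v1z8w3r5n6t.example NXDOMAIN
10.1.1.9 qa9z2m8k1w4p7x3v6r0t.example NXDOMAIN
10.1.1.9 h3j9w2q7m5z1k8x4v0r6.example NXDOMAIN
10.1.1.5 mail.hmrc.gov.uk NOERROR
"""


def in_blocklist(qname, blocklist=BLOCKLIST):
    """True if qname is a blocked domain or any subdomain of one (suffix match on labels)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def entropy(text):
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_generated(qname, min_len=16, min_entropy=3.5):
    """Heuristic for algorithmically generated or tunnelling labels (assumed thresholds)."""
    first_label = qname.split(".")[0]
    return len(first_label) >= min_len and entropy(first_label) >= min_entropy


def analyse(log_text, blocklist=BLOCKLIST):
    """Summarise a resolver log: block counts, suspicious clients and per-client NXDOMAIN rate."""
    total = 0
    queries = Counter()          # queries per client
    nxdomain = Counter()         # NXDOMAIN answers per client
    blocked = Counter()          # blocked qname -> hit count
    suspicious = defaultdict(list)
    for line in log_text.strip().splitlines():
        client, qname, rcode = line.split()
        total += 1
        queries[client] += 1
        if in_blocklist(qname, blocklist):
            blocked[qname] += 1
            continue
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
        if looks_generated(qname):
            suspicious[client].append(qname)
    return {
        "total": total,
        "blocked_total": sum(blocked.values()),
        "blocked_unique": len(blocked),
        "suspicious": dict(suspicious),
        "nxdomain_rate": {c: nxdomain[c] / queries[c] for c in queries},
    }


if __name__ == "__main__":
    report = analyse(LOG)
    print(f"{report['total']} queries, {report['blocked_total']} blocked "
          f"({report['blocked_unique']} unique domains)")
    for client, names in report["suspicious"].items():
        print(f"{client}: {len(names)} generated-looking lookups, "
              f"NXDOMAIN rate {report['nxdomain_rate'][client]:.0%}")
```

The block count and the unique count answer different questions: many hits on one domain usually means one infected host or one misconfiguration, while many unique blocked domains points at broader exposure. The entropy heuristic is a triage signal only; CDN and cloud hostnames also produce long random-looking labels, so pair it with the NXDOMAIN rate (as here) and with a client's normal baseline before raising an alert.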

Securing The Intertubes

BGP (the routing protocol of the internet) by default and design is not secure. There is a security layer that ISPs and exchanges can use on top of it to help ensure that routes are exchanged properly and that cleverly configured packets can't be used to perform denial of service (DoS) attacks (it can't stop all of them, though).

The NCSC worked with UK ISPs and exchanges to beef up the security configurations across the UK, making it harder to hijack routes, perform DoS attacks and spoof packets.

Try this at home: If you're big enough to have at-scale BGP configurations (internally or on the internet) brush up on BGP security and start projects to get them implemented. Attend internet exchange events and lobby for more secure configurations to be adopted and consider doing business only with carriers who take this seriously.

Putting It All Back Together

All the previous pieces are parts of a whole. This "whole" has a name at the NCSC: the "Threat-o-Matic". Yes, that is the name of it. The platform has a somewhat kitschy name on purpose. Cybersecurity really isn't a dark art but we defenders often make it come across that way.


This Threat-o-Matic is the central hub for all defenders — and all the UK government "business process owners" are now defenders. They see the events, reports, configurations and have guidance provided in terms that are clear and concise. By demystifying cybersecurity and making the threats, issues and resolutions transparent they empower individuals to take active ownership in defending HMG (Her Majesty's Government).

If you do nothing else, follow this example. Make security accessible. Bring business process owners into the defender fold. Give them data to help them understand what your organization is facing and empower them to become agents of real, positive change.


2 Section 1.3 of the report cautions against drawing 1:1 causation conclusions from this initial data and notes that more data and more eyes on the data is necessary, especially over time.
3 Section 2.1 notes the difficulty of quantifying the reduction in victims due to how difficult it is to get click-through data for real-world phishing events.

Header image Photo by Rene Böhmer on Unsplash