Active Cyber Defence – Case Studies for Defending Public Institutions

29th July 2019


Simon Whitburn
Senior Vice President Cyber Security Services

One of the most interesting elements of the Active Cyber Defence – The Second Year report, from a Nominet perspective, is the set of three case studies. Each one showcases real-life cyber defence in which a handful of indicators set in motion a series of events to protect a public institution, such as a school, from cyber attack.

Not only do the case studies show the very real threat facing public institutions but they also demonstrate the type of remedial action needed to counteract an attack.

Let’s look at each one in a little more detail. Here are the scenarios:

  • Remediating a worm at a local authority
    When Ramnit – a worm affecting Windows systems – was suspected, an investigation showed that PDNS was blocking malicious domain name lookups from infected machines that were not protected by an endpoint security solution.
  • USB infection
    Malware originating from an infected USB stick was found through indicators from the PDNS service.
  • Multiple internet connections
    The desire to ‘always be connected’ means that security teams are forever tackling new devices gaining access to the network. In some cases these are connected specifically because employees want to bypass policy controls, e.g. they are prevented from downloading a specific piece of software. One such unsanctioned connection was found to have been harnessed by an attacker, who was detected by the PDNS service as they pivoted through the target network.

The full report can explain exactly what tools and techniques were used to collaboratively counteract these and other threats but, from our perspective, let’s look at the role of DNS-based security.

The PDNS service constantly monitors the queries it receives for requests to resolve domains that threat intelligence feeds have flagged as malicious. This raw data is analysed in real time by both the NCSC and our team at Nominet, drawing attention to any incidents and risk areas.
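The matching step described above, and the way a blocked lookup is attributed back to a specific machine in the first two case studies, can be illustrated with a small resolver-log check. This is an added example written for this post; it is not Nominet's or the NCSC's code. The log line format, the blocklist entries, the domain names and the client addresses are all constructed for the illustration.

```python
"""Match DNS query logs against a threat-intelligence blocklist.

Added illustration of the check a protective resolver performs; not the
PDNS service's own code. Log format, feed entries and client addresses
are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed threat-intelligence feed. A bare domain blocks itself and
# every name beneath it; a host entry blocks that host and its children
# only, not sibling hosts under the same parent.
BLOCKLIST = {
    "c2-beacon.example",        # hypothetical worm command-and-control domain
    "loader.bad-cdn.example",   # hypothetical downloader host
}

# Constructed resolver log: "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2019-07-29T09:00:01Z 10.20.0.15 A www.example.org
2019-07-29T09:00:03Z 10.20.0.15 A api.c2-beacon.example
2019-07-29T09:00:05Z 10.20.0.15 A cdn.c2-beacon.example
2019-07-29T09:00:09Z 10.20.0.41 AAAA intranet.example.org
2019-07-29T09:00:11Z 10.20.0.88 A loader.bad-cdn.example
2019-07-29T09:00:12Z 10.20.0.41 A static.bad-cdn.example
2019-07-29T09:00:15Z 10.20.0.15 TXT 7zq.c2-beacon.example
"""

Event = Tuple[str, str, str]  # (timestamp, queried name, matched indicator)


def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot so feed and log names compare equal."""
    return name.lower().rstrip(".")


def matched_indicator(qname: str, blocklist) -> Optional[str]:
    """Return the feed entry covering qname (exact or any parent domain), else None.

    Walks a.b.c -> b.c -> c, so a feed entry for a parent domain catches
    every subdomain a worm might generate beneath it.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one constructed log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype, qname


def analyse(log_text: str, blocklist) -> Dict[str, List[Event]]:
    """Return blocked lookups keyed by client IP, which is what an incident
    responder needs in order to find the infected machine."""
    hits: Dict[str, List[Event]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _qtype, qname = parse_line(line)
        indicator = matched_indicator(qname, blocklist)
        if indicator is not None:
            hits[client].append((ts, normalise(qname), indicator))
    return dict(hits)


def triage(hits: Dict[str, List[Event]], threshold: int = 2) -> Dict[str, Dict[str, int]]:
    """Clients that repeatedly resolve names under the same indicator look like
    a running infection rather than a one-off click; return those clients with
    the per-indicator counts."""
    suspects: Dict[str, Dict[str, int]] = {}
    for client, events in hits.items():
        per_indicator: Dict[str, int] = defaultdict(int)
        for _ts, _qname, indicator in events:
            per_indicator[indicator] += 1
        repeated = {ind: n for ind, n in per_indicator.items() if n >= threshold}
        if repeated:
            suspects[client] = repeated
    return suspects


if __name__ == "__main__":
    blocked = analyse(SAMPLE_LOG, BLOCKLIST)
    for client, events in blocked.items():
        for ts, qname, indicator in events:
            print(f"{ts} BLOCK {client} {qname} (feed entry: {indicator})")
    for client, counts in triage(blocked).items():
        print(f"investigate {client}: repeated hits {counts}")
```

Note that `static.bad-cdn.example` is not blocked: the feed lists only the `loader` host, and a host entry does not cover its siblings. Feeds that intend to block a whole domain must list the parent; this is one reason analysts review the raw data rather than trusting the block count alone.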

In the first two incidents the PDNS service recognised a threat that had penetrated beyond the existing security precautions, while in the third, the PDNS service recognised indicators of a threat on the network which was traced back to an unsanctioned connection to the internet.

It wasn’t just in these instances that PDNS played a role either: PDNS is estimated to be protecting 1.4 million public sector employees from visiting malicious sites. Check out my previous blog to see how many queries were handled and blocked, including WannaCry, BadRabbit and evidence of attempts to spread the Conficker worm.

The Domain Name System (DNS) provides invaluable insight into potential threats on the network. As these cases show, the fact that almost every connection starts with a lookup gives DNS a unique view of network-connected devices. The one caveat is that a resolver only sees the queries sent to it, which is why in the third case the unsanctioned connection itself went unnoticed until the attacker pivoted onto machines that do resolve through PDNS. Even when other technologies fail, even when processes fall down and employees are, knowingly or unknowingly, putting the corporate network at risk, DNS-based security can save the day.