PDNS: The Sixth Year

14th July 2023

David Carroll
MD Cyber

In cyberspace, 2022 was something of a mixed bag. On the positive side, ransomware payments plummeted in comparison to 2021, and the Russian invasion of Ukraine did not result in a widespread escalation of cyber-attacks against critical national infrastructure, as some had feared. However, on the negative side, 2022 also saw large corporations including Okta, Vodafone, and Samsung falling victim to ransomware attacks, and production at Toyota was temporarily halted by a supply chain attack, affecting one-third of its global output. A national emergency was declared in Costa Rica – a first for a ransomware attack – after its Ministry of Finance was crippled by the Russia-linked Conti group.

Last week the UK National Cyber Security Centre (NCSC) released Active Cyber Defence: The Sixth Year, a report detailing the progress made in 2022 to improve the UK’s national cyber resilience. The Active Cyber Defence (ACD) programme is designed to “protect the majority of people in the UK from the majority of the harm caused by the majority of the cyber-attacks the majority of the time”.

Featured in the report is Protective DNS (PDNS), a service that Nominet has proudly delivered on behalf of the NCSC since 2017. 2022 saw PDNS continue to grow in terms of the number of UK organisations and essential services protected, and the number of threats blocked. It is especially pleasing to see how, as the service has matured, it has become a vital threat intelligence asset, identifying and disseminating new threats previously unseen by Government and industry.

Protecting more people, more of the time

In line with ACD’s mantra, a lot of focus in 2022 centred on protecting more people, more of the time. The scope of PDNS was broadened, with UK Registered Social Housing Providers and Management Organisations eligible for the service for the first time. We onboarded a further 228 organisations to PDNS, taking the tally to over 1,200 organisations protected, and more than 2,000 if we individually account for all organisations in the NHS Health and Social Care Network.

In 2022 we launched PDNS Roaming, a new way to direct DNS to PDNS when a device is not connected to an enterprise network. This has been well received and has greatly expanded the coverage of PDNS, allowing us to protect Windows and Apple devices no matter where they are, with Android becoming available in the near future.

Preventing ransomware attacks at scale

Despite the downturn in 2022, the figures for 2023 appear to suggest that the ransomware threat is returning to epidemic levels. We’re proud to play our part in safeguarding the UK from ransomware attacks. In 2022, PDNS blocked 5 million requests for domains associated with this threat, thwarting attacks against public sector organisations providing essential services to the UK taxpayer.

Getting ahead of the curve

It’s particularly pleasing to see the report acknowledge how far PDNS has evolved since its inception. Nominet has invested heavily in the development of tools and techniques to detect and prevent more bad stuff. Focusing on phishing, often a precursor to higher severity incidents, Nominet analysts have developed techniques to identify potentially fraudulent or phishing domains for blocking by PDNS. The report also details how this research has been developed into a new threat feed, using new threat-detection algorithms to complement the range of commercial and open-source intelligence employed by PDNS. In November and December, this new feed blocked over 20,000 unique domains that were not seen by any other feed provider. Nominet’s research is finding new threats, as yet unseen in cyberspace, and these are being deployed via PDNS to prevent harm.

We’ve seen similar successes in Australia, where we also deliver the Australian PDNS. Our threat hunting efforts down under have led to unique threats being surfaced, resulting in blocks for all tiers of the Australian Government, making a significant contribution to the Australian Signals Directorate’s (ASD) Cyber Threat Intelligence Sharing (CTIS) platform.

Global collaboration

The collaboration between Nominet analysts in the UK and Australia has been another major success in 2022. Our analysts share ideas, tools, techniques, and intelligence to improve protection and generate global situational awareness for our PDNS customers. Our aim is to expand upon this in the future, as we continue to develop our threat hunting capabilities in the UK, Australia and elsewhere.

An uncertain future, but a renewed focus

While 2022 made clear that the threat facing the UK shows no signs of abating, the Year 6 report offers grounds for optimism: proactive approaches to cybersecurity – action as well as policy – pay dividends for Governments. As we enter the second half of 2023, ransomware attackers appear to be on target for their second-biggest year ever in terms of payments. Only through initiatives like active cyber defence programmes, with greater collaboration between Government and industry, can we collectively move the dial towards a more resilient future.