In November 2016, the UK government launched the new Cyber Security Strategy, a major plank of which was the creation of the National Cyber Security Centre (NCSC) as part of GCHQ, with a mandate to pursue the radical action required to better protect the UK's interests in cyberspace.

A key strand in this new approach is the NCSC's Active Cyber Defence (ACD) programme, which aspires to protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time. It is intended to tackle the high-volume commodity attacks that affect people's everyday lives, rather than the highly sophisticated and targeted attacks which are dealt with in other ways.

What Does the ACD Programme Do?

It consists of a number of interventions, each of which performs a particular security service for public sector organisations.

1. Takedown Service

This service works by requesting that hosting providers remove malicious content that pretends to be related to the UK government, and also certain types of malicious content hosted in the UK. In 2017, the following results were achieved:

· 18,067 unique phishing sites that pretended to be a UK government brand were removed across 2,929 attack groups, wherever in the world they were hosted.

· This reduced the median availability of a UK government-related phishing site from 42 hours to 10 hours.

· 121,479 unique phishing sites physically hosted in the UK were removed across 20,763 attack groups, regardless of who they were pretending to be.

· NCSC worked with 1,719 compromised sites in the UK that were being used to host 5,111 attacks intended to compromise the people that visited them. As a consequence, the median availability of these compromises has been reduced from 525 hours to 39 hours.

· The month-by-month volume of each of these has fallen, suggesting that criminals are using the UK government brand less and hosting fewer of their malicious sites in UK infrastructure.

· NCSC notified email providers about 3,243 Advance Fee Fraud attacks pretending to be related to the UK government.

· NCSC has stopped several thousand mail servers from being used to impersonate government domains and send malware to people, in the expectation that the government link makes the messages more realistic.

· The volume of global phishing has gone up significantly (nearly 50%) over the last 18 months, but the share hosted in the UK has reduced from 5.5% to 2.9%.

2. DMARC

DMARC helps email domain owners to control how their email is processed, making it harder for criminals to spoof messages to appear as though they come from a trusted address. Organisations that deploy DMARC properly can ensure that their addresses are not successfully used by criminals as part of their campaigns. NCSC are helping the public sector lead in deploying DMARC, including the prioritisation of 5,322 government domains for adoption in the first instance.

At the end of 2017, there were 555 (about 10%) government domains reporting to the Mail Check service.

The number of messages spoofed from an address has fallen consistently over 2017, suggesting that criminals are moving away from using them as fewer and fewer of them are delivered to end users.

Across the 555 public sector email domains reporting to Mail Check, we are seeing an average of 44.1 million messages a month which fail verification. Of those, an average of 4.5 million are not delivered to the end users. The peak in June saw 30.3 million spoofed messages not delivered to end users.
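
What deploying DMARC "properly" means in practice can be checked from the domain's published policy record. The following is an added example, not code from NCSC or Mail Check: it audits a DMARC TXT record using the standard RFC 7489 tags (v, p, sp, pct, rua). The function names, status labels and sample records are assumptions constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record):
    """Return (status, findings) for one DMARC record string."""
    # The version tag must come first, otherwise receivers ignore the record.
    if record.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return "invalid", ["record must begin with v=DMARC1"]
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", ["missing or unknown p= policy"]
    findings = []
    pct_text = tags.get("pct", "100")
    # A malformed pct falls back to the default of 100.
    pct = int(pct_text) if pct_text.isdecimal() and int(pct_text) <= 100 else 100
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    if policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
        return "monitoring", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if subdomain_policy == "none":
        findings.append("sp=none: subdomains remain spoofable")
    status = "partial" if pct < 100 or subdomain_policy == "none" else "enforcing"
    return status, findings

# Constructed sample records (not real government domains).
SAMPLES = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "rollout.example": "v=DMARC1; p=reject; pct=25; rua=mailto:r@rollout.example",
    "gaps.example": "v=DMARC1; p=quarantine; sp=none",
    "done.example": "v=DMARC1; p=reject; rua=mailto:r@done.example",
    "broken.example": "p=reject; v=DMARC1",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        status, findings = audit_dmarc(record)
        print(f"{domain}: {status} {findings}")
```

Only the "enforcing" result means receivers are asked to quarantine or reject all failing mail for the domain and its subdomains.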

3. Web Check

Web Check performs some simple tests on public sector websites to find security issues.

It provides clear and friendly reporting to the service owners, along with advice on how to fix the problems.

During 2017 Web Check performed 1,033,250 individual scans running 7,181,464 individual tests.

In that period, it found 2,178 issues relating to certificate management, 1 relating to HTTP implementation, 184 relating to out-of-date content management systems, 1,629 relating to TLS implementation, 76 relating to out-of-date server software and 40 other issues.

4. Public Sector DNS

The Public Sector DNS service provides protective DNS services to public sector bodies that subscribe to it. It blocks access to known bad domains, where the block lists are derived from a combination of commercial, open source and NCSC threat feeds. It also performs analytics on the resolution data to find other security issues. The intent of the service is not just to block bad things, but to notify system owners so they can perform remediation.

At its peak in December 2017, the Public Sector DNS service was responding to 1.23 billion requests a week.

During that peak week, 273,329 requests were blocked.
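
The block-and-notify behaviour described for this service can be sketched as follows. This is an added example, not the NCSC's implementation: the feed contents, client names and function names are all constructed assumptions. It merges several feeds into one block list, matches queries on DNS label boundaries, and groups blocked lookups by client so that the system owner can be notified.

```python
from collections import defaultdict

# Constructed feeds; the real feeds and their formats are not described here.
FEEDS = {
    "commercial": {"bad-login.example"},
    "open_source": {"malware-drop.example", "BAD-LOGIN.example."},
    "ncsc": {"c2.badhost.example"},
}

# Constructed resolver log: (subscribing client, queried name).
QUERIES = [
    ("council-a", "www.bad-login.example."),
    ("council-a", "intranet.council-a.example"),
    ("nhs-b", "C2.badhost.example"),
    ("nhs-b", "notbad-login.example"),  # shares a suffix string, not a label
    ("council-a", "bad-login.example"),
]

def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def build_blocklist(feeds):
    """Merge feeds into {domain: set of feed names that listed it}."""
    merged = {}
    for source, domains in feeds.items():
        for domain in domains:
            merged.setdefault(normalise(domain), set()).add(source)
    return merged

def match(qname, blocklist):
    """Return the listed domain that qname equals or sits under, else None."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # compare whole labels only
        if candidate in blocklist:
            return candidate
    return None

def process_queries(queries, blocklist):
    """Return (blocked_count, {client: sorted blocked domains}) for notification."""
    notifications = defaultdict(set)
    blocked = 0
    for client, qname in queries:
        hit = match(qname, blocklist)
        if hit:
            blocked += 1
            notifications[client].add(hit)
    return blocked, {c: sorted(d) for c, d in notifications.items()}

if __name__ == "__main__":
    print(process_queries(QUERIES, build_blocklist(FEEDS)))
```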

5. Signalling and Routing

Work is ongoing to make both source and destination address spoofing in IP space much harder, with the consequent impact this could have on the use of UK infrastructure as part of DDoS attacks and traffic hijacking.

In summary, there is clear evidence that NCSC is doing what it was set up for and is making a big dent in the world of scams, phishing, data breaches and more.

Well done to the NCSC in its first year. For further information