Our research addresses the question: What are the conditions of the UK's cyber threat landscape? In addressing this we focus on detectable, known and therefore potentially preventable cyber threats, specifically those that are identifiable by the types of malicious scanning activities they exhibit. We have chosen this approach for two reasons. First, as is evidenced herein, the vast majority of cyber threats affecting the lives and business endeavours of UK citizens are identifiable, preventable threats. Thus the potential exists to improve UK cyber defence by improving how citizens are supported in preventing, detecting and responding to cyber threats. Achieving this requires an evidence base to inform policy makers. Second, it is potentially useful to build a quantifiable evidence base of the known threat space (that is to say, detectable, identifiable and therefore potentially preventable cyber threats) to ascertain whether this information may also be useful when attempting to detect the emergence of more novel cyber threats. This research presents an analysis of malicious internet scanning activity collected within the UK between 1st December 2020 and 30th November 2021. The data was gathered via a custom automated system which collected and processed data from Greynoise, enriched it via Shodan, and cross-referenced it with data from the Office of National Statistics and proprietorial data on UK place names and geolocation.