Toothbrushes and GoBags, when we go Counter Cyber

The Culture

When analysts join our ranks, they inherit the culture most of us brought from government service across the EU and East Africa: GoBags and all-nighters. Both are usually essential when you are dealing with high-level advanced actors. In public service, running CNO, the mission always came first. In the private sector it is much different, and adapting is essential, because what a client requires from such an engagement is a solution that ensures the continuation of his or her business.

Engaging The Adversaries

Adversaries, however, do not care about any of that. They are on a mission: they do not ask for your ISO certificate or when you last ran a pentest; they have an objective to service. If the analysts responding are not prepared to counter them, the actors will be able to plant tools wherever and whenever they choose, which makes them hard to counter. You then find that even after a few machines have been cleaned, the actor is still moving laterally through the environment and detonating tools at will. Hard work, in battle formation, is imperative during counter cyber. Every adversary we encounter at OnNet has an operational timeline, and to get ahead of them you have to work twice as hard to establish their breakout time, how they gained a foothold, and their initial access into a subnet or environment. Advanced actors keep a few active implants down in the environment while meeting mission objectives. The most dangerous are those who set up passive implants that call home only after months; these actors typically spend months, close to a year, of CNE operations moving from beachhead to foothold to expansion.

Such stealthy, methodical penetration is extremely hard to detect, and when the tooling is custom it becomes harder still for an ordinary analyst to pick up. This is where OnNet comes through for you, and in such counter cyber operations there will always be offense.

Cyber Threat Intelligence

Prior threat intelligence helps a lot in stopping the actor; in government, intelligence is the first line of defense in conflict and in peacetime alike. Approaching the environment that way gives you the leeway to set up on the high ground and watch the battlefield. Getting ready means camping at the client's site and collecting data, usually a lot of it, and running it through analytics. That is what lets your operators on the high ground and down range understand the adversary's intent. You cannot assume, or even come to think, that they are irrational just because their actions in the network make no sense to you; that means the analyst failed to make sense of their intent and capabilities before the firefight started, and it leads to failure during response and counter cyber ops. So, once on the battleground, soldiers do not go home until the dust settles and everything has been cleared out.
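The passive implant that calls home only after months, and the pile of collected data that has to be run through analytics before the operators understand intent, meet in one concrete analytic: looking for hosts that talk to the same destination on a timer. The block below is an added example, not OnNet's tooling or anything from the original post. It parses constructed proxy-style log lines (the format, hosts and timestamps are made up for the example; the addresses are documentation ranges) and flags source/destination pairs whose inter-arrival gaps are nearly constant, which is what a sleeping implant's callback looks like next to bursty human traffic.

```python
"""Periodic-callback (beaconing) detection over constructed proxy log lines.

Added example. The log format, hosts and timestamps are constructed for
illustration; nothing here comes from a real engagement.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, stdev

# Constructed sample: "<UTC timestamp> <src ip> <dst ip> <status> <bytes>".
# 10.0.1.15 calls 198.51.100.7 roughly hourly with a few seconds of jitter;
# 10.0.1.22 talks to 203.0.113.40 in bursts, as an ordinary user would.
SAMPLE_LOGS = """\
2024-03-01T00:00:00Z 10.0.1.15 198.51.100.7 200 512
2024-03-01T00:12:44Z 10.0.1.22 203.0.113.40 200 13820
2024-03-01T00:13:01Z 10.0.1.22 203.0.113.40 200 2211
2024-03-01T01:00:03Z 10.0.1.15 198.51.100.7 200 520
2024-03-01T02:00:01Z 10.0.1.15 198.51.100.7 200 498
2024-03-01T02:59:58Z 10.0.1.15 198.51.100.7 200 515
2024-03-01T03:41:10Z 10.0.1.22 203.0.113.40 200 90021
2024-03-01T03:41:15Z 10.0.1.22 203.0.113.40 304 0
2024-03-01T04:00:02Z 10.0.1.15 198.51.100.7 200 507
2024-03-01T07:02:33Z 10.0.1.22 203.0.113.40 200 5540
"""


def parse_line(line):
    """Return (timestamp, src, dst) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def intervals_by_pair(log_text):
    """Group events by (src, dst) and return inter-arrival gaps in seconds,
    computed on the time-sorted events of each pair."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst = rec
            seen[(src, dst)].append(ts)
    gaps = {}
    for pair, stamps in seen.items():
        stamps.sort()
        gaps[pair] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_periodic_callbacks(log_text, min_events=4, max_cv=0.1):
    """Flag (src, dst) pairs whose gaps are nearly constant.

    The coefficient of variation (stdev / mean) of the gaps is close to zero
    when a host calls out on a timer; bursty, human-driven traffic scores high.
    Returns {pair: {"period": mean gap in seconds, "cv": cv, "events": n}}.
    """
    flagged = {}
    for pair, gaps in intervals_by_pair(log_text).items():
        # Need at least min_events sightings (and two gaps for a stdev).
        if len(gaps) + 1 < min_events or len(gaps) < 2:
            continue
        period = mean(gaps)
        if period <= 0:
            continue
        cv = stdev(gaps) / period
        if cv <= max_cv:
            flagged[pair] = {"period": period, "cv": cv, "events": len(gaps) + 1}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_periodic_callbacks(SAMPLE_LOGS).items():
        print(f"{src} -> {dst}: period {info['period']:.0f}s, "
              f"cv {info['cv']:.4f}, {info['events']} events")
```

On the constructed sample only the hourly pair is flagged. Two caveats a practitioner would add: an implant that sleeps with randomised jitter pushes the coefficient of variation up, so the threshold has to be tuned per environment rather than fixed at 0.1; and an implant that waits months before its first callback only shows up if log retention covers that whole window, which is exactly why the collection has to start early and keep going.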

Fifth Domain Of War

Cyber being the fifth domain of war, at OnNet we fight until the end.

When the fight starts, an infiltration team's objective is to zero in on the target and take it out to the exclusion of all else. But remember, these teams do not identify anything beyond their target through their rifle sights. A leader has to come through for them, surrounded by his or her threat intel team, and as much as he or she wants to fire, he or she needs to keep the weapon at port arms and listen to the intelligence coming in while scanning the entire battlefield, to see and apprehend it all for action.

The new Age of Information Operations

Cyber has entered a new era of information operations: you cannot defend an institution without countering the actors as if you were on a battleground. Waiting to initiate containment after the actor has accomplished their mission should not be the case. Prevention has to be executed fast, stopping the adversaries before they succeed in their objectives.
