advertisement
Countering That DDoS Onslaught On Government
Having had experiences working for GoK’s cybercommand, I have witnessed several instances where hacktivism was used to disrupt government infrastructure. As an operator, we were able to respond with both OCO (Offensive Cyberspace Operations) and DCO (Defensive Cyberspace Operations) to incapacitate the aggressors, and it was easier when dealing with script kiddies rather than APT groups (Advanced Persistent Threat) or FIN (Financial) threat actors. To do this, we never divided actions between DCO and OCO because the two teams brought relative combatant power against adversaries attacking GoK infrastructure.
The only major issue was politics that arrived at our doorstep from other agencies, as they didn’t want the cybercommand’s capabilities to outshine their units. As a result, we used to push that aggression either to the ICTA (Information and Communication Technology Authority) CEO or the PS in charge, and sometimes all the way to the CS office. Even right now, it baffles me why the individuals who wanted the talent we had on station, closed off when they could have built on it for the betterment of the nation and contrivance of Kenyan cyber power.
Denial of Service attacks are operations conducted to disrupt services on a target system or infrastructure. The current attack is not a hack, as Cabinet Secretary Eliud Owalo mentioned. He should have said, ‘It is a disruptive attack,’ which indicates that the person advising him is not a cyber advisor but another political individual who lacks expertise in this field and Googled stuff for paperwork.
advertisement
One has to note that the current attacks are not the work of proficient Computer Network Operations (CNO) operators; they are merely young individuals somewhere clicking tools or running refreshable terminals to send traffic to GoK infrastructure with the objective of flooding web server services. A full state-led operation would have all four effects conducted during a Computer Network Attack (CNA), i.e., disrupt, deny, degrade, and destroy. Thus, cyber is not just an enabler of war but also a strategic option in conflict. However, what we are observing is
the manoeuvre of an adversary who lacks the capability to conduct CNA.
During the 2013 to 2014 attacks by anonymous groups in Kenya, we conducted both Counter Cyber Operations (CCO) and Adversary Pursuit (AP) operations against the groups. Most of the attackers never had the chance to sustain the attack for more than 3 hours due to the War Fight Function (WFF) that cyber command wielded against their aggression. If we could penetrate Chinese adversaries conducting espionage, it wouldn’t have been too difficult for us to handle CNE (Computer Network Exploitation) against hacktivists. Tailored operation against
hacktivism was a walk in the park, even against AFT groups like Forkbombo or SilentCards.
The operations to counter Anonymous and identify the hacktivist teams were coded under Operation SaveHome (OSH), the year 2014-2015. This was one of the first cybercom operations that integrated both Offensive Cyberspace Operations (OCO) and Defensive Cyberspace Operations (DCO) and showcased the need for developing Cyber Defense Operations Center (CDOC), which required interagency collaboration under one roof. Unfortunately, this idea was shot down by other agencies quite swiftly and documents developed hang with their pencils over a balcony.
advertisement
Cybercom was comprised of three teams that worked together at all times. Most of the budget to build capabilities came from our own pockets to maintain our Combat Readiness Cycle (CRC) and Combat Readiness Percentage (CRP) and husband our way up to the best use of the limited resources available. The teams were: RDT (Research and Development Team), OOAT (Online Operations Action Team), and C|CRT (Counter-Cyber Remote and Response Team). This was documented and pushed to hold up the development of the National Cyber
Command Center (NC3) as a Cyber Defense Operations Center (CDOC), which would have been an all-in-one floor operations centre.
When Anonymous targeted GoK, our mandate was to keep the servers online, analyse traffic, and identify which were botnets and which were actually the Motherships. Targeting the motherships in response usually disrupted the attackers and led to their failure in reaching their objectives. It’s important to remember that back in 2013 and 2014, there were fewer free tools that script kiddies would use for cyber actions until GitHub came online.
Now, there are loads of Open Source Tools (OST) that attackers with limited knowledge can use on non-secured
systems. DDOS attacks will also have operators behind the keyboard, just like any other cyber operation (CO). These operators have to log into a botnet server or a stressor box that coordinates other machines in the Area of Operations (AOR) to flood certain services as per the aggressor’s objectives.
advertisement
Going through the logs systematically using Digital Forensics and Incident Response (DFIR), threat analysis and maximising Cyber Threat Intelligence (CTI) development, can reveal whether the attacks are external or internal and identify the actual botnets, the main mothership, or the controller IPs, as well as the stressor servers involved in the task. The initial part of the operation involves countering that traffic to prevent the main botnet from reaching the services while searching for and resolving the mothership or controller systems the attackers are logged on to.
It is crucial to remember that threat actors using DDoS attacks are, in essence, using force. Engaging such aggressors requires superior violence of action. Given that these attackers are often script kiddies, they have made mistakes, particularly during the initial stages of their reconnaissance and discovery of targets to identify the best way to disrupt the Kenyan government’s ICT infrastructure. They may have exposed their controller and mothership servers at some point.
With this information at hand, it is important to start developing Courses of Action (COAs) that can vary from Computer Network Defense (CND), then to Computer Network Exploitation (CNE), in order to support Computer Network Attack (CNA) objectives, depending on the urgency of the situation. Both actions must require the cyber units on the station, conducting this build-up In Support of (ISO) Counter Cyber Operations (CCO), to have been building the cyber arsenal to execute this operation with absolute might and force against the adversary.
One must note that adversary pursuit operations would support the intelligence required to identify, whether the aggressors are Kenyans masquerading as Sudanese or an actual Sudanese threat actor. If this activity is indeed Sudanese, the cyber unit would have to develop another set of COAs to conduct CNO in Sudan by identifying if the group is government-sponsored and heavily contest the hostile presence out of GoK infrastructure.
By using cyber and meatspace, penetrating Sudanese essential ICT facilities like media, power-grid, military, and intelligence infrastructure gradually, and then collecting intelligence data before executing wipers or other destructive effects, the cyber unit can effectively bring Khartoum to a total halt by targeting their Center of Gravity (CoG) if identified during COA development.
As Cyber Operations (CO) initiatives continue, it’s important for the government to also consider a diplomatic approach in response too. This may involve calling in the Sudanese ambassador for discussions or, if necessary, taking actions such as PNGing (Persona Non-Grata) some of their officials out of Nairobi as a measured response. Diplomacy can play a crucial role in addressing cyber-related issues between nations and finding a constructive way forward.
As always, it is essential to remember that modern operations in the physical world depend on assured command, control, and communication across a distributed environment. What Sudan is currently doing does not amount to cyber warfare or even cyber conflict, but rather, it’s a form of hacktivism with a disruptive approach, targeting GoK’s financial systems.
While cyberspace is a crucial battleground that can be used for retaliation, if Nairobi had planned and built its Cyber Network Operations (CNO) proficiency, then there could have been a better-organised effect that could align with what we expect from a state-led cyber unit. This would involve conducting a full-scale Information Operations (IO) campaign against the adversary, particularly if identified as the Sudanese Government, and eventually imposing costs on Khartoum.
Deterrence in the cyber domain relies more on resilience, deterring potential threat actors, and imposing costs rather than relying solely on political means. To harness the power of Nairobi’s offensive cyber capabilities, corruption and political shenanigans must halt, allowing talent to thread the needle and focus on capability development. This way, we can execute successful and impactful cyber operations against our adversaries via both DCO and OCO. As noted, acquiring the right talent is crucial since cyber initiatives should be a top priority within the national security agenda.
This article was written by Gichuki Jonia (Chucks), CEO, Â