#NSBCS.071 - From the Desk of the CEO | Why the ‘Military Way’ is the right way for Cyber

Source: NSB Cyber


Why the ‘Military Way’ is the right way for Cyber

As we approach Anzac Day for another year (for me, one of the most important days on the calendar), I always pause and reflect. This year from a professional standpoint, my reflection point has been on what my military service best prepared me for in my professional career after service. There is plenty!

For this blog post, I have chosen to drill into (pun intended!) one of the most important aspects, which is - why I think the training we do in the military, some of the best in the world, is a marker for what we need to aspire to in our quest for cyber resilience.

Let me paint you a quick picture.

It is 2003, the whole world has changed post the tragedy of 11 September 2001, and most of the militaries over the world are on heightened alert. Australia, like many countries, has committed service men and women to multiple operational theatres. As part of this, I deployed to the Iraq War of 2003 in a forward deployed amphibious landing ship HMAS KANIMBLA, spending most of that year in mine infested waters off the coast of Iraq executing various mission critical tasks. I was 24 years old.

Now plenty of things happened during that campaign, none of which need to be recounted in a cyber blog post (I will save that for my memoirs!). What I do want to focus on however, is how the Australian Defence Force prepared us for such a deployment; to be able to deploy, execute our mission, and return home safely. Why? Because I think there is a lesson in that that is equally applicable to being cyber ready.

The TL;DR answer is highly effective, well structured and purpose driven training that ‘ramped up’ over a period of time, such that we were at peak (sustainable) levels of readiness at the time of deployment.

For those craving a bit more detail, here are the trademarks of that training that made it so effective:

  • Time - We planned for and allowed ourselves enough time to be able to put the work in when we needed it most. No shortcuts. If you train hard but safe, you more often come home safe.

  • Facilitation - The training started with us training ourselves and when we had exhausted the effectiveness of that, the experts came in and gave us a real work out! There is no substitute for facilitated training, where you can focus on being a participant in the scenario and playing the role as you would on game day. Capability comes from repeat effort.

  • Real - The training was made up of real world scenarios that we would (and for the most part did) encounter, designed and delivered by people with real-world experience, that were played out in real time with our actual team playing their roles. In my view, there is no substitute for hyper realistic training. It is well worth the investment.

  • Scale - The training started small and manageable, and progressively scaled to high impact, high stakes, catastrophic. You need to rehearse for the worst case even if it is seemingly highly unlikely, because trust me when I say this - you don't want to ‘wing’ that one if it actually happens. The stakes are way too high.

  • Assessment and Debrief - Everything we did was assessed and clearly communicated, and every exercise was debriefed almost immediately after. Measurable and transparent. That is how you learn and implement the lessons you need. Then you gear up and go again.

Now, if you replace the military aspects of the above with cyber preparation, I don't think there is much that needs to change in the approach, right?

Yes, the stakes in cyber are not as high as deploying for war, but the risks are still pretty significant and can sometimes even be existential. So why (in my view) are so many businesses in Australia not training for the hard or at a minimum even for the real?

I am here to tell you that a 2 hour PowerPoint presentation on cyber threats is not training for a cyber incident, no matter how fancy the slides are. It can be a helpful introduction to what a cyber event entails, but it is an entry point only. There is absolutely no substitute for actually subjecting your teams and your business to a facilitated cyber scenario that is representative of what it is actually like in that moment. You don't want to learn that on the fly during an actual incident.

I recognise that budgets are tight, calendars are jammed and no one likes training anyway, so making a decision to back yourself in the event that an incident happens is an easy decision. Do the 2 hour briefing, tick the box and back yourself when something happens. Plenty of people make that decision, I just don't think it is the right decision. If you disagree and are open to a conversation about that, feel free to get in touch and I will buy you a coffee for the chat.

Now if you have made it this far, thanks for taking the time to read this blog post and I hope you take the time to pause this Anzac Day and remember those who have served, particularly those who paid the ultimate sacrifice. Serving your country is a privilege, and something for which we need to thank those that do whenever we get the chance.

Lest we Forget and until next time, No Steps Backward.

Catch up on our past Signals blog posts here.

What we read this week

  • Hackers Abuse Google's DKIM Verification in OAuth Phishing Attack - Attackers cleverly exploited Google’s DomainKeys Identified Mail (DKIM) verification system in a sophisticated phishing scheme, sending fraudulent emails seemingly from Google's legitimate address (no-reply@google.com). The attack utilised Google's OAuth infrastructure, hosting fake login portals on sites.google.com—mimicking real Google support pages—to collect user credentials. Ethereum Name Service's developer, Nick Johnson, uncovered this "DKIM replay" technique, where attackers created deceptive Google OAuth apps triggering authentic security alerts, bypassing email validation. Users are advised to carefully inspect URLs, as the attack cleverly obscures indicators of fraud by leveraging genuine Google domains and infrastructure, significantly increasing the risk of compromise.
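The point of the item above is that a DKIM pass is not, by itself, a trust signal: the alert really was sent and signed by Google, so it authenticates cleanly, and the only tell is where the call-to-action link lands. The following is an added triage example (not code from the NSB Cyber post or from Nick Johnson's write-up) showing one defensive check a mail team could run: parse the Authentication-Results header, extract the links, and flag messages that pass DKIM for google.com yet point at a user-content host such as sites.google.com. The sample messages, the Authentication-Results values and the list of user-content hosts are all constructed for illustration.

```python
"""
Added example (not from the NSB Cyber post): a small triage check for the
"DKIM replay" pattern described above. A message can legitimately pass DKIM
for google.com (Google really did send the alert), so the check looks at where
the message's links point instead of at the signature alone.
All sample messages and header values below are constructed for illustration.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Hosts on Google's domains where arbitrary users can publish content.
# Assumption for this example: only sites.google.com is listed; a real
# deployment would maintain this list from its own threat intelligence.
USER_CONTENT_HOSTS = {"sites.google.com"}

# Matches "dkim=pass header.i=@google.com" style results (RFC 8601 style)
_DKIM_RE = re.compile(r"dkim=(pass|fail|none)(?:\s+header\.[id]=@?([\w.-]+))?", re.I)
_URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)


def dkim_result(msg):
    """Return (status, signing_domain) from the Authentication-Results header."""
    ar = msg.get("Authentication-Results", "")
    m = _DKIM_RE.search(ar)
    if not m:
        return ("none", None)
    return (m.group(1).lower(), (m.group(2) or "").lower() or None)


def links_in(msg):
    """Extract http(s) URLs from the text parts of a message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(_URL_RE.findall(part.get_content()))
    return urls


def triage(raw):
    """
    Classify a raw RFC 5322 message. Returns a dict with the DKIM result,
    the list of suspicious links, and a verdict:
      'review' - DKIM passes for google.com but links go to user-content hosts
      'ok'     - nothing matched this pattern
    """
    msg = email.message_from_string(raw, policy=policy.default)
    status, domain = dkim_result(msg)
    suspicious = [u for u in links_in(msg)
                  if urlparse(u).hostname in USER_CONTENT_HOSTS]
    verdict = "review" if (status == "pass" and domain == "google.com" and suspicious) else "ok"
    return {"dkim": status, "signing_domain": domain,
            "suspicious_links": suspicious, "verdict": verdict}


# Constructed sample: a Google-signed alert whose link goes to sites.google.com
REPLAYED_ALERT = """\
From: Google <no-reply@google.com>
To: user@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.i=@google.com
Content-Type: text/plain

A new OAuth application was granted access to your account.
Review the details here: https://sites.google.com/view/example-support
"""

# Constructed sample: a similar alert pointing at a first-party account page
BENIGN_ALERT = """\
From: Google <no-reply@google.com>
To: user@example.com
Subject: Security alert
Authentication-Results: mx.example.com; dkim=pass header.i=@google.com
Content-Type: text/plain

A new sign-in was detected. Check activity: https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for raw in (REPLAYED_ALERT, BENIGN_ALERT):
        print(triage(raw))
```

The verdict is deliberately "review" rather than "block": sites.google.com carries plenty of legitimate content, so this is a signal to route the message to a human or a second-stage check, which is exactly the "inspect the URL" advice in the item above turned into something a mail gateway can do consistently.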

  • InfoStealer Malware Phishing Attacks Surge by 180% in 2025 - InfoStealer malware delivered via phishing attacks surged dramatically—rising 84% weekly in 2024 and already 180% above 2023 levels in early 2025. Threat actors have shifted from traditional attachments to sophisticated PDF-based attacks, embedding malicious URLs within trusted formats. Techniques include URL obfuscation using hexadecimal encoding, JavaScript methods, and encrypted streams, effectively bypassing traditional detection tools. AgentTesla, FormBook, and SnakeKeylogger dominate phishing campaigns, while Lumma leads dark-web marketplaces. IBM warns credential harvesting now drives 28% of security incidents, recommending layered security defences, advanced endpoint monitoring, and stringent identity management to combat evolving credential theft threats.

  • FOG Ransomware Campaign Abuses DOGE Initiative in Phishing Attacks - Recent analysis of nine FOG ransomware samples reveals attackers are exploiting references to the United States (US) Department of Government Efficiency (DOGE) in targeted phishing emails containing malicious LNK files disguised as pay-related PDFs. Upon execution, these files download multi-stage payloads including PowerShell scripts that collect and exfiltrate sensitive system data, and deploy privilege-escalation tools (ktool.exe exploiting vulnerable Intel drivers). The ransomware encrypts files with a ".flocked" extension, embedding politically-themed commentary and dropping ransom notes instructing victims to spread infections. Organisations should proactively monitor indicators of compromise (IoCs), enforce security awareness training, and implement strict network segmentation.

  • North Korean Hackers Abuse Zoom Remote Control to Steal Crypto - North Korean attackers, tracked as ‘Elusive Comet’, are exploiting Zoom’s Remote Control feature in phishing campaigns targeting cryptocurrency traders and venture investors. Threat actors posing as VC firms lure victims via Calendly meeting invites, then request screen-sharing on Zoom calls. By deceptively renaming themselves as "Zoom", attackers trick users into unknowingly granting remote access permissions. Once control is established, hackers deploy infostealers or RAT malware, extracting passwords, browser data, and cryptocurrency keys. Experts urge organisations to disable Zoom's Remote Control by default and closely monitor accessibility permissions, highlighting increasing risks from human-centric operational security failures.

  • Shadow AI Use Rising; Employees Expose Sensitive Data via LLM - A study by Software AG reveals half of all employees are using Shadow AI tools, often without corporate oversight, driven by convenience and workplace efficiency pressures. Harmonic Security analysed over 176,000 AI prompts, highlighting widespread use of personal accounts for ChatGPT and other platforms, frequently involving sensitive data such as financial information (30.8%), legal data, and PII. Alarmingly, 7% of employees are also using Chinese AI models (e.g., DeepSeek, Baidu Chat), risking data exposure to foreign actors. Organisations are advised to shift from passive monitoring to proactive governance, educating employees on secure AI practices rather than enforcing outright bans.
