Gaining OPSEC Resilience with Cyber Situational Awareness

Throughout history Operations Security (OPSEC) has been a key tactic used by commercial and military organizations to protect privacy and anonymity. When done well, it denies adversaries information they could use to do harm to an organization or individual. But criminals also use OPSEC as a means to an end – avoiding detection, maintaining availability of their attack infrastructure, and retaining access to environments they have compromised. 

Lapses in OPSEC can have significant implications for defenders and attackers alike. All too often organizations unknowingly expose confidential information that significantly increases risks. In some cases organizations leak details that are used to fuel social engineering attacks against their staff and, in other cases, sensitive documents are publicly exposed and put their brand at risk. Adversaries stand to lose from poor OPSEC as well. Dridex botnet operator Andrey Ghinkul associated his nickname – “Smilex” – with his real name, providing law enforcement a valuable clue in their investigation. 

As a defender, you can capitalize on weak attacker OPSEC to strengthen your security posture. Cyber situational awareness can provide insights into the people, processes and technology your adversaries use and turn those into an advantage. As in the Dridex example, humans can represent the most challenging element of OPSEC; a careless error can reveal their identity. The processes attackers use to retain privacy and anonymity, such as adopting aliases or conducting reconnaissance and lateral movement staging, can also tip you off to suspicious behavior. Knowledge of the technologies adversaries adopt to conduct operations – secure operating systems such as WHONIX and TAILS, anonymization networks like TOR, email encryption using PGP, and digital currencies like Bitcoin and WebMoney – can also give you an edge. When combined and analyzed, these insights can help you prevent and detect malicious activity as well as accelerate investigations when a breach happens.

Conversely, to prevent adversaries from gaining information about your organization that they can use to their advantage, a tailored, flexible OPSEC program should be the cornerstone of your strategy. The National Operations Security Program Process provides a five-step OPSEC program that defenders can use to mature their OPSEC capabilities. These steps include:

1. Identification of critical information – Start by identifying critical business functions, which will lead you to the “crown jewels.” Be sure to include seemingly innocuous information that could be aggregated with other information to put this critical information at risk.

2. Analysis of threats – Now you can begin to understand the relevant threats to your organization, including their motivations and tactics, techniques and procedures (TTPs). The less mature an adversary’s OPSEC, the more details you can glean and turn to your advantage.

3. Analysis of vulnerabilities – Vulnerability scanning solutions are essential in this step. But you must also consider weaknesses in people and process that could ultimately lead to confidential or proprietary information being leaked, or other information that adversaries could use to target key executives.

4. Assessment of risks – With this breadth of information you can now make smarter decisions about how to apply limited resources to the most significant internal and external threats.

5. Application of appropriate countermeasures – Armed with better insight into risks, you can take measures to strengthen controls. Examples include targeted security awareness training, updating data loss prevention solutions to prevent leakage of high-value data, or changing processes to require multiple authorizations for certain activities.

Because the state of your critical information, the threat landscape and your business models continue to evolve, your OPSEC program should as well. Cyber situational awareness can help you build resilience into your OPSEC program by enabling you to plan for several types of scenarios. For example, if you get an indication that you are going to be targeted, your OPSEC program needs to be able to respond to adversaries both proactively and reactively. You need to be able to provide ad-hoc security awareness training to the staff expected to be the most likely targets. Your incident response program needs to feed into your OPSEC program so you can provide specific training and monitoring during an intrusion.

There are also several types of business events that will require you to increase your OPSEC levels, including new product launches, mergers and acquisitions, or expansion into new regions. For each of these events, you will need to expand your monitoring until the business event has been successfully executed. Internal monitoring could be strengthened to include increased logging on individuals and assets. External monitoring might focus on product keywords, project code words, key staff members and adversaries known to target these types of scenarios. 
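As an added example (not code from the article), a small Python helper that turns the elevated-OPSEC monitoring described above into two concrete checks: it matches constructed external posts against a business event's project code words and key staff names, and flags remote-access logins arriving from a constructed sample of anonymization-network exit addresses. The OpsecWatch class, the log line format, and every name and address in it are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class OpsecWatch:
    """Elevated-OPSEC watchlist for one business event (hypothetical helper)."""
    event: str
    code_words: list
    key_staff: list
    anon_exits: set = field(default_factory=set)  # constructed exit-node sample

    def scan_external(self, posts):
        """Flag public text that mentions project code words or key staff."""
        terms = "|".join(re.escape(t) for t in self.code_words + self.key_staff)
        pat = re.compile(rf"\b({terms})\b", re.IGNORECASE)
        alerts = []
        for source, text in posts:
            hits = sorted({m.group(1).lower() for m in pat.finditer(text)})
            if hits:
                alerts.append({"event": self.event, "source": source, "terms": hits})
        return alerts

    def scan_access_log(self, lines):
        """Flag logins arriving from known anonymization-network exit addresses."""
        alerts = []
        for line in lines:
            parts = line.split()  # constructed format: "<ts> <src_ip> <user> <path>"
            if len(parts) < 4:
                continue
            try:
                src = str(ip_address(parts[1]))  # skip malformed addresses
            except ValueError:
                continue
            if src in self.anon_exits:
                alerts.append({"event": self.event, "ip": src, "user": parts[2], "path": parts[3]})
        return alerts

# Constructed watchlist and samples for a hypothetical product launch (TEST-NET addresses).
WATCH = OpsecWatch(event="Project Nightjar launch", code_words=["Nightjar", "NJ-2"],
                   key_staff=["J. Rivera"], anon_exits={"198.51.100.7", "203.0.113.42"})
SAMPLE_POSTS = [
    ("paste-site", "anyone seen the nightjar spec? heard J. Rivera is running it"),
    ("forum", "unrelated chatter about the weather"),
]
SAMPLE_LOG = [
    "2024-03-01T08:00:00Z 203.0.113.42 rivera.j /vpn/login",
    "2024-03-01T08:01:10Z 192.0.2.10 smith.a /portal",
    "malformed line",
]

if __name__ == "__main__":
    for alert in WATCH.scan_external(SAMPLE_POSTS) + WATCH.scan_access_log(SAMPLE_LOG):
        print(alert)
```

In practice the exit-address set would be refreshed from a maintained feed and the alerts routed to the monitoring team for the duration of the business event.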

Cyber situational awareness lets you use OPSEC to your advantage. By gaining visibility into your digital footprint and that of your attackers, you can implement tailored OPSEC practices that can deny or delay an adversary’s ability to do your organization harm. With this level of context and awareness you can make decisions and investments that maximize your resources and strengthen your organization’s security posture. 
