Throughout history Operations Security (OPSEC) has been a key tactic used by commercial and military organizations to protect privacy and anonymity. When done well, it denies adversaries information they could use to do harm to an organization or individual. But criminals also use OPSEC as a means to an end – avoiding detection, maintaining availability of their attack infrastructure, and retaining access to environments they have compromised.
Lapses in OPSEC can have significant implications for defenders and attackers alike. All too often organizations unknowingly expose confidential information that significantly increases risks. In some cases organizations leak details that are used to fuel social engineering attacks against their staff and, in other cases, sensitive documents are publicly exposed and put their brand at risk. Adversaries stand to lose from poor OPSEC as well. Dridex botnet operator Andrey Ghinkul associated his nickname – “Smilex” – with his real name, providing law enforcement a valuable clue in their investigation.
As a defender, you can capitalize on weak attacker OPSEC to strengthen your security posture. Cyber situational awareness can provide insights into the people, processes and technology your adversaries use and turn those into an advantage. As in the Dridex example, humans can represent the most challenging element of OPSEC; a careless error can reveal their identity. The processes attackers use to retain privacy and anonymity, such as adopting aliases or conducting reconnaissance and lateral movement staging, can also tip you off to suspicious behavior. Knowledge of the technologies adversaries adopt to conduct operations – secure operating systems such as WHONIX and TAILS, anonymization networks like TOR, email encryption using PGP, and digital currencies like Bitcoin and WebMoney – can also give you an edge. When combined and analyzed, these insights can help you prevent and detect malicious activity as well as accelerate investigations when a breach happens.
Conversely, to prevent adversaries from gaining information about your organization that they can use to their advantage, a tailored, flexible OPSEC program should be the cornerstone of your strategy. The National Operations Security Program Process provides a five-step OPSEC program that defenders can use to mature their OPSEC capabilities. These steps include:
1. Identification of critical information – Start by identifying critical business functions, which will lead you to the “crown jewels.” Be sure to include seemingly innocuous information that could be aggregated with other information to put this critical information at risk.
2. Analysis of threats – Now you can begin to understand the relevant threats to your organization including their motivations and tactics, techniques and procedures (TTPs). The less mature an adversary’s OPSEC, the more details you can glean; you can benefit from this.
3. Analysis of vulnerabilities – Vulnerability scanning solutions are essential in this step. But you must also consider weaknesses in people and process that could ultimately lead to confidential or proprietary information being leaked, or other information that adversaries could use to target key executives.
4. Assessment of risks – With this breadth of information you can now make smarter decisions about how to apply limited resources to the most significant internal and external threats.
5. Application of appropriate countermeasures – Armed with better insight into risks, you can take measures to strengthen controls. Examples include specific security awareness training, updating data loss prevention solutions to prevent leakage of high-value data at risk, or changing processes to require multiple authorizations for certain activities.
Because the state of your critical information, the threat landscape and your business models continue to evolve, your OPSEC program should as well. Cyber situational awareness can help you build resilience into your OPSEC program by enabling you to plan for several types of scenarios. For example, if you get an indication that you are going to be targeted, your OPSEC program needs to be able to proactively and reactively respond to adversaries. You need to be able to provide ad-hoc security awareness training to staff expected to be the most likely targets. Your incident response program needs to feed into the program so you can provide specific training and monitoring during an intrusion.
There are also several types of business events that will require you to increase your OPSEC levels, including new product launches, mergers and acquisitions, or expansion into new regions. For each of these events, you will need to expand your monitoring until the business event has been successfully executed. Internal monitoring could be strengthened to include increased logging on individuals and assets. External monitoring might focus on product keywords, project code words, key staff members and adversaries known to target these types of scenarios.
Cyber situational awareness lets you use OPSEC to your advantage. By gaining visibility into your digital footprint and that of your attackers, you can implement tailored OPSEC practices that can deny or delay an adversary’s ability to do your organization harm. With this level of context and awareness you can make decisions and investments that maximize your resources and strengthen your organization’s security posture.