Operations Security (OPSEC) has long been a key tactic used by commercial and military organizations to protect their privacy and anonymity. The United States formalized OPSEC in 1988 with President Reagan’s National Operations Security Program. The premise of OPSEC is pretty simple: deny adversaries information that could be used to do harm to an organization or individual. During my last trip to the United Kingdom, I visited the famous World War II code-breaking site Bletchley Park. I took the following photo that sums up wartime OPSEC well.
Defenders and attackers both use OPSEC and when it comes to your adversaries, they use OPSEC to: avoid detection, maintain availability of their attack infrastructure, and to retain access to environments they have compromised. This is done through a combination of people, process and technology. Figure 1 demonstrates how attackers take advantage of technology services like bullet proof hosting to accomplish their goals. Using a 3rd party for infrastructure places another layer between the attacker and defenders.
It is critical to note that OPSEC will fail if people and process aren’t taken into account. There are no technology silver bullets when it comes to OPSEC. Lapses in OPSEC can have significant implications for defenders and attackers alike. All too often organizations unknowingly expose confidential information that significantly increases the risks to their organization. Take Figure 2, for example. An individual, whose LinkedIn profile informs us he is a Software Architect, has published his private RSA key on Github. In the wrong hands, this leaked information can be used to fuel a wide range of attacks against an organization and their staff.
Adversaries stand to lose from poor OPSEC as well. Suspected Dridex botnet operator Andrey Ghinkul associated his nickname – “Smilex” – with his real name. This may well have helped law enforcement in their pursuit of Ghinkul. Sabu is another classic example of an OPSEC failure.; he made the mistake of logging into an IRC chat server without first using TOR for anonymization.
But, amid this, there are opportunities for organizations. As a defender you can capitalize on weak attacker OPSEC to gain insight into the people, process and technology leveraged by your adversaries.
With a strong OPSEC program that is able to evolve with a changing environment you can build a flexible and resilient cyber security program.