OPSEC (Operational Security) is a term derived from the U.S. military: an analytical process used to deny an adversary information that could compromise the secrecy and/or the operational security of a mission. The process of performing OPSEC, or protecting your six from an adversary, plays a very important role in both offensive and defensive security strategies, and in everyday life as well.
An example of OPSEC that pertains to this article is protecting the real identity of someone who has chosen to operate online under a pseudonym, as black hat and white hat hackers most commonly do. Ensuring that critical information such as IP addresses, language used, writing styles, email accounts, personal traits etc. cannot be used to unmask their real identity is a constant process.
There are many reasons why having a healthy obsession with OPSEC is important. One of the biggest is preventing cyber-criminals, hackers, and governments from obtaining data that can be used to disclose sensitive information about you. Doxxing is the most common attack used to expose weaknesses in OPSEC, and it will be covered in more detail later in this post.
So why is OPSEC important and why should you care?
There’s a saying “if you have nothing to hide, you have nothing to fear”. The reality is that everyone has something they want to hide from the general public. The key is identifying what form this information is in, how well protected it is, and if compromised what the personal/professional impact would be.
Attackers are constantly profiling targets looking for potential weaknesses in OPSEC and from personal experience, it can take less than four hours of online recon using manual and automated Open Source Intelligence (OSINT) techniques to gather enough information on a target to learn:
- Where a target lives
- SSN/NI number
- DOB and full name
- Email Accounts and Passwords in dumps (Currently over 10 Billion)!
- Mother’s Maiden Name
- Online Digital Footprint including favorite sites
- Employment and financial information
- Mobile/Work telephone numbers
- Social Media information/posts
Armed with the above information, a motivated attacker could do some serious damage if, for example, you reused passwords, used the same email as a login for multiple web apps, or used an email/username that can identify something about you. These basic mistakes are reported almost on a monthly basis in the media, including numerous examples of criminal operations being dismantled because breadcrumbs of information linked a real person to their pseudonym(s).
An interesting case study is the recent takedown of the Alphabay admin Alexandre Cazes aka Admin02. The admin of one of the largest darknet marketplaces was arrested in a joint operation led by Interpol, the FBI, the NCA and other law enforcement agencies to take down marketplaces.
LEA agents were able to piece together information on their target from small OPSEC mistakes. For example, early welcome emails from the site admin email@example.com included information about Cazes, including his year of birth and details that could be used to identify his nationality. He also cashed out using a bitcoin account tied to his name; that, along with his bank account, is amongst the OPSEC sins he committed and ultimately what led to his arrest.
The reality is that an attacker exploiting weaknesses in OPSEC is akin to a death by a thousand cuts. It’s not one “breadcrumb” of information that causes the damage; it’s the accumulated data over time that delivers the killer blow for the attacker. Being constantly aware of information you are sharing with individuals, third parties, online entities, and employers, not to mention the extent this exposes you, is vitally important if you want to stay safe in today’s constant information battle.
Reducing exposure through performing OPSEC
The premise of this article might seem a little extreme for the average person who has nothing to hide. However, whether you work in IT, DevOps, infosec, or leadership, protecting your own as well as your company's critical assets is vitally important. Here are the top 3 things you can do right now to dramatically improve your OPSEC:
- Think before you share
As highlighted earlier, it’s the aggregation of information that can be gathered on a target that poses the greater threat. A common example is developer profiles on sites like Github. They are a goldmine of information for attackers, and they usually provide an idea of development styles and any bugs that could be replicated in corporate environments – not to mention lovely profile pictures!
Before you post comments or share content on support forums, social media etc., think: does this give an attacker any information they could use to build (or further build) a profile on you or your company?
- Create compartments
Building upon the message of “don’t use the same password across accounts”, you want to make it difficult for an attacker to learn everything about you. Just as people reuse passwords (or variations of), the same can be said for usernames and email addresses.
Limit the exposure of the information about you, make email addresses almost random, and assign each a specific use. For example, one for finance or sensitive information, one for social media, one for general use.
Further, enhance the protection by using a password manager to generate strong passphrases for each, ensuring every account/online service has a unique password. Finally, for extra protection, it is highly recommended that you enable 2FA for everything (https://twofactorauth.org).
- Perform personal risk assessments
Just as organisations regularly perform risk assessments or business impact assessments to understand exposure to certain threat scenarios, it is just as important to perform a personal risk assessment on oneself on a fairly regular basis.
However, rather than looking at external threat vectors, this risk assessment should focus on the most important information you want to prevent being stolen, compromised, exposed etc. Questions to ask yourself include:
- What is this information?
- What form is this information in?
- Do I know exactly where it all is?
- If not, how quickly can I find it all?
- Is it stored with a third party?
- Can I accept the risk if they get breached?
- Is my data encrypted? Is it secure?
- Who knows about my sensitive data?
- Who has access?
- Who has accessed it?
- What is the impact if the data is publicly disclosed/stolen? Can I accept the risk?
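As an added illustration of the "create compartments" step above (example code written for this post, not part of the original article), the following Python script audits a constructed account inventory of the kind you could export from a password manager. It flags the reuse the article warns about: any password shared between two services, and any email address or username that leaks across compartments (finance, social, general, work). It then generates a fresh random passphrase for each account that needs rotating and reports how much entropy the passphrase carries. The inventory, the compartment names and the tiny word list are all made up for the example; a real generator would draw from a large list such as the EFF diceware list.

```python
"""Account-compartment audit (added example, not from the original article)."""
import math
import secrets
from collections import defaultdict

# Constructed sample inventory; every value here is illustrative only.
INVENTORY = [
    {"compartment": "finance", "service": "bank",    "email": "fin-7x2q@example.com", "username": "fin-7x2q", "password": "correct-horse-battery-staple"},
    {"compartment": "social",  "service": "twitter", "email": "jsmith@example.com",   "username": "jsmith",   "password": "Summer2017!"},
    {"compartment": "social",  "service": "forum",   "email": "jsmith@example.com",   "username": "jsmith",   "password": "Summer2017!"},
    {"compartment": "general", "service": "shop",    "email": "jsmith@example.com",   "username": "jsmith88", "password": "Summer2017!"},
    {"compartment": "work",    "service": "github",  "email": "jsmith@example.com",   "username": "jsmith",   "password": "hunter2"},
]

# Deliberately tiny constructed word list (16 words = 4 bits per word).
WORDS = ["anchor", "basil", "cobalt", "delta", "ember", "falcon", "granite", "harbor",
         "iris", "juniper", "kestrel", "lumen", "marble", "nimbus", "orchid", "pepper"]


def find_reuse(inventory, field, group_by):
    """Map each value of `field` to the sorted list of `group_by` keys it appears
    under, keeping only values that appear under more than one key."""
    by_value = defaultdict(set)
    for acct in inventory:
        by_value[acct[field]].add(acct[group_by])
    return {v: sorted(keys) for v, keys in by_value.items() if len(keys) > 1}


def audit(inventory):
    """Passwords must be unique per service; emails and usernames may be shared
    inside a compartment but must not cross compartment boundaries."""
    return {
        "password": find_reuse(inventory, "password", "service"),
        "email": find_reuse(inventory, "email", "compartment"),
        "username": find_reuse(inventory, "username", "compartment"),
    }


def accounts_needing_rotation(inventory):
    """Services whose password is shared with at least one other service."""
    shared = audit(inventory)["password"]
    return sorted(a["service"] for a in inventory if a["password"] in shared)


def passphrase(words=WORDS, n=6):
    """Build an n-word passphrase with the CSPRNG in `secrets`, never `random`."""
    return "-".join(secrets.choice(words) for _ in range(n))


def entropy_bits(words, n):
    """Entropy of an n-word passphrase drawn uniformly from `words`."""
    return n * math.log2(len(words))


if __name__ == "__main__":
    for field, reuse in audit(INVENTORY).items():
        for value, where in reuse.items():
            print(f"{field} {value!r} reused across {where}")
    print(f"passphrases from this word list carry {entropy_bits(WORDS, 6):.1f} bits")
    for svc in accounts_needing_rotation(INVENTORY):
        print(f"rotate {svc}: suggested passphrase {passphrase()}")
```

Running the script against the constructed inventory reports the password shared by twitter, forum and shop, the single email address tied to three compartments, and the username that links the social and work compartments together. The entropy figure is the practical check on the passphrase advice: six words from a 16-word list give only 24 bits, whereas six words from a 7776-word diceware list give roughly 77 bits.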
By performing the aforementioned three steps, you can greatly improve your operational security by protecting the information most critical to you, vastly reducing not only the risk of personal exposure but also the risk of being a weak link in the wider company operational security chain.
About the Author: From a background of threat intelligence, social engineering, and incident response, Stuart Pecks is the Director of Cyber Security Strategy for ZeroDayLab. Stuart regularly delivers threat briefings to FTSE-level executives and directors throughout the UK and Europe. Passionate about educating organizations on the latest attacker trends facing business today and how to combat them, Stuart’s key areas of expertise include: the dark web, social engineering, malware and ransomware analysis & trends, threat hunting, OSINT, HUMINT and attacker recon techniques.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.