“Silence Means Security”
-- WWII Military Phrase
OPSEC in Cyberspace
In our last article, we discussed how disciplines like psychology and behavior-profiling can help us to better understand the adversary at the end of the keyboard. Now we are going to extend similar disciplines to ourselves as intel analysts. Operating in an "under cover" fashion online requires us to remain self-aware and secure in our tradecraft at all times. In other words, we must practice good Operations Security — also known as OPSEC.
What is OPSEC?
In the online world, your information is everywhere. A simple Google search can prove that quite easily. If you work on an intel team and are involved with operations that may disrupt malicious actors, you need to protect yourself before, during, and after your operations are complete. OPSEC enables this protection and in many ways, it is similar to having a team that views your operations from an adversarial perspective. Simply put, OPSEC prepares you for expected counterintelligence against your intelligence (or counterintelligence) operation.
OPSEC is also a necessary practice for all businesses and organizations seeking to protect their stakeholders' information, as well as their own. OPSEC is not just a process for process's sake, it is an information-protection mindset rooted in the assumption that there will always be adversaries trying to collect your sensitive information. This mindset requires practice and habits. After all, we're only human. We're bound to make mistakes every now and then. The OPSEC mindset helps to minimize those mistakes and, over time, enable you to become more cognizant of the seemingly-little things that can have a big impact on safeguarding your information and reducing risk.
OPSEC is countermeasure-driven and poses five major questions:
1) What type of information needs protecting?
2) Who are your adversaries, and what do they want from you?
3) What are your vulnerabilities?
4) Is your information, operation, or people at risk?
5) What protective countermeasures should you take?
The OPSEC Life Cycle
The questions above are aligned to a five-step security process designed to help you identify, assess, and apply OPSEC requirements for your online intelligence missions.
Identifying Critical Information and Activity Indicators
This process identifies information pertaining to your online operations that could cause a mission failure if compromised. Essentially, these are the crown jewels, and they need to be protected. Regardless of whether this information exists in classified or unclassified environments, managing it safely is imperative. Indeed, establishing a Critical Information List (CIL) enables us to manage it safely. The CIL is a living document and should never be considered absolute or complete. Once we identify our CIL, it provides us with an understanding of our current and future capabilities, plans, and even our limitations -- all of which need to be protected.
The following examples demonstrate some areas of critical information that may require protection:
- Development and Planning
- Source Code
- Operational Planning Documents
- Network and Infrastructure
- Asset Management
- Source Recruitment
- Operational Org Information
- Personnel Schedules and Contact Information
- Support Resource Management
- Tradecraft Training and Briefing Information
- Prioritized Intelligence Requirements
- Collection Requirements
- Operational Budget Planning
- Auditing Records
- Resource Alignment
- Critical Skills (or gaps thereof)
- Workflow and Processes
- Incoming Peripheral Intelligence
- Actor Engagements
- Operation Plans
- Specialized Training
- Physical Aspects
- Routes of Travel
- Travel Engagements (Conferences, Dinners, Meetings)
- Media Devices (Laptops, phones, drives)
- Covert Physical Locations
- Tools and techniques
- Online Credentials
- Obfuscation and Anonymity Methods/Tactics
- Online Targeting and Reconnaissance Techniques
A CIL could look as simple as this:
Analyzing Threats and Understanding Your Adversaries
Conducting a threat assessment is crucial for protecting your critical information and indicators. Doing so allows us to subsequently develop appropriate security measures to protect the critical information we have identified. However, threat assessments are useless unless we know what we need to protect. But when planned and executed properly, threat assessments can reveal the following:
● Potential adversaries
● Adversarial capabilities and limitations
● Adversarial intent and motivations
● Opportunities to collect and use critical information and indicators for adversarial gain
If we can identify critical information early, such as in the operational requirements stage, threat assessments can provide meaningful results. Rooted in counterintelligence, threat assessments are performed by analyzing the operation through an adversarial lens. Essentially, one must think like the fox to guard the hen house.
Typically, the adversary will target at least one of four main areas to prevent our operational success:
● Security Procedures
Threat assessments can enable us to determine what potential adversaries want to know about our information, as well as the actors, secrets, and opportunities that they may exploit to get it.
Assessing Vulnerabilities to Minimize Opportunity
Vulnerability Analysis is done to reveal where or what an adversary might exploit as a means of gaining critical information. The online world is one domain and exploitable vulnerabilities are not limited to technical security devices such as VPNs and firewalls. Today, the most commonly exploited attack vectors are elicitation and pretext. These vulnerabilities are inherent to human nature and often hide within our habits, egos, beliefs, trust mechanisms, and active indicators.
Some common vulnerabilities include:
● Lack of Awareness
● Social Media
● Images/Geo Location/IMINT/SIGINT Indicators
● Social Engineering
● Data Aggregation
● Poor Policy Enforcement
● Unsecure Communications
● Predictable Actions and Patterns
The "see something, say something" model is usually a common vulnerability exercise within organizations to discover vulnerabilities, such as phishing emails and attempted suspicious social media requests. Finding vulnerabilities is an ongoing process and requires collective awareness across all parties involved.
Assessing Risk to Measure Impact
Risk is a measure of the potential inability to achieve overall operational objectives within defined cost, schedule, and technical constraints. It has two components: (1) the likelihood of failing to achieve a particular outcome, and (2) the consequences of failing to achieve that outcome.
Typically, an OPSEC risk assessment will weigh a threat's potential impact on an operation in the event that an identified vulnerability (or several) were to be exploited. Such an impact also depends on the likelihood that an adversary will exploit such a vulnerability. Do they possess the intent, opportunity, and capability required to do so? Conducting a risk assessment enables us to understand the potential impact and likelihood of exploitation so that we can then apply appropriate countermeasures. As you can see, the threat analysis and vulnerability analysis processes can help us calculate our operational risks more accurately and efficiently.
Everything has risks, and they are typically not avoided; risks are managed. As such, this risk assessment process should be encompassed by an existing risk management process that includes:
- Planning for risks
- Strategy and methods for managing risk
- Identifying critical information and indicators
- Risk Assessment
- Identification of risk areas
- Analysis of risk areas
- Risk Handling
- Applying countermeasures
- Risk mitigation
- Risk Monitoring
- Threat assessments
- Vulnerability assessments
- Continuous feedback
- Risk Management Documentation
To conduct a risk assessment successfully, we must perform both risk identification and risk analysis. Risk identification is the process of examining risk areas in the operation's people, processes, resources, and technologies in order to identify and document the associated risk. Risk analysis is the process of examining each identified risk area to determine the effects of the risk, define the risk itself, and determine how to control or isolate the cause of the risk. This typically involves a risk matrix that rates and prioritizes risks based on their likelihood of occurrence, severity of impact, and relationship to other risk areas.
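As an added example (not from the original article), the following Python script carries a small Critical Information List, of the kind the CIL section above describes, through a likelihood-by-impact risk matrix and produces a prioritized risk register. Every item, scale, threshold, countermeasure and the "inherit the score of a related item" rule is constructed for illustration; the categories are taken from the article's CIL areas.

```python
"""
Added example: a minimal Critical Information List (CIL) scored on a
likelihood x impact risk matrix and prioritized for countermeasures.
All items, scales and thresholds below are constructed, not the article's.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Five-point ordinal scales for the two risk components named in the text.
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3,
                              "likely": 4, "almost certain": 5}
IMPACT: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3,
                          "major": 4, "catastrophic": 5}

# Constructed bands on the 1..25 product; adjust to your own matrix.
RATING_BANDS: List[Tuple[int, str]] = [(15, "critical"), (8, "high"),
                                       (4, "medium"), (0, "low")]


@dataclass
class CILItem:
    name: str
    category: str          # one of the CIL areas listed in the article
    likelihood: str        # key of LIKELIHOOD
    impact: str            # key of IMPACT
    countermeasures: List[str] = field(default_factory=list)
    related_to: List[str] = field(default_factory=list)  # names of other items

    def own_score(self) -> int:
        """Likelihood x impact on the matrix (1..25)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    for floor, label in RATING_BANDS:
        if score >= floor:
            return label
    return "low"


def effective_score(item: CILItem, cil: List[CILItem]) -> int:
    """Own score, raised to that of any related item: an indicator that leads
    an adversary to a more critical item is treated as at least as sensitive
    as that item (a constructed rule for this example)."""
    by_name = {i.name: i for i in cil}
    related = [by_name[n].own_score() for n in item.related_to if n in by_name]
    return max([item.own_score()] + related)


def prioritize(cil: List[CILItem]) -> List[Tuple[str, int, str]]:
    """Risk register rows (name, effective score, rating), highest risk first."""
    rows = []
    for item in cil:
        score = effective_score(item, cil)
        rows.append((item.name, score, rating(score)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def missing_countermeasures(cil: List[CILItem], at_least: str = "high") -> List[str]:
    """Items rated at or above `at_least` that have no countermeasure yet."""
    order = [label for _, label in RATING_BANDS]          # critical .. low
    allowed = order[: order.index(at_least) + 1]
    return [i.name for i in cil
            if rating(effective_score(i, cil)) in allowed and not i.countermeasures]


# Constructed sample CIL.
SAMPLE_CIL: List[CILItem] = [
    CILItem("Online persona credentials", "Tools and techniques",
            "likely", "catastrophic",
            ["password manager", "per-persona VM", "multi-factor auth"]),
    CILItem("Conference travel schedule", "Physical Aspects",
            "possible", "major", ["share on a need-to-know basis only"]),
    CILItem("Personnel contact information", "Operational Org Information",
            "likely", "minor", related_to=["Conference travel schedule"]),
    CILItem("Operational budget planning", "Operational Org Information",
            "unlikely", "moderate", ["access-controlled document store"]),
    CILItem("Team lunch venue", "Physical Aspects", "possible", "negligible"),
]

if __name__ == "__main__":
    for name, score, label in prioritize(SAMPLE_CIL):
        print(f"{label:8} {score:2}  {name}")
    print("needs countermeasures:", missing_countermeasures(SAMPLE_CIL))
```

The register puts the persona credentials first (likely x catastrophic = 20, critical) and lifts the contact-information item from its own score of 8 to 12 because it is an indicator for the travel schedule; `missing_countermeasures` then lists the high-or-worse items that still have nothing assigned, which is the natural input to the countermeasures step later in the article.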
Applying Countermeasures to Manage Risks
After we have identified critical information and assessed threats, vulnerabilities, and risks, we can start employing OPSEC countermeasures. Such countermeasures will serve to mitigate an adversary's ability to exploit our operation's people, processes, and technologies to gain critical information. While countermeasures are meant to enhance operational resiliency and reliability, they are also designed to deter, deny, disrupt, and/or influence an adversary's perception and situational awareness. Some countermeasures include misinformation and deceptive interpretations designed to degrade an adversary's collection ability against operational information. All countermeasures should endure cost-benefit-effectiveness analysis and all implementations should consider the following:
- What is the benefit or the effect of the countermeasure on reducing risk to an operation and its assets?
- What is the cost of the countermeasure?
- Effective Duration
- Adverse impact
- Will the countermeasure create another exploitable vulnerability indicator?
- Cause and Effect Analysis
For intel analysts who scour the deep and dark web regularly, OPSEC countermeasures are a must! Indeed, these types of analysts' daily activities may include handling malware and exploits, adversary engagements, browsing hostile forums and sites, and communicating over adversary-owned infrastructure. Examples of basic countermeasures would include layered non-attributable supporting infrastructure such as:
- Virtual Machines
- File System Encryption
- Segregated Networks
One simple use case for a countermeasure application pertains to critical information handling, which typically entails compartmentalizing and classifying sensitive information. Safeguarding the information, classifying its level of sensitivity, and determining how it should be handled are all vital components of operations like these. In many cases, information-sharing communities may support your efforts to obtain vital intelligence and/or share sensitive information with trusted members. Implementing a common protocol such as the Traffic Light Protocol (TLP) can help simplify and dictate the appropriate methods of handling unclassified-yet-sensitive information within a group.
TLP uses an intuitive coloring system to designate the extent to which information can be handled and shared safely. For example, if you were to send an email marked TLP:RED, you would capitalize the subject line and, if possible, also include the color marking as well as the word, just as I did above. As a result, the email's recipients would easily recognize the marking, understand that the information within the email is highly sensitive, and know that it should be shared only among those included on the email. Keep in mind that email is a cleartext protocol by default, so it is wise to add yet another OPSEC countermeasure: encryption. Especially when sending information marked TLP:RED, encrypting emails can effectively bolster the security of sensitive information and communications.
US-CERT Explanation of TLP
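As an added example (not from the original article), the following Python script marks an outgoing email subject the way the paragraph above describes and then checks, before the message leaves the analyst's mailbox, that the recipient list and the transport match the marking. The sharing circles follow the TLP colors as published by US-CERT (RED, AMBER, GREEN, WHITE); the addresses, domains and function names are constructed, "organization" is approximated by mail domain, and encryption is detected only as a PGP/MIME `multipart/encrypted` container, which is one common way, not the only way, to encrypt mail.

```python
"""
Added example: TLP-mark an outgoing email and check recipients and
transport against the marking before sending. Addresses, domains and
the domain-equals-organization rule are constructed assumptions.
"""
import re
from email.message import EmailMessage
from typing import Iterable, List, Optional

# TLP colours, most restrictive first, with the circle each permits.
TLP_SCOPE = {
    "RED": "recipients of the original message only",
    "AMBER": "recipients and those in their organizations who need to know",
    "GREEN": "the wider community, but not public channels",
    "WHITE": "no restriction",
}
TLP_RE = re.compile(r"^TLP:(RED|AMBER|GREEN|WHITE)\b", re.IGNORECASE)


def mark_subject(subject: str, colour: str) -> str:
    """Prefix the subject with the marking, capitalised as the article suggests."""
    colour = colour.upper()
    if colour not in TLP_SCOPE:
        raise ValueError(f"unknown TLP colour: {colour}")
    return f"TLP:{colour} {subject.upper()}"


def parse_marking(subject: str) -> Optional[str]:
    """Return the colour of a subject's TLP marking, or None if it has none."""
    m = TLP_RE.match(subject.strip())
    return m.group(1).upper() if m else None


def is_encrypted(msg: EmailMessage) -> bool:
    """PGP/MIME (RFC 3156) wraps the ciphertext in a multipart/encrypted part."""
    return msg.get_content_type() == "multipart/encrypted"


def check_outgoing(msg: EmailMessage, participants: Iterable[str]) -> List[str]:
    """OPSEC findings for an outgoing message; an empty list means it may go."""
    findings: List[str] = []
    colour = parse_marking(str(msg["Subject"] or ""))
    if colour is None:
        return ["subject carries no TLP marking"]
    people = {p.strip().lower() for p in participants}
    orgs = {p.split("@", 1)[1] for p in people}   # assumption: domain == organization
    recipients = [a.strip().lower()
                  for a in str(msg["To"] or "").split(",") if a.strip()]
    if colour == "RED":
        outsiders = [a for a in recipients if a not in people]
        if outsiders:
            findings.append(f"TLP:RED addressed outside the original participants: {outsiders}")
        if not is_encrypted(msg):
            findings.append("TLP:RED over cleartext email; encrypt before sending")
    elif colour == "AMBER":
        outsiders = [a for a in recipients if a.split("@", 1)[-1] not in orgs]
        if outsiders:
            findings.append(f"TLP:AMBER addressed outside participants' organizations: {outsiders}")
    # GREEN and WHITE carry no per-recipient restriction this check can verify.
    return findings


def build_message(subject: str, to: List[str], colour: str,
                  encrypted: bool = False) -> EmailMessage:
    """Constructed helper: a message with a marked subject and, optionally,
    a PGP/MIME envelope header standing in for real ciphertext."""
    msg = EmailMessage()
    msg["Subject"] = mark_subject(subject, colour)
    msg["To"] = ", ".join(to)
    if encrypted:
        msg["Content-Type"] = 'multipart/encrypted; protocol="application/pgp-encrypted"'
    else:
        msg.set_content("constructed report body")
    return msg


# Constructed sample: the people on the original TLP:RED thread.
PARTICIPANTS = ["alice@example-isac.test", "bob@example-vendor.test"]

if __name__ == "__main__":
    leaky = build_message("Q3 actor report",
                          ["bob@example-vendor.test", "carol@other.test"], "red")
    for finding in check_outgoing(leaky, PARTICIPANTS):
        print("BLOCK:", finding)
    safe = build_message("Q3 actor report", ["bob@example-vendor.test"], "red",
                         encrypted=True)
    print("OK" if not check_outgoing(safe, PARTICIPANTS) else "BLOCK")
```

Run as a script it flags the first message twice (a recipient who was not on the original thread, and a RED message in cleartext) and passes the second; wiring `check_outgoing` into a send hook turns the handling rule into something the mail client enforces rather than something each analyst has to remember.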
Above all else, it is crucial to recognize that OPSEC is vital to the success of all organizations' operations -- whether intelligence-oriented or not. OPSEC is the practice of mindfully understanding your adversary and yourself, and if practiced effectively, will foster habits that can help better protect your and your organization's operations and information.
The Black Hat and DEF CON conferences are perfect examples of when to apply OPSEC. These events facilitate environments where the likelihood that an adversary may gain useful information about an organization's employees is relatively high. After all, these are computer security conferences with 10,000+ attendees -- most of whom specialize in hacking, intelligence, and information security. Stay safe!