The jokes write themselves
Corporate IT managers ought to pick up tricks from spies and place Operations Security (OPSEC) at the heart of their security policies and practices, cyber intelligence outfit Digital Shadows argues.
Operations Security (OPSEC) is a term originating in the military, which refers to the tactics used to protect privacy and anonymity.
Throughout history OPSEC has been a key tactic used by commercial and military organisations to protect privacy and anonymity.
Criminals also use OPSEC as a means to an end – avoiding detection, maintaining availability of their attack infrastructure, and retaining access to environments they have compromised.
Defenders can learn from the tools and techniques that cybercriminals and other adversaries use to conceal their identities, forensic trails, sale of stolen data and other incriminating evidence.
A new white paper from Digital Shadows, titled The OPSEC Opportunity: Understand Adversary OPSEC To Improve Your Security Program, looks at how commercial organisations can use OPSEC to better protect themselves from hackers and other adversaries by getting a better handle on how cyber criminals use OPSEC to try to keep off the radar of law enforcement authorities.
By thinking like an attacker and understanding OPSEC practices, defenders can make life much more difficult for potential attackers by minimising exposure and data leaks, Digital Shadows argues:
As a defender you can capitalise on weak attacker OPSEC to gain insight into the people, process and technology leveraged by your adversaries. With a strong OPSEC program that is able to evolve with a changing environment you can build a flexible and resilient cyber security program.
Lapses in OPSEC can have significant implications for defenders and attackers alike.
All too often organisations unknowingly expose confidential information that significantly increases risks.
In some cases organisations leak details that are used to fuel social engineering attacks against their staff and, in other cases, sensitive documents are publicly exposed and put their brand at risk.
The research looks at the camouflage that adversaries build into their OPSEC measures, such as Tor, VPNs and money laundering with Bitcoin "tumbling".
It also spotlights the slip-ups in the use of these tools, and the human behaviour, that ultimately sabotage hackers' privacy.
For example, Dridex botnet operator Andrey Ghinkul associated his nickname – “Smilex” – with his real name, providing law enforcement a valuable clue in their investigation. People failing to keep their personal life and activities as a threat actor separate is a common OPSEC mistake among criminals, according to Digital Shadows.
Other slip-ups can involve failing to use Tor to access sensitive resources, leaving tell-tale IP logs behind in the process – a mistake that undid LulzSec's Hector Xavier Monsegur (AKA Sabu).
OPSEC practices are applied by journalists and activists as well as by criminals and spies. Learning cyber spycraft can help defenders learn how to better protect their own organisation's sensitive data, according to Rick Holland, VP of Strategy at Digital Shadows.
"OPSEC awareness should be a foundational component of an organisation's cyber risk programme," Holland told El Reg. "Enterprises should know what they are trying to protect and prioritise it.
Find out what credentials are getting leaked out there in order to apply controls.”
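One concrete form of "find out what credentials are getting leaked" is to triage a public credential dump for accounts in your own domains and hand the result to the password-reset and MFA-enforcement process. The script below is an added illustration, not code from the Digital Shadows white paper: the dump lines and the monitored domains are constructed, and the leaked secrets are reduced to a truncated SHA-256 fingerprint so that the triage output never carries a plaintext password while still exposing password reuse across accounts.

```python
"""Triage a credential dump for accounts belonging to monitored domains.

Added example (not part of the original article). The dump text and the
domain list are constructed assumptions; a real run would read a file.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of the "email<sep>password" lines seen in public dumps.
SAMPLE_DUMP = """\
alice@example.com:Summer2016!
bob@EXAMPLE.com;hunter2
carol@other.org:password1
dave@example.com:Summer2016!
malformed line without a separator
eve@corp.example.co.uk:Welcome1
"""

# Assumed: the domains this organisation owns and wants alerts for.
MONITORED_DOMAINS = {"example.com", "corp.example.co.uk"}

# email, then one of ':' ';' ',' as separator, then the secret (kept verbatim).
LINE_RE = re.compile(r"^\s*([^\s:;,]+@[^\s:;,]+)\s*[:;,]\s*(.+?)\s*$")


@dataclass(frozen=True)
class LeakedAccount:
    email: str
    password_fingerprint: str  # truncated SHA-256 of the secret, never the secret


def fingerprint(secret: str) -> str:
    """Short, non-reversible handle for a leaked secret, used only to spot reuse."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Return (email, secret) pairs; lines that do not fit the format are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def triage(text: str, domains=MONITORED_DOMAINS) -> List[LeakedAccount]:
    """Accounts in monitored domains, de-duplicated and sorted by address."""
    seen = set()
    hits = []
    for email, secret in parse_dump(text):
        domain = email.rsplit("@", 1)[1]
        if domain not in domains:
            continue
        acct = LeakedAccount(email, fingerprint(secret))
        if acct not in seen:
            seen.add(acct)
            hits.append(acct)
    return sorted(hits, key=lambda a: a.email)


def shared_passwords(hits: List[LeakedAccount]) -> Dict[str, List[str]]:
    """Fingerprints used by more than one account: a reuse / spraying risk."""
    by_fp: Dict[str, List[str]] = {}
    for acct in hits:
        by_fp.setdefault(acct.password_fingerprint, []).append(acct.email)
    return {fp: sorted(emails) for fp, emails in by_fp.items() if len(emails) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_DUMP)
    print(f"{len(found)} monitored accounts appear in the dump; force a reset for:")
    for acct in found:
        print(f"  {acct.email}  (fp={acct.password_fingerprint})")
    for fp, emails in shared_passwords(found).items():
        print(f"password reuse across {emails} (fp={fp})")
```

The output is the list of accounts to push through a forced reset, plus any fingerprint shared by several accounts, which is the case worth escalating because one leaked secret then opens more than one door. Addresses are lower-cased before matching so that a dump's inconsistent casing does not hide a hit, and entries outside the monitored domains are ignored rather than stored.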
OPSEC for cyber-defenders flow chart [Source: Digital Shadows white paper]
OPSEC, well executed, denies adversaries information that could be used to do harm to an organisation or individual. "Good OPSEC can also defend against social engineering threats.
For example, if the chief exec is travelling, make sure that info is not public," Holland added.
Holland stressed that even well-run OPSEC programs have their limits when faced with the most skilled or well-resourced organisations, such as Western spy agencies.
"If the government wants to get you, it doesn't matter what you do, they will get in, but you can protect against opportunistic criminals or hacktivists," he concluded. ®