Reg comments5

Corporates can learn from criminals and spies. No, no, we're talking about OPSEC

The jokes write themselves

Q in James Bond

Corporate IT managers ought to pick up tricks from spies and place Operations Security (OPSEC) at the heart of their security policies and practices, cyber intelligence outfit Digital Shadows argues.

Operations Security (OPSEC) is a term originating in the military, which refers to the tactics that are used to protect privacy and anonymity.

OPSEC for cyber-defenders flow chart Source: Digital Shadows white paper

Throughout history OPSEC has been a key tactic used by commercial and military organisations to protect privacy and anonymity. Criminals also use OPSEC as a means to an end – avoiding detection, maintaining availability of their attack infrastructure, and retaining access to environments they have compromised.

Defenders can learn from the tools and techniques that cybercriminals and other adversaries use to conceal their identities, forensic trails, sale of stolen data and other incriminating evidence.

A new white-paper from Digital Shadows, titled The OPSEC Opportunity: Understand Adversary OPSEC To Improve Your Security Program, looks at how commercial organisations can use OPSEC to better protect themselves from hackers and other adversaries by getting a better handle on how cyber criminals use OPSEC to try and keep off the radar of law enforcement authorities.

By thinking like an attacker and understanding OPSEC practices, defenders can make life much more difficult for potential attackers by minimising exposure and data leaks, Digital Shadows argues:

As a defender you can capitalise on weak attacker OPSEC to gain insight into the people, process and technology leveraged by your adversaries. With a strong OPSEC program that is able to evolve with a changing environment you can build a flexible and resilient cyber security program.

Lapses in OPSEC can have significant implications for defenders and attackers alike. All too often organisations unknowingly expose confidential information that significantly increases risks. In some cases organisations leak details that are used to fuel social engineering attacks against their staff, and in other cases, sensitive documents are publicly exposed and put their brand at risk.

The research looks at the camouflage that adversaries build into their OPSEC measures such as Tor, VPNs and money laundering with Bitcoin “tumbling”. It also spotlights the slip-ups in the use of these tools and human behaviour that ultimately sabotages hackers’ privacy. For example, Dridex botnet operator Andrey Ghinkul associated his nickname – “Smilex” – with his real name, providing law enforcement a valuable clue in their investigation. People failing to keep their personal life and activities as a threat actor separate is a common OPSEC mistake among criminals, according to Digital Shadows.

Other slip-ups can involve failing to use Tor to access sensitive resources, leaving tell-tale IP logs behind in the process – a mistake that undid LulzSec’s Hector Xavier Monsegur (AKA Sabu).

OPSEC practices are applied by journalists and activists as well as used by criminals and spies. Learning cyber spycraft can help defenders learn how to better protect their own organisation’s sensitive data, according to Rick Holland, VP of Strategy at Digital Shadows.

“OPSEC awareness should be a foundational component of an organisation’s cyber risk programme,” Holland told El Reg. “Enterprises should know what they are trying to protect and prioritise it. Find out what credentials are getting leaked out there in order to apply controls.”

OPSEC, well executed, denies adversaries information that could be used to do harm to an organisation or individual. “Good OPSEC can also defend against social engineering threats. For example, if chief exec is travelling make sure that info is not public,” Holland added.

Holland stressed that even well-run OPSEC programs have their limits when faced against the most skilled or well-resourced organisations, such as Western spy agencies.

“If the government wants to get you it doesn’t matter what you do they will get in, but you can protect against opportunistic criminals or hacktivists,” he concluded. ®


Biting the hand that feeds IT © 1998–2017