OPSEC Obsessed: Making good OPSEC decisions (@JakeKamieniak) - PowerPoint PPT Presentation



SLIDE 1

OPSEC Obsessed

Making good OPSEC decisions

SLIDE 2

@JakeKamieniak

{
  'description': 'Cybersecurity Researcher, jack of all Trades',
  'current_role': { 'job': 'Red Team', 'company': 'GE' },
  'prior_experience': [ 'pentester', 'OT & ICS Vuln Research', 'Vuln Management Manager' ]
}

SLIDE 3

SLIDE 4

SLIDE 5

“OPSEC is a process”

~ the Army, specifically AR 530-1

SLIDE 6

In concise terms, the OPSEC process identifies the critical information of military plans, operations, and supporting activities and the indicators that can reveal it, and then develops measures to eliminate, reduce, or conceal those indicators. It also determines when that information may cease to be critical in the lifespan of an organization’s specific operation. Critical information is information that is vital to a mission that if an adversary obtains it, correctly analyzes it, and acts upon it; the compromise of this information could prevent or seriously degrade mission success.

More excerpts from AR 530-1

SLIDE 7

Adversary Simulation OPSEC Scale (from Less OPSEC to More OPSEC)

Less OPSEC

  • Notification of assessment
  • TTPs selected collaboratively
  • Help Blue find you

Pros

  • Strategically validate defenses
  • Allows for more voices in planning

Cons

  • Less realistic assessment of defense
  • Miss out-of-scope issues

More OPSEC

  • No notification of assessment
  • TTPs purposefully evade detection
  • Make Blue find you

Pros

  • Pursue an objective more thoroughly
  • More realistic adversary for Blue team

Cons

  • Be a distraction from the real bad guys
  • Cause unplanned work
SLIDE 8

Heard any of these before?

  • “I won't tell you the TTPs we are using”
  • “I won't tell you how I’m bypassing X, at this time”
  • “I won't tell you what our current target is”
  • “I won’t tell you if that activity was us”

All decisions present a tradeoff. Immediate disclosure may not be the best option.

SLIDE 9

Vulnerabilities

Cost vs Value

  • Red Team vs Scans
  • Objective of the test

Risk vs Reward

  • It is a Vulnerability!
  • Ask: criticality of the vuln and asset?
  • Test beyond the vuln

Consequences

  • Issue gets fixed
  • Hard to test beyond
  • Other occurrences?
  • Detections?

SLIDE 10

SLIDE 11

TTPs

Cost vs Value

  • Value to Detections?
  • R&D is Time is $$$

Risk vs Reward

  • Bad guys could be using same TTPs
  • RT needs capabilities to assess impact

Consequences

  • TTP is burned
  • Detection for TTP
  • General Detection?
  • RT R&D time needed

SLIDE 12

SLIDE 13

Method and Location of Access

Cost vs Value

  • R&D is Time is $$$
  • Exploitation is hard
  • Value of blocking?

Risk vs Reward

  • Company vulnerable to method
  • Testing C2, Exfil
  • Testing detection & response

Consequences

  • Access is burned
  • Response behavior may change
  • RT R&D time needed

SLIDE 14

SLIDE 15

Proactively evaluate the way OPSEC decisions will impact your strategy.

SLIDE 16

Prepare our company for the inevitable breach by:

  • 1. Realistically simulating an APT to spar with Blue

AND

  • 2. Demonstrating what, where, and how the company is most vulnerable to catastrophic damage.

Note: These are my words, not our team director's, nor a published / official strategy.

SLIDE 17

It doesn’t matter what color of teaming you are doing... your strategies should be working in concert.

SLIDE 18

The Army’s model

  • a. Identification of critical information.
  • b. Analysis of threats.
  • c. Analysis of vulnerabilities.
  • d. Assessment of risk.
  • e. Application of OPSEC measures.

“the compromise of this information could prevent or seriously degrade mission success.”

SLIDE 19

More Impact through OPSEC

  • Consider the ratio of Value to Work
  • Disclosures mean more R&D and less Actions on Objectives
  • Red is part of a defensive mission
  • Plan Ahead
SLIDE 20

Reputation and Trust

  • Reputation is your most valuable asset
  • Transparency and Secrecy need not be enemies
  • Trust Blue, but reinforce proper behavior
  • Be Trustworthy
SLIDE 21

Consider people’s feelings. Cultivate a positive reputation. Communicate early and often.

SLIDE 22

Fun projects you can complete at home!

  • 1. Talk with your team about OPSEC
  • 2. List and review your OPSEC decisions
  • 3. Establish guidelines and discuss with stakeholders
  • 4. Build a strong reputation of trustworthiness
  • 5. Explain the “no.” Be transparent by ensuring peers understand why

Rules for OPSEC should enable strategy.

SLIDE 23

Exercise 1: Make something like this:

Critical Information | Risks | Controls
TTPs | 1. Delay of testing if blocked; 2. Distraction from Technique and Tactic level | 1. Generally not disclosed to Blue; 2. Get manager approval to share
Red Team Report | 1. Valuable to Insider Threats; 2. Reputational damage to customer | 1. Only share through proper channels; 2. Use encrypted email to discuss details
etc | etc | etc

SLIDE 24

Exercise 2: Write out guidelines & discuss them.

OPSEC Guidelines Example:

  • 1. Red Team will not share the engagement objective with Blue Team until the engagement is completed.
  • 2. Specific command syntax will generally not be shared with the Blue Team.
  • 3. Red and Blue teams will perform a Hotwash before a Final Report is issued. During this meeting, Blue Team will identify what activity they believed was Red Team. Red Team will share the objective and the Techniques and Tactics, but not the targets or specific command syntax.
  • 4. After an engagement is completed, and after the Hotwash, technical details including targets and domains used will be shared with Defenders.
  • 5. Please don’t ask red team members “Is this Red Team?”; instead, follow an established Attribution process.
  • 6. If either Red Team or Blue Team is unsure about what to share, ask your manager first. It’s not rude to say “I think I can/can’t get you that information, but I have to ask”.

SLIDE 25

SLIDE 26

Q&A

SLIDE 27

Credits and Citations

Pictures:

  • Iceberg: Image by Kevin O'Leary from Pixabay
  • Burglar: Image by Steffen Salow from Pixabay
  • Boy Fishing: Image by Lorri Lang from Pixabay
  • https://pixabay.com/service/license/

Screenshots and Tweets:

  • Urbandictionary OPSEC definition - https://www.urbandictionary.com/define.php?term=opsec
  • https://twitter.com/thegrugq/status/697142286228951040
  • https://twitter.com/MrBlackCipher/status/1219087323192754182

Documents:

  • AR 530-1: https://fas.org/irp/doddir/army/ar530-1.pdf