OPSEC Obsessed Making good OPSEC decisions
@JakeKamieniak { ‘ description ’: ‘ Cybersecurity Researcher jack of all Trades ’, ‘ curent_role ’: { ‘job’: ‘ Red Team ’, ‘company’: ‘ GE ’ } ‘ prior_experience ’: [ ‘ pentester ’, ‘ OT & ICS Vuln Research ’, ‘ Vuln Management Manager ’, ] }
“OPSEC is a process” ~ the Army ~~specifically ar530-1
In concise terms, the OPSEC process identifies the critical information of military plans, operations, and supporting activities and the indicators that can reveal it, and then develops measures to eliminate, reduce, or conceal those indicators. It also determines when that information may cease to be critical in the lifespan of an organization’s specific operation. Critical information is information that is vital to a mission that if an adversary obtains it, correctly analyzes it, and acts upon it; the compromise of this information could prevent or seriously degrade mission success. More excerpts from ar530-1
Adversary Simulation OPSEC Scale Less OPSEC More OPSEC ● Notification of assessment ● No notification of assessment ● TTPs selected collaboratively ● TTPs purposefully evade detection ● Help Blue find you ● Make Blue find you Pros Pros ● Strategically validate defenses ● Pursue an objective more thoroughly ● Allows for more voices in planning ● More realistic adversary for Blue team Cons Cons ● Less realistic assessment of defense ● Be A Distraction from Real Bad ● Miss out-of-scope issues ● Cause unplanned work
Heard any of these before? ● “I won't tell you the TTPs we are using” ● “I won't tell you how I’m bypassing X, at this time” ● “I won't tell you what our current target is” ● “I won’t tell you if that activity was us” All decisions present a tradeoff. Immediate disclosure may not be the best option
Vulnerabilities Cost vs Value Risk vs Reward Consequences Red Team vs Scans It is a Vulnerability! Issue gets fixed Objective of the test Ask: criticality of the Hard to test beyond vuln and asset? Other occurrences? Test beyond the vuln Detections?
TTPs Cost vs Value Risk vs Reward Consequences Value to Detections? Bad guys could be TTP is burned R&D is Time is $$$ using same TTPs Detection for TTP RT needs capabilities General Detection? to assess impact RT R&D time needed
Method and Location of Access Cost vs Value Risk vs Reward Consequences R&D is Time is $$$ Company vulnerable Access is burned Exploitation is hard to method Response behavior Value of blocking? Testing C2, Exfil may change Testing detection RT R&D time needed & response
Proactively evaluate the way OPSEC decisions will impact your strategy.
Prepare our company for the inevitable breach by: 1. Realistically simulate an APT to spar with Blue AND 2. Demonstrating what, where, and how the company is most vulnerable to catastrophic damage. Note: There are my words, not our team directors, nor a published / official strategy.
It doesn’t matter what color of teaming you are doing…. your strategies should be working in concert
The Army’s model a. Identification of critical information. b. Analysis of threats. c. Analysis of vulnerabilities. d. Assessment of risk. e. Application of OPSEC measures. “the compromise of this information could prevent or seriously degrade mission success.”
More Impact through OPSEC ● Consider the ratio of Value to Work ● Disclosures mean more R&D and less Actions on Objectives ● Red is part of a defensive mission ● Plan Ahead
Reputation and Trust ● Reputation is your most valuable asset ● Transparency and Secrecy need not be enemies ● Trust Blue, but reinforce proper behavior ● Be Trustworthy
Consider people’s feelings. Cultivate a positive reputation. Communicate early and often.
Fun projects you can complete at home! 1. Talk with your team about OPSEC 2. List and review your OPSEC decisions 3. Establish guidelines and discuss with stakeholders 4. Build a strong reputation of trustworthiness 5. Explain the “no.” Be transparent by ensuring peers understand why Rules for OPSEC should enable strategy
Exercise 1: Make something like this: Critical Information Risks Controls TTPs 1. Delay of testing if blocked 1. Generally not disclosed to Blue 2. Distraction from Technique and 2. Get mngr approval to share Tactic level Red Team Report 1. Valuable to Insider Threats 1. Only share through proper 2. Reputational Dmg to customer channels 2. Use encrypted email to discuss details etc etc etc
Exercise 2: Write out guidelines & discuss them. OPSEC Guidelines Example: 1. Red Team will not share the engagement objective with Blue Team until the engagement is completed. 2. Specific command syntax will generally not be shared to the Blue Team. 3. Red and Blue teams will perform a Hotwash before a Final Report is issued. During this meeting, Blue Team will identify what activity they believed was Red Team. Red Team will share the objective, and the Techniques and Tactics, but not the targets, or specific command syntax. 4. After an engagement is completed, and after the Hotwash, Technical details including targets, and domains used will be shared with Defenders. 5. Please don’t ask red team members “Is this Red Team,” instead, follow an established Attribution process. 6. If either Red Team or Blue Team is unsure about what to share, ask your manager first. Its not rude to say “I think I can/can’t get you that information, but I have to ask”.
Q&A
Credits and Citations Pictures: ● Iceberg: Image by Kevin O'Leary from Pixabay Burglar: Image by Steffen Salow from Pixabay ● Boy Fishing: Image by Lorri Lang from Pixabay ● https://pixabay.com/service/license/ ● Screenshots and Tweets: Urbandictionary OPSEC definition - https://www.urbandictionary.com/define.php?term=opsec ● ● https://twitter.com/thegrugq/status/697142286228951040 https://twitter.com/MrBlackCipher/status/1219087323192754182 ● Documents: Ar530-1 https://fas.org/irp/doddir/army/ar530-1.pdf ●
Recommend
More recommend
