Introduction
We covered OPSEC which is a US military framework that can be used in the context of cyber security and red team operations. OPSEC consists of four steps, namely: identifying the critical information that need to be protected, threat analysis, vulnerability analysis, risk assessment and lastly creating countermeasures. This was part of the Red Team Pathway.
As a red team member, your potential adversaries are the blue team and third parties. The blue team is considered an adversary as we are attacking the systems they are hired to monitor and defend. Red vs. blue team exercises are common to help an organization understand what threats exist in a given environment and better prepare their blue team if a real malicious attack occurs. As red teamers, even though we are abiding by the law and authorized to attack systems within a defined scope, it does not change the fact that we are acting against the blue team’s objectives and trying to circumvent their security controls. The blue team wants to protect their systems, while we want to penetrate them.
Denying any potential adversary the ability to gather information about our capabilities and intentions is critical to maintaining OPSEC. OPSEC is a process to identify, control and protect any information related to the planning and execution of our activities. Frameworks such as Lockheed Martin’s Cyber Kill Chain and MITRE ATT&CK help defenders identify the objectives an adversary is trying to accomplish. MITRE ATT&CK is arguably at the forefront of reporting and classifying adversary tactics, techniques, and procedures (TTPs) and offers a publicly accessible knowledge base as publicly available threat intelligence and incident reporting as its primary data source.
The OPSEC process has five steps:
- Identify critical information
- Analyse threats
- Analyse vulnerabilities
- Assess risks
- Apply appropriate countermeasures
If the adversary discovers that you are scanning their network with Nmap (the blue team in our case), they should easily be able to discover the IP address used. For instance, if you use this same IP address to host a phishing site, it won’t be very difficult for the blue team to connect the two events and attribute them to the same actor.
OPSEC is not a solution or a set of rules; OPSEC is a five-step process to deny adversaries from gaining access to any critical information . We will dive into each step and see how we can improve OPSEC as part of our red team operations.
Challenge Answers
Click on View Site and follow through till you get the flag.
(Please note that some browser extensions, such as NoScript, might prevent the site from loading correctly.)
One of the red team members posts a photo of his cat every day. Would this be considered an OPSEC vulnerability? (Y/N)
Your red team went for dinner, took a photo, and tagged every team member on a popular social media platform. Would you consider this an OPSEC vulnerability? (Y/N)
Your red team posts on its website a list of clients you regularly conduct red team exercises with. Would you consider this an OPSEC vulnerability? (Y/N)
One of your red team members posted a photo of her morning coffee. Would you consider this an OPSEC vulnerability? (Y/N)
