Introduction
We covered OPSEC, a US military framework that can be applied to cyber security and red team operations. OPSEC consists of five steps: identifying the critical information that needs to be protected, threat analysis, vulnerability analysis, risk assessment and, lastly, applying countermeasures. This was part of the Red Team Pathway.
As a red team member, your potential adversaries are the blue team and third parties. The blue team is considered an adversary as we are attacking the systems they are hired to monitor and defend. Red vs. blue team exercises are common to help an organization understand what threats exist in a given environment and better prepare their blue team if a real malicious attack occurs. As red teamers, even though we are abiding by the law and authorized to attack systems within a defined scope, it does not change the fact that we are acting against the blue team’s objectives and trying to circumvent their security controls. The blue team wants to protect their systems, while we want to penetrate them.
Denying any potential adversary the ability to gather information about our capabilities and intentions is critical to maintaining OPSEC. OPSEC is a process to identify, control and protect any information related to the planning and execution of our activities. Frameworks such as Lockheed Martin’s Cyber Kill Chain and MITRE ATT&CK help defenders identify the objectives an adversary is trying to accomplish. MITRE ATT&CK is arguably at the forefront of reporting and classifying adversary tactics, techniques, and procedures (TTPs); it offers a publicly accessible knowledge base that uses publicly available threat intelligence and incident reporting as its primary data source.
The OPSEC process has five steps:
- Identify critical information
- Analyse threats
- Analyse vulnerabilities
- Assess risks
- Apply appropriate countermeasures
If the adversary (the blue team in our case) discovers that you are scanning their network with Nmap, they can easily record the source IP address used. If you then use that same IP address to host a phishing site, it won’t be difficult for the blue team to connect the two events and attribute them to the same actor.
OPSEC is not a solution or a set of rules; OPSEC is a five-step process to deny adversaries access to any critical information. We will dive into each step and see how we can improve OPSEC as part of our red team operations.
Core Steps of the OpSec Framework
OpSec originated as a military framework and is a systematic process to deny potential adversaries information about capabilities and intentions. From a red team perspective, OpSec helps protect the integrity and success of an operation by hiding activities and tools from the blue team.
Here’s a breakdown of the key steps I covered:
- Identify Critical Information: information that, if known by the blue team, could compromise the red team’s mission. Examples include:
  - Tools and techniques I use (e.g., specific, less common browsers like Lynx).
  - Operating systems and hosting providers I use.
  - Domain names registered for phishing sites.
  - IP addresses of red team infrastructure.
  - Client information learned during an engagement (e.g., server IPs, usernames, passwords).
  - Indicators of Compromise (IOCs) such as file hashes, domain names, and OS fingerprints.
- Analyze Threats: this involves understanding:
  - The adversary: primarily the blue team, but also potentially malicious third parties.
  - The adversary’s goals: for the blue team, to detect and block my attack.
  - The adversary’s tactics, techniques, and procedures (TTPs): the tools and methods the blue team uses (e.g., SIEM software, firewalls, IDS).
  - Critical information the adversary might already have obtained: assessing what the blue team may already know about my activities.
- Analyze Vulnerabilities: weaknesses in my own procedures that could allow the adversary to obtain critical information and disrupt the operation. Examples:
  - Using the same IP address for multiple activities such as Nmap scanning, Metasploit exploitation, and hosting phishing pages. This allows the blue team to correlate the activities and block the IP.
  - Red team members publicly sharing information that links them together (e.g., tagging each other in photos on social media).
  - Storing harvested client data (such as usernames and passwords) in an unsecured database, exposing it to other attackers.
- Assess Risks: evaluating the likelihood of a vulnerability being exploited and the potential impact.
  - The risk level depends on factors such as the adversary’s detection capabilities (e.g., a well-configured IDS increases the risk) and how obvious my activities are.
  - For example, using the same IP for multiple attack phases against a target with a properly configured IDS is a high-risk scenario.
- Apply Countermeasures: actions taken to mitigate risks and protect critical information.
  - Preventing adversaries from detecting critical information.
  - Providing alternative interpretations of what the adversary observes (deception; honeypots are the defensive counterpart of this idea).
  - A key countermeasure for the shared-IP vulnerability is to use different IP addresses for different stages or types of attack activity.
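To make the shared-IP vulnerability (and the countermeasure of splitting infrastructure per phase) concrete, here is an added example of the correlation a blue team can run over its own logs. This code is not from the TryHackMe room or the original post; the IDS, web, mail and DNS log lines, the IP addresses and the phishing domain are all constructed for illustration, and the field names are assumptions about a simple `key=value` log format. It joins events on the source IP, resolving the phishing domain to an IP through the DNS log, and reports which IPs can be tied to more than one phase of the operation.

```python
"""Correlate red-team activity across log sources by shared source IP.

Added example, not part of the original post or of TryHackMe's material.
All log lines, IPs and domains below are constructed; the key=value layout
is an assumed format, not a real product's log schema.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Scenario A (the vulnerability): one IP reused for scanning, exploitation
# and the phishing site. Constructed sample lines from four sources.
LOGS_SHARED_IP = [
    "2024-03-01T08:02:11Z ids alert=PORTSCAN src=203.0.113.10 dst=10.0.0.5 ports=1000+",
    "2024-03-01T09:15:42Z web src=203.0.113.10 method=POST path=/api/login status=500",
    "2024-03-02T10:30:07Z mail from=hr@examp1e-corp.test url=http://examp1e-corp.test/reset",
    "2024-03-02T10:31:55Z dns query=examp1e-corp.test answer=203.0.113.10",
]

# Scenario B (the countermeasure): a separate IP for every phase.
LOGS_SEPARATED = [
    "2024-03-01T08:02:11Z ids alert=PORTSCAN src=203.0.113.10 dst=10.0.0.5 ports=1000+",
    "2024-03-01T09:15:42Z web src=198.51.100.22 method=POST path=/api/login status=500",
    "2024-03-02T10:30:07Z mail from=hr@examp1e-corp.test url=http://examp1e-corp.test/reset",
    "2024-03-02T10:31:55Z dns query=examp1e-corp.test answer=192.0.2.77",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\w+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> <source> k=v k=v ...' into a dict of fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(KV_RE.findall(m.group("rest")))
    fields["ts"] = m.group("ts")
    fields["source"] = m.group("source")
    return fields


def correlate(lines):
    """Return {ip: sorted phases} for every IP seen acting against the target.

    The DNS log lets the defender map the phishing domain in the mail log
    back to an IP, so the phishing phase is keyed on that resolved IP.
    """
    events = [parse_line(line) for line in lines]
    dns = {e["query"]: e["answer"] for e in events if e["source"] == "dns"}
    phases = defaultdict(set)
    for e in events:
        if e["source"] == "ids" and e.get("alert") == "PORTSCAN":
            phases[e["src"]].add("scan")
        elif e["source"] == "web":
            phases[e["src"]].add("exploit")
        elif e["source"] == "mail":
            host = urlparse(e["url"]).hostname
            ip = dns.get(host)
            if ip:
                phases[ip].add("phish")
    return {ip: sorted(p) for ip, p in phases.items()}


def linked_actors(lines, min_phases=2):
    """IPs the defender can tie to at least `min_phases` phases of the operation."""
    return {ip: p for ip, p in correlate(lines).items() if len(p) >= min_phases}


if __name__ == "__main__":
    print("shared IP   :", linked_actors(LOGS_SHARED_IP))
    print("separated   :", linked_actors(LOGS_SEPARATED))
```

With the shared IP the defender links scan, exploit and phish to 203.0.113.10 from three unrelated log sources; with separated infrastructure each IP shows only one phase and nothing joins them on this key alone. The lesson for the red team is the same as the room's: the join key the blue team uses is critical information, and the countermeasure is to deny them a common one.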
Practical Examples and Scenarios
Throughout the video, I went through several questions where I had to decide whether a given statement represented critical information, a threat, a vulnerability, a risk, or a countermeasure. These examples highlighted how seemingly innocuous actions or pieces of information can be critical in an OpSec context. For instance:
- Using a common browser like Firefox isn’t critical, but using a niche text-based browser like Lynx could be.
- Posting a photo of a cat is not an OpSec vulnerability, but posting a team photo tagging members is.
- The video emphasized that context is crucial. For example, the risk of using a single IP is higher if the target has sophisticated detection systems.
My aim throughout the video was to help viewers understand how to protect their operations and increase the chances of a successful engagement by applying each step of the OpSec framework.
TryHackMe Room Answers
Click on View Site and follow through till you get the flag.
(Please note that some browser extensions, such as NoScript, might prevent the site from loading correctly.)
One of the red team members posts a photo of his cat every day. Would this be considered an OPSEC vulnerability? (Y/N)
Your red team went for dinner, took a photo, and tagged every team member on a popular social media platform. Would you consider this an OPSEC vulnerability? (Y/N)
Your red team posts on its website a list of clients you regularly conduct red team exercises with. Would you consider this an OPSEC vulnerability? (Y/N)
One of your red team members posted a photo of her morning coffee. Would you consider this an OPSEC vulnerability? (Y/N)