Terms like “cyber-arms-race” and “cyber-war”—along with the establishment of a Cyber Command at the Pentagon—indicate just how much the virtual world has come to resemble the battle for physical security. For nation-states and enterprises alike, fighting the good fight now means defending against unseen, virtual assailants that can strike from afar, taking guerilla warfare to a whole new level.
According to Rick Holland, vice president of strategy at Digital Shadows and a former Forrester Research analyst, another classic military aspect has been ported to the cyber-realm: Operations security, or OpSec.
It could just as well stand for "operational secrecy"; the premise is simply to deny adversaries information that could be used to harm an organization or individual. OpSec has long been a key tactic used by commercial and military organizations to protect their privacy and anonymity. The United States in fact formalized it in 1988 with President Reagan's National Operations Security Program.
“Defenders and attackers both use OpSec. When it comes to your adversaries, they use OpSec to avoid detection, maintain availability of their attack infrastructure and to retain access to environments they have compromised,” Holland said. “This is done through a combination of people, process and technology.”
For instance, attackers can take advantage of technology services like bullet-proof hosting to accomplish their goals. Outsourcing the infrastructure they use adds another layer of obscurity to the mix, but also lowers the cost for the attacks.
“We’re much more alike than sometimes people think,” said Holland. “We’re adopting SaaS and they’re doing ransomware as a service. Understanding the adversary’s model a little better and how they operate can help us be prepared for attack.”
OpSec often breaks down, exposing useful information that the other side will pounce on. The rash of CEO wire fraud, known as whaling, is partly driven by breakdowns that stem from standard company practices. This includes making executive travel public, whether via out-of-office messages, automatic geo-tagging on social media, emails, notices of speaking engagements or otherwise.
Once a bad guy knows the CEO is out of town, he or she can craft a whaling message whose authenticity is harder to verify, because the exec isn't just down the hallway.
“This is an easy OpSec practice,” Holland noted. “Take an audit of what the C-suite digital footprint looks like—and shut it down. If you’re geo-tagging on Twitter, you could be enabling someone’s social engineering campaign.”
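As an added illustration of the geo-tagging point (this is not code from the article or from Digital Shadows), the check below tells whether a JPEG still carries Exif GPS metadata before it is shared. It parses the JPEG segment list and the Exif TIFF directory directly rather than relying on an image library; exif_has_gps and make_sample_jpeg are hypothetical helper names, and the sample image bytes are constructed for the demonstration.

```python
import struct

GPS_INFO_TAG = 0x8825  # Exif IFD0 tag that points at the GPS sub-IFD (standard Exif tag id)


def exif_has_gps(data: bytes) -> bool:
    """Return True if the JPEG's Exif APP1 segment has an IFD0 entry pointing to a GPS sub-IFD."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment marker")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: metadata segments end here
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _ifd0_has_tag(payload[6:], GPS_INFO_TAG)
        pos += 2 + length
    return False


def _ifd0_has_tag(tiff: bytes, wanted: int) -> bool:
    """Walk the first IFD of a TIFF header (either byte order) looking for one tag id."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return False
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    if ifd0 + 2 > len(tiff):
        return False
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    for i in range(count):  # each directory entry is 12 bytes: tag, type, count, value/offset
        entry = ifd0 + 2 + 12 * i
        if entry + 12 > len(tiff):
            break
        if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == wanted:
            return True
    return False


def make_sample_jpeg(with_gps: bool) -> bytes:
    """Constructed minimal JPEG (SOI + Exif APP1 + EOI), not a real photo, for the check above."""
    entries = [(0x0110, 2, 4, b"CAM\x00")]  # Model tag, ASCII, value stored inline
    if with_gps:  # offset value is illustrative; no GPS IFD body is included in this sample
        entries.append((GPS_INFO_TAG, 4, 1, struct.pack(">I", 0x26)))
    ifd = struct.pack(">H", len(entries))
    for tag, typ, cnt, val in entries:
        ifd += struct.pack(">HHI", tag, typ, cnt) + val.ljust(4, b"\x00")[:4]
    ifd += struct.pack(">I", 0)  # no next IFD
    app1 = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", 8) + ifd
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run on the image files an executive is about to post, a True result is the cue to strip the metadata first; a photo that has already been uploaded is a location leak regardless of what this check says afterwards.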
The criminals make mistakes too, and they can be very costly. LulzSec founder Sabu made the mistake of logging into an IRC chat server without first using Tor for anonymization, allowing the Feds to nab him. He later turned informant, much to the chagrin of his colleagues, who found their OpSec completely blown.
In some cases, a lack of OpSec is deliberate, in order to advance a brand. Hacktivists like Anonymous fit this profile, for instance.
“The most ironic thing for me is that people are talking about their exploits and how they did it in public or where it can be uncovered by macros,” Holland said in an interview. “But usually, the bad guys have to be disciplined and regimented. The adversaries want to maximize their return on investment and if you see OpSec as the cost of goods sold, they want to optimize that just a little better than the defenders do. One mistake for the adversary and it can cause big problems.”
The flip side to making mistakes is leveraging OpSec to stay ahead in the battle. “With a strong OpSec program that is able to evolve with a changing environment you can build a flexible and resilient cybersecurity program,” Holland said. “Know what you’re trying to protect, whether that’s the data, what generates revenue, known adversaries and the threat landscape. You need to be able to spin up OpSec measures depending on where the threats are.”
There are five steps to doing just that, outlined by Digital Shadows in a white paper released this week: Identification of critical information; analysis of threats; analysis of vulnerabilities; assessment of risks; and application of appropriate countermeasures.
It’s a nascent space—and “not something we’re very good at,” Holland allowed. But, these steps can be built into business processes.
Take, for instance, business-driven event scenarios like new product launches, mergers and acquisitions, or expansion into new regions. For each of these events, companies will need to expand their monitoring, including increased logging on individuals and assets. External monitoring should focus on product keywords, project code words, key staff members and adversaries known to target these types of scenarios.
By gaining visibility into the digital footprint and that of would-be attackers, companies gain a level of context and awareness to make decisions and investments that maximize resources and strengthen the organization’s security posture.
“We have an unfortunate history of operating with our heads in the sand, making critical decisions with incomplete information,” Holland said. “The threat landscape is challenging enough; we don’t need to make decisions in an uninformed manner, enabling attackers to be more successful.”