In the previous guide I mapped out Risk Management and the techniques used by The Attackers Kill Chain. That outline is written from a Red Team perspective, but it can also be used as a model by a Blue Team, although it is much more difficult to manage. This introduces us to Operations Security. The phrase "Loose lips sink ships" holds credence here. Or, to put it simply, do not talk about what you know. Knowing is power, and what you know that your attacker does not will make or break an operation.
What is OPSEC? Operations security (OPSEC) is a process that identifies critical information to determine if Blue Team actions can be observed by Red Team intelligence, determines if information obtained by the Red Team could be useful to them, and then executes selected measures that eliminate or reduce Red Team exploitation of Blue Team critical information. OPSEC is also about protecting metadata that, when grouped, could be used to form a bigger picture of things.
This is why many now state that if you are not using the same protection and guidelines as the Red Team to protect yourself and your information, then you are doing it wrong. It is also why we mapped out the Attack Chain.
All information is critical information
Any information you give away is one cog taken out of the machine you have made. If the Red Team takes enough cogs, they can work out what your machine is and what type of machine is needed to protect what you need protecting. This in turn lets them build a machine to break your defenses.
Be alert, be cautious, be aware
If the defenses you have are high risk and high security, then you have to assume everyone wants what they protect, needs it, or is trying to get it.
Compartmentalize
Keep everything isolated. One plan should not overlap with another. The more plans you have for each item you wish to protect, the more protected it will be.
Do not talk about any recent successes or accomplishments in regard to your OPSEC
A good plan used once by you means a good plan can be used against you. People make and follow patterns, and those patterns lead to exploitation of your mistakes. Do not give them the ability to exploit this.
If it is worth protecting, it is worth stealing
This may be redundant, but if you have something worth protecting, then it is also worth stealing. Whether it is personal or not, someone can use it for leverage. Do not allow them to do so.
Lie
Lying is a skill needed by everyone, and it is not a harmful behavior when it comes to your personal security. If you need to, or if you are threatened, lie. People, in this case the Red Team, will often take any information over no information, so lie. A lot.
The less people know, the better
In this case, the less people know about your defenses, the objective of your plan, and the thing you are protecting, the better off you will be. Anyone involved in or aware of your plan is now a potential security risk.
And that brings us to Personal Security. If something you have is a target, that means you are also a target. Keep in mind that the most common failure in any good plan is the person or persons who made it. You can be used to leverage information, whether by blackmail or by force. You are an asset. And you must be able to defend yourself as if your life depended on it, because one day it may.