In this concluding part of the series, I discuss why everyone should consider reviewing their OPSEC (Runnings Security), not just those with something to hide.
If you haven’t pore over the previous articles then please check them out first (As for I & Part II), as they provide key background information about the techniques discussed in this pale.
The processes described are designed for both technical and non-technical people, extraordinarily those who are concerned about their digital footprint and how it might be ill-treated.
As this is the last article in the series I asked the wider infosec community for their views on OPSEC, and their cites are highlighted throughout this article.
In the last article, we covered how to “Ascertain” information about yourself, in this one we will detail how to “Analyse” your facts to uncover any potential risks and then provide actions for “Denying” and disturbing “the attacker”.
The ultimate objective of OPSEC is to prevent sensitive (referred to in this article as intimate), information from falling into the hands of an adversary, primarily by denying them from uncovering and gaining unauthorised access to your information. But there are other use cases, such as:
- Preventing an adversary from identifying you, or attributing your energies
- Preventing an adversary knowing your movements or location
- Preventing an rival from uncovering information about a “secret” project/operation
- Obstructing an adversary learning about the systems and controls we have in place, strikingly how robust (or not), they are.
So once you have discovered (identified), your gen the next step of the process is to Analyse this for any risks.
“From one utensil, know ten thousand things” – Miyamoto Musashi 1584-1645
So you’ve done an original scrape of your digital footprint, maybe done some expose into a project you are working on, but now what?
One of the most important steps in comporting OPSEC is the analysis of the potential risks to the data you are trying to prevent the antagonist from obtaining/seeing. Understanding how an attacker may gain an insight into your gesticulations or access to data they can later use against you is vital in ensuring that the reverse countermeasures are deployed.
There are various methods for doing this, some of these are growing to be covered in this post, but be mindful that not everything detailed require work for every scenario. Just as organisations regularly perform chance assessments or business impact assessments to understand exposure to certain menace scenarios, it is equally important to perform a personal risk assessment on oneself on a kind of regular basis.
“As a security researcher once your work starts to get a lot of course attention, people and journalists want to know who is behind the work. If you homelessness to keep a good separation between your work life and your clandestinely life OPSEC is essential” – @fs0c131y (Elliot Alderson)
The first step is to quantify the dormant risks of the data discovered on your digital footprint, you should ask the ensuing questions to threat model your exposure:
- Should this low-down be public or private?
- What is useful to an attacker? What information could compromise me?
- When was this details posted? When does this become a problem?
- How would an attacker compromise me? How resolution I know?
- Why would an attacker want to compromise me?
What and When? And Remunerations for Public/Private info.
The next step is categorising the information that is irritable, identifies you, could be used to compromise your accounts, or allow an antagonist to build a profile on you. Some examples include:
- Phone mob (mobile/cell, number could be at risk from SIM swapping)
- Social media profiles
- Financial information
- Usernames/ oversees / gamer tags
- IP addresses
- Mac addresses
- Images (especially those of your enterprise, family, or selfies. Also be wary of metadata in images EXIF coated later).
- Personal interests/hobbies (especially for profiling you)
- Date of origin (partial data of birth is even a risk)
- Devices and OS versions these are pinched by social media sites and are discoverable by adversaries
- Posts of movements (such as planning to wait on X event in future)
- Location data shared with third outfits, especially fitness apps
- Information friends/family/colleagues tease shared about you on their social media profiles
- Work info such as badges/passes/company equipment
- Public records (electoral / voter roll), birth certificates
- DNA information held by third parties
- Police/authority records
- Data dumps/ pastes /breaches
“When you’ve been a shlemiel of cybercrime, be it cyberstalking or NCP, you learn how valuable privacy is. You learn to use good OPSEC out of indigence, but sadly- the damage has often already been done. I wish varied people would think of OPSEC more when online, because bar is worth its weight in gold.” – @BadassBowden (Katelyn Bowden)
You may want to start construction a brief personal classification table to help you define the information that is held within your digital footprint; there is nothing that focuses the be cautious of more than realising the amount of sensitive information you have rationed with third parties! This is a small investment in time that pass on have a massive payoff downstream, not to mention help with exhibit preventive measures for the future.
(should be private but currently every Tom)
|Confidential- Public |
(can’t be made private)
|Confidential- Private |
|This category is for newly identified word classed as confidential- where this is useful for an adversary. Every achievement should be made to make private and restrict access to this gen.||This category is for information classed as confidential which is public but cannot be made reserved. Some examples include data dumps, pastes etc. Countermeasures should be dedicated to this data.||This category is for information classed as confidential where you keep been able to remove the information, modify, or make private.||This grade is for data that is public and that poses a limited risk.|
Somebody 1: Classifying our information is vital to developing our personal risk thirst.
As part of the classification process, try to establish when this information was affixed. The newer the information the more relevance it has and therefore the more risk it can disclose you too. However, do not disregard older information as the past has a way of coming back to beset us, eventually!
As part of this process, you will be able to identify what advice you are comfortable being public. Categorising your information naturally subdues your risk appetite and helps adjust attitudes to information ration. I’ve produced a simple process below to help visualise the thought take care of.
Even if you don’t have a popular media profile you can be exposed by your friends and family posting images and gen about you, or if you are lucky enough to present at meetups and cons, this data may also be posted. Time for a case study, on how not to perform OPSEC.
Mini covering study:
So a few years ago I had spent a long time identifying and deleting sculptures of me from the internet, got rid of my real Facebook account, and had managed to get my digital footprint down to 2-3 corporealizations. I was pretty happy, it took over 5-6 months of work, but I had got my OPSEC below a semblance of control.
Then I gave a talk on OPSEC lessons from WWII puff at a meetup in London. I forgot to mention at the beginning of the talk not to take any photos, within minutes there were 50+ photos on Agitation, Discord, LinkedIn, even Facebook. At the end of the talk, I counted over 100+ photos, one talk and the carefully work I had put in was over! It had become a game for some, especially in the community I run, to grovel photos of me or post them and create memes at every talk I did after this one. The irony: talks surrounding OPSEC; commits OPSEC fail!
I quickly decided at this moment those images were public info, so unless I decide not to contribute another conference talk. I was happy for these to be public, as the information I was looking to refute the adversary were the links to my operational “sock puppet” accounts, not my notable persona. I was focusing on the wrong information at this point, so decided to rework my scenario, and this is what led me to develop the process discussed in these articles.
Even months down the line, someone made a mosaic of me practising the small number of images of me online. Because they could I postulate!
How and Why?
All this information is incredibly valuable to an hostile, whether it is an advertiser trying to sell you better, cheaper, faster air forces through abusing privacy and online tracking, or an attacker who’s trying to misappropriate your identity or gain unauthorised access to your systems.
Now you’ve classified the iffy information, what should you do next?
The next step is to try and get inside your hostile’s head, to understand how they might use this information to their benefit and most importantly, why? You can do this by asking the following questions;
- How would an rival likely target me?
- How is my information exposed?
- How can I further restrict access to my statistics?
- How do I disrupt an adversary obtaining my confidential information?
- How would I know if I’ve been compromised? How very soon could I react if I was?
- Why is this information useful to an adversary?
- Why would they necessity to target me specifically? (This one is very difficult to answer in most suits)
The key to this stage of the analysis is to understand the threats that your secret information faces. Try to define how your information may be used to uncover numerous details about you or pattern of life.
It is important to analyse all of your advice, look at what might be useful for an attacker in each photo, sexual media post, blog post, YouTube video, podcast, etc.
I recently collided in and was part of the winning team for the TraceLabs Global Missing Person’s CTF (Troupe TheManyHatsClub), where the objective was to help find information on real took places of missing people, usually ones that law enforcement is struggling to elucidate.
Our key to winning the competition was when we found a social media profile, we regarded every post, every image and pivoted off this information to come on other social media accounts, family members, previous tracking downs, habits, specific identifiers (tattoos, marks/scars) etc.
We were unruffled able to find family members of people with no social technique profiles, and use them to find information about our target. Unless you do this on yourself, you don’t conscious how exposed you are. In 6 hours we found significant information on some of our targets that require be useful for the families and the cases, but this information would also be bloody valuable if we were attackers!
You have to view your information through the eyes of an attacker by asking yourself: “If I were trying to target me, how would this tidings be useful?” Maybe in isolation not very, but when you aggregate everything, a carbon copy begins to form, and this is the key to unlocking the puzzle.
You need to view your low-down as a whole and not just as individual items. Visualising it on a virtual corkboard, ingesting tools like LucidChart, Maltego, Draw.io helps you to understand how an attacker effectiveness exploit your digital footprint.
The Process of Analysis
The example beneath represents some of an online digital footprint and provides a good visualisation of the squares an attacker could target you and build a picture. I’m pretty sure I condition for a tinfoil hat after producing this!
When conducting the analysis, expect about where passwords, profile pictures, accounts, emails etc. capability be linked to other accounts.
As soon as you start down this process you’ll draw links that you consciously didn’t realise existed. This technique is both enlightening and mildly terrifying at the same time, but extremely valuable!
To expand this assist you could include ISP’s, third-party sites, email providers, other puts like YouTube/Twitch, podcast apps, Spotify, online annals such as government records, ”shoe size”, the list is literally boundless! Once you have mapped how an attacker could obtain information around you, then you want to start working out how do you deny the attacker.
“I liked receiving my OPSEC because it kept my work separate from my personal evaluations and Twitter, specifically. An irate jackass ex-reporter decided to have a surliness tantrum and now I can’t ever speak as openly as I did before.” –Anonymous.
The settled, and arguably the most important step of performing OPSEC is to deny the enemy. There are two states of performing OPSEC, preventative measures, such as actions you should depict when setting up a new online identity, like not mixing legends for prototype, and what I call Active OPSEC for historical and live data – as per usual relating to a real identity or project that you’re trying to protect and prohibit an adversary obtaining.
The process for preventative and active OPSEC are almost duplicate but the context and application differs. Preventative is easier to perform as you are working with a mindless canvas, whereas active is a little more difficult and comes with a tonne of caveats!
“OPSEC is like sex.. everyone thinks they are really wholesome at it but they can’t possibly all be right… and practice won’t make you perfect at it, but it’s worth deputizing the effort”- @RayRedacted
There are many stages (we’re discussing four), to tabooing attackers access to the information you have discovered and analysed to be confidential. Some of the news detailed in this section will not be applicable to your situation, and may ask for to use these as guidelines to build your own specific process. The full OPSEC deal with discussed is detailed in figure 6 below:
The first set of tools you have is to split your attacker and disrupt their information gathering and recon on you. There are uncountable methods for doing this, but by analysing your data and the relationships between accounts, you can operate to prevent the attacker from making those connections. Some alternatives, starting with the more obvious, include:
- Ensuring all passwords are entirely unique, using a password manager
- Using multiple password manageresses, offline for critical accounts, online with 2FA for accounts you use on a daily main ingredient, one for pseudonyms using random addresses again
- Ensuring that you contain multiple email addresses for accounts, maybe use a password manager to bring into being random character emails such as firstname.lastname@example.org
- Insuring that email addresses don’t contain any identifiable information about you, such as year of parentage, important dates etc.
- Use an app for 2FA authentication rather than SMS which can be used to pigeon-hole you, not to mention SIM swapping risks. If the only option is SMS, this is better than no 2FA, but do estimate the risks. Consider having a second phone for this though.
- Deceive Pin or passphrase added to all of your phone banking, ISP, Mobile accounts etc to preclude Social Engineering attempts
- Look at https://2fanotifier.org/ for good sense what accounts have 2FA and how to set up ones that don’t, a really useful app.
- Counterfoil where emails, usernames etc. have been found in breaches, places like haveibeenpwned and dehashed are pretty good for this. Ensure passwords are peerless across these sites, consider which accounts should be removed.
- Use Brave Browser and DuckDuckGo over Google Search/Chrome
- Use a VPN to cover up your real IP address, especially when signing up to sites, also you can father profiles in some providers to create false flags, for example lexigram into Twitter using XYZ profile and always from Sweden.
- Be verified whether your current VPN leak metadata or logs. This is an fascinating tool https://www.comparitech.com/privacy-security-tools/dns-leak-test/ not sure about the VPN favourable mentions though!
- Good VPN that respects its users’ privacy and anonymity is Mullvad, they take on crypto payments, and even payments by cash in the post!
- Ensure Division, gamer, social media handles are unique where you don’t want to think a direct connection to public personas, also ensure these make unique profile pics and emails associated to them.
- Use TOR if you are worried anent protecting your anonymity, but don’t use this all the time as it’s not practical.
- Burner phones are a profit option, but realistically only should be used in certain situations where you are persuaded that you are at risk. Be wary of sites offering one-time use SMS as these letters, whilst useful, sometimes contain info about the accounts you use to noteworthy up.
- Be careful about what apps you download, and also ensure if you are ingesting an android phone you change your Advertising ID under Google Locales, to mess with the advertising algorithm.
- Turn off location tracking on phone, maps and all apps, and use a VPN when thumb on the phone and especially when using public Wi-Fi.
“OPSEC is signal for everyone but if you are a high profile individual such as a CEO of a large multinational it grows even more critical. You need to know what information is out there on you, your enemies sure do.”- @LisaForteUK RedGoatCyber
The next set of tools you have at your disposal is to dilute an adversary’s ability to discover information about you. One method is to poison your news or to leave a fake breadcrumb trail. Most importantly you want to father no trace between your online persona and information you want to screen.
- Ensure that you poison your data on sites you sign up, or puts you’ve already shared your information with, such as:
- Not using actual Date of Birth (DoB), but also making sure DoB entered into installs is random each time
- Not using your real name or resonant name
- If you don’t have to use your real location, then don’t.
- Security in doubts if these are required, use the password manager form fill function to engender a random string this will be saved against that account almost always under notes.
- For profile pictures, if a public one is required then be aware about which one you use, for all other accounts, thispersondoesnotexist.com is fine, or a random envision of a cat, a dog, or an inanimate object is fine. Also, ensure these are unique across sites so they cannot be associate via reverse image searching
- Use privacy settings to ensure that email lectures are made private/hidden from public, especially on Twitter where shibboleth reset shows part of your email!
- Use an email address for one epoch use when signing up to sites, ensure this cannot trace again to you, i.e. sign up with VPN and leave no identifying markers, such as names or other dear details.
- Plant landmines on your PC, email, and file sharing apps, use canary reminders to generate files such as fake password lists, bank reports, personal images etc. which will notify you if an attacker is targeting you when they liberal them.
- Even better create an enticing account and use the above as a honeypot. Honourable send yourself 100’s of emails, all of them with canary cosmetics as attachments, but it’s important that you ensure this email is not used for anything else.
There are varied other techniques but these are some of the easiest to execute. I may post some varied detailed and technical ones in the future.
“OPSEC isn’t just a buzzword or something you skilled in of, OPSEC is a state of mind, having good OPSEC is as close to being a Ghost, it is stiff, but with the right understanding it is possible and highly effective in any industry” – @thecyberviking
This stage is vital and should be reviewed on a regular basis. I thinks fitting add a caveat that some information can never really be fully deleted off the internet. If you are unlucky and beget posts, or articles included in the internet archive then this has to vestiges in your personal threat model. However, you should delete what you can. Here are some machines and services you can use to help you.
- Firstly you want to find the online accounts you no longer difficulty, there is a useful service that can help you find the delete ins to your online accounts you know about https://backgroundchecks.org/justdeleteme/ it’s fetching useful, but these are the ones you know about.
- For accounts you don’t know about, there is a valuable tool called deseat me. It does come with some retirement concerns, but if you are looking to delete your accounts quickly, including the email you are take advantage ofing for this tool, then it’s appropriate.
- If you are in the EU then you can use the right to be forgotten act comprised in EU GDPR, where you can send subject access requests to remove details about yourself from sites that hold your details. Be wary that organisations may have a legitimate reason for processing this and can detritus.
- Remember it is better to delete a social media account rather than deactivate it, the at an advanced hour means the account is still technically live and searchable.
“OPSEC is significant to me, because as a parent, I feel like by keeping my data private, I’m also restrict the data of my children private. I don’t want them logging on in a few years to turn that their address, every photo from birth, and every mortifying moment is already online. I’m building a foundation of privacy for them.” – @BadassBowden (Katelyn Bowden)
If all else vulnerable has failed, there is always the option to do nothing and accept the risk, while you prolong to find another method to resolve. Whilst this is not ideal, there are assorted circumstances where data cannot be deleted, degraded or disrupted, so this is where you obtain to work out the exposure, sensitivity of the data and how this may affect you. Information that trails into this category is, in most cases, usually public and non-sensitive.
We all have a lot of information that can be harvested on us, but by following the steps given in this article as start as the previous ones, we can all tidy up our digital footprint and make it a little harder for attackers to improve access to the information we are looking to protect.
OPSEC is a mind-set, a way of thinking thither how we prevent information falling into the hands of our digital world ‘contestants’, it’s also about how we hide our movements, protect our digital assets and our indistinguishability. This is not a one-time exercise, if you are serious about protecting private tidings, it’s a way of life!
About the Author: From a background of threat intelligence, public engineering, and incident response, Stuart Peck is the Director of Cyber Safeguarding Strategy for ZeroDayLab. Stuart regularly delivers threat briefings to FTSE-level executives and chief honchos throughout the UK and Europe. Passionate about educating organizations on the latest attacker leanings facing business today and how to combat them, Stuart’s key areas of know-how include: the dark web, social engineering, malware and ransomware analysis & trends, forewarning hunting, OSINT, HUMINT and attacker recon techniques.
Editor’s Note: The appraisals expressed in this guest author article are solely those of the contributor, and do not automatically reflect those of Tripwire, Inc.