In OPSEC the red team trusts
Learn what is operations security (OPSEC) in the context of red team assessments.
In layman's terms, operations security means performing actions (operations) in a way that the opponent is unable to detect them or, if they are detected, unable to draw any meaningful insight from them (security).
A more formal definition of OPSEC can be found at NIST, Red Team Guide or Wikipedia. However, I like the one mentioned in TryHackMe's Red Team OPSEC room (it's concise and easy to understand):
OPSEC is a process to identify, control and protect any information related to the planning and execution of our activities.
The concept of OPSEC isn't restricted to military ops or red team engagements though. In general, anyone who doesn't want to get caught or noticed by their opponent implements some form of OPSEC measures. For example, a thief may wear a face mask, a hat and gloves, and avoid CCTV cameras, so as not to leave a trail of evidence or get caught by the police. On the flip side, the police may have set up an elaborate ruse to trap the thief, in which case they would implement OPSEC measures so as not to give away their presence.
Coming a little closer to home, the blue team also relies on OPSEC measures so that a real adversary or a red team operator does not learn that their actions are being monitored. Otherwise, the real adversary or the red team operator may change their tactics to evade the monitoring tools.
A typical OPSEC process consists of five steps (see NIST definition):
- Identification of critical information - What information is critical to ensure the secrecy of operations? For example, Indicators of Compromise (IoCs) generated by tools.
- Analysis of threats - Who is the potential adversary or opponent that can benefit from this information? For example, IoCs generated by attack tools are certainly of interest to the blue team.
- Analysis of vulnerabilities - What characteristic or attribute of that information makes it vulnerable? For example, using an attack tool with its default configuration will generate IoCs that are well known and can be easily detected.
- Assessment of risks - What can happen if the adversary gets this information? For example, the blue team can block the attack tool, having identified it based on their knowledge of its IoCs.
- Application of appropriate countermeasures - What can be done to fix the vulnerability and eliminate or mitigate this risk? For example, use a custom attack tool or customize the configuration of the attack tool to avoid generating known IoCs.
Red Team Notes
- Operations security involves executing actions in a way that either prevents detection by adversaries or ensures detected actions yield no valuable intelligence.
- OPSEC measures are implemented by both the red team and the blue team, to avoid giving away their presence to the other.
- As per NIST, OPSEC is a five step process.
- Red team professionals may have the option to emulate poor OPSEC, if the engagement demands it.
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
One thing I'd like to address here is that, in the context of red team engagements, OPSEC plays an important role during all phases of execution and not just while bypassing endpoint detection software. A few examples of areas where OPSEC is critical include:
- C2 infrastructure setup
- Phishing campaign setup
- Customizing attack tools
- Crafting payloads
- Data exfiltration
If you want to learn more about OPSEC, below is the recording of the webcast OPSEC Fundamentals for Remote Red Teams by Michael Allen, in which he shares valuable insights about OPSEC considerations during the initial access phase.
Also, check out the Red Team OPSEC room by TryHackMe. The content is free to access and doesn’t require any login or sign-up.