diff --git a/opsecmistakes/index.md b/opsecmistakes/index.md index e405b88..eba7b50 100644 --- a/opsecmistakes/index.md +++ b/opsecmistakes/index.md 
@@ -131,5 +131,122 @@ Let's talk about [Operation Delego](https://en.wikipedia.org/wiki/Operation_Dele ##### The neutralization operation After infiltrating the group, Leo managed to trick several users into directly sharing media and personal information other unsanctioned channels, without encryption. +##### Final Tally +- 72 charges (out of 600+ active members) +- 57 arrests + + +OPSEC works, even for the scum of the earth: 9.5% neutralization rate after being infiltrated by a joint effort between 12 countries is pretty impressive. + #### What bad OPSEC looks like -Lulzsec + +Now let's have a look at Lulzsec. We have pretty much every OPSEC mistake rolled into one burrito of disappointment. We will use the analysis framework we've worked with so far + +LulzSec (Lulz Security) was a high-profile hacker group active in 2011, known for brazen cyberattacks on corporations, governments, and media. + + +One of their members (Sabu) was identified, turned and then used to compromise the rest of the goup. + + +##### Detection +That one's easy: between the defacement and bragging all over the web about their hacks, the operations were **meant** to be visibile + +##### Identification +- Sabu was identified after logging into IRC from his home IP instead of through Tor: it only happened once but it was enough +- Members reused online aliases across multiple platforms. For example, some had past activity linked to now-doxxed identities. +- Email addresses used for domains or accounts were linked to real-life identities. +- Boasting about hacks and providing technical details exposed them. +- There was minimal effort to isolate real identities from online personas or separate operations between different members. +- Many used the same machines for both personal and hacking activities. +- The group let in new members quickly, including undercover agents or individuals who later cooperated with law enforcement. 
+- They issued press releases and taunted their targets on Twitter, which increased media attention and pressure on authorities to catch them. +- This also gave law enforcement leads to correlate timing between attacks and online activity. +- Use of non-anonymized IRC clients, known VPN services, and unencrypted communication channels made traffic analysis easier. + +##### Neutralization + +By mid-2012, most core members were arrested and charged. + + +# Threat Modeling: choosing the right tool for the job + +We now have a simple framework (detection, identification, neutralization), that's actually called an attack cycle model. This will help us think our OPSEC prosedures in a way that is methodical and grounded in rationality. + + +As we have seen, depending on the situation you might need higher or lower security measures. Usually, when you crank up the security, communication slows down and becomes harder. When you want easier and faster communication, you often have to lower your security requirements. + + +## What is a threat model + +In order to decide which OPSEC practices to adopt you have to know what you are defending against. Gun running, protest organization against private corporations and civil disobedience are activities that can bring the wrong kind of attention but they all have wildly different threat models. + + +A threat model is a description of your adversaries with: + +- their goals +- capabilities +- targets + + +The more powerful and well-funded the adversary, the more dangerous it is (States being at the top of the food chain). + +### Quick Example +Alice wants to organize a protest against Evil Corp evil practicies of experimenting broccoli based diets on kittens. Evil Corp has been known to intimidate would-be protesters by hiring private detectives and thugs. 
+ +#### Evil Corp threat model +- goals + - preventing disruption of their operations by protestors + - preventing PR fallout from their evil experimentation becoming public knowledge +- capabilities + - technologically low, as they use tried and true methods of physically tailing people and throwing bricks through their windows +- targets + - protest organizers and their assets + +## Risk Analysis + +The next step is to run a risk analysis: you want to list all your assets that are in play in your clandestine Ops, define how critical they are on three axes: +- Confidentiality +- Integrity +- Availability + + +### Example +Alice determine's that her group of protestors has the following asset + +- Member list and contact info + - Confidentiality requirement: **High** + - Integrity requirement: **High** (we don't want someone infiltrating the mailing list) + - Availability requirement: **Medium** (even if the list is destroyed, core members have copies and can reconstruct it together) + +Given her threat model, she determines the following plausible attack scenarii: + +- Getting tailed after a protest and having her laptop stolen from her home with the list on it: **High likelihood, fits the MO and threat model** +- Someone grabbing her laptop from her while she's planning her next big anti-corporate protest while sipping from a triple latte double macchiano at starbucks **Medium likelihood** +- someone hacking the mailing list server to read all the protest prep exchanges **Low likelihood** + +## OPSEC Standards and procedures + +Armed with her risk analysis, Alice's now knows which assets are most likely to be targeted. Thanks to the threat modeling exercise she has several attack scenarii. 
Based on their likelihood, her OPSEC efforts will be prioritize the following way: + +- Anti-surveillance and Counter-surveillance techniques to identify whether members are getting tailed after meetings or protests +- Encryption on her laptop, automatic shutdown if someone grabs it +- Hardening of the email server + + +## Know when to stop +Why isn't she preparing for a large scale hacking campaign against her identities, followed with a 0 day barrage of all her servers and a complete compromise of her household appliances down to the lowliest airtag? + + +**Because it does not fit the threat model, and it would be easier and more cost effective to break into her house and grab her stuff, especially if her machine is unencrypted** + + +# Now what? + +A threat model is a living thing, like any GRC (Governance, Risk and Compliance) document. Your adversaries will change in capabilities, motivations, methods as time passes. Your organization will change too, adopting new tools, foresaking old ones. In order to stay safe, you need to keep your threat model and risk analysis up to date, so you security level is always where it needs to be. + + +- To be effective you need to be able to communicate with the highest bandwidth possible with the rest of your organization. Perfect OPSEC is useless if it makes you unable to function. +- To be resilient you must have enough security to thwart your adversary and a defense in depth mindset to ensure that even in case of a successful attack your whole operation isn't toast. + + +Threat modeling and risk analysis are skills that are highly sought for by companies themselves in order to protect their assets, cybersecurity professionals spend years cultivating them. This was a primer, I invite you to read more on the subject or get in touch if you need coaching or help doing this for your own operations.
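Review bot: the numbers in the new "Final Tally" block do not line up with the sentence that interprets them: "72 charges (out of 600+ active members)" gives 12%, while the quoted "9.5% neutralization rate" only works if it is 57 arrests over 600 members, so either move "(out of 600+ active members)" to the arrests bullet or state which figure the rate is computed from. In the LulzSec "Identification" list, several bullets are not identification at all: letting in new members who turned out to be undercover agents or cooperators is an infiltration/neutralization vector, and press releases and Twitter taunts raising pressure on authorities belongs with the "Detection" point made just above; since the section explicitly says it applies the detection/identification/neutralization framework, those bullets should be moved under the heading they fit so the Lulzsec walkthrough mirrors the Delego one. The "Neutralization" subsection then reads as a single sentence; at minimum it should say that it was the turned member (Sabu) introduced earlier who was used to compromise the rest, otherwise the turning is mentioned and never tied to the outcome. Wording and typo fixes in the added text: "sharing media and personal information other unsanctioned channels" is missing "over"; "prosedures" -> "procedures"; "visibile" -> "visible"; "goup" -> "group"; "practicies" -> "practices"; "Alice determine's that her group of protestors has the following asset" introduces a list and should read "determines ... the following assets"; "scenarii" -> "scenarios" (twice); "macchiano" -> "macchiato"; "her OPSEC efforts will be prioritize the following way" -> "will be prioritized as follows"; "foresaking" -> "forsaking"; "so you security level" -> "so your security level". Finally, "Know when to stop" argues the laptop is the cheaper target "especially if her machine is unencrypted", but the procedure list just above already prescribes full-disk encryption; rephrase to make clear this is the attacker's calculus before that control is in place, or the two paragraphs contradict each other.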