Civilian OPSEC in Cyberspace
Petr Špiřík
About
The course
Methods and techniques for monitoring, surveillance and profiling of cyberspace activities are here to stay.
The goal of this workshop is to educate people operating in above-average risk situations in cyberspace and to arm them against malicious actors abusing these options.
Petr Špiřík
Cyber security, privacy, counter-surveillance and threat intelligence. This is what I like.
Network security, incident response, security architecture and design. This is what I do.
Education and the power of knowledge. This is what I trust.
CC-BY-SA • Petr Špiřík
Audience
I want to
• Do independent journalism in Russia
• Buy and sell drugs online
• Perform cutting edge research in China
• Watch porn in UAE
• Live my life without fear – whether I am gay, a woman, black or a radical anarchist
Good. Welcome.
Course management
There are eight building blocks, one for each defined subtopic.
Each block follows a 45/15 minute format: 45 minutes of content, 15 minutes of chill-out time.
At all times, the parking lot is here to capture questions and pain points.
Questions, concerns and requests for rewind/fast forward are welcome.
Participation is not only welcome – it is essential for meeting the objectives of this course.
Agenda
Problem
0900 Cyberspace basics
1000 Self-profiling
1100 Threat actors
1200 Attack vectors
Solution
1400 Risk Management
1500 Ways of OPSEC
1600 Tools of OPSEC
1700 Summary & Feedback
Cyberspace Basics
“Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding.” (Neuromancer, 1984)
“The environment formed by physical and non-physical components, characterized by the use of computers and the electro-magnetic spectrum, to store, modify, and exchange data using computer networks.” (Tallinn Manual, 2013)
What is OPSEC, anyway?
OPSEC stands for OPerations SECurity.
OPSEC usually refers to clandestine, covert or otherwise sensitive operations and the need to keep them that way.
OPSEC is a way of behaving, acting and operating that provides increased security and privacy.
OPSEC often aims at reducing your footprint and achieving a low profile.
Cyber Terrain (courtesy of Shawn Riley)
Scary model
Network Access – Networks: physics, real world, cables
Internet – Protocols: rules and laws of the Internet
Transport – Computer: hardware, processing of data
Application – Human: human-computer interface, software
Flow of Operation in Cyberspace
Me -> Computer interface -> My computer -> My ISP -> Another ISP -> Yet another ISP -> Datacenter -> Target server -> Target service
Flow explained - 1
Me -> My Computer
Who else has access to my computer?
How secure is my computer?
My computer uses DNS and other protocols. What does this mean?
If I do not control my computer, every other step is compromised.
My Computer -> My ISP
Where do I connect?
Who else has access to the router I use?
How secure is this router?
How much do I trust my ISP?
Countermeasures against an untrustworthy connection and ISP exist.
Intermission
Addressing
Everything connected to the network has an address, an IP address.
Addressing is hierarchical.
There are rules for address allocation.
Addresses can be manipulated.
Domain Name Service
IP addresses are not human-friendly.
Names are better.
DNS is the protocol and service that lets you use google.com instead of 173.194.122.3.
Names can be manipulated.
Flow explained - 2
ISP -> Datacenter
ISPs and datacenters are subject to the laws of the country they reside in. Does this affect me?
There are usually several ISPs in the way, forming a chain.
ISPs and datacenters have employees.
These hops multiply the problem.
Target Server -> Target Service
Who administers the target server?
How secure is the target service against other users, attackers, administrators?
It is very hard to exercise security at the target end of the connection.
Why does it matter?
Models are good.
Models allow us to split a complex problem into a sum of easier challenges.
Understanding the environment is critical:
• Cyberspace is a heterogeneous environment
• There is no end-to-end control
• What happens if any of the nodes is compromised?
We don’t need to understand technical details for self-defense.
Digital Footprint
Whenever you operate in cyberspace, you leave traces.
Locard’s exchange principle still applies.
The good thing – you can modify your traces more easily in cyberspace.
The bad thing – it is significantly harder to remove your traces completely.
The very bad thing – time does not help.
Your digital footprint is close to eternal. What you once put in the system remains there forever.
Heterogeneous environment
Cyberspace is subject to three points of view simultaneously at any given time.
Physical. Data in cables have a physical representation. Monitors emit in the visible spectrum.
Logical. Data are logically structured and encoded. Protocols and transformations apply.
Legal. Cables, servers, computers and people exist in some jurisdiction, are subject to that jurisdiction, and jurisdictions can conflict. There is no such thing as no-one’s land.
Control and Trust
Control
Limited.
End-to-end control is hard and/or expensive to achieve.
It is easy to lose control and hard to regain it.
“I bought my computer and no one else ever touched it. It is under my control.”
Trust
Trust is essential to our society – and to cyberspace as well.
There are different trust models.
Trust is a cheap complement to control.
Trust but verify.
“I trust my ISP not to spy on me.”
Immutable Laws Of Security (by Microsoft)
#1: If a bad guy can persuade you to run his program on your
computer…
#2: If a bad guy can alter the OS on your computer…
#3: If a bad guy has unrestricted physical access to your computer…
#4: If you allow a bad guy to run active content in your website…
… it is not yours anymore.
Self-profiling
There is no silver bullet.
A journalist, a drug smuggler, a student and a scientist have different needs.
This block is activity driven, with these outcomes:
• Defined assets you use in your daily routine
• Services and tools that are important to you
• What is important to you
This profile is called the attack surface.
CIA triad
All recognized assets, whether logical or physical, are subject to the CIA triad of Confidentiality, Integrity and Availability.
These aspects represent what is important to you.
“I do not want anyone else being able to read or modify my emails. Losing them is not a big deal to me.” I value Confidentiality and Integrity, while I do not care about Availability.
“My website is public. It must be up all the time and its content must be exactly like I want it.” Availability and Integrity are important, but Confidentiality does not even apply.
Assets
This one is easy.
Write down all your cyberspace-related devices and what you use them for:
• Smartphone (phone calls, navigation, internet access)
• Laptop (school work, online games, Facebook, movies, photos)
• Lab computer (research projects, foreign universities data access)
• Credit card (paying online, ATM withdrawals)
Services
Still easy.
What services do you use and how important are they to you? Write them down.
• Email (how many of these?)
• Facebook (or other social media)
• Google documents (fun, work, school)
• Dropbox (or other file sharing platform)
• Website
Crown Jewels
Time to think.
What is important to you? What matters the most? What part of your life could suffer a lot? Use the CIA triad classification.
• Lose all my data stored in cloud
• Lose my emails
• Have my emails stolen
• Get shamed publicly
• Lose money
“Stuff”
There are necessarily data that you did not include in the Assets, Services or Crown Jewels sections.
This is ok.
These are the data you have but do not care that much about.
It is good and important to be aware of them, but right now – let’s put them aside.
Asset Management
Assets, services and crown jewels can also be seen as
• Physical assets
• Logical assets
• Priority assets
Writing them down in a structured manner serves many purposes:
• Visibility (you can manage only what you know about)
• Attack surface deconstruction (this might allow for some easy wins)
• Prioritization for defense (crown jewels vs. “stuff”)
Threat actors
“You Don’t Have a Malware Problem. You Have an Adversary Problem.” (CrowdStrike)
Does it matter who is after you?
Are you suspicious of government? Ours or THEIRS?
Scared of neo-Nazis? Classroom bullies?
Afraid of criminals?
Yes, it does matter. Different threat actors have different motivations and different capabilities. Your defense should differ as well.
Government
Profile
Law enforcement, government bodies, intelligence agencies, military.
Professionals working 8-17, with an unlimited budget and options not available to anyone else.
A significant difference is whether they are domestic or foreign.
Motivation
Defined by political agenda and legal system. Highly predictable.
Capability
Usually top tier.
Objectives
Surveillance, law enforcement objectives, intelligence and counterintelligence.
Hacktivists
Profile
“For cause” groups. Far right, far left, extremists, political organizations.
White-media.info, Anonymous – just to name a few.
Motivation
The critical aspect of each hacktivist group.
Capability
Wildly varied.
Objectives
Usually attention whores, striving for media coverage and publicity.
Criminals
Profile
Traditional organized crime as well as freelancing dog soldiers (Hidden Lynx) are already strongly established.
Driven by money, you can find all sorts of talents – from retarded drive-by shooters to skilled operatives.
Motivation
Money. Financial profit. Very predictable, with parallels to standard crime and business.
Capability
Adequate to their selected career. There is room for everyone.
Objectives
Data theft, ransom, outsourcing.
Lone wolves (aka Jerks)
Profile
Someone you pissed off at work.
Someone you broke up with.
Someone randomly evil.
Motivation
Unpredictable.
Capability
Varied, usually low.
Objectives
Acts of damage and destruction, not predictable.
Now what?
Activity. More writing.
Who are you afraid of the most?
What crown jewels of yours are they after?
Why do you think you are their target?
Who do you fear the least?
Attack Vectors
Threat actors have their tools of the trade ready.
They target the Confidentiality, Integrity and Availability of your assets.
We will cover different points of view and classifications of the attacks, allowing us to understand the attack vector.
Legal
Most often the domain of government threat actors.
Confidentiality is the main target.
Can be long-term (mass surveillance) or short-term (investigation).
You can become a victim as collateral damage (police raid at a datacenter) or as a direct target.
It is critical to understand the applicable legal framework – at least to the extent of your rights and risks.
Legal - Examples
Surveillance
Some form of surveillance is already in place (CCTV); other forms might be deployed upon request at your ISP.
The entities implementing surveillance act with the power of an administrator.
Law Enforcement Hit
Your laptop might be confiscated for investigation.
Your server might be taken into custody.
It might be targeted against you, or you might be just a drive-by victim.
Social Engineering
By far the most prevalent type of attack – or at least a frequent complementing factor. Mostly used by criminal threat actors.
People are prone to trust others, believe in fairy tales and get abused for it.
It is no surprise – a skilled social engineer is a con artist doing it for a living. His victim is most likely experiencing it for the first time.
A social engineering attack might resemble a boxing match between Rocky Balboa and Justin Bieber.
Social - Examples
Phishing
It looks like a legitimate email.
It looks like your e-banking site.
It offers money or tries to help you.
It might as well be just an illusion set up by an attacker.
Identity Theft
Friend request on Facebook.
You know the name, you recognize the photo, you shared a class two years ago.
It might as well be a persona crafted from publicly available sources. Like other social networks.
Physical
Did someone have access to your computer? It is not your computer anymore.
Are you operating in an environment that is controlled by someone else? How much do you trust them?
Targeted attacks against you are rare, as they scale poorly.
Prepared traps against anyone coming in are common, as they scale decently.
Physical attacks are used by all actors, based on opportunity.
Logical - Examples
Man-in-the-Middle
When the attacker is able to gain control of a point in the flow of information and manipulate it, we speak of a MitM attack.
Redirecting traffic, intercepting data or terminating and re-establishing sessions all fall into the MitM category.
Password chaining
“Did you forget your password? Enter your email address and we will reset it for you.”
What happens if one of your accounts is compromised?
Can the attacker use it to gain access to other accounts?
Think of the email-PayPal link.
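The password-chaining question above, turned into a small self-assessment script. This is an added example, not code from the deck: you list which accounts can reset or log into which, and it computes what an attacker reaches from any single compromised account, which accounts lead to a crown jewel, and which pairs can reset each other. The account names are a constructed sample inventory.

```python
"""Which of your accounts can an attacker reach from one compromised account
by following password-reset and linked-login relationships?

Added example, not part of the original deck. The inventory below is a
constructed sample; real entries come from your own Assets/Services lists.
"""
from collections import deque

# Constructed sample: account -> accounts that can reset or log into it.
# "main-email" is recoverable via an SMS code to "phone-number" or via
# "backup-email"; "netflix" uses "Login with Facebook"; and so on.
RESET_LINKS = {
    "phone-number": set(),                      # SIM swap is out of scope here
    "main-email": {"phone-number", "backup-email"},
    "backup-email": {"main-email"},             # mutual recovery with main-email
    "paypal": {"main-email", "phone-number"},
    "facebook": {"main-email"},
    "netflix": {"facebook"},
    "password-safe": set(),                     # master password, no reset path
}


def control_graph(links):
    """Invert the reset links: edge A -> B means control of A yields B."""
    graph = {name: set() for name in links}
    for victim, recoverers in links.items():
        for recoverer in recoverers:
            graph.setdefault(recoverer, set()).add(victim)
    return graph


def blast_radius(links, start):
    """Every account reachable from `start` by chaining resets (BFS)."""
    graph = control_graph(links)
    seen, queue = {start}, deque([start])
    while queue:
        current = queue.popleft()
        for nxt in graph.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def ranked(links):
    """Accounts ordered by how much falls with them, largest first."""
    return sorted(((len(blast_radius(links, a)), a) for a in links), reverse=True)


def upstream(links, crown_jewel):
    """Accounts whose compromise reaches the crown jewel: the chain to cut."""
    return {a for a in links if crown_jewel in blast_radius(links, a)}


def recovery_cycles(links):
    """Pairs that can each reset the other; neither is a safe recovery anchor."""
    pairs = set()
    for a, recoverers in links.items():
        for b in recoverers:
            if a in links.get(b, ()):
                pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


if __name__ == "__main__":
    for size, name in ranked(RESET_LINKS):
        reach = sorted(blast_radius(RESET_LINKS, name))
        print(f"{name:15} -> {size} account(s): {reach}")
    print("reaches paypal:", sorted(upstream(RESET_LINKS, "paypal")))
    print("mutual recovery:", recovery_cycles(RESET_LINKS))
```

In the sample, the phone number is the account with the largest blast radius even though it is the one most people never list, which is the point of writing the chain down.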
Physical - Examples
Rogue Access Point
Remember the flow?
What if the “Café 99 – PUBLIC” Wi-Fi access point is not set up by the kind owner of Café 99, but by the attacker?
What communication is the attacker able to intercept?
Keylogger
A police officer arrested you for a minor offense and inspected your computer.
Nothing else happened, all charges dropped.
How do you know your keyboard is not richer by a hardware keylogger?
Logical
A broad category, where software attacks in the form of malware meet manipulation of the flow of data.
A specific aspect of logical attacks is the identification of a more complex structure, attacking its weak point and traversing further once successful.
Profiling
Profiling can be perceived as the reconnaissance stage of a real attack, or as an attack against privacy itself.
Using publicly available information and analyzing it can lead to results beyond intuitive expectation.
Human error
Risk management
We manage risks all the time – by taking decisions.
The problem is, people are bad at risk analysis and they decide based on feelings, not facts.
Risk management is about tradeoffs.
Risk management is a mix of science, statistics, crystal ball estimates, decision making, strategy and personal preferences.
Terminology
Threat. Theft of data. Arrest. Public shaming.
Vulnerability. Unpatched system. Existence of sensitive data.
Risk. Likelihood that a Threat will exploit a Vulnerability into an Incident.
Incident. My data got stolen. My computer got confiscated.
Impact. Loss of money. Arrest and prison. Loss of job.
Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
Annualized Loss Expectancy (ALE) = Annualized Rate of Occurrence (ARO) x SLE
Risk Register
Now we create a risk register. This is supposed to be brainstorming and just writing down everything.
Identify threats and record the respective risks with the expected likelihood of occurrence. It is ok to have empty fields now.
Focus on the crown jewels, services and assets identified earlier.
Use low, medium, high as quantifiers for probability and impact.
Risk                  | Vulnerability    | Probability | Impact | Risk mitigation
Loss of travel photos | Stored in Picasa | Low         | Medium |
PayPal compromised    |                  | Low         | High   |
Risk Analysis
The risk register is just the first step.
Once ready, it is important to go through all the risks one by one and re-evaluate them.
The proper way is to assign absolute values in percent for likelihood.
The “good enough” way is to stay with the relative values of low, medium, high.
Impact Analysis
Now go through the risk register again and focus on impact.
The preferred way is to have the impact expressed as a monetary value.
“Good enough” is still using low, medium, high.
Think about collateral damage.
We can add the CIA classification to the risk register to make it more detailed.
Risk Mitigation Strategies
Accept the risk. Do nothing.
Transfer the risk. Your problem, not mine.
Reduce the risk. I quit Facebook.
Reduce impact. I don’t send nude pictures over email.
Plan for recovery. I back up my data.
These are the general classes of risk mitigation strategies. Implementation and the specific ways to do it will be part of the next block.
Risk Management Plan
Now we have all we need to form our risk management plan.
The first question is – how big is your risk appetite? Are you a risk taker or risk averse? How much do you value security, expressed in money or effort required?
The risk management plan focuses on selecting the generic risk management strategies.
You can start by accepting the risk of everything with probability and impact being medium or lower.
Then go for the easy wins, as they are obvious.
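The risk register, risk and impact analysis, and the plan rule from the slides above, worked through in code. This is an added example and not part of the deck: it keeps the register's columns (risk, vulnerability, probability, impact, mitigation) plus the CIA tag, supports both the "good enough" low/medium/high ratings and the SLE/ALE formulas from the Terminology slide, and applies the default decision "accept everything medium or lower". The register rows are constructed samples; the first two mirror the slide's table.

```python
"""A small personal risk register: qualitative ratings, optional SLE/ALE
quantification, CIA tags and the default "accept medium or lower" rule.

Added example, not part of the original deck; register entries are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    risk: str
    vulnerability: str = ""          # may stay empty during brainstorming
    probability: str = "low"         # low / medium / high
    impact: str = "low"              # low / medium / high
    cia: Tuple[str, ...] = ()        # which of C, I, A the incident hits
    mitigation: str = ""             # accept / transfer / reduce / recover
    asset_value: Optional[float] = None      # AV, in money
    exposure_factor: Optional[float] = None  # EF, fraction of AV lost (0..1)
    aro: Optional[float] = None              # ARO, incidents per year

    def __post_init__(self):
        for level in (self.probability, self.impact):
            if level not in LEVELS:
                raise ValueError(f"{self.risk}: use low/medium/high, not {level!r}")
        if self.exposure_factor is not None and not 0 <= self.exposure_factor <= 1:
            raise ValueError(f"{self.risk}: exposure factor must be within 0..1")


def sle(r):
    """Single Loss Expectancy = AV x EF, or None when not quantified."""
    if r.asset_value is None or r.exposure_factor is None:
        return None
    return r.asset_value * r.exposure_factor


def ale(r):
    """Annualized Loss Expectancy = ARO x SLE, or None when not quantified."""
    single = sle(r)
    if single is None or r.aro is None:
        return None
    return r.aro * single


def score(r):
    """Qualitative score 1..9, used only to order the register."""
    return LEVELS[r.probability] * LEVELS[r.impact]


def default_decision(r):
    """Plan rule from the slides: accept when both ratings are medium or lower."""
    if LEVELS[r.probability] <= 2 and LEVELS[r.impact] <= 2:
        return "accept"
    return "needs strategy"


def triage(register):
    """(risk, score, decision) rows, highest score first."""
    rows = [(r.risk, score(r), default_decision(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def missing_fields(register):
    """What the second pass over the register still has to fill in."""
    return {
        "vulnerability": [r.risk for r in register if not r.vulnerability],
        "mitigation": [r.risk for r in register if not r.mitigation],
    }


# Constructed sample register; the first two rows mirror the slide's table.
REGISTER = [
    Risk("Loss of travel photos", "Stored in Picasa", "low", "medium", ("A",)),
    Risk("PayPal compromised", "", "low", "high", ("C", "I"),
         asset_value=2000.0, exposure_factor=0.5, aro=0.1),
    Risk("Emails stolen", "Weak webmail password, no 2FA", "medium", "high", ("C",)),
    Risk("Public shaming", "Old forum posts under real name", "medium", "medium", ("I",)),
]

if __name__ == "__main__":
    for name, s, decision in triage(REGISTER):
        print(f"{s}  {name:22} {decision}")
    print("PayPal ALE:", ale(REGISTER[1]))          # 0.1 x (2000 x 0.5) = 100.0
    print("still to fill in:", missing_fields(REGISTER))
```

Note that "Public shaming" scores higher than "PayPal compromised" yet is accepted by the default rule, because the rule in the slides is about the two ratings separately, not their product; that is the kind of outcome the second pass is meant to catch.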
Ways of OPSEC
OPSEC stands for being able to use cyberspace (Availability) while maintaining Confidentiality and Integrity.
You can go for anything between easy wins and clandestine operations within your own infrastructure with advanced deception.
Higher levels of OPSEC represent significant mental effort and stress and are unrealistic to maintain over a long period of time.
The absolute key for OPSEC is to set it to the level you are comfortable with and able to maintain.
Let the risk management plan be your guide.
Faces of OPSEC
Average Joe. You chose to blend in. Do what everyone else does, keep a low profile, do not draw attention and be able to deny everything. You are aware of what you are doing. This is the suggested way for amateurs.
Ninja. You chose to be invisible. No one is allowed to know what you are doing, or even that you are doing it. You might need your own secure infrastructure, skill and paranoia.
Agent Smith. Deception all the way. You have multiple personalities and instead of leaving no traces you leave false ones. Don’t do this.
Problem with Deception
Not only do you leave traces, you leave multiple sets of them.
This significantly increases the chance of slipping up.
To create and maintain a reliable fake identity you need to invest time close to that of your real life into it.
In long-term operations, this significantly increases stress as well as the likelihood of getting your cover blown.
Against an unskilled adversary this is a waste of effort; against a skilled one – you are going to fail.
Control your Environment - EASY
Your assets are yours to control.
Make sure they are not compromised; perform a full factory reset when in doubt.
Control what others sharing your environment and assets can do with them, and limit it to the minimum.
Using pirated software is the equivalent of taking a random pill from a random stranger in the street and swallowing it. If you allow anyone to install software on your computer, it is not your computer anymore.
Control Your Attack Surface - EASY
By now you should have quite good visibility and understanding of your attack surface.
Reducing it by removing unneeded services should be the first step.
Controlling how you use the rest should be the second.
Think about what data you create and store, and where.
Think about what privileges you grant to a new smartphone app.
When using multiple devices in sync – aren’t you creating an unwanted chain of accounts?
Password Hierarchy - EASY
“Have one password for each service, complex, and change them regularly.”
No. This is unrealistic to maintain, and a security practice that is not maintained is actually worse than no practice at all.
Set up a password hierarchy instead, with a limited number of strong passwords, and change them when in doubt of compromise.
Create rules for yourself and stick to them.
Password Hierarchy - Example
Password tier    | Password                  | Where to use it
Master password  | ForestBr33dsThousANDbees! | Only for the password safe. Never use it online, never use it in an unsecure environment. When compromised, everything is compromised.
Main password    | HowChic4g0FITSKangaroo    | Main email, important accounts, monetary services. Compromise could lead to significant harm.
Regular password | TrentMercuryHarris0n#     | Majority of services I care about. Social media, paid access to Netflix. Compromise would be annoying but not critical.
Garbage password | HelloDummy                | One-time passwords required for shopping, online registration, sites that I do not care about. I do not care about compromise.
Two-Factor Authentication - Easy
Three factors of authentication
• Something you know. Password.
• Something you have. Smartphone.
• Something you are. Fingerprint.
A combination of different factors creates multi-factor authentication. It is much stronger than just the sum. Example: Password + SMS.
A combination of the same factor does not create multi-factor authentication. Example: Password1 + Password2.
Use it whenever possible and whenever you care about the result.
Encryption - Easy
Data at Rest
File encryption, hard drive encryption.
The purpose here is to prevent an attacker who successfully steals your data from being able to use it.
Also for preventing the gathering of evidence.
Data in Motion
VPN, secure shell, tunneling.
Basic technique for creating a reliable environment over an untrusted environment.
If both ends are reliable, the connection can be considered trusted.
Best for preventing interception.
Private Internet Use - Medium
Virtual Private Network (VPN)
An example of encryption in motion.
Creates a tunnel between two endpoints. Communication is encrypted and resilient against MitM attacks.
Also allows you to modify the network trace.
TOR
Onion network. A decentralized network within the Internet. Best for free speech practitioners, journalists, drug dealers and criminals.
Allows entry to the darkweb and hides your network trace completely.
It can also draw attention.
Plausible Deniability - Medium
“You have no proof I did this intentionally.”
“I forgot the password.”
“I did not instruct anyone to commit a crime.”
Plausible deniability comes in handy when dealing with law enforcement. It is a strategy prepared for the case when your cover is blown.
The point is to be able to deny the connection between you and the evidence in a way that cannot be challenged.
Control Your Service Providers - Medium
Unless you are a big enterprise or a government, you can hardly affect the way your service provider does business.
You can select a service provider that better suits your needs.
For OPSEC purposes you can go with the biggest ones (Google, Microsoft) to blend in – or search for shady providers (offshore, secure hosting) designed to deliver security and risk them being honeypots or amateurs.
Selection of a service provider is a function of both reason and trust.
Covert Communication Channels - Hard
“Canary in a coal mine”
In 2013, Apple put a warrant canary into their privacy statement. They claimed that they had never exposed their customers’ privacy to the government. If in future this sentence disappears from the annual report, it will mean something has changed. This works even if the government prohibits Apple from telling anything.
Lorem Ipsum and Google Translate
In 2014, an effect of capitalization in Lorem Ipsum phrases fed to Google Translate was discovered that could be used to send covert messages using just Lorem Ipsum phrases.
Secure Infrastructure - Hard
If you want to be extra secure, building your own anonymous and private infrastructure might be the only way. It is harder than you think.
Money. If you are afraid of government actors, you must use anonymous currency. Obtain it. Bitcoins, prepaid cards.
ISP. Which ISP will accept anonymous currency and not ask questions?
Server. Can you administer a secure server so it does not get breached?
Set up. You must set it up securely, and when nothing is going on.
Use. Have a plan for how to use it in a secure way so you don’t blow your own cover.
Maintain. Be prepared to monitor it, maintain it and renew it.
Tools of OPSEC
OPSEC is not about tools, software or equipment, but about understanding, behavioral changes and informed decision making.
Tools can help, but technology is not, and never should be viewed as, an omnipotent solution.
Open source tools follow.
Keepass Password Safe
One of many software tools for managing passwords.
Using strong encryption, KeePass provides reasonable security and allows easy management of stored passwords, including their generation.
Available in a portable version.
Truecrypt 7.1a
Encryption
TrueCrypt can provide both encryption into file containers as well as full hard drive encryption.
Be careful to use the 7.1a version; the newest one is not trustworthy.
Plausible Deniability
To achieve plausible deniability, TrueCrypt offers the option of creating a hidden partition.
When forced to give away the password to your system, you can open up the one that does not contain sensitive data.
Off The Record (OTR)
A simple plugin for instant messaging communication.
Once you establish secure communication with your counterpart by confirming keys, your communication will be encrypted.
Works best with the Jabber or Google Talk protocol as implemented in the Pidgin application.
TOR Browser
The Tor network was discussed earlier; Tor Browser and the Tor plugin are available for download from the Tor Project website.
A strong organization is behind the Tor Project now – it has US army origins (created and released to the public in order to blend in), but now it is maintained independently.
Monitoring the Tor site is worth the time, as any new threats to Tor security are discussed and dealt with openly.
Live Kali/Tails Linux
Kali is the new BackTrack. It is a toolbox with security and offense in mind.
A Linux distribution designed for offensive security, penetration testing and forensic investigation – any ideas what this means?
Tails is a Linux distribution designed for anonymous use of the Internet.
Lightweight, slick and easy to use for anyone.
Learning to use them at the user level might be fun and useful in the future.
Summary
The way forward is through understanding, rational thinking and good decision making.
Know yourself.
Know your enemies.
Plan ahead.
Follow the plan.
Enjoy and have fun.
Feedback
This workshop is in early beta and you are the test subjects.
Feedback is essential for me to improve it.
What follows is a three-step process:
1. Freeform discussion, impressions. Now.
2. Structured feedback with questions. In 3 days.
3. Long-term feedback with different questions. In 3 months.
I will really appreciate the time you dedicate to the feedback.
Thank you!
Petr Špiřík
petr.spirik@gmail.com
@HidenatNet
http://www.slideshare.net/zapp0/civilian-opsec-in-cyberspace

PPTX
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
PDF
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
PDF
A systematic review of self-coping strategies used by university students to ...
PDF
Computing-Curriculum for Schools in Ghana
PDF
Microbial disease of the cardiovascular and lymphatic systems
PDF
Supply Chain Operations Speaking Notes -ICLT Program
PDF
Paper A Mock Exam 9_ Attempt review.pdf.
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PDF
LNK 2025 (2).pdf MWEHEHEHEHEHEHEHEHEHEHE
PDF
Complications of Minimal Access Surgery at WLH
History, Philosophy and sociology of education (1).pptx
RMMM.pdf make it easy to upload and study
GENETICS IN BIOLOGY IN SECONDARY LEVEL FORM 3
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
OBE - B.A.(HON'S) IN INTERIOR ARCHITECTURE -Ar.MOHIUDDIN.pdf
Practical Manual AGRO-233 Principles and Practices of Natural Farming
RTP_AR_KS1_Tutor's Guide_English [FOR REPRODUCTION].pdf
Trump Administration's workforce development strategy
Introduction-to-Literarature-and-Literary-Studies-week-Prelim-coverage.pptx
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
grade 11-chemistry_fetena_net_5883.pdf teacher guide for all student
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
A systematic review of self-coping strategies used by university students to ...
Computing-Curriculum for Schools in Ghana
Microbial disease of the cardiovascular and lymphatic systems
Supply Chain Operations Speaking Notes -ICLT Program
Paper A Mock Exam 9_ Attempt review.pdf.
Final Presentation General Medicine 03-08-2024.pptx
LNK 2025 (2).pdf MWEHEHEHEHEHEHEHEHEHEHE
Complications of Minimal Access Surgery at WLH

Civilian OPSEC in cyberspace

  • 1. Civilian OPSEC in Cyberspace
    Petr Špiřík
  • 2. About
    The course: Methods and techniques for monitoring, surveillance and profiling of cyberspace activities are here to stay. The goal of this workshop is to educate people operating in above-average risk situations in cyberspace and to arm them against malicious actors abusing these options.
    Petr Špiřík: Cyber security, privacy, counter-surveillance and threat intelligence. This is what I like. Network security, incident response, security architecture and design. This is what I do. Education and the power of knowledge. This is what I trust.
    CC-BY-SA • Petr Špiřík
  • 3. Audience
    I want to
    • Do independent journalism in Russia
    • Buy and sell drugs online
    • Perform cutting edge research in China
    • Watch porn in UAE
    • Live my life without fear – whether I am gay, a woman, black or a radical anarchist
    Good. Welcome.
  • 4. Course management
    There are eight building blocks, one for each defined subtopic.
    One block aims at a 45/15 minute content/chill-out time format.
    At all times, the parking lot is here to capture questions and pain points.
    Questions, concerns and requests for rewind/fast forward are welcome.
    Participation is not only welcome – it is essential for meeting the objectives of this course.
  • 5. Agenda
    Problem
    0900 Cyberspace basics
    1000 Self-profiling
    1100 Threat actors
    1200 Attack vectors
    Solution
    1400 Risk Management
    1500 Ways of OPSEC
    1600 Tools of OPSEC
    1700 Summary & Feedback
  • 6. Cyberspace Basics
    “Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding.” (Neuromancer, 1984)
    “The environment formed by physical and non-physical components, characterized by the use of computers and the electro-magnetic spectrum, to store, modify, and exchange data using computer networks.” (Tallinn Manual, 2013)
  • 7. What is OPSEC, anyway?
    OPSEC stands for OPerations SECurity.
    OPSEC usually refers to clandestine, covert or otherwise sensitive operations and the need to keep them that way.
    OPSEC is the way of behaving, acting and operating that provides increased security and privacy.
    OPSEC often aims at reducing your footprint and keeping a low profile.
  • 8. Cyber Terrain (courtesy of Shawn Riley)
  • 9. Scary model
    The TCP/IP layers, each with a plain-language name and what it stands for:
    Network Access | Networks | Physics, the real world, cables
    Internet | Protocols | Rules and laws of the Internet
    Transport | Computer | Hardware, processing of data
    Application | Human | Human-computer interface, software
  • 10. Flow of Operation in Cyberspace
    Me -> Computer interface -> My computer -> My ISP -> Another ISP -> Yet another ISP -> Datacenter -> Target server -> Target service
  • 11. Flow explained - 1
    Me -> My Computer
    Who else has access to my computer? How secure is my computer? My computer uses DNS and other protocols; what does this mean?
    If I do not control my computer, every other step is compromised.
    My Computer -> My ISP
    Where do I connect? Who else has access to the router I use? How secure is this router? How much do I trust my ISP?
    Countermeasures against an untrustworthy connection and ISP exist.
  • 12. Intermission
    Addressing
    Everything connected to the network has an address, an IP address. Addressing is hierarchical. There are rules for address allocation. Addresses can be manipulated.
    Domain Name System
    IP addresses are not human-friendly. Names are better. DNS is the protocol and service that lets you use google.com instead of 173.194.122.3. Names can be manipulated.
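Added example (the editor's, not from the slides): the Addressing and DNS points above in working code. It builds the exact bytes a computer sends for an A-record lookup, parses a reply, and shows the only checks a plain stub resolver performs before believing an answer. The packets are constructed inline so it runs offline; 173.194.122.3 is the address from the slide and 203.0.113.66 is a documentation-range address standing in for an attacker. The point a practitioner wants from it: classic DNS is plaintext UDP with no authentication, so every hop in the flow can see what you look up, and anything on the path (the café router, your ISP) can answer first with a forged reply that the resolver cannot tell from the real one. Encrypted DNS (DNS over TLS or HTTPS) or a VPN to a resolver you trust closes the eavesdropping hole; DNSSEC addresses forgery where the zone is signed.

```python
"""Added example (not from the workshop slides): what a DNS lookup looks like
on the wire. Classic DNS (RFC 1035) over UDP port 53 is plaintext and carries
no authentication; anything on the path can read which names you ask for and
can answer in place of the real server. A stub resolver accepts a reply if the
16-bit transaction ID and the question match. Packets are constructed inline."""
import struct

def encode_name(name: str) -> bytes:
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid: int, name: str) -> bytes:
    """Build an A-record query (QTYPE=1, QCLASS=IN=1) with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(msg: bytes, off: int):
    """Decode a name at offset `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears at `off`)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # pointer: 2 bytes, 14-bit offset
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end

def parse_response(msg: bytes) -> dict:
    """Return the transaction ID, flags, question name and A-record answers (name, ttl, ip)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4                                  # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "flags": flags, "question": qname, "answers": answers}

def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    """Build an answer for `name`. A legitimate server and an on-path forger
    produce exactly the same shape; only the transaction ID must match."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(x) for x in ip.split("."))
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer

def resolver_accepts(query: bytes, response: bytes) -> bool:
    """The only checks a plain stub resolver makes: response bit set, same ID, same question."""
    qid = struct.unpack("!H", query[:2])[0]
    qname, _ = decode_name(query, 12)
    r = parse_response(response)
    return bool(r["flags"] & 0x8000) and r["txid"] == qid and r["question"] == qname

# Constructed demonstration (no network). The query leaves in the clear; a forged
# reply carrying the same transaction ID is indistinguishable from the real one.
QUERY = build_query(0x1234, "google.com")
GENUINE = build_response(0x1234, "google.com", "173.194.122.3")
FORGED = build_response(0x1234, "google.com", "203.0.113.66")    # attacker-chosen address (TEST-NET-3)
WRONG_ID = build_response(0x5678, "google.com", "203.0.113.66")  # guessed the ID wrong

if __name__ == "__main__":
    print("query bytes:", QUERY.hex())
    for label, pkt in (("genuine", GENUINE), ("forged", FORGED), ("wrong id", WRONG_ID)):
        print(f"{label:9s} accepted={resolver_accepts(QUERY, pkt)} {parse_response(pkt)['answers']}")
```

The transaction ID is 16 bits and the source port adds a little more, which is why blind off-path spoofing is a race while on-path spoofing (the rogue access point of the Physical slides, or a cooperative ISP) needs no guessing at all.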
  • 13. Flow explained - 2
    ISP -> Datacenter
    ISPs and datacenters are subject to the laws of the country they reside in. Does this affect me? There are usually several ISPs in the way, forming a chain. ISPs and datacenters have employees. These hops multiply the problem.
    Target Server -> Target Service
    Who administers the target server? How secure is the target service against other users, attackers, administrators? It is very hard to exercise security at the target end of the connection.
  • 14. Why does it matter?
    Models are good. Models allow us to split a complex problem into a sum of easier challenges.
    Understanding the environment is critical
    • Cyberspace is a heterogeneous environment
    • There is no end-to-end control
    • What happens if any of the nodes is compromised?
    We don’t need to understand technical details for self-defense.
  • 15. Digital Footprint
    Whenever you operate in cyberspace, you leave traces. Locard’s exchange principle still applies.
    The good thing – you can modify your traces more easily in cyberspace.
    The bad thing – it is significantly harder to remove your traces completely.
    The very bad thing – time does not help. A digital footprint is close to eternal. What you once put into the system stays there forever.
  • 16. Heterogeneous environment
    Cyberspace is subject to three points of view simultaneously at any given time.
    Physical. Data in cables have a physical representation. Monitors emit in the visible spectrum.
    Logical. Data are logically structured and encoded. Protocols and transformations apply.
    Legal. Cables, servers, computers and people exist in some jurisdiction, are subject to that jurisdiction, and jurisdictions can conflict. There is no such thing as no-one’s land.
  • 17. Control and Trust
    Control
    Limited. End-to-end control is hard and/or expensive to achieve. It is easy to lose control and hard to regain it. “I bought my computer and no one else ever touched it. It is under my control.”
    Trust
    Trust is essential to our society – and to cyberspace as well. There are different trust models. Trust is a cheap complement to control. Trust, but verify. “I trust my ISP not to spy on me.”
  • 18. Immutable Laws Of Security (by Microsoft)
    #1: If a bad guy can persuade you to run his program on your computer…
    #2: If a bad guy can alter the OS on your computer…
    #3: If a bad guy has unrestricted physical access to your computer…
    #4: If you allow a bad guy to run active content in your website…
    … it is not yours anymore.
  • 19. Self-profiling
    There is no silver bullet. A journalist, a drug smuggler, a student or a scientist have different needs.
    This block is activity driven, with the outcomes of
    • Defined assets you use in your daily routine
    • Services and tools that are important to you
    • What is important to you
    This profile is called the attack surface.
  • 20. CIA triad
    All recognized assets, whether logical or physical, are subject to the CIA triad of Confidentiality, Integrity and Availability. These aspects represent what is important to you.
    “I do not want anyone else to be able to read or modify my emails. Losing them is not a big deal to me.” I value Confidentiality and Integrity, while I do not care about Availability.
    “My website is public. It must be up all the time and its content must be exactly like I want it.” Availability and Integrity are important, but Confidentiality does not even apply.
  • 21. Assets
    This one is easy. Write down all your cyberspace-related devices and what you use them for.
    • Smartphone (phone calls, navigation, internet access)
    • Laptop (school work, online games, Facebook, movies, photos)
    • Lab computer (research projects, foreign universities’ data access)
    • Credit card (paying online, ATM withdrawals)
  • 22. Services
    Still easy. What services do you use and how important are they to you? Write them down.
    • Email (how many of these?)
    • Facebook (or other social media)
    • Google documents (fun, work, school)
    • Dropbox (or other file sharing platform)
    • Website
  • 23. Crown Jewels
    Time to think. What is important to you? What matters the most? What part of your life could suffer a lot? Use the CIA triad classification.
    • Lose all my data stored in the cloud
    • Lose my emails
    • Have my emails stolen
    • Get shamed publicly
    • Lose money
  • 24. “Stuff”
    There are necessarily data that you did not include in the Assets, Services or Crown jewels sections. This is OK. These are the data you have but do not care that much about. It is good and important to be aware of them, but right now – let’s put them aside.
  • 25. Asset Management
    Assets, services and crown jewels can also be seen as
    • Physical assets
    • Logical assets
    • Priority assets
    Writing them down in a structured manner serves many purposes
    • Visibility (you can manage only what you know about)
    • Attack surface deconstruction (this might allow for some easy wins)
    • Prioritization for defense (Crown jewels vs. “stuff”)
  • 26. Threat actors
    “You Don’t Have a Malware Problem. You Have an Adversary Problem.” (CrowdStrike)
    Does it matter who is after you? Are you suspicious of the government? Ours or THEIRS? Scared by neo-Nazis? Classroom bullies? Afraid of criminals?
    Yes, it does matter. Different threat actors have different motivations and different capabilities. Your defense should differ as well.
  • 27. Government
    Profile: Law enforcement, government bodies, intelligence agencies, military. Professionals working 8-17, with an unlimited budget and options not available to anyone else. Whether they are domestic or foreign makes a significant difference.
    Motivation: Defined by political agenda and legal system. Highly predictable.
    Capability: Usually top tier.
    Objectives: Surveillance, law enforcement objectives, intelligence and counterintelligence.
  • 28. Hacktivists
    Profile: “For cause” groups. Far right, far left, extremists, political organizations. White-media.info, Anonymous – just to name a few.
    Motivation: The critical aspect of each hacktivist group.
    Capability: Wildly varied.
    Objectives: Usually attention seekers, thriving on media coverage and publicity.
  • 29. Criminals
    Profile: Traditional organized crime as well as freelancing dog soldiers (Hidden Lynx) are already strongly established. Driven by money, you can find all sorts of talent – from clumsy drive-by operators to skilled operatives.
    Motivation: Money. Financial profit. Very predictable, with parallels to standard crime and business.
    Capability: Adequate to their selected career. There is room for everyone.
    Objectives: Data theft, ransom, outsourcing.
  • 30. Lone wolves (aka Jerks)
    Profile: Someone you pissed off at work. Someone you broke up with. Someone randomly evil.
    Motivation: Unpredictable.
    Capability: Varied, usually low.
    Objectives: Acts of damage and destruction, not predictable.
  • 31. Now what?
    Activity. More writing. Who are you afraid of the most? What crown jewels of yours are they after? Why do you think you are their target? Who do you fear the least?
  • 32. Attack Vectors
    Threat actors have their tools of the trade ready. They target the Confidentiality, Integrity and Availability of your assets. We will cover different points of view and classifications of the attacks, allowing us to understand the attack vector.
  • 33. Legal
    Most often the domain of Government threat actors. Confidentiality is the main target. Can be long-term (mass surveillance) or short-term (investigation). You can become a victim as collateral damage (police raid at a datacenter) or as a direct target. It is critical to understand the applicable legal framework – at least to the extent of your rights and risks.
  • 34. Legal - Examples
    Surveillance: Some form of surveillance is already in place (CCTV); other forms might be deployed upon request at your ISP. The entities implementing surveillance act with the power of an administrator.
    Law Enforcement Hit: Your laptop might be confiscated for investigation. Your server might be taken into custody. It might be targeted against you or you might be just a drive-by victim.
  • 35. Social Engineering
    By far the most prevalent type of attack – or at least a frequent complementing factor. Mostly used by criminal threat actors. People are prone to trust others, believe in fairy tales and get abused for it. It is no surprise – a skilled social engineer is a con artist doing it for a living. His victim is most likely experiencing it for the first time. A social engineering attack might resemble a boxing match between Rocky Balboa and Justin Bieber.
  • 36. Social - Examples
    Phishing: It looks like a legitimate email. It looks like your e-banking site. It offers money or tries to help you. It might as well be just an illusion set up by an attacker.
    Identity Theft: A friend request on Facebook. You know the name, you recognize the photo, you shared a class two years ago. It might as well be a persona crafted from publicly available sources. Like other social networks.
  • 37. Physical
    Did someone have access to your computer? It is not your computer anymore. Are you operating in an environment that is controlled by someone else? How much do you trust them?
    Targeted attacks against you are rare, as they scale poorly. Prepared traps against anyone coming in are common, as they scale decently. Physical attacks are used by all actors, based on opportunity.
  • 38. Logical - Examples
    Man-in-the-Middle: When the attacker is able to gain control of a point in the flow of information and manipulate it, we speak about a MitM attack. Redirecting traffic, intercepting data or terminating and re-establishing sessions all fall into the MitM category.
    Password chaining: “Did you forget your password? Enter your email address and we will reset it for you.” What happens if one of your accounts is compromised? Can the attacker use it to gain access to other accounts? Think of the email-PayPal link.
  • 39. Physical - Examples
    Rogue Access Point: Remember the flow? What if the “Café 99 – PUBLIC” Wi-Fi access point is not set up by the kind owner of Café 99, but by the attacker? What communication is the attacker able to intercept?
    Keylogger: A police officer arrested you for a minor offense and inspected your computer. Nothing else happened, all charges dropped. How do you know your keyboard has not gained a hardware keylogger?
  • 40. Logical
    A broad category, where software attacks in the form of malware meet manipulation of the flow of data. A specific aspect of logical attacks is identifying a more complex structure, attacking its weak point and traversing further once successful.
  • 41. Profiling
    Profiling can be perceived as the reconnaissance stage of a real attack or as an attack against privacy itself. Using publicly available information and analyzing it can lead to results beyond intuitive expectation.
  • 42. Human error
  • 43. Risk management
    We manage risks all the time – by taking decisions. The problem is, people are bad at risk analysis and they decide based on feelings, not facts. Risk management is about tradeoffs. Risk management is a mix of science, statistics, crystal ball estimates, decision making, strategy and personal preferences.
  • 44. Terminology
    Threat. Theft of data. Arrest. Public shaming.
    Vulnerability. Unpatched system. Existence of sensitive data.
    Risk. Likelihood that a Threat will exploit a Vulnerability into an Incident.
    Incident. My data got stolen. My computer got confiscated.
    Impact. Loss of money. Arrest and prison. Loss of job.
    Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
    Annualized Loss Expectancy (ALE) = Annualized Rate of Occurrence (ARO) x SLE
  • 45. Risk Register
    Now we create a risk register. This is supposed to be brainstorming and just writing down everything. Identify threats and record the respective risks with the expected likelihood of occurrence. It is OK to have empty fields now. Focus on the crown jewels, services and assets identified earlier. Use low, medium, high as quantifiers for probability and impact.
    Risk | Vulnerability | Probability | Impact | Risk mitigation
    Loss of travel photos | Stored in Picasa | Low | Medium | (empty for now)
    PayPal compromised | (empty for now) | Low | High | (empty for now)
  • 46. Risk Analysis
    The risk register is just the first step. Once ready, it is important to go through all the risks one by one and re-evaluate them. The proper way is to assign absolute values in percent for likelihood. The “good enough” way is to stay with relative values of low, medium, high.
  • 47. Impact Analysis
    Now go through the risk register again and focus on impact. The preferred way is to have the impact expressed in monetary value. “Good enough” is still using low, medium, high. Think about collateral damage. We can add the CIA classification to the risk register to make it more detailed.
  • 48. Risk Mitigation Strategies
    Accept the risk. Do nothing.
    Transfer the risk. Your problem, not mine.
    Reduce the risk. I quit Facebook.
    Reduce impact. I don’t send nude pictures over email.
    Plan for recovery. I back up my data.
    These are general classes of risk mitigation strategies. Implementation and specific ways to do it will be part of the next block.
  • 49. Risk Management Plan
    Now we have all we need to form our risk management plan. The first question is – how big is your risk appetite? Are you a risk taker or risk averse? How much do you value security, as expressed in money or effort required?
    The risk management plan focuses on selecting the generic risk management strategies. You can start by accepting the risk of everything with probability and impact being medium or lower. Then go for the easy wins, as they are obvious.
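Added example (the editor's, not part of the workshop material): the Terminology, Risk Register, Risk Analysis, Impact Analysis, Mitigation Strategies and Risk Management Plan slides carried through as one runnable register. It keeps the slides' low/medium/high scoring, adds the optional AV, EF and ARO inputs so that SLE = AV x EF and ALE = ARO x SLE are computed where you do have numbers, ranks the rows worst first, and applies the plan rule from slide 49: accept everything at medium/medium or below, then take the easy wins, and only what is left needs a real decision. The first two rows are the slide's; the remaining rows, the mitigations and all money values are constructed for illustration.

```python
"""Added example (not from the workshop): a minimal personal risk register.
Each row carries the slides' qualitative probability/impact and, optionally,
the quantitative inputs from the Terminology slide:
  SLE = AV x EF        (Single Loss Expectancy)
  ALE = ARO x SLE      (Annualized Loss Expectancy)
Rows, money values and mitigations are constructed, not the author's."""
from dataclasses import dataclass
from typing import Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    risk: str                       # the Incident: what happens
    vulnerability: str              # why it can happen
    probability: str                # low / medium / high
    impact: str                     # low / medium / high
    cia: str = ""                   # which of C, I, A is hit
    mitigation: str = ""            # candidate countermeasure
    mitigation_cheap: bool = False  # an "easy win" in the slides' sense
    asset_value: Optional[float] = None      # AV, in money
    exposure_factor: Optional[float] = None  # EF, fraction of AV lost per incident
    annual_rate: Optional[float] = None      # ARO, incidents per year

    def sle(self) -> Optional[float]:
        """Single Loss Expectancy = AV x EF; None when the row is not quantified."""
        if self.asset_value is None or self.exposure_factor is None:
            return None
        return self.asset_value * self.exposure_factor

    def ale(self) -> Optional[float]:
        """Annualized Loss Expectancy = ARO x SLE; None when the row is not quantified."""
        sle = self.sle()
        if sle is None or self.annual_rate is None:
            return None
        return self.annual_rate * sle

    def score(self) -> int:
        """Relative ranking when nothing is quantified: probability x impact on a 1..3 scale."""
        return LEVELS[self.probability] * LEVELS[self.impact]

def choose_strategy(r: Risk) -> str:
    """The plan from slide 49: accept everything at medium/medium or below,
    then take the easy wins; what remains needs an explicit decision."""
    if LEVELS[r.probability] <= 2 and LEVELS[r.impact] <= 2:
        return "accept"
    if r.mitigation_cheap and r.mitigation:
        return "reduce (easy win): " + r.mitigation
    return "decide: reduce / transfer / plan recovery"

def prioritize(register: list) -> list:
    """Worst first: by ALE where known, then by the qualitative score."""
    return sorted(register, key=lambda r: (r.ale() or 0.0, r.score()), reverse=True)

def plan(register: list) -> list:
    """Return (risk, SLE, ALE, strategy) tuples, worst first."""
    return [(r.risk, r.sle(), r.ale(), choose_strategy(r)) for r in prioritize(register)]

# Constructed register. The first two rows are from the slide; the rest are invented
# to exercise the quantitative path and the easy-win rule.
REGISTER = [
    Risk("Loss of travel photos", "Stored in Picasa only", "low", "medium", cia="A",
         mitigation="Local backup", mitigation_cheap=True),
    Risk("PayPal compromised", "Recovery e-mail shares the regular-tier password", "low", "high",
         cia="C,I", mitigation="Unique main-tier password + 2FA", mitigation_cheap=True,
         asset_value=2000.0, exposure_factor=0.5, annual_rate=0.25),
    Risk("Laptop confiscated with research data", "Disk not encrypted", "medium", "high",
         cia="C,A", mitigation="Full-disk encryption", mitigation_cheap=True,
         asset_value=10000.0, exposure_factor=1.0, annual_rate=0.5),
    Risk("Public shaming from leaked chat", "Chats kept in plaintext on the phone", "medium", "medium",
         cia="C"),
]

if __name__ == "__main__":
    for name, sle, ale, strategy in plan(REGISTER):
        print(f"{name:40s} SLE={sle} ALE={ale} -> {strategy}")
```

The ranking deliberately prefers the money figure whenever it exists: two rows that both read "low/high" are indistinguishable on the qualitative scale but rarely on ALE, which is the argument the Impact Analysis slide makes for monetary values.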
  • 50. Ways of OPSEC
    OPSEC stands for being able to use cyberspace (Availability) while maintaining Confidentiality and Integrity. You can go for anything between easy wins and clandestine operations within your own infrastructure with advanced deception. Higher levels of OPSEC represent significant mental effort and stress and are unrealistic to maintain over a long period of time. The absolute key for OPSEC is to set it to the level you are comfortable with and able to maintain. Let the risk management plan be your guide.
  • 51. Faces of OPSEC
    Average Joe. You chose to blend in. Do what everyone else does, keep a low profile, do not draw attention and be able to deny everything. You are aware of what you are doing. This is the suggested way for amateurs.
    Ninja. You chose to be invisible. No one is allowed to know what you are doing, or even that you are doing it. You might need your own secure infrastructure, skill and paranoia.
    Agent Smith. Deception all the way. You have multiple personalities and instead of leaving no traces you leave false ones. Don’t do this.
  • 52. Problem with Deception
    Not only do you leave traces, you leave multiple sets of them. This increases the chance to slip up significantly. To create and maintain a reliable fake identity you need to invest time close to your real life into it. In long-term operations this significantly increases stress as well as the likelihood of getting your cover blown. Against an unskilled adversary this is a waste of effort; against a skilled one – you are going to fail.
  • 53. Control your Environment - EASY
    Your assets are yours to control. Make sure they are not compromised; perform a full factory reset when in doubt. Control what others sharing your environment and assets can do with them and limit it to the minimum. Using pirated software is the equivalent of taking a random pill from a random stranger in the street and swallowing it. If you allow anyone to install software on your computer, it is not your computer anymore.
  • 54. Control Your Attack Surface - EASY
    By now you should have quite good visibility and understanding of your attack surface. Reducing it by removing unneeded services should be the first step. Controlling how you use the rest should be the second. Think about what data you create and store, and where. Think about what privileges you grant to a new smartphone app. When using multiple devices in sync – aren’t you creating an unwanted chain of accounts?
  • 55. Password Hierarchy - EASY
    “Have one password for each service, complex, and change them regularly.” No. This is unrealistic to maintain, and a security practice that is not maintained is actually worse than no practice at all. Set up a password hierarchy instead, with a limited number of strong passwords, and change them when in doubt of compromise. Create rules for yourself and stick to them.
    The hierarchy is for the passwords you have to remember. Once the lower tiers live in a password safe (KeePass, slide 65), a unique generated password per service costs nothing extra, and a breach at one site then does not hand the attacker the rest of that tier.
  • 56. Password Hierarchy - Example
    Password tier | Password | Where to use it
    Master password | ForestBr33dsThousANDbees! | Only for the password safe. Never use it online, never use it in an unsecure environment. When compromised, everything is compromised.
    Main password | HowChic4g0FITSKangaroo | Main email, important accounts, monetary services. Compromise could lead to significant harm.
    Regular password | TrentMercuryHarris0n# | The majority of services I care about. Social media, paid access to Netflix. Compromise would be annoying but not critical.
    Garbage password | HelloDummy | One-time passwords required for shopping, online registrations, sites that I do not care about. I do not care about compromise.
    (The passwords above are illustrations; anything printed on a slide is burned and must never be used.)
  • 57. Two-Factor Authentication - Easy
    Three factors of authentication
    • Something you know. Password.
    • Something you have. Smartphone.
    • Something you are. Fingerprint.
    A combination of different factors creates multi-factor authentication. It is much stronger than just the sum. Example: Password + SMS.
    A combination of the same factor does not create multi-factor authentication. Example: Password1 + Password2.
    Use it whenever possible and you care about the result.
    An SMS code is the weakest form of “something you have”: your number can be moved to another SIM by social-engineering the carrier, and the message passes through the carrier in the clear. Prefer an authenticator app or a hardware token where the service offers one.
  • 58. Encryption - Easy
    Data at Rest: File encryption, hard drive encryption. The purpose here is to prevent an attacker who successfully steals your data from being able to use it. Also for preventing the gathering of evidence.
    Data in Motion: VPN, secure shell, tunneling. The basic technique to create a reliable environment over an untrusted one. If both ends are reliable, the connection can be considered trusted. Best for preventing interception.
  • 59. Private Internet Use - Medium
    Virtual Private Network (VPN): An example of encryption in motion. Creates a tunnel between two endpoints. Communication is encrypted and resilient against MitM attacks on the path between you and the VPN endpoint; beyond that endpoint your traffic is as exposed as it would otherwise be, and the VPN provider itself sees all of it. It also allows you to modify your network trace.
    TOR: Onion network. A decentralized network within the Internet. Best for free-speech practitioners, journalists, drug dealers and criminals. Allows entry to the darkweb and hides your network trace from the sites you visit and from your local network; the exit node still sees whatever is not encrypted end to end. It can also draw attention.
  • 60. Plausible Deniability - Medium
    “You have no proof I did this on purpose.” “I forgot the password.” “I did not instruct anyone to commit a crime.”
    Plausible deniability comes in handy when dealing with law enforcement. It is a strategy prepared for the case when your cover blows up. The point is to be able to deny the connection between you and the evidence in a way that cannot be challenged.
  • 61. Control Your Service Providers - Medium
    Unless you are a big enterprise or a government, you can hardly affect the way your service provider does business. You can select a service provider that better suits your needs. For OPSEC purposes you can go with the biggest ones (Google, Microsoft) to blend in – or search for shady providers (offshore, secure hosting) designed to deliver security, and risk them being honeypots or amateurs. Selection of a service provider is a function of both reason and trust.
  • 62. Covert Communication Channels - Hard
    “Canary in a coal mine”: In 2013, Apple put a warrant canary into its transparency report: a statement that it had never received a particular kind of secret national-security order (a Section 215 order). If that sentence disappears from a future report, it means something has changed. This works even if the government prohibits Apple from saying anything about the order.
    Lorem Ipsum and Google Translate: In 2014 it was discovered that Google Translate rendered differently capitalized “lorem ipsum” phrases as meaningful words, which could be used to send covert messages using nothing but lorem ipsum text.
  • 63. Secure Infrastructure - Hard
    If you want to be extra secure, building your own anonymous and private infrastructure might be the only way. It is harder than you think.
    Money. If you are afraid of government actors, you must use anonymous currency. Obtain it. Bitcoin, prepaid cards. (Bitcoin is pseudonymous, not anonymous: every transaction sits on a public ledger, so it is only as anonymous as the way you acquired the coins.)
    ISP. Which ISP will accept anonymous currency and not ask questions?
    Server. Can you administer a secure server so that it does not get breached?
    Set up. You must set it up securely, and while nothing is going on.
    Use. Have a plan for how to use it in a secure way so you don’t blow your own cover.
    Maintain. Be prepared to monitor it, maintain it and renew it.
  • 64. Tools of OPSEC
    OPSEC is not about tools, software or equipment, but about understanding, behavioral changes and informed decision making. Tools can help, but technology is not, and never should be viewed as, an omnipotent solution. Freely available open source tools follow.
  • 65. KeePass Password Safe
    One of many software tools for managing passwords. Using strong encryption, KeePass provides reasonable security and allows easy management of stored passwords, including their generation. Available in a portable version.
  • 66. TrueCrypt 7.1a
    Encryption: TrueCrypt can provide both encryption into file containers and full hard drive encryption. Be careful to use version 7.1a; the last release (7.2, published when the project was abandoned in 2014) can only decrypt and is not to be trusted.
    Plausible Deniability: To achieve plausible deniability, TrueCrypt offers the option of creating a hidden volume inside an ordinary one. When forced to give away the password to your system, you can open up the one that does not contain sensitive data. This only holds if the outer volume looks genuinely used and nothing outside the container (recent-file lists, thumbnails, backups) betrays the hidden one.
  • 67. Off The Record (OTR)
    A simple plugin for instant messaging. Once you establish secure communication with your counterpart by confirming keys, your communication is encrypted. Works best with the Jabber (XMPP) or Google Talk protocol as implemented in the Pidgin application.
  • 68. TOR Browser
    The Tor network was discussed earlier; Tor Browser and the Tor plugin are available for download from the Tor Project website. A strong organization is behind the Tor Project now – it has US Navy origins (onion routing was developed at the Naval Research Laboratory and released to the public because anonymity needs a crowd to blend into), but it is now maintained independently. Monitoring the Tor site is worth the time, as any new threats to Tor security are discussed and dealt with openly.
  • 69. Live Kali/Tails Linux
    Kali is the new BackTrack. It is a toolbox with security and offense in mind: a Linux distribution designed for offensive security, penetration testing and forensic investigation – any ideas what this means?
    Tails is a Linux distribution designed for anonymous use of the Internet. Lightweight, slick and easy to use for anyone.
    Learning to use them at the user level might be fun and useful in the future.
  • 70. Summary
    The way forward is through understanding, rational thinking and good decision making.
    Know yourself. Know your enemies. Plan ahead. Follow the plan. Enjoy and have fun.
  • 71. Feedback
    This workshop is in early beta and you are the test subjects. Feedback is essential for me to improve it. What follows is a three-step process:
    1. Freeform discussion, impressions. Now.
    2. Structured feedback with questions. In 3 days.
    3. Long-term feedback with different questions. In 3 months.
    I will really appreciate the time you dedicate to the feedback.

Editor's Notes

  • #7: 45+ minutes expected. Theory mostly. Goal is to build common terminology and a reference environment.
  • #8: 45+ minutes expected. Theory mostly. Goal is to build common terminology and a reference environment.
  • #9: https://www.linkedin.com/pulse/20141007190806-36149934--cyber-terrain-a-model-for-increased-understanding-of-cyber-activity?trk=prof-post
  • #19: https://technet.microsoft.com/en-us/library/hh278941.aspx
  • #20: 30+ minutes. Activity mostly. Goal is to have written inputs for further stages (especially Risk management).
  • #27: 30+ minutes. Theory mostly. Goal is to build understanding of why different attackers require a different approach to defense. Fun and cool part, entertaining to regain attention.
  • #32: 30+ minutes. Theory mostly. Goal is to build understanding of why different attackers require a different approach to defense. Fun and cool part, entertaining to regain attention.
  • #33: 45+ minutes. Theory mostly. Not exhaustive, rather working with examples: what the vulnerabilities in current cyberspace, human behavior and protocols are; how the attackers are using them; what different types of attacks can be employed. The goal is to provide information on what it is that we want to protect against.
  • #34: 45+ minutes. Theory mostly. Not exhaustive, rather working with examples: what the vulnerabilities in current cyberspace, human behavior and protocols are; how the attackers are using them; what different types of attacks can be employed. The goal is to provide information on what it is that we want to protect against.
  • #36: 45+ minutes. Theory mostly. Not exhaustive, rather working with examples: what the vulnerabilities in current cyberspace, human behavior and protocols are; how the attackers are using them; what different types of attacks can be employed. The goal is to provide information on what it is that we want to protect against.
  • #38: 45+ minutes. Theory mostly. Not exhaustive, rather working with examples: what the vulnerabilities in current cyberspace, human behavior and protocols are; how the attackers are using them; what different types of attacks can be employed. The goal is to provide information on what it is that we want to protect against.
  • #41: 45+ minutes. Theory mostly. Not exhaustive, rather working with examples: what the vulnerabilities in current cyberspace, human behavior and protocols are; how the attackers are using them; what different types of attacks can be employed. The goal is to provide information on what it is that we want to protect against.
  • #43: 45+ minutes. Theory mostly. Not exhaustive, rather working with examples: what the vulnerabilities in current cyberspace, human behavior and protocols are; how the attackers are using them; what different types of attacks can be employed. The goal is to provide information on what it is that we want to protect against.
  • #44: 45+ minutes. Mix of theory and activity. Explain risk management in simplified form and build up a risk management plan.
  • #45: 45+ minutes. Mix of theory and activity. Explain risk management in simplified form and build up a risk management plan.
  • #51: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #52: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #53: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #54: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #55: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #56: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #57: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #58: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #61: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #62: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #63: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice. http://www.computerworld.com/article/2485677/security0/apple-brings--warrant-canary--into-patriot-act-info-request-coal-mine.html http://krebsonsecurity.com/2014/08/lorem-ipsum-of-good-evil-google-china/
  • #64: 45+ minutes. Theory mostly. Behavioral changes, principles and OPSEC practice.
  • #65: 30+ minutes. Theory mostly. Specific tools to implement the OPSEC strategy, with a focus on open source.
  • #66: http://keepass.info/
  • #68: https://otr.cypherpunks.ca/
  • #69: https://www.torproject.org/projects/torbrowser.html.en
  • #70: https://www.kali.org/downloads/ https://tails.boum.org/
  • #71: 30+ minutes. Summary and start of the feedback session. Longer in evolutionary versions of the workshop.