By Rick Holland
Today in the security industry, we are faced with an unrelenting barrage of attacks, including those aimed at infiltrating corporate networks and stealing data. To prepare for the eventuality that critical assets will be compromised, most companies have some sort of operational security (OPSEC) procedures in place to deny adversaries information that could be used to do harm to an employee or their organization.
Typically, the standard OPSEC baseline that applies during normal operations includes periodic security awareness training that covers topics like social media risk and social engineering. In addition, many companies require employees to use a Virtual Private Network (VPN) when working outside of the office or, at a minimum, 4G and LTE connections, which are not completely safe from attacks but are safer than public Wi-Fi.
These baseline measures are all well and good, but I have seen them fall short when the threat landscape, the state of critical information and business operations evolve. We have an unfortunate history of operating with our heads in the sand, making critical decisions with incomplete information. We forge ahead, our OPSEC program unchanged, leaving our organizations exposed and vulnerable to an attack.
I have found that in order to build resilience into your OPSEC program, you need to be aware of the changes around you and prepare for scenarios beyond normal operations, including the following:
Your OPSEC program needs to be able to proactively and reactively respond to adversaries. If you get an indication that attackers may have you in their sights, you need to be able to provide ad hoc security awareness training to staff that are likely to be targeted. For example, a spate of ransomware attacks against healthcare organizations this year should cause such organizations to take additional security measures. The campaigns were allegedly conducted by a threat actor named “thedarkoverlord” who threatened to sell the compromised data on the dark web marketplace the Real Deal if the ransom wasn’t paid.
Awareness and training on the threat of ransomware, how it is delivered, how to avoid becoming a victim and how to report suspected phishing attempts should be added to training. Additionally, incident response programs need to feed into the OPSEC program so companies can provide specific training and monitoring during an intrusion.
Business-Driven Event Scenario
There are also several types of business events that will require you to increase your OPSEC levels. Consider mergers and acquisitions (M&A). Adversaries have many opportunities along the M&A process to execute an attack, from the beginning when speculation by astute financial analysts can put attackers on the scent, to due diligence and negotiations when valuable data is being shared among multiple parties. New product launches and expansion into new regions also trigger the need for increased OPSEC. For each of these events, you will need to expand your monitoring until the business event is successfully executed. Internal monitoring should include increased logging on individuals and assets. External monitoring should focus on product keywords, project code words, key staff members and adversaries known to target these types of scenarios. Encouraging face-to-face communications, conducting refresher training on spear-phishing campaigns (a method cybercriminals often use to conduct reconnaissance and acquire valuable data), as well as requiring multiple authorizers for certain activities should also be part of the OPSEC program.
As business operations take executives and employees out of the office, companies need to be aware of the potential hazards associated with this travel. This includes targeted monitoring by foreign governments or hacker campaigns, similar to Darkhotel, aimed at hotels or airlines. For added security while traveling, the OPSEC scenario should include policies against charging devices at public charging stations or public power outlets, along with requirements to turn off cellular, Bluetooth, and wireless capabilities on all devices and to ensure devices are encrypted and not left unattended. Burner devices (prepaid or disposable devices) as well as travel post-mortems should also be instituted.
The threat landscape is challenging enough; we don’t need to make uninformed decisions that enable attackers to be more successful. Our adversaries are evolving and adapting their OPSEC, so we should be too. In each of these scenarios, gaining visibility into your digital footprint and that of your attackers will allow you to implement tailored OPSEC practices that can deny or delay an adversary’s ability to do your organization harm. With your head out of the sand, you can make decisions and investments that maximize your resources and strengthen your organization’s security posture.
About Rick Holland
Rick Holland has more than 14 years’ experience working in information security. Prior to joining Digital Shadows he was a vice president and principal analyst at Forrester Research, providing strategic guidance on security architecture, operations and data privacy. Rick also served as an intelligence analyst in the U.S. Army.