
Basic OPSEC Tips & Tricks for OSINT researchers

Often I get asked whether I have some pointers and tools for OPSEC during online investigations.

My first answer is always: I can’t give any tips or tradecraft pointers until I know what research questions you are trying to answer. In short, what is your threat model?

First of all, one should know where the term OPSEC originates from. OPSEC stands for Operational Security and is a term derived from the US military. The goal of good OPSEC is to deny an adversary information that could compromise the secrecy and/or the operational security of a mission.

And that is where it should always start, if you ask me: defining your threat model against the research questions you are trying to answer.

For instance, it wouldn’t make sense to harden your machine or browser when all you are going to do is look up geographic information through Google Earth. It would make sense if you are going to deep dive into a website or forum full of people who are building Remote Access Trojans.

You might find it useful to lay out some scenarios that fit your threat model for that specific research. One could do this by making a mind map or flowchart and using that as a sort of blueprint.

You could think of it like this:

  1. What tools are needed?
  2. What sources am I going to use?
  3. What research machine am I going to use?
  4. Who is my adversary?

When you think of the tools you need for this specific research question, think about what risk each tool could pose to your Operational Security. Some automated scrapers are very “loud” and certainly not low profile when in action. This becomes a problem when your adversary actively scans for certain fingerprints, for instance. When it comes to Operations Security and leaving traces, one should always try to look as natural as possible: blend in and move over the internet like the vast majority does.

This is what you want your tools to do: not stand out. But I can also imagine that you want them to stand out and be “loud” as a tactic to let the adversary know: “we are actively watching you”.

When it comes to tools you also want to look at the source code if possible. Is the tool leaking sensitive information about your machine? Is it communicating and reporting to somewhere or someone you do not want it to communicate with?

Pick those tools that are most trusted and tested. Always keep them up to date to avoid falling victim to known vulnerabilities. Build a trusted toolbox and choose tools from that toolbox based on a scale from “silent” to “loud”.

Picking sources is similar to picking tools from your toolbox: you want to rank them from as “silent” as possible to “loud”. There is one big difference, though: online sources can be tools, but they can also be the places where your adversary is active. For example, a vehicle database is less of a risk, because there it matters little whether the adversary notices you, versus a website owned by your adversary.

When you choose a source, do not immediately just go there. Think before you act. What is the risk, and what can you do to keep a low profile and blend in? Is there a language barrier? You may want to change your keyboard settings and overall language settings to avoid standing out. Is there a time zone difference? Then you may want to change your time zone setting to match your adversary’s time zone. But also, you may only want to be online at those times it would make sense to be online given that time zone. Setting an alarm clock at night is a real possibility to keep your Operations Security as good as possible.
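The tool “loudness” and the language and time zone matching described above, worked into a small pre-flight check that runs before a session starts. This is an added example, not tooling from the original post; the persona fields, the list of “loud” User-Agent markers, the waking hours and the sample values are constructed assumptions.

```python
from datetime import datetime, time, timedelta, timezone

# User-Agent substrings typical of automated tooling rather than a browser (constructed list).
LOUD_AGENT_MARKERS = ("python-requests", "curl/", "scrapy", "go-http-client", "wget/")

def check_tool_headers(user_agent, accept_language, persona_language):
    """Flag request headers that make a tool stand out from ordinary browser traffic."""
    findings = []
    if any(marker in user_agent.lower() for marker in LOUD_AGENT_MARKERS):
        findings.append(f"loud tool fingerprint in User-Agent: {user_agent!r}")
    # Compare the primary language tag only, e.g. 'ru' from 'ru-RU,ru;q=0.9,en;q=0.5'.
    primary = accept_language.split(",")[0].split("-")[0].strip().lower()
    if primary != persona_language.lower():
        findings.append(f"Accept-Language {accept_language!r} does not match persona language {persona_language!r}")
    return findings

def check_machine_settings(machine_utc_offset, persona_utc_offset, machine_locale, persona_locale):
    """Flag machine settings (clock offset from UTC in hours, locale) that contradict the persona."""
    findings = []
    if machine_utc_offset != persona_utc_offset:
        findings.append(f"machine clock is UTC{machine_utc_offset:+d} but persona is at UTC{persona_utc_offset:+d}")
    if machine_locale.lower() != persona_locale.lower():
        findings.append(f"machine locale {machine_locale} does not match persona locale {persona_locale}")
    return findings

def plausible_session(planned_utc, persona_utc_offset, wake=time(8), sleep=time(23)):
    """True when a session planned at a UTC time falls inside the persona's local waking hours."""
    local = planned_utc.astimezone(timezone(timedelta(hours=persona_utc_offset))).time()
    return wake <= local <= sleep

def preflight(persona, setup):
    """Run every check for one session; an empty list means nothing stands out."""
    findings = check_tool_headers(setup["user_agent"], setup["accept_language"], persona["language"])
    findings += check_machine_settings(setup["utc_offset"], persona["utc_offset"], setup["locale"], persona["locale"])
    if not plausible_session(setup["planned_utc"], persona["utc_offset"]):
        findings.append("planned session falls in the persona's night hours")
    return findings

# Constructed sample: a Russian-speaking persona at UTC+3, researched from a default English box at UTC+1.
SAMPLE_PERSONA = {"language": "ru", "locale": "ru_RU", "utc_offset": 3}
SAMPLE_SETUP = {"user_agent": "python-requests/2.31.0", "accept_language": "en-US,en;q=0.9",
                "locale": "en_US", "utc_offset": 1, "planned_utc": datetime(2024, 1, 1, 1, 0, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for line in preflight(SAMPLE_PERSONA, SAMPLE_SETUP):
        print("!", line)
```

Run against the sample, every check fires; fix the setup until the list comes back empty before visiting the source.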

Many Operational Security mistakes are made because of bias: assumptions based on what you think you know but actually do not know. To prevent these kinds of bias-based mistakes you can ask colleagues, friends or friendly experts to be your devil’s advocate.

Picking a machine is a sensitive subject because it always comes down to budget.

It would be awesome if you had an endless budget and could buy a clean new machine and internet connection for every research case. In reality this is rarely the case. Even on a low or zero budget there are still some good steps you can take to harden your machine or obfuscate your device fingerprint.

You can physically harden your machine by taping your built-in microphone and webcam or even go as far as removing them from your device.

But you can also install additional software that blocks your microphone and camera usage.

You can consider using proxies or a VPN to mask your machine’s IP address or the country you are using the internet from.

Maybe you want to block certain or all forms of tracking cookies for operational security reasons.

One thing you always want to do is update and patch your machine immediately to prevent security risks.

If you don’t have much of a budget, you can use virtual machines to mimic other machines on your existing machine. For example, it is possible to run a smartphone or tablet virtually on your laptop, or to run other operating systems than the host operating system you are currently using. But it all depends on the research question you are trying to answer.

For example, when you are researching “hacker”-like persons you might want to mimic the machines and operating systems they use. But if you want to research Snapchat you might want to install a virtual smartphone and create a trustworthy sock puppet.

Know your adversary

When it comes to Operations Security, knowing your adversary is key to defining your countermeasures. Before picking your machine, sources and tools you should invest in getting to know your adversary. Only when you know these details can you determine the amount of “loudness” you can afford in your research. For example, looking into an APT requires a whole different level of OPSEC compared to looking into a 16-year-old kid selling illicit goods online. Don’t get me wrong, both pose a risk and a threat to your Operational Security; a 16-year-old kid can have more honeypots and traps out there than an APT. But when you do a risk assessment based on your research question you will learn and determine what the risk is if you are compromised.

With all of the above pointed out, I would like to give some tips and tools that might help you step up your OPSEC game:

There are two sides to OPSEC: the adversary’s OPSEC and your OPSEC. You need to keep both in mind at all times.

These next points count for both sides:

The next step is to search for weaknesses in OPSEC. You can do this by doing online reconnaissance.

This reconnaissance is based on the research questions you are trying to answer. As an example, when you are trying to profile a person you could look for:

Another example is more specific to something I call technical OSINT:

All of the above can be pivot points that can be exploited to explore weaknesses in your or the adversary’s Operational Security.

Next up some OPSEC tips to consider when conducting OSINT research.

Try to keep away from being fingerprinted based on correlation. This could happen based on:

Be Mindful at all times:

Think before you act:

Blend in

Low Profile / Blend in:

Your device tells a story. You can look at sources like – & – to determine your device fingerprint. Based on the research question you can take actions to blur your device fingerprint or harden your browser.

Some useful add-ons or extensions for the Firefox and Chrome browsers that you may want to use are:

Some extra tips: