Often I get asked if I've got some pointers and tools for OPSEC during online investigations.
My primary answer would be first: I can’t give any tips or tradecraft pointers until I know what research questions you are trying to answer. In short, what is your threat model?
First of all, one should know where the term OPSEC originates from. OPSEC stands for Operational Security and is a term derived from the US military. The goal of good OPSEC is to deny an adversary information that could compromise the secrecy and/or the operational security of a mission.
And that is where it should always start, if you ask me: defining your threat model against the research questions you are trying to find answers for.
For instance, it wouldn't make sense to harden your machine or browser when all you are going to do is look up geographic information through Google Earth. It would make sense if you are going to deep dive into a website or forum full of persons that are building Remote Access Trojans.
You might find it useful to lay out some scenarios that fit your threat model based on that specific research. One could do this by making a mind map or flowchart and using that as a sort of blueprint.
You could think of it like this:
- What tools are needed
- What sources am i going to use
- What research machine am i going to use
- Who is my adversary?
- 1. What tools are needed?
When you think of the tools you need for this specific research question, think about what risk that tool could pose to your Operational Security. Some automated scrapers are very “loud” and certainly not low profile when in action. This can form a problem when your adversary actively scans for certain fingerprints, for instance. When it comes to Operations Security and leaving traces, one should always try to look as natural as possible: try to blend in and move over the internet like the vast majority does.
This is what you want your tools to do: you do not want them to stand out. But I can also imagine you want them to stand out and be “loud” as a tactic to let the adversary know: “we are actively watching you”.
When it comes to tools you also want to look at the source code if possible. Is the tool leaking sensitive information about your machine? Is it communicating and reporting to somewhere or someone you do not want it to communicate with?
Pick those tools that are most trusted and tested. Always keep them up to date to prevent being a victim to vulnerabilities. Build a trusted toolbox and choose the tools from that toolbox based on a scale of being “silent” to “loud”.
- 2. What sources am i going to use?
Picking sources is similar to picking the tools from your toolbox. You want to rank them from being as “silent” as possible to being “loud”. There is one big difference in this method: online sources can be tools, but they can also be the places where your adversary is active. As an example, a vehicle database is less of a risk to be known by the adversary than a website owned by your adversary.
When you choose a source, do not immediately just go there. Think before you act. What is the risk, and what can you do to keep a low profile and blend in? Is there a language barrier? You may want to change your keyboard settings and overall language settings to prevent standing out. Is there a time zone difference? Then you may want to change your time zone setting to match your adversary's time zone. But also, you may only want to be online at those times it would make sense to be online given that time zone. Setting an alarm clock at night is a real possibility to keep your Operations Security as good as possible.
Many Operational Security mistakes are made based on bias: assumptions made on what you think you know but actually do not know. To prevent these kinds of bias-based mistakes you can ask colleagues, friends or friendly experts to be your devil's advocate.
- 3. What research machine am i going to use?
Picking a machine is a sensitive subject because it always has to do with budget.
It would be awesome if you had an endless budget and could buy clean new machines and a new internet connection for every research case. In reality this is rarely the case. Even on a low or zero budget there are still some good steps to take to harden your machine or obfuscate your device fingerprints.
You can physically harden your machine by taping your built-in microphone and webcam or even go as far as removing them from your device.
But you can also install additional software that blocks your microphone and camera usage.
You can consider the usage of proxies or vpn to mask your machine’s ip address or the country you are using the internet from.
Maybe you want to block certain or all forms of tracking cookies for operational security reasons.
One thing you always want to do is update and patch your machine immediately to prevent security risks.
If you don't have that much of a budget, you can use virtual machines to mimic other machines on your existing machine. As an example, it is possible to run a smartphone or tablet virtually on your laptop, or to run other operating systems than the one your machine is currently using. But it all depends on the research question you are trying to answer.
As an example, when you are doing research on “hacker”-like persons you might want to try and mimic the machines and operating systems they use. But if you want to do research on Snapchat you might want to install a virtual smartphone and make a trustworthy sock puppet.
- 4. Who is my adversary?
When it comes to Operations Security, knowing your adversary is key to defining your countermeasures. Before picking your machine, sources and tools you should invest in getting to know your adversary. Only when you know these details can you determine the amount of “loudness” you can use in your research. As an example, looking into an APT requires a whole different level of OPSEC compared to looking into a 16-year-old kid selling illicit goods online. Don't get me wrong, both pose a risk and threat to your Operational Security; a 16-year-old kid can have more honeypots and traps out there than an APT. But when you do a risk assessment based on your research question you will learn and determine what the risk is if you are compromised.
With all the above being pointed out, I would like to give some tips and tools that might help you step up your OPSEC game:
There are two sides of OPSEC: the adversary's OPSEC and your OPSEC. You need to keep both in mind at all times.
These next points count for both sides:
- Identify in what format (and where) the valuable information is to be found
- How well is this information protected?
- When compromised, what would the personal/professional impact be?
- Know your adversary
The next step is to search for weaknesses in OPSEC. You can do this by doing online reconnaissance.
This reconnaissance is based on the research questions you are trying to answer. As an example, when you are trying to profile a person you could look for:
- Full name
- Place living / working
- SSN (Social Security Number)
- Email Account(s) AND Passwords
- Online Digital Footprint
- Employee Information
- Financial Information
- Mobile/Work telephone numbers
- Social Media Information: Apps/Posts/Photo/Video
Another example is more specific for something I call more technical OSINT:
- Ip addresses
- DNS information
- Pieces of (re)used code (fingerprinting)
- Indicators of compromise
- Known methods or techniques used
- Port scanning
- Open databases or servers.
- Pieces of malware or RATs being sold online.
All of the above can be pivot points that can be exploited to explore weaknesses in your or the adversary's Operational Security.
Next up some OPSEC tips to consider when conducting OSINT research.
Try to keep away from being fingerprinted based on correlation. This could happen based on:
- Browser fingerprinting
- IP fingerprinting
- Time online or Time zone settings
- Choice of words, etc.
- Behavior (browsing habits / patterns)
Be Mindful at all times:
- Adjust your activities to the threat level.
- Residential internet (ethernet) connection or 4G/5G?
- Proxy / VPN / TOR
- Referrer on/off
- User agent
- Tracking Blockers
- Do not login with a (fake) account in Google, Yahoo, Microsoft, Apple etc.
- What is the risk if an account gets compromised (is it connected to other accounts?)
Think before you act:
- No linking (in any way possible) to your personal identity. Work and private 100% separated.
- Stay away from your private environment
- No office Wi-Fi / Ethernet
- No office terminal for online research
- No connecting or linking to your own or private devices
Low Profile / Blend in:
- Study how you should manifest yourself on a certain platform
- What is your story (alibi)?
- Look alive!
- When online? (prevent getting that 9-5 office hours fingerprint)
- Language settings
- Time zone
- Choice of words (slang, l33t, professional)
Your device tells a story. You can look at sources like https://www.whoer.net and https://www.deviceinfo.me/ to determine your device fingerprint. Based on the research question you can take actions to blur your device fingerprint or harden your browser.
Some useful addons or extensions for the Firefox and Chrome browsers that you may want to use are:
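As an added example (not code from the original post), here is a small self-check that compares what a browser exposes with the persona you intend to present, covering the time zone, language, user agent and hour-of-activity signals listed above. The persona values, the browser snapshot and all names (PERSONA, SLOPPY_SNAPSHOT, checkPersona) are constructed for illustration.

```javascript
// Added example, not from the original post: compare what a research browser exposes
// (time zone, language, user agent, hour of activity) against a constructed persona.
const PERSONA = {               // the story the browser should tell (constructed values)
  timeZone: "Europe/Berlin",
  languages: ["de-DE", "de"],
  platformHint: "Windows",      // substring the user agent should contain
  activeHours: [18, 2],         // plausible local hours of activity: 18:00 until 02:00
};

const SLOPPY_SNAPSHOT = {       // a carelessly configured browser (constructed, not captured)
  timeZone: "America/New_York",
  languages: ["en-US", "en"],
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
};

// Hour of the day (0-23) at which `date` falls in the given IANA time zone.
function localHour(date, timeZone) {
  const fmt = new Intl.DateTimeFormat("en-US", { timeZone, hour: "numeric", hourCycle: "h23" });
  return parseInt(fmt.format(date), 10);
}

// True when hour h lies inside [start, end); the window may wrap past midnight.
function withinWindow(h, [start, end]) {
  return start <= end ? h >= start && h < end : h >= start || h < end;
}

// Return one finding per signal that contradicts the persona (empty array = consistent).
function checkPersona(signals, persona, now) {
  const findings = [];
  if (signals.timeZone !== persona.timeZone)
    findings.push(`time zone ${signals.timeZone} differs from persona ${persona.timeZone}`);
  const primary = (signals.languages[0] || "").split("-")[0];
  if (!persona.languages.some((l) => l.split("-")[0] === primary))
    findings.push(`language ${signals.languages[0]} does not fit persona ${persona.languages[0]}`);
  if (!signals.userAgent.includes(persona.platformHint))
    findings.push(`user agent does not present ${persona.platformHint}`);
  const hour = localHour(now, persona.timeZone);
  if (!withinWindow(hour, persona.activeHours))
    findings.push(`active at ${hour}:00 persona time, outside ${persona.activeHours.join("-")}`);
  return findings;
}

// In a browser read the live signals; elsewhere (e.g. Node) fall back to the constructed snapshot.
function collectSignals() {
  if (typeof window === "undefined" || typeof document === "undefined") return SLOPPY_SNAPSHOT;
  const langs = navigator.languages ? Array.from(navigator.languages) : [navigator.language];
  return { timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone, languages: langs,
           userAgent: navigator.userAgent };
}
console.log(checkPersona(collectSignals(), PERSONA, new Date()));
```

Paste it into the research browser's console to see which of these signals contradict the story the browser is supposed to tell; an empty list means the checked signals are consistent with the persona.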
- HTTPS Everywhere
  - Encrypts your connections in places where they would otherwise have been unencrypted, because there are still plain http connections out there
  - Prevents sensitive information from being read in transit
  - Avoids man-in-the-middle attacks. Example: a script inserted into the packets travelling from the website to your machine that could steal your data
- Privacy Badger
  - Blocks trackers
  - This addon can make certain sites somewhat unusable (trackers/cookies/sometimes XSS, for example login pages). If this happens you could click on the extension and choose “Disable Privacy Badger for this Site” < OPSEC RISK !
- uBlock Origin
  - Blocks trackers
  - Blocks some trackers that carry vulnerabilities and are inseparable from making advertisements work
  - Prevents WebRTC IP leaks (activate via the settings menu)
  - Acts like an operating system and browser of your choice
  - Can also come in handy to look at a page in mobile or tablet view
- Canvas Defender
  - Helps to prevent browser fingerprinting
  - Note that this type of tracking can be done even in incognito mode or over a VPN, but not when using the Tor Browser
  - Most browsers (Chrome, Firefox, etc.) have unique fingerprints for each device
  - This extension adds random noise to your canvas to prevent tracking
- ScriptSafe (not for the faint hearted)
  - Manage this extension yourself to maintain usability and security based on your threat model
  - Blocking scripts can give you extra Operational Security. For example, an adversary could inject a script into a login page that overlays an identical login box but relays your login information (or private keys) to their servers
  - ScriptSafe has a large number of anti-fingerprinting features
- Location Guard / Manual Location
  - HTML5 geolocation spoofing
  - Makes your device appear as if it is at a chosen geographical location
Some extra tips:
- Use 2FA (Two Factor Authentication) where you can!
- Store passwords in a password manager like LastPass or KeePass. The advantage is that you only need to keep track of one master password. (PLEASE MAKE BACK-UPS and remember the master password!)
- Do NOT RE-USE passwords!