
Do you know your OpSec?

Tony Gee 28 May 2021

Open Source Intelligence (OSINT) is any information in the public domain that an attacker can dig up about you. Because of that it forms the basis of every Red Team engagement, as threat actor scenarios are created using publicly available information.

Bearing that in mind it makes sense to review your organisation in the same light, with OpSec (Operations Security). It is widely used in cyber security, but has its roots firmly in the military where it is used to identify information that may be beneficial to an adversary.

OpSec is:

…a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence.

Source: Wikipedia

In a cyber security context, understanding and being aware of your OpSec is all about defending your company from attack. This has led to terms such as “that’s bad OpSec” and “knowing your OpSec”. But what does that all mean, and what can you do about it?

That’s bad OpSec

This is a term commonly used when someone accidentally (or carelessly) reveals something about themselves or their company without realising the security implications. Some obvious examples could include an employee publishing production code containing passwords to a GitHub repository, or posting a photo of an ID card that could be used in a social engineering attack. This could lead to attackers gaining trivial access to internal resources.

Naturally we want to avoid ‘bad OpSec’, though this is much easier said than done. We perform assessments on behalf of clients to review their OpSec, and it is common to find things you simply would not want on the public internet, e.g. detailed photos of staff ID badges, sensitive classified documents and countless other issues.

So to avoid bad OpSec you first need to know your OpSec.

Know your OpSec

So where do you start when it comes to knowing your OpSec? Remember in this context it is about understanding what an adversary would be able to obtain about you and your company. How would they do that? OSINT.

So what does that look like? OSINT is often termed a way of life, and this is really because it takes time and skill to perform well. However, there are countless tools and techniques available for attackers to use to accelerate the process of gathering information on you and your company.

Knowing our OpSec really comes from thinking about what an attacker would find interesting. What would an attacker need to know to attack you? The most obvious examples include:

  • Who works for you – knowing who works for you gives a target list.
  • What websites / services you publish to the internet – do you have a long-forgotten server with vulnerable software on it?
  • What is your email server configuration – what email security (if any) will they encounter?
  • Who do you work with – knowing who you partner with or who your suppliers are can allow tailored attacks.
  • Are you leaking information on code repositories – this could give credentials or additional targets to attackers.
  • Plus many others…

What can I do?

Some key tools I would suggest getting familiar with are:

  • Security Trails – this is my go-to for getting a quick and easy overview of what subdomains and services are available, what the DNS records are and what IPs are in use.
  • Shodan – with a list of IPs you can use Shodan to identify what ports are open and if there are any glaring vulnerabilities.
  • MXToolbox – you can easily query your email configuration (though Security Trails and DIG/NSLOOKUP will work equally well).
  • LinkedIn – Allows you to find your staff, and tells your adversary who to target.
  • GitHub – Searching GitHub for your domain and/or brand name will let you see what you are leaking.
  • Key social media sites, such as Facebook/Twitter – Images are often shared by marketing without considering the security implications; a great example is sharing images with ID badges.
  • Your corporate website – what exactly are you publishing? Not just pages, but documents, etc.
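
As an added example (not code from the original post), the script below audits the SPF and DMARC TXT records that the email-configuration check comes down to. The records for example.com are constructed, and the function names and finding texts are this example's own.

```python
# Offline audit of SPF and DMARC TXT records, e.g. pasted from `dig +short TXT <name>`.
SPF_ALL = {
    "+": "SPF: '+all' authorises any host to send as your domain",
    "?": "SPF: '?all' is neutral, unlisted senders are not penalised",
    "~": "SPF: '~all' is softfail, unlisted senders are flagged but often delivered",
}

def audit_spf(apex_txt):
    """Findings for the TXT records published at the domain apex."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: multiple records, which receivers treat as a permanent error"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if alls:  # a bare 'all' means '+all'; '-all' is the strict setting
        qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
        return [SPF_ALL[qualifier]] if qualifier in SPF_ALL else []
    if any(t.startswith("redirect=") for t in terms):
        return ["SPF: policy is redirected, audit the target record too"]
    return ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]

def audit_dmarc(dmarc_txt):
    """Findings for the TXT records published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record published"]
    pairs = (part.partition("=") for part in recs[0].split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if v}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} is not an enforcing policy")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} enforces on only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports reach you")
    return findings

# Constructed sample records for the placeholder domain example.com.
SAMPLE = {
    "example.com": ["verify=constructed", "v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; pct=100"],
}

def audit(domain, records):
    return (audit_spf(records.get(domain, []))
            + audit_dmarc(records.get(f"_dmarc.{domain}", [])))
```

Calling `audit("example.com", SAMPLE)` returns one finding per weak setting; an empty list means the strict settings (`-all`, an enforcing `p=`, a reporting address) are all in place.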

Your WHOIS records are often revealing. They could give away other domains you use. Maybe you have a different domain for staff access tools: the old mindset of “security through obscurity”. Domains using the same registrant information may hold other secrets, which could then give an attacker more subdomains and IPs to look at!

Also of interest are breached credentials. Signing up to Troy Hunt’s brilliant haveibeenpwned.com domain monitoring is a must. There are plenty of other services online where you can view the breached data, but I won’t link to those here.

Google Dorks

One of the most useful tools in your arsenal is good old Google Fu. Knowing some key Google Dorks will really help you. Some I find useful:

  • site:domain -www

This will show you other subdomains or content on domains that do not use www as a subdomain.

  • site:domain filetype:pdf

This will show all the PDFs your own domain is hosting. You can also use other file types such as doc/docx/xls/xlsx. You can even combine it with your protective marking keywords, e.g. “confidential”, using “site:domain filetype:pdf intext:confidential”.

  • “companyname” AND site:slideshare.net

This will show you if your company name is on any slides on SlideShare. I have found internal staff presentations on public slide shares before. You can combine searches with (site:slideshare.net | site:trello.com | site:another).

Tools

There are a multitude of tools available to help you; most are simple Python scripts. I’ll talk more about these in future blogs, but these are my favourites right now:

  • Pymeta – this will do that document dorking for you, grab the documents from your site and run Exiftool against them to recover metadata. Very simple and very powerful.
  • GoWitness – Written in Go by Sensepost this will quickly screenshot websites and grab header data. Useful for subdomains so you can quickly view what the website looks like.
  • Shodan-Python – this uses Python to interact with Shodan to allow you to quickly query IPs for open ports and vulnerabilities.
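
An added example, not from the original post or from Pymeta: the same kind of metadata review run against your own Office documents before they are published, plus a check for the protective marking keywords used in the dork above. The sample document, the list of revealing fields and the marking keywords are assumptions made for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Property names that tend to reveal people, naming schemes and software.
REVEALING = {"creator", "lastModifiedBy", "Company", "Application", "AppVersion"}
MARKINGS = ("confidential", "internal use only")  # assumed protective markings

def audit_ooxml(data):
    """Return revealing properties and marking keywords in a docx/xlsx/pptx."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in names:
                continue
            for el in ET.fromstring(pkg.read(part)).iter():
                field = el.tag.split("}")[-1]  # drop the XML namespace
                if field in REVEALING and (el.text or "").strip():
                    findings[field] = el.text.strip()
        # Body text: strip tags from the content parts and look for markings.
        parts = [n for n in names if n.endswith(".xml") and "docProps" not in n]
        text = " ".join(re.sub(r"<[^>]+>", "", pkg.read(n).decode("utf-8", "ignore"))
                        for n in parts).lower()
        hits = [m for m in MARKINGS if m in text]
        if hits:
            findings["markings"] = hits
    return findings

def build_sample():
    """Constructed .docx with only the parts the audit reads (not a real file)."""
    cp = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
    ep = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
    core = (f'<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            "<dc:creator>j.bloggs</dc:creator>"
            "<cp:lastModifiedBy>Joe Bloggs</cp:lastModifiedBy></cp:coreProperties>")
    app = (f'<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
           "<Company>Example Ltd</Company></Properties>")
    body = "<w:document><w:t>CONFIDENTIAL staff briefing</w:t></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, xml in (("docProps/core.xml", core), ("docProps/app.xml", app),
                          ("word/document.xml", body)):
            pkg.writestr(name, xml)
    return buf.getvalue()
```

`audit_ooxml(build_sample())` returns the author, last editor, company, authoring application and the matched marking; pass it the bytes of each file in your publishing queue to see what a reader of the public copy would learn.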

That’s good OpSec

Performing this will put us in the mindset of an adversary and help us get better at good OpSec. So what is ‘good OpSec’? That is a really complex question to answer. It’s a little like saying what is a good hairstyle. We all know what bad hair looks like, but a hairstyle is personal: what you may think is average others may think is amazing.

OpSec is very similar. This process, though, will help you consider what others see about you and your company, allowing you to take a more balanced, risk-based approach to what you share. It may be that you are happy to share certain pieces of information.

On the other hand, knowing what has to be shared, such as DNS records, can allow you to consider any additional monitoring of those services. Alternatively, it may help you spot a configuration error that has now made a service publicly accessible when you really didn’t want it to be.

OpSec investigations can take time so make sure you allow yourself time to do this task. Yes, you can quickly recover lower hanging fruit in a few hours, but more detailed searching takes time and a lot of reading!

Read more about OpSec in Red Teaming here.

If you’d like any help, do reach out, I’d happily give you some pointers: @_tonygee_.