A Dreadful Toolkit- Miscellaneous Notes on Computers and Opsec (Chapter 1, Part 2)

TyperTech

You, Yourself, and the Meaning of Opsec- Continued

A Not-Completely-Beginners' Guide to the Dreadful Art of Opsec

This is a continuation of Part 1, which started here.

The Traffic-Light System of Threats

There isn't a simple way to group threats like there is for critical information, which makes them somewhat harder to discuss without specifics. At a general level though, it's useful to think of three phases of threat level. You won't know or have any control over which phase you're in most of the time, but you can make an educated guess and adjust your planning accordingly. So, without further ado, let me show youuuuuuu

A TRAFFIC LIGHT!

Green: Don't throw away your opsec, but take a deep breath and relax. In the green phase there's no active investigation, which means basic measures should be enough to keep you safe if you don't go through life turning everybody against you like there's no tomorrow. This is the phase a minor crime, like buying personal quantities of drugs or downloading copyrighted materials illegally in a humane country, will put you in. There's still no excuse for complacency though. Follow basic opsec, and follow it properly.
Amber: Tread with caution, and prepare for the red phase. Your identity is a secret, but you are being investigated and your every mistake will be used against you. Whether you're running a drug market, breaking into computer systems, or running a phishing campaign, you should not do anything at all before you've thoroughly planned your opsec. If you did, dump it completely and plan with a new, different identity. Nothing less is enough when you're preparing for
Red: Once you know you're in the red phase, it's already too late. Here your adversary has identified you as the culprit and suddenly there is nowhere to hide. They may already have all the evidence they need, or be silently watching you in real life to build their case from the ground up in what's known as parallel construction⁶, but you can no longer rely on anonymity or pseudonymity to protect you. Instead you will need to deny, deny, and deny. Do not go around destroying potential evidence- that only makes your situation worse- but, if you've planned well, put into action your plan to obscure it. Know your legal rights and use them to minimize the amount you reveal. Use technology (see Chapter 2) to keep your files and correspondences out of the adversary's hands when you aren't using them, and to rapidly lock things up and disable them if they come when you aren't expecting it. Practice doing it. It may be only seconds before all your evidence is out of your control that you even know you're in the red zone.



Fine- an upside down traffic light with a very large red globe and a 0% chance of stopping car accidents. It does stop opsec accidents though, and sometimes that is worth far, far more.

The Risk Assessment Matrix

Last but not least, the fourth stage of analysis has a rather sexy little tool that you can apply to each critical information/adversary combination. You've probably seen the risk assessment matrix elsewhere, but it's worth keeping close because it is so wonderfully useful. Just assess how likely a breach is, how much damage it could do, and then look at this 6x6 piece of perfection⁶:

Across: Impact. Down: Chance of a breach.

| Chance \ Impact | Negligible | Minor | Moderate | Significant | Severe |
|---|---|---|---|---|---|
| 81-100% | Low Risk | Moderate Risk | High Risk | Extreme Risk | Extreme Risk |
| 61-80% | Minimum Risk | Low Risk | Moderate Risk | High Risk | Extreme Risk |
| 41-60% | Minimum Risk | Low Risk | Moderate Risk | High Risk | High Risk |
| 21-40% | Minimum Risk | Low Risk | Low Risk | Moderate Risk | High Risk |
| 1-20% | Minimum Risk | Minimum Risk | Low Risk | Moderate Risk | High Risk |


Then just use that to determine how much effort to devote to mitigating each risk- easy as cake!