Editing Operational Security (OPSEC)

= [[Operational Security (OPSEC)]] =

'''Operational Security (OPSEC)''' is the discipline of hiding intentions, infrastructure, and activity to avoid detection and attribution during an engagement. Good OPSEC keeps the operator, the tools, and the objective invisible until the mission is complete.

== <span id="why-it-matters"></span>Why OPSEC Matters ==
* '''Stealth drives effectiveness:''' Undetected operators keep access longer and gather cleaner intelligence.  
* '''Attribution protection:''' Removing links between operator, infrastructure, and action prevents legal or commercial consequences.  
* '''Resource efficiency:''' Fixing a trace left behind costs more than preventing it.

----

== <span id="core-cycle"></span>The OPSEC Cycle ==
{| class="wikitable" style="width:100%; text-align:left; background:#1c1c1c; color:#e0e0e0;"
! Step !! Action !! Output
|-
| 1. Identify || List critical information: domains, IPs, aliases, tooling paths, timing. || Protected data inventory
|-
| 2. Analyze || Determine who wants that data and why. || Adversary list
|-
| 3. Assess Risk || Rate probability and impact if data leaks. || Risk matrix
|-
| 4. Apply Countermeasures || Choose technical and procedural controls. || Mitigation plan
|-
| 5. Monitor & Review || Check logs, traffic, and behaviour for exposure. || Continuous feedback
|}

----

== <span id="threat-modeling"></span>Threat Modeling ==
* '''Adversaries:''' Law-enforcement, CERTs, blue teams, third-party monitors, OSINT hobbyists.  
* '''Capabilities:''' Packet capture, endpoint telemetry, subpoena power, cloud API logs, blockchain analytics.  
* '''Indicators collected:''' IP blocks, TLS fingerprints, user-agent strings, unique command sequences, file hashes.  
* '''Risk prioritisation:''' Focus on data or behaviour easiest to link back to the operator.

----

== <span id="identity-infrastructure"></span>Identity & Infrastructure Separation ==
{| class="wikitable" style="width:100%; text-align:left; background:#1c1c1c; color:#e0e0e0;"
! Layer !! Best Practice !! Example
|-
| '''Personas''' || One mission &#8594; one alias. Never re-use names, emails, or PGP keys. || <code>alpha.ops@proton.me</code>
|-
| '''Devices''' || Burner laptop or dedicated VM per persona. || Low-cost x86 device, no personal accounts
|-
| '''Networks''' || Route traffic through chained VPN&#8594;Tor&#8594;proxy. Never connect from home IP. || 4G router + VPN + Tor
|-
| '''Data Stores''' || Encrypt at rest with strong passphrases; separate vaults per mission. || <code>gpg --symmetric AES256 dossier.txt</code>
|}

----

== <span id="environment-isolation"></span>Environment Isolation ==
* '''Bare-metal host:''' Harden BIOS/UEFI, disable Wi-Fi, use full-disk crypto (e.g., LUKS).  
* '''Virtual machines:''' Snapshot before use, discard after action. Avoid shared clipboards.  
* '''Containers:''' Apply seccomp, AppArmor, and read-only root.  
* '''Live OS:''' [[Tails]] or [[Kali]] in Live mode for zero local residue.

----

== <span id="communication-hygiene"></span>Communication Hygiene ==
* Encrypt end-to-end (e.g., [[#tools|SimpleX]], Signal) and prefer forward-secure protocols.  
* Strip metadata from attachments ([[#tools|MAT2]], ExifTool).  
* Randomise message timing and content length to resist traffic analysis.  
* Host C2 over domain-fronted HTTPS or CDN edge nodes.

----

== <span id="network-obfuscation"></span>Network Obfuscation ==
* '''IP Masking:''' Multi-hop VPN chains, Tor bridges, or commercial proxies with mixed exit geos.  
* '''TLS Camouflage:''' uTLS libraries randomise JA3 and H2 fingerprints.  
* '''DNS Hygiene:''' Query via DNS-over-HTTPS/TLS or local resolvers on isolated VPS.  
* '''Traffic Shaping:''' Insert padding packets and mimic popular SaaS patterns.

----

== <span id="anti-forensics"></span>Anti-Forensics ==
; Pre-Incident  
* Use memory-only implants (fileless).  
* Store scripts in tmpfs or ramdisk.  
* Redirect shell history to <code>/dev/null</code>.  

; Post-Incident  
* Purge log lines: <code>journalctl --rotate --vacuum-time=1s</code>  
* Timestamp spoofing: <code>touch -t 201501010000 file</code>  
* Secure erase on SSDs with blkdiscard or ATA Secure Erase.

----

== <span id="planning-checklist"></span>Operational Checklist ==
{| class="wikitable" style="width:100%; text-align:left; background:#1c1c1c; color:#e0e0e0;"
! Phase !! Tasks
|-
| '''Before''' || Create fresh persona, provision burner VPS, stage payload on dead-drop, test tunnel chain.  
|-
| '''During''' || Record actions locally (encrypted log), monitor latency for anomalies, rotate tunnels every N minutes.  
|-
| '''After''' || Remove VPS, revoke keys, shred drives, review logs for leaks, update personal OPSEC playbook.  
|}

----

== <span id="opsec-failures"></span>Notable Failures ==
* '''ANOM (2021):''' Backdoor chat app distributed to criminals; cleartext keys gave LE full visibility.  
* '''Silk Road (2013):''' Alias “Dread Pirate Roberts” reused on programming forum &#8594; deanonymisation.  
* '''LulzSec (2011):''' Static IRC nick + unchanged time zone in tweets &#8594; correlated identities.  
* '''Blockchain deanonymisation:''' Taint analysis linked mixer outputs to known exchange KYC accounts.

----

== <span id="tools"></span>Tools ==
{| class="wikitable" style="width:100%; text-align:left; background:#1c1c1c; color:#e0e0e0;"
! Tool !! Function
|-
| [https://tails.boum.org Tails] || Live OS that routes all traffic through Tor and leaves no local traces
|-
| [https://www.whonix.org Whonix] || Dual-VM architecture isolating workstation from Tor gateway
|-
| [https://protonvpn.com ProtonVPN] || No-log VPN service with multi-hop and Tor over VPN options
|-
| [https://github.com/refraction-networking/utls uTLS] || Go library for configurable TLS fingerprints
|-
| [https://www.kali.org/tools/exiftool/ ExifTool] || Metadata removal for images and documents
|-
| [https://0xacab.org/jvoisin/mat2 MAT2] || Automated metadata stripping for multiple file formats
|-
| [https://simplex.chat SimpleX Chat] || Decentralised messaging with no server-side metadata
|-
| [https://github.com/Whonix/onion-grater Onion Grater] || Tor ControlPort filter to reduce information leaks
|}

----

== <span id="glossary"></span>Glossary ==
; '''Attribution''' : Evidence that links an action to a specific actor.  
; '''Compartmentalisation''' : Separating resources so compromise of one does not expose the rest.  
; '''Indicator of Compromise (IOC)''' : Observable artefact (hash, IP, string) used for detection.  
; '''Live Operating System''' : OS that boots from removable media and wipes RAM at shutdown.  
; '''Taint Analysis''' : Blockchain tracing technique tracking coin lineage.

----

== <span id="references"></span>References ==
* NIST SP 800-150 – ''Guide to Cyber Threat Information Sharing''  
* NIST SP 800-86 – ''Guide to Integrating Forensic Techniques into Incident Response''  
* MITRE ATT&CK – ''Defense Evasion'' and ''Command & Control'' tactics  
* EFF – ''Surveillance Self-Defense'' guides  
* Bruce Schneier – ''Operational Security in the Real World''  
* CPNI UK – ''Information Security Briefings: OPSEC for Red Teams''

[[Category:Operational Security]]