What is OPSEC?

Operations Security (OPSEC) is a term originally coined by the US military and adopted by the information security community. It's generally used to describe the "ease" by which actions can be observed by "enemy" intelligence.

From the perspective of a red team, this would be a measure of how easily our actions can be observed and subsequently interrupted by a blue team. "Ease" is probably not the right word, because it's relative to the skills and knowledge of those defenders. However, given the overall threat landscape, the body of public knowledge and even consultation with the client, you can make some predictions regarding their capabilities.

Every action we take will leave indicators, but it's important to have a good sense of how well those indicators are understood and what the likelihood is that the defenders will see and/or respond to them. Throughout this course you will see notes that attempt to highlight "bad" OPSEC and how it might be improved to reduce the likelihood of detection.

It should also not be assumed that OPSEC works in only one direction. Red teamers may gain access to internal systems used by defenders - such as their Security Information and Event Management (SIEM) system, ticketing systems, response/procedure documentation, email, real-time chat and so on. This intelligence can be used to operate in specific ways that the blue team is blind to, or unable to deal with.

Both red and blue teams should assume that their actions are being monitored and disrupted by the opposite side. Wise operators would also assume that the team they're up against are better than them.
