This is a three-part blog about OPSEC for Blue Teams. This first part expresses some of my ideas about the risk of alerting the adversary and OPSEC for getting OSINT and context on domains and IPs. The second part is about testing tools (I performed tests on PassiveTotal and VirusTotal) which provide context and/or OSINT in relation to OPSEC. The last part will be on sandboxes, secure communications and sharing of info & data when dealing with a targeted attack.
When talking about adversaries in this series, I mean the ones which are targeting your company. So I do not discuss a threat actor executing a malware or phishing campaign against a large and diverse group of victims. You can be less strict on following certain OPSEC rules when you know you deal with a non-targeted attack. Still, following secure practices in both cases will make sure your default behaviour is in line with good OPSEC rules.
The risk of alerting the adversary
You have an advantage as a defender when you found a trace of a targeted attack. This is called defender's advantage or the intruder's dilemma: "The attacker needs to hide all his traces, but the defender needs to just find one trace to unravel the intrusion.". Use this advantage to get a complete picture of the attack and take at once all actions necessary to flush out the adversary.
Among others, OSINT and sandboxes allow the execution of practices producing signals telling the adversary the blue team is onto them. Obviously, that is not a good thing and you can lose defender's advantage. Based on the type (one signal is stronger than the other) and/or number of signals the adversary picks up, they will take action to make sure not losing access to your IT infrastructure. Changing the malware installed on endpoints to prevent detection, replace the current C2 domain and IP with a new one, spread to more systems or deliberately go silent for a while or change techniques to prevent being detected a second time. They may have made a mistake from which they have learned and will not make the second time.
OPSEC for getting context and OSINT
There are many cases in which you need more info about a domain name or IP address. Many tools and third-party services are available which can help you in getting context (whois data, passive DNS, autonomous system number, etc.) and/or OSINT. Make sure you know what your tools are doing in the background. For domains and IPs you do not want them to do any of the following actions by default:
Setting up a connection to the domain or IP to perform an analysis.
Active DNS resolution on the domain.
These activities leave signals that can be picked up by the adversary. Imagine an adversary is using the following domain for its C2 server: apiv2.attacker.com. They would only expect their malware to contact to this domain. The adversary could monitor for example on the following related to apiv2.attacker.com:
DNS resolutions for this domain:
The source IP of the DNS request is within a subnet which has no close relation to the company you are attacking.
The source IP belongs to a security vendor such as VirusTotal.
Seeing HTTP requests that are not in line with what you expect to receive from your malware on this domain: abnormal User-Agent, unknown URL paths, signs of scanning activity, etc.
Regarding DNS, use passive DNS for which there are many sources. When dealing with a targeted attack, third party passive DNS sources will not be of any help. Use what you already have, such as DNS logs. When you do need to perform a DNS lookup, perform the query from a company system. The reason you are doing this in the first place, is that an IP can help you in providing additional context and OSINT. Be aware though to only perform DNS queries on domains you have seen, do not start guessing domain names by querying for example apiv1.attacker.com till apiv5.attacker.com. This is a signal that can be picked up by the adversary.
The main message I want to provide here: be as passive as possible when using tools and performing manual actions. In addition, when you send out signals, they have to look as normal as possible and correspond with what the adversary expects to see.