homepage
Open menu
Contact Sales
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Free Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defense Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
      • European Skills Framework
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • In-Person Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Live Online Events List
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
      • Free Training & Resources
    • Cyber Ranges
  • Enterprise Solutions
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Group Purchasing
    • Build Your Team
      • Assessments
      • Private Training
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
      • Leadership Courses
      • Executive Cybersecurity Exercises
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
      • Webinars
      • Live Streams
        • Wait Just An Infosec
        • Cybersecurity Leadership
        • SANS Threat Analysis Rundown (STAR)
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
        • Blueprint
        • Trust Me, I'm Certified
        • Cloud Ace
        • Wait Just an Infosec
      • Summit Presentations
      • Posters & Cheat Sheets
    • Internet Storm Center
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
      • Open-Source Intelligence (OSINT)
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • Australia
    • Brazil
    • France
    • India
    • Japan
    • Middle East & Africa
    • United Kingdom
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. What is OPSEC?
Ritu_Gill.jpg
Ritu Gill

What is OPSEC?

Learn what OPSEC is, why it's important in the world of OSINT, and some best practices when conducting investigations.

July 6, 2023

What is OPSEC (Operational security)?

OPSEC stands for Operational Security and is a term derived from the United States Military. Since its introduction, OPSEC has been adopted by many organizations and sectors to safeguard sensitive information in various contexts beyond the military. The objective of OPSEC is to prevent sensitive information from getting into the hands of an adversary, primarily by denying access to the data. First, we want to identify the data that can be compromised and then take steps to reduce the exploitation of this data and minimize the risk.

For some, having a better OPSEC program might mean preventing bad actors from identifying you online or knowing where you live and work. Still, some may need more protection because of the work you do. Both of these mean reviewing your overall digital footprint, those breadcrumbs you leave behind online, the associations to family and friends on your social media, or even images you post online that may disclose your location. Consider this: a threat actor could use information you share online and break into your home when you are away on vacation, and they might know this because you shared photos indicating that you are on vacation with family.

Having good operational security may include modifying one's online behaviour and applying security best practices. It means protecting sensitive data that an adversary could gather and abuse.

An example of when OPSEC fails:

Ross Ulbricht is the founder and admin of the darknet marketplace called Silk Road, which sold drugs and weapons and was considered the largest darknet marketplace at the time. In Silk Road forums, ULBRICHT was known as the "Dread Pirate Roberts." One of the several operational security mistakes was in 2011 when ULBRICHT posted a question in a forum looking for an "IT pro in the bitcoin community" and urged candidates to write to rossulbricht at gmail dot com. ULBRICHT made several OPSEC mistakes that led to his eventual arrest, and is currently serving a life sentence.

What is the OPSEC process?

OPSEC is an analytical process that entails assessing potential threats, vulnerabilities, and risks to sensitive information.

The five-step OPSEC process:

  1. Identify sensitive data - understand what your sensitive information might be.
  2. Threat Assessment - identify potential cybersecurity threats, i.e., think of what adversaries could exploit about you.
  3. Vulnerability analysis - identify where you are vulnerable and/or weaknesses in security.
  4. Risk assessment - measure the level of risk to do with each previously identified vulnerability.
  5. Apply countermeasures - develop countermeasures to minimize the identified risks.

Everyone's OPSEC will look different depending on what they are doing, who they are, and what types of activities they are engaged in. You can ask yourself some questions to understand this in a better way and to identify your current threat model: What information do you want to protect? i.e., House address, work location, family members, and assets.

What can an adversary gain from looking at your online footprint? Who might want to gain access to that information? This can be in the form of people you don't know who are looking for a soft target online or in the form of you applying for a job and the recruiter finding you on social media to see what you post about to get an idea about your character.

Where do you expose yourself too much? Do you have privacy settings on all your social media? What do you post online? These questions may assist with making your assessment.

Why is OPSEC important?

We all have something to keep from the general public, and if we didn't, we wouldn't password-protect our devices, lock our front doors, or sign out of our emails. Your online footprint says a lot about you, some of what you might not want to be accessible to just about anyone.

Why is OPSEC important to OSINT investigators?

OSINT investigators are required to have good OPSEC. This means they should avoid using their personal social media accounts to conduct investigations. The reason for this is to uphold their privacy and security and ensure the investigation's integrity. Research accounts are created to isolate OSINT research, ensuring a separation between the personal and work lives of OSINT investigators. It is essential to emphasize the importance of separating an OSINT investigator's real identity from research accounts.

Read more about Sock Puppets here:https://www.sans.org/blog/what-are-sock-puppets-in-osint.

Those conducting OSINT investigations can make OPSEC mistakes, including:

  • Network attribution (visiting the target's website without altering their footprint)
  • Using personal accounts and devices for OSINT investigation research
  • Accidentally interacting with a target (liking, commenting, friending them on social profiles)

Those of you who are not conducting OSINT research can also make OPSEC mistakes, including the general oversharing of personal information online, and one example of poor OPSEC is leaving unused social media profiles online (especially when they contain old photos and other information you have posted in the past). The general rule to understand is that we might make mistakes, and the objective should always be to reduce the impact of these mistakes.

Best Practices for Good OPSEC

Basics for everyone:

  • Use strong and unique passwords. Do not create passwords based on your pet's name, kids, spouse, etc.
  • Use a password manager or use a password notebook
  • Turn on two-factor authentication on your email/social accounts.
  • Install the latest software & app updates to all your devices
  • Activate screen-lock when idle
  • Don't leave your device unattended
  • Use webcam covers and privacy filters
  • Use encrypted email services such as Proton Mail
  • Use encrypted cloud storage like Proton Drive
  • Adjust privacy settings on social media platforms
  • Use a secure search engine like search.brave.com or startpage.com
  • If you use public Wifi at coffee shops, hotels, or airports, use a Virtual Private Network (VPN)
  • Check the permissions apps ask for before downloading
  • Educate yourself and your family/friends about online privacy and security

Additional tips for the OSINT investigator:

  • Avoid using your personal devices and social media profiles to conduct OSINT Investigations. Use sock puppets (research accounts).
  • Use dedicated devices and accounts for investigations to avoid cross-contamination and compromising an investigation.
  • Use a paid Virtual Private Network (VPN) to mask your IP address. Website owners can view who and what IPS visit their site. Expect that a target is looking at who views their personal website. This does not apply to social media research, as only the social media company would see the IP address.
  • Use a Virtual Machine (VM) to sandbox your OSINT research, and make sure a VM is used as an operating system with your computer's operating system. If you click on malware, your device will not be impacted.
  • Think of your device fingerprint (network computer's IP address when visiting a target's website). You want to make attribution to you difficult. This means taking steps to mask our personal identifiable information (PII).
  • Consider the time/days you conduct research (9-5?) - adjust settings to match the target's time zone.
  • Vet the OSINT open-source tools you use.
  • Have Standard Operating Procedures (SOPs) about how you will conduct online research.
  • Avoid posting your security clearance on social media.

It is important to note that OPSEC is an ongoing process that requires continuous evaluation, adaptation, and improvement to address evolving threats and vulnerabilities. For instance, you may move into a job where you need to reassess your threat model. This is why it's crucial to think about this often and reassess as necessary. It is not a one-time activity but rather a mindset and a set of practices that should be integrated into daily operations.

To learn more about OPSEC in terms of OSINT, check out this webcast from Matt Edmonson: Best Practices and Lessons Learned from Starting Up OSINT Teams.

Learn more about SANS' introductory OSINT course: SEC497 Practical Open-Source Intelligence (OSINT).

Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Recommended Training

  • SEC497: Practical Open-Source Intelligence (OSINT)
  • SEC504: Hacker Tools, Techniques, and Incident Handling
  • SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis

Tags:
  • Open-Source Intelligence (OSINT)

Related Content

Blog
osint_2023_blog_image.png
Open-Source Intelligence (OSINT)
September 22, 2023
A Visual Summary of SANS OSINT Summit 2023
SANS OSINT Summit was a free, global, and virtual event for the community. Check out these graphic recordings of the talks created in real-time.
370x370-person-placeholder.png
Alison Kim
read more
Blog
340x340_Blog_CybDef_Get-Into-OSINT.jpg
Open-Source Intelligence (OSINT), Cybersecurity and IT Essentials
August 31, 2023
How to Get Into OSINT
This blog post shares how to find OSINT resources and communities, practice techniques to build your skillset, and how to find a job in OSINT.
Ritu_Gill.jpg
Ritu Gill
read more
Blog
Exploring_the_Dark_Side_340x340.png
Open-Source Intelligence (OSINT)
April 10, 2023
Exploring the Dark Side: OSINT Tools and Techniques for Unmasking Dark Web Operations
The Dark Web's anonymity attracts a variety of users. Explore the various techniques used to identify the individuals behind these sites and personas.
370x370_Matt-Edmondson.jpg
Matt Edmondson
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • © 2023 SANS™ Institute
  • Privacy Policy
  • Terms and Conditions
  • Do Not Sell/Share My Personal Information
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn