“Systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities. The process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and application of appropriate countermeasures.”
OPSEC applies to both Blue and Red Teaming (for a Red Team, the adversary is the Blue Team!)
- Identify, Protect and Control
OPSEC five-step process:
- Identify critical information
- Analyse threats
  We consider any adversary with both the intent and the capability to take actions that would prevent us from completing our operation to be a threat:
  threat = adversary + intent + capability
  In other words, an adversary lacking either the intent or the capability does not pose a threat for our purposes.
- Analyse vulnerabilities (OPSEC vulnerabilities)
  Another example of an OPSEC vulnerability would be an unsecured database used to store data received from phishing victims. If the database is not properly secured, a malicious third party could compromise the operation, exfiltrate the data, and use it in an attack against your client's network. As a result, instead of helping your client secure their network, you would end up helping to expose their login names and passwords.
- Assess risk
- Apply countermeasures
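The five steps above, carried through as one small worked example. This is added illustration code, not part of the original notes or of the DoD manual, and every adversary, critical-information item, vulnerability and score in it is constructed for the demonstration (the unsecured phishing database from the vulnerability step appears as one of the entries). It encodes the "threat = adversary + intent + capability" rule as a filter, scores each vulnerability that exposes critical information as likelihood x impact, and lists the countermeasures for everything at or above a risk threshold.

```python
"""Worked OPSEC five-step assessment over a constructed red-team scenario (illustration only)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Adversary:
    name: str
    intent: bool       # wants to stop or exploit the operation
    capability: bool   # can actually act on that intent


@dataclass(frozen=True)
class CriticalInfo:
    name: str
    impact: int        # 1 (minor) .. 5 (operation-ending) if disclosed


@dataclass(frozen=True)
class Vulnerability:
    description: str
    exposes: str       # name of the CriticalInfo item it would leak
    likelihood: int    # 1 (unlikely) .. 5 (near certain) that a threat exploits it
    countermeasure: str


# Step 1: identify critical information (constructed sample inventory)
CRITICAL = (
    CriticalInfo("phishing domain", impact=4),
    CriticalInfo("harvested credentials", impact=5),
    CriticalInfo("C2 server address", impact=5),
)

# Step 2 input: candidate adversaries (constructed); only those with BOTH intent and capability count
ADVERSARIES = (
    Adversary("client Blue Team", intent=True, capability=True),
    Adversary("opportunistic internet scanner", intent=True, capability=True),
    Adversary("curious non-technical employee", intent=True, capability=False),
    Adversary("managed hosting provider", intent=False, capability=True),
)

# Step 3 input: vulnerabilities (constructed), including the unsecured phishing database example
VULNERABILITIES = (
    Vulnerability("phishing results database reachable from the internet without authentication",
                  exposes="harvested credentials", likelihood=4,
                  countermeasure="bind the database to localhost, require authentication, encrypt at rest"),
    Vulnerability("operator registers the phishing domain with a personal email address",
                  exposes="phishing domain", likelihood=2,
                  countermeasure="register infrastructure through a dedicated, non-attributable account"),
    Vulnerability("C2 server reuses a TLS certificate from an old, attributed domain",
                  exposes="C2 server address", likelihood=3,
                  countermeasure="issue a fresh certificate per engagement"),
    Vulnerability("team chat screenshots posted publicly",
                  exposes="engagement timeline", likelihood=2,   # not in the critical inventory
                  countermeasure="social media policy during engagements"),
)


def is_threat(adv: Adversary) -> bool:
    """threat = adversary + intent + capability"""
    return adv.intent and adv.capability


def analyse_threats(adversaries):
    """Step 2: keep only the adversaries that are actual threats."""
    return [a for a in adversaries if is_threat(a)]


def assess_risk(critical, vulnerabilities, threats):
    """Step 4: score each vulnerability that exposes critical info as likelihood x impact.
    With no real threat nothing would exploit the vulnerability, so the risk list is empty."""
    if not threats:
        return []
    impact = {c.name: c.impact for c in critical}
    scored = [(v.likelihood * impact[v.exposes], v)
              for v in vulnerabilities if v.exposes in impact]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored


def apply_countermeasures(scored, threshold=10):
    """Step 5: countermeasures for every vulnerability at or above the risk threshold, highest risk first."""
    return [v.countermeasure for score, v in scored if score >= threshold]


def run_assessment():
    """Run all five steps and return (threats, scored vulnerabilities, countermeasures)."""
    threats = analyse_threats(ADVERSARIES)
    scored = assess_risk(CRITICAL, VULNERABILITIES, threats)
    return threats, scored, apply_countermeasures(scored)


if __name__ == "__main__":
    threats, scored, measures = run_assessment()
    print("threats:", [t.name for t in threats])
    for score, v in scored:
        print(f"risk {score:2d}: {v.description}")
    print("countermeasures to apply:", measures)
```

The threshold and the 1-to-5 scales are arbitrary choices for the example; the point is the shape of the process: the employee and the hosting provider drop out at step 2 because each lacks intent or capability, the chat-screenshot item drops out at step 4 because it exposes nothing in the critical inventory, and the unsecured database ranks first because it leaks the highest-impact item with high likelihood.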
DoD's OPSEC Manual