OPSEC for Investigators and Researchers

  • secwest.net, Vancouver, Canada

DOJO Details

  • One day DOJO on March 18, 2024 (Monday)

  • Attendance:

    • In-Person Only.

  • No digital recording will be provided after the fact or permitted during the instruction.

Last Updated February 21, 2024

DOJO Abstract

Whether performing an in-depth investigation or merely quick research, the investigator (or researcher) and the investigation itself are exposed to certain risks.

This workshop focuses on security and safety issues pertaining to online research and investigations. It covers different areas of the investigative process and how tools and particular techniques can leak information detrimental to the case or the investigator.

The workshop focuses on both the technical and the soft (intelligence and counterintelligence) aspects of OPSEC, so it is useful to technical investigators as well as non-technical folks, like mainstream journalists and lawyers.

From a technology point of view, the workshop covers different browser and infrastructure fingerprinting techniques, ad platforms, browser hooking, instant messaging programs, email security, and tracking.

On the investigative side, the workshop focuses on deception techniques and their application in intelligence and counterintelligence.

Furthermore, it goes deeper into how investigators and blue teams can be profiled and targeted. Such targeting can be a direct attack against their computer or supporting infrastructure, against their person, or against the investigation itself, which in turn may be as subtle as steering it in the wrong direction or making the evidence inadmissible in court.

Alongside the dangers, this workshop provides a series of countermeasures and mitigations that can help investigators increase their level of safety and security and decrease their digital footprint.

In addition, the workshop introduces containerization and how it can be used to segment and streamline the process.

In more detail, the agenda roughly looks as follows:

DOJO Outline

  • Introduction

  • Discussion about OPSEC and what it means to different groups, specifically from an intelligence and counterintelligence perspective.

  • A brief discussion about consequences, both personal and to the investigation

  • Contemporary examples: NSO group vs Citizen Lab, Israel vs Hamas, Mandiant leaks, and some booters who turned into swatters and then murderers.

  • A personal example of an OPSEC failure

  • The observer effect and investigations

  • Google and other search engine queries and consequences

  • Ad platforms

  • Overview of tracks we leave as investigators.

  • Usage of DNS for investigations

    1. DNS query leaks/usage of passive DNS

    2. iTerm leaks

    3. Passive DNS

    4. Recursive DNS server interrogation

  • Other tools leaks

    1. Vim exploit

    2. Chat programs and data leaks

    3. Perils of VPN and Tor

  • Online services leaks

    1. Gmail and G Suite issues

  • Others

    1. URL shorteners

    2. In-band exploitation

    3. Teredo tunnel pitfalls

    4. VirusTotal leaks

    5. BeEF

    6. 0-days and 1-days

  • Mitigation techniques.

    1. Personas

    2. Containers and VMs

    3. Setting up tripwires on your system

    4. Privacy plugin pitfalls (privacy plugins themselves are not covered, as they are out of scope).

Hardware Requirements

  • To be added at a later date.

Software Requirements

  • Students must bring VMware Player or VirtualBox (note that the latter does not perform as well).

About the Instructor: Krassimir Tzvetanov

For the past four years Krassimir Tzvetanov has been a graduate student at Purdue University, focusing his research on Homeland Security, Threat Intelligence, Operational Security Research, and Social Media Influence Operations in the cyber domain.

Before that, Krassimir was a security architect at Fastly, a content delivery network (CDN) designed to accelerate content delivery and serve as a WAF and a shield against DDoS attacks. His current focus is on incident response and investigations, threat intelligence, and security systems architecture.

In the past, he worked for hardware vendors like Cisco and A10, focusing on threat research and information exchange, DDoS mitigation features, product security, and security software development best practices. Before joining Cisco, Krassimir was a Dedicated Paranoid (security) at Yahoo!, Inc., where he focused on designing and securing the edge infrastructure of the production network. Part of his duties included dealing with DDoS and abuse. Before Yahoo!, Krassimir worked at Google, Inc. as an SRE for two mission-critical systems: the ads database supporting all incoming revenue from ads, and the global authentication system, which served all of the company's applications.

Krassimir is very active in the security research and investigation community, has a number of contributions to FIRST SIGs, and participates in the Honeynet Project.

In addition, Krassimir ran the BayThreat security conference and has contributed to a number of other events, such as DefCon, where he ran the Radio Communications group, as well as ShmooCon and DC650.

Krassimir holds a Bachelor's in Electrical Engineering (Communications), a Master's in Digital Forensics and Investigations, and a Master's in Information Technology with a focus on Homeland Security.
