The Need for Identity Management

“Everything is circumstantial,” this saying is especially applicable to the creation of every individual persona that we make. When there is something that we would like to achieve, we may create a persona specifically tailored to the requirements needed to accomplish said goal, as simple or complex as the goal may be. Fabricating identities is a popular tactic among the spy craft industry, and for good reason: it works.

While fabricated personas may seem straight-forward, it is actually quite time-consuming and tasking to both develop and maintain. It is critical that every individual persona is understood in great detail in order to obtain optimal results; otherwise, an entire operation can fall apart.

There are three key factors that will be looked at in regards to identity management:

1. OPSEC model

2. Identity compartmentalization

3. Mental health & psychological vulnerability

The First Factor: OPSEC Model

An OPSEC model – a set of standard procedures to ensure operational success – should be established for maintaining each individual persona. The goal of our OPSEC model is to mitigate the risk of the operation being jeopardized while maintaining operational capabilities, it is the bridge that allows us to rationally execute operations with success. This OPSEC model will describe the rules and conditions to be followed while using that persona, this protocol will also outline how a persona will react to various situations. The established protocols of our OPSEC model should always be followed.

So, Who Needs an OPSEC Model?

Everyone needs to follow rules of some sort to perform their daily operations safely, but the need for an OPSEC model depends on the operational circumstances. There are a limitless number of possibilities for the various different models that could be created, again, respective to the operational circumstances.

Ross Ulbricht, better known as Dread Pirate Roberts, is an ex-darknet marketplace operator convicted of founding and running the Silk Road. Determining the OPSEC model for a darknet marketplace operator is difficult since there is a vast variety of metrics that must be considered: law enforcement investigators, state level adversaries, targeted blackmail and extortion, and even assassination attempts.

A darknet marketplace operator would require dedicated compartmentalization, the capability of plausible deniability, regular anti-forensic action, a cover-up career, effective money laundering, and strong self-discipline to avoid sharing stories in real life. Additionally, they would require a strong understanding of how to maintain cyber anonymity through cryptocurrency, secure messaging, understanding of metadata, cryptography, and much more. This is an example of an extremely delicate OPSEC model, to say the least.

Corporate OPSEC Models in InfoSec

Realistically, not everyone is a darknet marketplace operator, but we often see OPSEC models used in our very own workplaces; we can think of defensive security policies, rules and guidelines as pieces of a greater corporate OPSEC model.

InfoSec professionals often say that the human factor is the weakest link in security. By developing rules and defensive security policies in the workplace, various types of social engineering attacks can be prevented. Everyone involved with the security industry would benefit by enforcing defensive security in the workplace. Incorporating defensive security, like an OPSEC model, would help maintain corporate reputation by preventing data exfiltration. By using a corporate level OPSEC model, many physical security threats can be mitigated in the workplace.

How Do I Measure my OPSEC Model?

B3RN3D, an OPSEC blogger, introduced a model to define levels of OPSEC for identities. The model has five levels, ranging from Level 0 to Level 4; 0 being the least protection necessary, and 4 being the highest. We will use this model for identifying levels of necessary OPSEC; however, this model is not to be considered a trusted method of evaluation since every operation is unique and should be treated as such. Always take the time to tailor your OPSEC to satisfy the operation’s circumstances.

B3RN3D’s OPSEC Level Model:

Level 0 – No protections. You don’t care about privacy and are not concerned with other people attributing your online activities to yourself.

Level 1 – Minimal: You are concerned about privacy, but choose simple, minimalist tactics to protect yourself. For example, you are using a VPN service for everyday browsing, but being caught is inconsequential.

Level 2 – Medium: You are concerned with your privacy and take action to ensure that you are safe. It is likely that if someone finds out what you are doing, you’ll have to pay a price, but it is not a life-and-death situation. For example, journalists working with a source use the TAILS LiveCD.

Level 3 – High: Those users that are likely to be targeted, and likely to have heavy consequences if caught. They have done everything in their power to maintain their pseudonymity, but still, try to lead some semblance of a personal life.

Level 4 – Extreme: These are reserved for those people doing high risk activities where the result of an adversary outing you is a matter of life and death. You’re prepared to forgo personal relationships, worldly goods, and just about anything to maintain your anonymity.

If you are stuck between two levels, do not fret. Remember that these are only models of a theoretical hierarchy, we can adjust them according to the operational circumstances.

The Second Factor: Identity Compartmentalization

What is Compartmentalization?

To compartmentalize is to divide something into sections or categories. Identity compartmentalization is the process of managing identity segregation to mitigate the risk of leaking information to the wrong parties (ex. persona contamination). Put simply, keep your lives separate from one another, no different than a married couple having an affair.

How Do We Compartmentalize our Identities?

Know your identity; know your fabricated identity just like you know your real identity, memorize whatever information that could possibly be needed, and then some more. You can never know your identity too well.

Avoid persona contamination; do not speak about your other identities to anyone outside the scope of your OPSEC model.

Apply data poisoning; logically make identity personalities separate, and give them different backgrounds to prevent cross-identity suspicion.

Be organized; document your identities, it will help you know your identity better by organizing facts in a structured manner. Store these identity documents on an encrypted partition, preferably hidden and outside the cloud so no one can find them. Assume your adversary will intrude on your base site to seize devices and documentation.

Additional Reading on Compartmentalization Theories

B3RN3D also has some good blog posts for strategically compartmentalizing identities. Said blog posts include an exemplary OPSEC model, using psychology to manage state-dependent memory, and an Event Boundary theory that may be worth checking out; although, not mandatory.

Braintricks for OPSEC

Event Boundaries: Helping to Compartmentalize Your Operations

Defining Levels of OPSEC to Your Identities

Perspectives of OPSEC Models

The Third Factor: Mental Health & Psychological Vulnerability

Managing multiple identities is very stressful and taking on the human brain since we must always be conscious of everything we say and do. When using a persona, we should always be mindful of contradicting our own words and views, cultural misunderstanding leading to unfitting communication, maintaining appropriate stylometry, among an infinite number of other possibilities. When operating behind a persona, we are not supposed to be ourselves, we must be mentally prepared to manage our identities without failure.

Lindsay Moran, an ex-CIA operative, expresses the stresses of managing multiple identities in her book Blowing My Cover: My Life as a CIA Spy (99 cents for a used copy on Amazon). She tells the story of the personal sacrifices she had to make in order to properly compartmentalize her identities to maintain operational security as a CIA agent. OPSEC and identity compartmentalization made it difficult to maintain a personal social life, just as the same things make it difficult for some hackers to have personal relationships.

During Lindsay’s CIA training, she had to remain secretive about the entire year-long interview process. The CIA is built on secrecy just as many security circles are, so members and agents must be conditioned to continuously practice a lifestyle built around OPSEC. This is a very lonely journey since your work and operations can consume your entire life, so just like a CIA operative, persona contamination must be considered a sin, secrets must be kept from those close to you.

Let security logic guide you, not paranoia. When OPSEC becomes a daily practice, you will become better at lying on demand and mitigating attack vectors on-the-fly. You will become proactively aware of the car that has been behind you for 2 or 3 blocks in worry of being trailed, concerned about network monitoring in every possible atmosphere, and paranoid that people are asking personal questions to leverage a targeted social engineering attack.

Some people say that paranoia is a good trait to have when practicing OPSEC, but paranoia can psychologically destroy a person through mental burn-out. There is a point where you need to draw the line and prioritize your human sanity over paranoia-driven OPSEC. With that said, let security logic and protocol guide you, not unreasonable assertions.

Never forget your real friends. Basing your entire lifestyle primarily around one privately compartmentalized persona is dangerous territory in terms of mental health. Focusing strictly on “operational” pseudonyms may lead to a lonely place where you will eventually feel the need to find a friend. This leads to the risk of developing untrusted contacts acting as a false proxy to friendship; your entire friendship will be built upon lies, and if you make that personal, that could be emotionally damaging.

Drug markets and malicious cyber circles are not the places for making friends, that is why we have bars and social events in real life. Do not let business control your life, it is critical that you continue to satisfy your psychological and emotional desires.

The Take-Away

Identity compartmentalization must be practiced by intelligence agency operatives, military personnel, darknet users, professional penetration testers, state actors, and just about anybody who needs to create a specific identity to carry out an operation. When creating an identity, an OPSEC model should be considered, and persona contamination must be avoided. We must know our identities inside-and-out, front-and-back, but mental health should always be a personal priority, regardless of the operation. Without good mental health, we are more prone to make mistakes due to personalized psychological vulnerability.