OPSEC Indicators

by Chris Cox

OPSEC Indicators are friendly actions and open sources of information that can be detected or interpreted by adversarial intelligence systems, and combined with other known information to derive friendly critical information.

An indicator has five characteristics: signature, association, profile, contrast and exposure.

A signature is what makes an indicator identifiable and causes it to stand out. If a signature is unique and stable, it reduces the ambiguity of a particular indicator and reduces the number of additional indicators that must be observed in order to determine its significance. If the indicator's signature is stable, meaning that the behavior is constant and repeated, an adversary may accurately predict future actions. By varying the pattern of behavior, the signature's stability can be interrupted, increasing the ambiguity of an adversary's observations.

An association is the relationship that an indicator has to other information or activities. Adversarial intelligence analysts spend a considerable amount of time comparing current observations with past observations, which may reveal possible relationships. For example, an observer may note a particular employee reporting to work after hours. Through previous observation, the analyst is aware of that employee's position as an on-call computer forensics analyst. Given the association between those two observations, the adversarial intelligence analyst could conclude that the organization has suffered a computer breach of some sort.

An association can also take the form of a pattern. For instance, if it is observed that field exercises are always preceded by weapons maintenance and vehicle loading, an analyst may be able to accurately predict these exercises. Lastly, an association can take the form of organizational patterns, particularly in military units. The analyst may be aware that a particular unit is composed of a headquarters company, a maintenance company and a transportation company. If one of these elements is detected, the presence of the others would be strongly suspected.

A profile is the sum of multiple signatures. In other words, when multiple signatures are detected, their combination is more or less unique to a particular mission or task. For instance, if signatures are detected that indicate that aircraft fueling capacities are in place, as well as air traffic control, personnel and weaponry, a profile can be compiled indicating future air-based operations. If a unique profile is observed, an analyst may be able to accurately determine which type of operation is in progress, minimizing the need for additional observation and analysis.

Contrasts are any differences between the established pattern and current observations. Contrasts are the most reliable indicators because they depend on differences from established and repeated profiles, and need only be observed rather than understood. A contrast can take many forms; for instance, leaving work at a different time, or the presence of vehicles or aircraft that were not previously observed. When noting a difference, the analyst will attempt to determine whether the change is isolated or widespread, whether the change has occurred previously (and has a matching association), whether anything significant has occurred since the change, and what the change may represent. While a contrast may not "give away the farm", it may result in increased adversarial observation.

The exposure of an indicator refers to the length of time and the time frame in which the indicator is observed. If an indicator can be observed for a long period of time, it will be assimilated into the profile and be assigned a meaning. If an indicator can be observed for only a short period of time and does not repeat, it is less likely to attract attention. However, if the indicator is observed for short periods of time but is repeated frequently, it will begin to be seen as a contrast to the normal profile. It is important to note that if an indicator is observed for any length of time in conjunction with a specific activity, it will gain increased importance as a precursor to that activity.
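The five characteristics above can be turned into a self-assessment: an organization that models its own observable activity the way an adversarial analyst would can see which of its indicators are stable, which contrast with its established profile, how long those contrasts have been exposed, and which activities reliably precede others. The script below is an added example, not part of the original article; the actors, activities, days and hours are constructed sample data (an on-call analyst arriving after hours, a contractor badge that appears every day, a van seen on two of four days, and vehicle loading that in the baseline always precedes a field exercise by one day), and the thresholds used to label exposure are assumptions chosen to mirror the text.

```python
"""Added example: scoring a constructed observation log for signature stability,
contrast, exposure and precursor associations. Not code from the original post."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Observation:
    day: int       # day index within the observation window
    actor: str     # hypothetical subject of the observation (a role, a vehicle class, ...)
    activity: str  # what was observed
    hour: int      # hour of day (0-23) at which it was observed


Key = Tuple[str, str]        # (actor, activity)
Sig = Tuple[str, str, int]   # (actor, activity, hour): one signature


def build_observations() -> Tuple[List[Observation], List[Observation]]:
    """Constructed data: a ten-day baseline (the established profile) and a
    four-day current window containing a few departures from it."""
    baseline: List[Observation] = []
    for d in range(1, 11):
        baseline.append(Observation(d, "forensics-analyst", "arrive", 9))
        baseline.append(Observation(d, "forensics-analyst", "leave", 17))
    for d in (2, 7):  # in the baseline, vehicle loading always precedes an exercise by one day
        baseline.append(Observation(d, "motor-pool", "vehicle-loading", 14))
        baseline.append(Observation(d + 1, "unit", "field-exercise", 6))
    current: List[Observation] = []
    for d in range(11, 15):
        current.append(Observation(d, "forensics-analyst", "arrive", 9))
        current.append(Observation(d, "forensics-analyst", "leave", 17))
        current.append(Observation(d, "contractor-badge", "entry", 10))  # new, seen every day
    current.append(Observation(12, "forensics-analyst", "arrive", 22))    # one after-hours arrival
    for d in (11, 13):
        current.append(Observation(d, "unmarked-van", "present", 10))     # new, intermittent
    current.append(Observation(13, "motor-pool", "vehicle-loading", 14))  # known precursor
    return baseline, current


def signature_stability(obs: List[Observation]) -> Dict[Key, float]:
    """Share of each (actor, activity)'s observations that fall at its most common
    hour. 1.0 means the signature is fully stable, i.e. predictable."""
    hours: Dict[Key, Counter] = defaultdict(Counter)
    for o in obs:
        hours[(o.actor, o.activity)][o.hour] += 1
    return {k: max(c.values()) / sum(c.values()) for k, c in hours.items()}


def profile(obs: List[Observation]) -> Set[Sig]:
    """The set of signatures that make up an established profile."""
    return {(o.actor, o.activity, o.hour) for o in obs}


def contrasts(baseline: List[Observation], current: List[Observation]) -> List[Observation]:
    """Current observations whose signature is absent from the baseline profile."""
    known = profile(baseline)
    return [o for o in current if (o.actor, o.activity, o.hour) not in known]


def exposure(contrast_obs: List[Observation]) -> Dict[Sig, Tuple[int, int, str]]:
    """For each contrasting signature: distinct days seen, span of days covered, and a
    label (assumed thresholds): 'isolated' (seen once, unlikely to attract attention),
    'continuous' (seen every day of a span of 3+ days, so it will be assimilated into
    the profile), else 'intermittent' (short but repeated, itself read as a contrast)."""
    days: Dict[Sig, Set[int]] = defaultdict(set)
    for o in contrast_obs:
        days[(o.actor, o.activity, o.hour)].add(o.day)
    result: Dict[Sig, Tuple[int, int, str]] = {}
    for sig, ds in days.items():
        seen, span = len(ds), max(ds) - min(ds) + 1
        if seen == 1:
            label = "isolated"
        elif seen == span and span >= 3:
            label = "continuous"
        else:
            label = "intermittent"
        result[sig] = (seen, span, label)
    return result


def precursor_strength(obs: List[Observation], precursor: Key, target: Key, within_days: int) -> float:
    """Fraction of precursor observations followed by the target within `within_days`:
    how reliably the association lets an analyst predict the target activity."""
    target_days = {o.day for o in obs if (o.actor, o.activity) == target}
    precursor_days = [o.day for o in obs if (o.actor, o.activity) == precursor]
    if not precursor_days:
        return 0.0
    hits = sum(1 for d in precursor_days if any(d < t <= d + within_days for t in target_days))
    return hits / len(precursor_days)


def predicted_days(obs: List[Observation], precursor: Key, target: Key, within_days: int) -> List[int]:
    """Days on which the target would be expected, given precursors already observed
    in `obs` that have not yet been followed by the target."""
    target_days = {o.day for o in obs if (o.actor, o.activity) == target}
    out: Set[int] = set()
    for o in obs:
        if (o.actor, o.activity) == precursor and not any(o.day < t <= o.day + within_days for t in target_days):
            out.update(range(o.day + 1, o.day + within_days + 1))
    return sorted(out)


if __name__ == "__main__":
    baseline, current = build_observations()
    loading, exercise = ("motor-pool", "vehicle-loading"), ("unit", "field-exercise")
    print("stability:", signature_stability(current))
    for sig, (seen, span, label) in exposure(contrasts(baseline, current)).items():
        print(f"contrast {sig}: seen {seen} day(s) over {span}, {label}")
    print("precursor strength:", precursor_strength(baseline, loading, exercise, 1))
    print("exercise expected on day(s):", predicted_days(current, loading, exercise, 1))
```

Run on the constructed data, the analyst's arrival signature drops from fully stable (1.0) in the baseline to 0.8 in the current window, the contractor badge is labelled continuous (it will soon be part of the profile), the single after-hours arrival is isolated, the van is intermittent, and the vehicle loading on day 13 predicts an exercise on day 14 because the baseline association held every time. The same structure works on whatever an organization can observe about itself: badge logs, public schedules, vehicle movements or social-media activity.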

It is important to understand the different classes of indicators, and to understand the collection efforts of adversaries. After all, if you don’t know what to protect, how do you know you’re protecting it?