OPSEC — Monitoring, audits & incident response
Atomic sub-note of the master manual manual-paranoid-opsec.
14. Monitoring, Audits & Incident Response
14.1 Importance of Continuous Monitoring
Even the best OPSEC setups degrade over time. Software updates, new adversary capabilities, and operator mistakes introduce fresh risks.
Regular monitoring ensures that vulnerabilities are caught before they become catastrophic failures.
14.2 Self-Audits
- Perform monthly audits of all OPSEC compartments.
- Use a structured checklist:
  - Verify browser fingerprints via Cover Your Tracks or BrowserLeaks.
  - Confirm VPN, Tor, and proxy routing; test for DNS/WebRTC leaks.
  - Inspect devices for unauthorized services, rootkits, or persistence mechanisms.
  - Check logging and metadata retention policies.
  - Test kill-switches and emergency wipe mechanisms.
- Document results and track changes over time.
14.3 External Red/Purple Team Drills
- Conduct red team tests: allow trusted analysts to attempt deanonymization or correlation attacks.
- Run purple team drills: simulate persona compromise and measure detection + containment time.
- Scenarios should include:
  - Device seizure.
  - Metadata correlation across personas.
  - Stylometric attribution.
  - Social engineering or phishing.
- Maintain written after-action reports with lessons learned.
14.4 Incident Response Workflow
When compromise is suspected or confirmed:
1. Containment
   - Isolate compromised devices or accounts immediately.
   - Trigger kill-switches if supported (wipe storage, disable accounts).
2. Rotation
   - Replace compromised credentials, encryption keys, and devices.
   - Retire affected personas and migrate operations to fresh compartments.
3. Notification
   - Inform stakeholders who may be affected (team members, trusted partners).
   - Share IOCs (indicators of compromise) with relevant internal parties.
4. Threat Model Update
   - Reassess adversary capabilities in light of the compromise.
   - Identify what information was likely exposed.
5. Post-Incident Review
   - Conduct root cause analysis: what failed — tool, process, or operator discipline?
   - Update SOPs and training to prevent recurrence.
   - Maintain records for accountability and long-term tracking.
🔥 Extreme Practices (Optional)
- Run continuous monitoring agents inside disposable VMs to automatically alert on fingerprint drift or unexpected outbound connections.
- Deploy canary personas that exist solely to act as early-warning systems when touched by adversaries.
- Use decoy infrastructures (fake servers, dummy accounts) to track intrusion attempts.
- Maintain parallel redundant infrastructures: if one network or device stack is burned, instantly switch to a cold standby.
- Practice instant evacuation drills: operators rehearse what to do if devices are seized in real time.
- Automate nuclear kill-switches: one command wipes devices, revokes keys, disables accounts, and retires personas across multiple jurisdictions.
- Treat every incident as an opportunity for adversary intelligence gathering — capture their TTPs (tactics, techniques, procedures) during the breach.
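As an added example that is not part of the manual, the following Python script implements the self-audit items above (confirm VPN/Tor routing, test for leaks, track results over time) and the monitoring-agent idea from the extreme practices: it parses `ss -tunp`-style output and flags established connections that leave the host outside the tunnel, calling out DNS traffic separately. The gateway address, tunnel subnet and the `ss` sample are constructed assumptions, not values from any real system.

```python
from __future__ import annotations
import ipaddress
import re
from typing import NamedTuple

class Finding(NamedTuple):
    kind: str      # "dns-leak" or "tunnel-bypass"
    process: str
    local: str
    peer: str

# Hypothetical allowlist for one audited host (constructed, not from the manual).
ALLOWED_PEERS = {"203.0.113.10"}                      # the VPN gateway itself
TUNNEL_NETS = [ipaddress.ip_network("10.8.0.0/24")]   # addresses handed out by the tunnel

# Constructed sample of `ss -tunp` output; not captured from a real machine.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   ESTAB  0      0      192.168.1.23:41231  203.0.113.10:1194 users:(("openvpn",pid=812,fd=4))
tcp   ESTAB  0      0      10.8.0.6:50212      198.51.100.7:443  users:(("firefox",pid=2210,fd=88))
udp   ESTAB  0      0      192.168.1.23:53311  192.168.1.1:53    users:(("systemd-resolve",pid=540,fd=12))
tcp   ESTAB  0      0      192.168.1.23:38890  198.51.100.99:443 users:(("updater",pid=3311,fd=5))
"""

LINE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(.*)$")
PROC_RE = re.compile(r'\(\("([^"]+)"')

def _in_tunnel(addr: str) -> bool:
    try:
        return any(ipaddress.ip_address(addr) in net for net in TUNNEL_NETS)
    except ValueError:
        return False   # not an IP literal (e.g. '*'): treat as outside the tunnel

def scan(ss_output: str) -> list[Finding]:
    """Return every established socket whose traffic does not ride the tunnel."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # header or malformed line
        _netid, state, local, _lport, peer, pport, proc = m.groups()
        if state != "ESTAB" or peer in ALLOWED_PEERS or _in_tunnel(local):
            continue   # idle socket, the tunnel itself, or traffic inside the tunnel
        pm = PROC_RE.search(proc)
        kind = "dns-leak" if pport == "53" else "tunnel-bypass"
        findings.append(Finding(kind, pm.group(1) if pm else "?", local, peer))
    return findings

def new_since(previous: list[Finding], current: list[Finding]) -> list[Finding]:
    """Findings absent from the last audit, so drift is alerted on instead of known noise."""
    seen = set(previous)
    return [f for f in current if f not in seen]
```

Run `scan` on the live output of `ss -tunp` at each audit, persist the findings, and feed the previous list to `new_since` so only newly appeared leaks page the operator.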