We received a ton of great questions from our webinar on financial crime investigations and are putting up our Q&A with industry attendees.
In the webinar We Asked, You Answered: Unveiling 2020 Online Research Trends According to FinCrime Specialists, we discussed the findings of our recent survey of financial crime investigations. The survey revealed many surprising findings in terms of the typical scope of investigations and, especially, challenges the analysts conducting them encounter.
Webinar attendees submitted the questions below, the answers to which may be relevant to other financial crime investigators. We will continue to update this page as the webinar series continues on this topic.
How do you get financial institutions to buy into dark web accessibility?
Dangerous organizations and individuals operate in the shadows; in online terms, this means the dark web. So, for many financial crime investigators, the dark web is a critical component of their online research. It’s important to remember, though, that accessing the dark web comes with a unique set of risks, both to the integrity of the investigation and to the analysts and organizations behind it.
For IT managers, this means giving analysts the tools they need to conduct investigations securely and efficiently, while meeting all of your audit and control requirements.
Many financial institutions have restrictions around accessing certain websites due to security reasons. How do you suggest incorporating other web investigations?
No matter where investigations take you online, it’s important that analysts still adhere to the policies of their organization. Unfortunately, many of these policies run contrary to functions analysts need to engage in, including accessing risky sites on the open, deep and dark web.
There are a couple of ways around this that can satisfy both parties. The first is a DIY approach, where IT builds and maintains “dirty” computers and connections analysts can use and abuse without bringing risk back to the corporate network. Additional features of these environments can deliver “managed attribution” (see more in the Tradecraft and Terminology section), so digital fingerprints don’t tip off targets that they’re under investigation. The problem with the DIY approach is often the weight of its overhead — it’s a lot for IT to keep maintaining, and it introduces inefficiency in analyst workflows.
The second is a SaaS option. Using a SaaS solution offloads not only risk but also upkeep. For example, Authentic8’s Silo Web Isolation Platform gives you the browser isolation and user misattribution needed to conduct secure, compliant financial crime investigations through a cloud-based solution. It helps improve the efficiency of investigations, gives analysts the tradecraft tools they need and still puts audit and control in the hands of IT.
How can I increase my dark web capabilities for dark web investigations? Is there a website that can be accessed without going onto the dark web to obtain knowledge of dark websites?
OSINT and the open web are great places to start dipping your toe in the dark web (seriously, just Google “dark web forums”). Open-web searches can point you to sites that are of interest to you and give you marketplace analysis of forums, databases, etc. across the dark web.
Also, combining OSINT with intel collected from the dark web is needed to give the full scope of evidence related to an investigation.
How and where do you get training for the dark web?
Training not only allows you to be better at your job, it allows you to be faster, so you can work through more cases and produce better quality investigations.
To what extent should investigators conduct open source search, including dark web?
Each organization is different in terms of the documentation you should provide to law enforcement/FinCEN in a suspicious activity report. My personal preference is the more information you can acquire the better. It means someone can quickly pick up and continue the case to completion and thwart criminal activity as swiftly as possible.
How reliable are dark web sources?
Reliability of dark web sources is never guaranteed. As with any investigation, the validity of collected evidence needs to be verified. This can be done by cross-referencing dark web information with open web data or information from other sources. For example, individuals will sometimes reuse usernames across websites on the dark web and the open web (I’ve found people that use the same name on Instagram that they do on a dark web forum). Humans are creatures of habit — dark web users are no exception.
And remember, especially if investigators have inadvertently given away their identity, they could be receiving disinformation from a knowing target. Always verify intelligence to make sure you haven’t been duped.
How do you manage your digital fingerprint on the web?
A VPN is a good first step, but not the safest or best answer to managing your digital fingerprint. While a VPN changes the location your browser appears to connect from, it leaves other items unchanged, such as your browser type and version, operating system, etc. Changing these items as well helps you blend in with the rest of a site’s visitors and avoid tipping off the webmaster that their site is being used in an investigation.
When conducting online investigations, do you want to appear as a ninja lurking in the shadows or do you want to appear undercover and be able to engage with your investigation targets to glean intelligence? I’ll assume it’s the latter.
If you’re not using purpose-built managed attribution tools (i.e., to disguise your digital fingerprint) and simply blocking cookies or other tracking mechanisms, it becomes a dead giveaway that you have something to hide. A purpose-built tool like Authentic8’s Silo for Research ensures that the means by which you manage attribution while conducting various actions on target sites (accessing, translating, screen grabbing) doesn’t compromise the ends of your investigation.
What is a user agent string?
A user agent string is the text your browser sends to every site it visits to identify the browser, browser version and operating system you appear to be using; in effect, it is the device you’re appearing as online. As mentioned above, you want to blend in while conducting online research in several ways (geography, browser, OS). Knowing how to properly disguise your user agent string is key to the success of your investigation.
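To show what a site operator can read from the user agent string an analyst’s browser sends, here is an added example (not code from the original post or from Authentic8) that parses a few constructed sample strings into browser, version and OS. The sample strings are assumptions, written to resemble common browser formats; the last one mirrors the uniform “Windows / Firefox ESR” profile a hardened browser may present regardless of the real OS.

```python
import re

# Constructed sample user agent strings (assumed formats, not captured from any real site).
SAMPLE_UAS = {
    "win_chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36",
    "mac_safari": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/14.0 Safari/605.1.15",
    "linux_firefox": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0",
    # A uniform profile: the same string is sent whatever the analyst's real machine is.
    "uniform_profile": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",
}


def parse_user_agent(ua):
    """Return the browser family, version and OS a webmaster can read from a UA string."""
    os_name = "unknown"
    if "Windows NT" in ua:
        os_name = "Windows"
    elif "Mac OS X" in ua:
        os_name = "macOS"
    elif "Android" in ua:
        os_name = "Android"
    elif "Linux" in ua or "X11" in ua:
        os_name = "Linux"

    # Order matters: Chrome strings also contain "Safari", so Chrome is tested first.
    patterns = (
        ("Firefox", r"Firefox/([\d.]+)"),
        ("Chrome", r"Chrome/([\d.]+)"),
        ("Safari", r"Version/([\d.]+).*Safari/"),
    )
    for family, pattern in patterns:
        match = re.search(pattern, ua)
        if match:
            return {"browser": family, "version": match.group(1), "os": os_name}
    return {"browser": "unknown", "version": "", "os": os_name}


def profile_label(ua):
    """One-line summary of the profile a site sees, e.g. 'Windows / Chrome 86.0.4240.111'."""
    parsed = parse_user_agent(ua)
    return f"{parsed['os']} / {parsed['browser']} {parsed['version']}".strip()


if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:16s} -> {profile_label(ua)}")
```

Run against the samples, the Linux/Ubuntu string stands out from the typical visitor profile in a way a VPN alone would not hide, which is the point of managing the user agent alongside location.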
How does Authentic8’s Silo for Safe Access compare to Silo for Research?
Check out this side-by-side comparison of the two products of the Silo Web Isolation Platform. Essentially Silo for Research comes with all the features of Silo for Safe Access to provide access to web-based apps with security, identity and data policies embedded directly in the browser, plus loads of additional features for managed attribution.
In case you missed it, here are some of the resources I mentioned during the webinar (additional ones linked throughout this blog):