Authentic8 answers FAQs about managed attribution and misattribution from online investigators who need to cloak or be anonymous for research.
It is estimated that just within the U.S., there are roughly 1.5 million people conducting online research – in every industry and sector of the economy. From private corporations to government and law enforcement organizations and even academia, teams are doing research that spans surface, deep and dark web. Online investigators rely on specialized tools and techniques to conceal their identities. Just like undercover agents, they want to blend in, remain in the shadows and stay off the radar of the persons and groups they are looking into.
Authentic8 is a premier provider of technologies for managed attribution. Silo for Research offers a full array of capabilities designed to give online investigators the tools to control and manage how they appear online. With Silo, researchers can spoof their location and IP address, configure time zone and keyboard settings to blend in with regional traffic, and even modify how their hardware attributes appear to website owners – all important steps in obscuring one’s digital fingerprint and not standing out from the crowd.
Since managed attribution is our specialty, we receive a lot of questions from both seasoned investigators and researchers just learning their craft. Below, we have assembled some of the common topics that come up in discussions. As usual, if you have any additional questions, feel free to ask!
Q: Many online investigators were forced to work from home during the pandemic and some still haven’t returned to the office full time. Is working remotely using an employer-issued laptop and VPN considered safe?
A: Not entirely. If you're using an employer-provided VPN and laptop, and you're connected to your home WiFi, there’s still risk. First, there’s a risk of attribution. You're still doing research that's attributable to your employer – even if it goes through the VPN, because of things like browser fingerprinting, or if you are accessing services that are already associated with your identity.
If the VPN were to disconnect, which often happens for a variety of reasons, you won’t be able to get to your organization's files and websites, but you might still be able to browse the web. The browsing activity that’s not going through the VPN is putting you at risk.
Similarly, any investigation activities that you’re doing using your own home network on your home computer or other devices can be a problem. You need to be very careful when doing investigation work on any device that you use to log into your personal social media accounts or shopping sites – anything that could lead adversaries back to you.
Q: Is using mobile phones for research safer than using a regular workstation?
A: Phones are often used to do research, especially in organizations that have IT policies that block access to certain sites and content, and so, investigators reach for their phones. But, of course, there are still the same types of risks that you have when browsing on a laptop or a desktop computer – most sites use tracking mechanisms to collect information about their visitors, and there’s even malware that specifically targets certain types of phones. The bottom line is – browsing on your phone may give you a false sense of security, but the risks are still very real.
Q: Are burner accounts a useful way to conduct certain types of research, like on social media for example?
A: In some ways, burner accounts can indeed be very useful, and we see this often with law enforcement, especially when investigators want to get access to certain groups and join discussions using false identities. But this approach can be very tricky and time consuming, and by no means is it completely fool-proof. You must carefully craft your persona and diligently maintain it, in order not to raise any red flags. Little things like home address, profile photo, activities, check-ins, status updates, etc. – can quickly add up to create a huge administrative burden. You need to pay attention to which sites you visit under your disguise and which time zone your persona operates in… and even with all that care and maintenance, the smallest slip-ups could quickly arouse suspicion and jeopardize your mission.
Q: How effective are various browser extensions and apps?
A: Some browser extensions can presumably provide additional protections, but analysts should still be aware of hidden risks – your browsing behavior and other trackable attributes can still lead the adversaries back to you; and what’s more – having certain extensions installed on your device may actually make your online profile even more unique and identifiable.
How does TOR impact attribution?
A: Tor anonymizes traffic – the traffic originates on your workstation through a special browser, then bounces around through multiple hot points before it gets to an exit node, which then retrieves content from the website. At a high level, that’s how the dark web achieves its anonymity. The downside of using the dark web for research is that you might stumble across some objectionable content that shouldn't be on your local workstation or malicious content that can infect your device or your employer’s network.
You may still have some risk of attribution too: not necessarily from the IP address, but rather from your online behavior, such as the patterns you use for accessing certain websites, or the way you communicate in online forums – many of these seemingly small things can be catalogued and tied together to create a profile, which can then be tied back to your real identity and affiliations.
Most organizations’ IT security policies block Tor because IT is not able to properly monitor traffic to ensure security of the internal network. The bottom line is that it’s hard to recommend Tor as a safe alternative to a properly managed attribution solution. But managed attribution with dark web access can allow investigators access to Tor sites safely.
Q: Is using sock puppet social media accounts a good idea when researching online?
A: In general, we recommend staying away from standard or stock profiles because any traits that are consistent across these profiles can be used by adversaries to figure out your true identity. It’s not difficult to spot patterns – for instance, around election times we often see a lot of propaganda-type accounts that tend to have similar usernames. Having a pattern makes it easier to script the creation of these accounts, but it can also help spot similar accounts and take actions against them.
Q: How exactly does managed attribution help eliminate its own "unique identifiers" when investigating online?
A: A dedicated managed attribution solution allows users to safely view and interact with untrusted websites and other content, save and annotate data, and even translate content into different languages. It uses a one-time-use browser built on-demand in a secure cloud-based container. All web code is rendered in the cloud and converted into a high-fidelity remote display of the session, protecting endpoints from malware, ransomware and drive-by downloads.
With managed attribution, you should be able to spoof your location from anywhere in the world, manipulate your hardware and software fingerprints, and to collect, annotate and securely store internet-based data.
Q: Even when using Silo, what behaviors/tradecraft should we practice to avoid giving ourselves away?
A: A managed attribution service is a great way to keep your research safe and anonymous. But of course, you still need to practice sound tradecraft. Even with secure browsing, analysts need to be mindful of behaviors and actions that can link their online activity to their organization. Simple things like including a company name in your username or using a corporate email address when accessing online services can compromise an investigation – even when you are using secure cloud browsing. Additionally, pay close attention to how you use features like time zone and certain browser-based attributes. Make sure to set your language, location and other properties to values that fit with your research profile and goals.
Q: What other benefits does a solution like Silo provide to researchers – besides managed attribution?
A: Silo uses browser isolation, which isolates devices and networks from web-borne threats. So, when you are using an untrusted device to access your social media accounts or a bank website, you can use Silo’s web-based client to browse securely without having to install anything on the device itself. Say, you are using a shared computer at a hotel business center or in a public library – with Silo, you can be assured that no data remains on that computer after you close your session and leave.
Silo also has built-in features to enable customers to encrypt their log data with a customer-supplied key to ensure integrity, security and non-repudiation of user activity captured by audit logs. With this encryption enabled, only the customer's administrators would have insight into the websites visited or other activity after the session launches.
To learn more about Silo for Research and our approach to managed attribution, visit: authentic8.com/demo-request
Anonymous research Dark web research