VPN and Incognito Mode reveal a ton of data to visited websites that managed attribution solutions can conceal and manipulate for analyst anonymity.
Analysts and researchers in a variety of industries have used VPN and Incognito Mode in an attempt to conceal their identity while investigating target sites. I was on a panel recently for the GEOConnect conference and discussed how geospatial intelligence (GEOINT) analysts have this same need for anonymity and operational security while collecting publicly available information (PAI). In the process of researching PAI, the analysts’ browsers are giving up tons of data to the site they’re visiting that could reveal their identity or intent.
Just like an undercover agent, analysts need to blend into the environment they’re researching so as to not tip off the target that they’re under investigation. To blend in, you need to understand what a good disguise looks like for that particular site, which requires a bit of research itself and something called “managed attribution” (i.e., managing the factors that make up the online identity you reveal to a visited site).
While VPN and Incognito Mode can alter some elements of your online identity, there’s much more that they don’t. Relying on these solutions alone falls far short of the tradecraft analysts need to conduct their investigations anonymously and securely.
What attributes do VPN and Incognito Mode miss?
VPN: A VPN will change or “spoof” the geographic location your device appears from, but not other elements of your online identity, leaving your device susceptible to identification. While it’s important to the analyst’s disguise that their machine’s location blends in with average users of the site they’re researching, VPNs don’t address many other components of the “location narrative” such as language, time zone and keyboard settings, among others.
Incognito: Private browsing — or “Incognito Mode” as referred to by Google — blocks certain cookies to limit tracking while you search the web. However, search engines still track your activity in other ways. Even if cookies are blocked in the browser settings, supercookies remain active, among other trackers. While there are a myriad of ways of tracking users online, here are a few examples:
- Canvas fingerprinting: Draws an image in the background of your machine to take a fingerprint of the rendering engine
- E-tags: Continues to track items such as what info you’ve already viewed/clicked on on a page (this is how news sites present new articles even if you haven’t refreshed the page)
- Battery status API: Can be used to continuously identify a mobile phone across multiple contexts
With all this unmanaged information still flowing from analysts' machines, VPN and Incognito Mode have not managed attribution and, therefore, have not concealed identity and intent.
What if I don’t manage attribution?
If analysts aren’t able to maintain anonymity during their research, they could be putting themselves and their organization at a security risk. Bad actors don’t like to be found out; if they realize they're under investigation, they could seek retribution against an individual analyst or the organization they’re affiliated with. Most often this means cyberattacks, but there is unfortunately the threat of physical harm or damage as well.
In cyber terms, without proper isolation of the machine that the analyst uses to conduct their research, all web code is locally executed and malicious code that could launch an attack puts that machine and potentially other assets on the same network at risk.
Additionally, if a target gets wise to the fact that they’re under investigation, they may feed disinformation to the identified analysts, compromising the investigation itself. No analyst wants to blow a case simply because of the means by which they were conducting it, so it’s important to seriously consider those means before diving into research a case.
What should I look for in a managed attribution solution?
To fill the holes in your disguise left by VPN and Incognito Mode, you need a purpose-built solution for managing attribution. Below are some elements to look for when evaluating a solution
- Isolation: Using a cloud browser, ensure that all web code executes off-device and off-network so as not to introduce cyber risk in the process of conducting online investigations
- Manipulation: Manage elements of your online fingerprint such as the user-agent string including geographical location, time zone, language, keyboard, operating system, browser, etc.
- Workflow: Make sure that evidence can be captured according to tradecraft requirements, analyzed efficiently, and stored and shared securely with collaborators
- Integration: Connect the managed attribution solution with your existing OSINT tools to assist in the collection of data
These capabilities combined will protect analysts, organizations and the integrity of investigations while also improving caseload productivity.
Listen to NeedleStack's VPNs, Incognito, free Wi-Fi, oh my! podcast episode for more information on the pitfalls of a VPN.