While many online investigators recognize the need to avoid tipping off the target, they are still fuzzy on the specifics of what managed attribution is.
What is managed attribution? Is it the same as misattribution? How about non-attribution? Can it help me stay anonymous online and conceal my identity? We get these questions from online investigators and researchers in virtually every industry and every part of the world. In our line of work, we are used to the term “managed attribution,” but there’s indeed a lot of confusion out there about what it is, and what impact it can have on analysts’ safety and productivity. So, let’s try to unpack this.
Defining managed attribution
Let’s start by defining “attribution” itself. Attribution means something is designated or credited to someone; in the context of online presence, attribution refers to all the traceable elements and properties that can help locate and identify you, your organization and your mission. And as much as researchers want to blend in and conceal their online identity, modern browser technology has made it very easy to know who’s visiting a site.
Every time we open a browser, we leave a trail of digital breadcrumbs. Sites that we visit (and even ones that we don’t) collect a slew of information about our connection (IP address and provider), hardware (device type, OS, video and audio cards), configurations (keyboard and language settings, time zones, etc.), installed software and plugins, and even seemingly random things like battery status to help track us across sessions.
Then, there’s our behavior online. Every link we click on, every term we search for, every post we “like” and every comment we publish gets tracked, catalogued, processed, packaged, and sold to advertisers. And while millions of web users around the world have similar devices and search for similar items, browsers are capable of fingerprinting us based on small inconsistencies and distinct combinations of settings and behaviors that make our online presence unique.
And if you’re an online investigator, being unique is the last thing that you want to be — especially if you’re investigating financial crime, terrorism or high-profile fraud that’s sponsored by well-funded groups capable of counterintelligence and retaliation.
What you want to do instead is blend in, conceal your online identity and be allowed to browse the web anonymously. And this is where managed attribution comes in.
Listen to NeedlStack's "Hidden dangers of the digital fingerprint" podcast episode for information on better protecting yourself and your organization.
Managed attribution isn’t the same as mis- or non-attribution
While the three terms sound similar, they employ very different approaches to concealing your online identity.
Non-attribution is the attempt to stay completely anonymous while browsing the web. Organizations try to accomplish this through a combination of DIY and commercial solutions, ranging from connecting through a VPN to creating dedicated networks and maintaining “dirty” devices to get their analysts online. Ultimately, none of these are capable of creating a completely anonymous browsing environment because, as we discussed above, browsers track much more than your IP address. And even the IP address can be revealed if the VPN connection temporarily fails.
“Private” or “Incognito” browsing modes promise to erase some obvious cookies, but a lot of information is still being tracked, which, in the wrong hands, can lead the adversary back to the investigator. Plus, when you have one machine for your everyday tasks and another on a separate network for sensitive investigations, it can become very tricky to share information with others (on your own team or even law enforcement and regulators) and maintain a proper chain of custody for the evidence. Experts agree that with all the tracking mechanisms built into modern browsers, the idea of non-attribution is quickly becoming obsolete and unattainable.
Misattribution refers to intentionally misleading your targets (subjects of investigations or adversaries) about who you are and what your intentions may be. Some of the tools used to accomplish this are essentially the same as in non-attribution — connecting through a VPN, using “Incognito” browsing, maintaining “burner” machines, etc. — but the misattribution effort mainly focuses on maintaining a false online identity. Here, too, things can go very wrong very quickly. Even if you spend hours constructing and nurturing a fake profile, a single slip-up can give you away and jeopardize your mission. Plus, while a VPN might disguise your real location and spoof a fictitious one, that alone may not be convincing enough for a sophisticated adversary. Will an Eastern European cartel leader be willing to believe that you are a harmless observer if signs like your time zone or keyboard/language settings suggest that you are not who you say you are? All the tools that are available to advertisers can also be used by bad actors to dig deeper when something seems suspicious, and once they discover that they are being investigated, they could either hide their operations or, worse, retaliate against the researchers with malware and other methods.
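The mismatch described above, where a VPN changes the apparent location but the time zone, language or keyboard settings still point elsewhere, can be checked before a session starts. This added example is not from the original article or from any product it mentions; the expectation table, field names and sample profiles are constructed for illustration.

```javascript
// Added example. EXPECTED is a constructed sample table, not an authoritative
// mapping; egressCountry and keyboardLayout are hypothetical field names.
const EXPECTED = {
  PL: { timeZones: ["Europe/Warsaw"], languages: ["pl"], keyboards: ["pl"] },
  DE: { timeZones: ["Europe/Berlin"], languages: ["de"], keyboards: ["de"] },
  US: {
    timeZones: ["America/New_York", "America/Chicago", "America/Los_Angeles"],
    languages: ["en"],
    keyboards: ["us"],
  },
};

// Primary subtag of a BCP 47 language tag: "pl-PL" -> "pl".
const primary = (tag) => String(tag).toLowerCase().split("-")[0];

// Returns one finding per signal that contradicts the egress country.
function auditProfile(profile) {
  const expected = EXPECTED[profile.egressCountry];
  if (!expected) {
    return [{ signal: "egressCountry", detail: "no expectations defined" }];
  }
  const findings = [];
  // In a browser: Intl.DateTimeFormat().resolvedOptions().timeZone
  if (!expected.timeZones.includes(profile.timeZone)) {
    findings.push({ signal: "timeZone", detail: String(profile.timeZone) });
  }
  // In a browser: navigator.languages, most preferred first.
  const preferred = (profile.languages || []).map(primary)[0];
  if (!expected.languages.includes(preferred)) {
    findings.push({ signal: "languages", detail: String(preferred) });
  }
  if (!expected.keyboards.includes(profile.keyboardLayout)) {
    findings.push({ signal: "keyboardLayout", detail: String(profile.keyboardLayout) });
  }
  return findings;
}

// Constructed profiles: only the IP address changed vs. every signal aligned.
const vpnOnly = { egressCountry: "PL", timeZone: "America/New_York",
  languages: ["en-US", "en"], keyboardLayout: "us" };
const aligned = { egressCountry: "PL", timeZone: "Europe/Warsaw",
  languages: ["pl-PL", "en"], keyboardLayout: "pl" };

console.log(auditProfile(vpnOnly).map((f) => f.signal));
console.log(auditProfile(aligned).length);
```

The VPN-only profile yields three findings because nothing except the IP address matches the claimed location, while the aligned profile yields none.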
Managed attribution helps you blend in and conceal your identity
And this brings us to managed attribution — the only way to blend into your environment and conceal your identity during online investigations. With managed attribution, you can completely customize how you appear to sites and people that you interact with online by manipulating a variety of device details including language, time zone and keyboard settings, as well as the browser, OS and other elements. Using a global egress network, you can adjust your location to appear to be coming from any of dozens of points around the world, showing a local IP address that never refers back to you or your organization.
Purpose-built managed attribution solutions can also improve researcher productivity and workflow. For example, each session can use the same manipulated settings or start fresh, depending on the needs of your investigation and governed by user-specific policies.
And managed attribution solutions, like Silo for Research, also improve security so online investigations don’t introduce cyber risk. Silo for Research uses a cloud-based web isolation platform that executes all web-native code remotely, so it never reaches the endpoint and keeps your device and network safe from malware. And all evidence can be safely collected, stored, translated and shared through the solution.
With managed attribution working to conceal online identity during investigations, researchers from financial fraud analysts to corporate trust and safety teams to law enforcement can ensure the integrity of their investigation is maintained and their work doesn’t put themselves or their organization at risk.