OSINT Case Study: Code Name “Arid Hunter”
Sometimes the best way to understand how a solution might work for you is to see how it was used by someone else. One of our customers kindly gave us permission to use them in an anonymous OSINT case study. I am going to call them “Arid Hunter.”
Listen to the Ntrepid Cast podcast on this topic.
Arid Hunter’s mission is to conduct research, gather OSINT, and build a narrative about their groups of interest using data from various sources, mostly on the internet. Prior to working with Ntrepid, Arid Hunter used a number of improvised solutions. Their agents used dedicated standalone laptops, operating outside the agency’s network, to conduct their operations. Those laptops reached the internet over either fixed, discreet commercial internet connections or portable Wi-Fi hotspots. While this arrangement protected the organization’s network and infrastructure, it did not hide the organization’s activity. The laptops themselves were also exposed to malware and to fingerprinting. The setup did not provide enough diversity in IP addresses, nor presence in all the geographic locations they needed. Being seen as coming from their actual location immediately exposed them as outsiders in many online environments, and using the same few IP addresses for many different activities left a clear signature that they were not ordinary individuals on the internet. They also had no access to international IP addresses. All of this led to an unacceptable level of blocking and targeted misinformation.
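The “clear signature” described above is something the target site can compute from its own access logs. The following is an added example, not code from the case study or from Ntrepid: it runs three simple linkage checks over a constructed log (many distinct accounts behind one source IP, pairs of accounts that repeatedly share IPs, and accounts whose claimed country disagrees with where their IP geolocates). The log lines, account names, IP addresses and the IP-to-country table are all constructed for illustration.

```python
"""Added example: how a target platform links personas that share a few source IPs.

The log format, sample lines, and IP_COUNTRY table are constructed for this
illustration; a real site would use its own access logs and a GeoIP database.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed log lines: <client_ip> <account> <claimed_country> <path>
SAMPLE_LOG = """\
198.51.100.7 anna_k DE /forum/thread/12
198.51.100.7 jorge_m BR /forum/thread/12
198.51.100.7 mei_l CN /profile/edit
198.51.100.7 tom_w US /forum/thread/40
198.51.100.9 anna_k DE /forum/thread/13
198.51.100.9 jorge_m BR /search?q=x
203.0.113.25 sofia_r IT /forum/thread/12
203.0.113.88 ahmed_s EG /forum/thread/12
"""

# Constructed stand-in for a GeoIP lookup (hypothetical values).
IP_COUNTRY = {
    "198.51.100.7": "US",
    "198.51.100.9": "US",
    "203.0.113.25": "IT",
    "203.0.113.88": "EG",
}

Event = Tuple[str, str, str, str]  # (client_ip, account, claimed_country, path)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed four-field log format; blank and '#' lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, account, claimed, path = line.split(maxsplit=3)
        events.append((ip, account, claimed, path))
    return events


def shared_ip_clusters(events: List[Event], min_accounts: int = 3) -> Dict[str, Set[str]]:
    """Source IPs used by at least min_accounts distinct accounts, with those accounts.

    One residential user rarely drives several unrelated personas from one address;
    an operator reusing a single egress IP for every activity does exactly that.
    """
    by_ip: Dict[str, Set[str]] = defaultdict(set)
    for ip, account, _, _ in events:
        by_ip[ip].add(account)
    return {ip: accts for ip, accts in by_ip.items() if len(accts) >= min_accounts}


def linked_accounts(events: List[Event], min_shared_ips: int = 2) -> List[Tuple[str, str, int]]:
    """Pairs of accounts that have appeared from at least min_shared_ips common IPs.

    Sharing one IP can be coincidence (NAT, a cafe); sharing several is a strong link.
    Returns (account_a, account_b, shared_ip_count), sorted by account name.
    """
    ips_by_account: Dict[str, Set[str]] = defaultdict(set)
    for ip, account, _, _ in events:
        ips_by_account[account].add(ip)
    links = []
    for a, b in combinations(sorted(ips_by_account), 2):
        shared = ips_by_account[a] & ips_by_account[b]
        if len(shared) >= min_shared_ips:
            links.append((a, b, len(shared)))
    return links


def geo_mismatches(events: List[Event], ip_country: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Unique (account, ip, claimed_country, observed_country) where the two countries differ.

    This is the 'seen as coming from their actual location' problem: the persona
    claims one country while every request geolocates to another.
    """
    seen = set()
    for ip, account, claimed, _ in events:
        observed = ip_country.get(ip, "??")
        if observed != claimed:
            seen.add((account, ip, claimed, observed))
    return sorted(seen)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, accts in shared_ip_clusters(evs).items():
        print(f"IP {ip} is shared by {len(accts)} accounts: {sorted(accts)}")
    for a, b, n in linked_accounts(evs):
        print(f"{a} and {b} share {n} source IPs")
    for account, ip, claimed, observed in geo_mismatches(evs, IP_COUNTRY):
        print(f"{account} claims {claimed} but {ip} geolocates to {observed}")
```

In the constructed log, four personas sit behind `198.51.100.7`, `anna_k` and `jorge_m` travel together across two IPs, and three of the four personas on that address claim countries other than the one the IP resolves to; a site running these checks would have little trouble grouping them. The fix the rest of the case study describes is to give each persona its own consistent egress location and identifiers so that none of these three queries returns anything.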
Some Arid Hunter agents were sophisticated enough to set up their own virtual machines on the laptops, but these were unsupported, unstandardized solutions. Maintenance fell to the individual agent, and nobody analyzed the actual security of these jury-rigged setups.
The final problem was that none of these independent, diverse laptops and other solutions were tied into any centralized collaboration, monitoring, or oversight. There was no easy way to collaborate with other agents on complex operations, and supervisors were effectively blind to the details of their agents’ activities, reduced to trusting written notes or watching over an agent’s shoulder.
That is where Ntrepid came in. To address Arid Hunter’s challenges, we deployed two products: Nfusion, which handled their managed attribution requirements, and Timestream, which addressed their data organization and collaboration needs. The solution replaced the standalone laptops and internally built virtual machines and gave agents several ways to manage their attribution, so they can interact on the internet deniably, discreetly, securely, and effectively under a wide range of false identifiers. Nfusion and Timestream work together to make investigations easier, faster, and more collaborative.
With its modular and extensible secure virtual desktop, Nfusion supplied Arid Hunter a coherent platform that incorporates collection tools and custom applications, including integration of our own timeline analysis and presentation application, Timestream.
To address their need to egress from specific, dedicated locations around the world, Ntrepid offered discreet procurement and management of our proprietary global network of points of presence (PoPs). These PoPs are bespoke-backstopped so that they cannot be attributed to Ntrepid or to Arid Hunter. Using Nfusion, agents mask their identity and appear to be in any of the locations we set up for them. Besides disguising the agents’ whereabouts, this lets them view location-restricted websites and information. The resulting diversity of IP addresses, locations, and system identifiers allows Arid Hunter to reach previously blocked websites and avoid being served targeted misinformation.
Nfusion addressed Arid Hunter’s security requirements by isolating all operational activity in a remote virtualized environment, completely separate from the agent’s local desktop and network. The Nfusion virtual machines are destroyed at the end of each session, so malware, persistent implants, and trackers that took hold during a session do not survive it, even if they were never detected. Nfusion also safely stores captured data and web pages and persists selected information between sessions; that deliberately persisted material is the only state that carries over from one session to the next.
Through Nfusion’s integration with Timestream, we provided Arid Hunter with an efficient workflow that includes evidence collection and the collaboration, visualization, and presentation of intricate, long-running investigations.
Finally, Ntrepid’s solution enabled full visibility, monitoring, logging, and oversight of all agent activity. With the unified managed platform, managers were finally able to see every page visited and every browser action taken during operations.
With these new capabilities, Arid Hunter’s agents were able to spend more time on task, devoting their attention to the mission rather than the technology. Operating with higher productivity, more security, and much lower risk has been a game changer for their ability to execute their critical missions.