Earlier this month, I had the privilege of hosting a Peer2Peer speaker session at RSA 2018, where I joined attendees on an exploratory deep-dive through the pros, cons, and intricacies that surround the practice of proactively infiltrating malicious groups online. My goal was simple: learn how my peers are conducting anonymous operations, what problems they are experiencing, and where they have seen success.
Effective misattribution allows researchers to directly engage with their target and gather rich intelligence. This practice is both necessary and risky. During the session, the attendees and I shared war stories of both failure and triumph, dissected the dangers of penetrating hostile online groups, and assessed the real-world tools that are made available for teams to effectively and securely execute their mission.
One heavily debated topic was whether intelligence-gathering missions should be handled internally or delegated to “grey hats.” Grey hat hackers are computer security experts who sometimes violate laws or typical ethical standards, but lack the malicious intentions of a “black hat” hacker. Some attendees argued that, if grey hats were to be engaged for intel missions, they would need to pass a rigorous background check to ensure they would not engage in criminal activity while gathering research. Ultimately, the group agreed that a strategic incorporation of grey hats could greatly reduce the risk of exposure for both the individual and the organization as a whole.
Social media and the use of publicly available information (PAI) were also topics that wove in and out of our conversation. Participants divulged instances where analysts would use these sites or forums to collect general information and observe public activity. Many participants agreed that laws increasing liability for websites have created an unexpected problem for researchers. In the past, a great deal of illegal activity was conducted openly on websites like Reddit. Now, many of those public sites have been shut down and replaced with sites that contain less serious content and a few well-protected spaces for more risky activities (e.g. heroin sales and child pornography). Most investigators, at least at the corporate level, make do with basic and commonly available tools to ensure trackers are eliminated from their computers. However, these solutions still leave room for human error, and one mistake in enabling these privacy tools could compromise the entire mission.
The real risk for researchers is exposure – making misattribution and operational security the key components of successfully invading the perimeter of malicious online groups. To learn how Ntrepid’s suite of managed attribution solutions helps streamline the workflow of your investigations while providing unparalleled security and anonymity, please visit https://ntrepidcorp.com/explore-our-products/.