Non-Technical Indicators: How to Blend in Online
When conducting intelligence operations, it is important to avoid attention. In the physical world, people have a strong intuition about the methods and tricks needed to blend in with normal life, whether by modifying their behavior to mimic social norms, or wearing a disguise. We have all heard the advice, “When in Rome, do as the Romans do,” but how do we achieve that when we are in Rome.com? What different factors will make us stand out from the crowd and attract unwanted attention during online operations? How do you blend in online? In this blog, we’re going to introduce the idea of non-technical indicators, which are certain aspects of your web identity. However, before we do so, you need to understand the ways in which your identity might be analyzed by online entities.
Avoiding unwanted attention during online operations is important because it reduces the strain on your backstopping. If you seem like you belong, your adversary is less likely to spend time and effort digging into your identity. While your identity might stand up to casual inspection, if your opponents put it under the microscope, it could easily fall apart. So, a best practice is to make sure that you blend in with the crowd wherever you are.
Determining the steps required to achieve this depends on where you are operating and who is looking at you. Some social media platforms hide everything from other users except what you choose to share. However, the social media service itself would have total visibility of all activity and technical information. Other services or protocols, like email, can leak much more information to all the people you interact with. Think through what is visible to your opponents, and focus your resources on making those elements blend in.
Some groups are quite diverse, allowing a spectrum of people that appear to belong, while others are very homogeneous. Additionally, groups might be diverse in some ways, but not at all in others. For example, hacker groups might have people of all ages, genders, races, and nationalities, but might be very homogeneous in their use of hacker slang and the Linux operating system.
Non-technical Indicators – Your Operational Footprint
Non-technical aspects of identity, or your operational footprint, are almost always visible to your opponents. They are the social cues that flag someone as being part of a group or not. To make this easier to understand, I break them down into five types of non-technical indicators:
Names can reveal a lot about us. They suggest national or ethnic group, age, and class. In many online groups, names may actually be handles or nicknames. You want to follow the conventions of the group and choose names that fall well within the typical distribution.
Photos are just as revealing. On many popular social media platforms, the profile photo is expected to be a clear and recognizable headshot. Alternatively, in groups like online forums, it is very common to use cartoons, icons, logos, pets, or other non-human images. If a photo is the norm, it is important to avoid “borrowing” photos off the internet. They can easily be detected using reverse image search.
Language is a strong group identifier in many ways. In addition to language fluency (or lack thereof), the speaker needs to be using the right dialect and slang. Beyond that, the tone needs to be appropriate as well. For example, a 16-year-old girl and a 65-year-old man from the same town would never be mistaken for each other in a chatroom. Tone and speech pattern cues can be subtle and very hard to fake.
Knowledge on a given subject frequently defines a group. Comic collectors know characters, artists, and writers while sports fanatics know teams, players, statistics, rankings, and transactions. Technical expertise and insider knowledge are the lifeblood of many groups.
Behavior can create many signals that identify outsiders. Group membership is established over time. If you have no visible history of activity, you are obviously a newcomer. Activity includes not only posts and visits, but also interactions with others in the group and even visible activity outside group-specific spaces. Being present but never interacting is often called “lurking,” and it creates suspicion within some groups. Surprisingly, time of day can also be group-specific. Being active in a hacker group early in the morning could stand out as much as consistently posting to a knitting group after midnight.
There are many tools out there to help with the technical aspects of blending in online, but it is still important to consider what is normal for any group. Do they operate mainly on phones or do they use computers? Mac or Windows, iOS or Android? What is the most commonly used browser? Firefox, Safari, Chrome, IE? Settings like your language and time-zone are also visible and can conflict with a purported identity. IP addresses can indicate a contradictory location or inappropriate organizational affiliation.
Remember when I said blending in depends on not only where you are operating but also who you are interacting with? Well, there are certain degrees of “paranoia” within different groups or platforms. And, unfortunately, people looking for interlopers generally don’t need proof, especially if the group tends to be overly suspicious and protective of privacy. One small inkling that someone is an outsider can lead them to be banned or otherwise targeted.
Create your online identity by examining the holistic combination of your technical tools and non-technical operational indicators. The key to blending in online is to avoid raising any flags that may tip off your adversary. Once a loose thread is found, people tend to keep pulling on it.