How Managed Attribution Empowers Online Researchers

Chances are, anyone involved in online research – cybersecurity specialists, fraud and brand misuse analysts, law enforcement investigators – has heard of the concept of managing attribution in order to stay safe and anonymous online. But there’s still a lot of confusion around both terminology (is managed attribution the same as misattribution and non-attribution?) and techniques used to manage one’s digital fingerprint and conceal their identity. So, let’s talk about these and explore how the ability to manage how an analyst appears online to the sites they visit can impact their safety and productivity.

So what is “managed attribution”?

Let’s start by defining “attribution” itself. Attribution means that something is designated or credited to someone; in the context of online presence, attribution refers to all the traceable elements and properties that can help locate and identify a specific person, their organization and their mission. And as much as researchers want to blend in and conceal their online identity, modern browser technology has made it very easy to know who’s visiting a site.

Every time an analyst opens a browser, they leave a trail of digital breadcrumbs. Sites that they visit (and even ones that they don’t) collect a slew of information about their connection (IP address and provider), hardware (device type, OS, video and audio cards), configurations (keyboard and language settings, time zones, etc.), installed software and plugins, and even seemingly random things like battery status to help track users across sessions.

It’s no secret that site owners collect and sell data on their visitors’ online behavior. Every time someone clicks a link, “likes” a social media post or leaves a comment, their actions are carefully tracked, catalogued, processed, packaged, and marketed to advertisers. And while millions of web users around the world have similar devices and search for similar items, browsers are capable of fingerprinting specific individuals based on small variations and distinct combinations of settings and behaviors that make their online presence unique. 
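The effect described above can be measured. The following is an added example, not part of the original article: it uses a constructed population of eight visitors and four attributes (all names and values are made up for illustration) to show that no single attribute singles anyone out, while the combination identifies six of the eight.

```python
from collections import Counter
from itertools import combinations
from math import log2

# Constructed sample population: values a site could read from eight visitors.
ATTRIBUTES = ("os", "language", "timezone", "gpu")
_ROWS = [
    ("v1", "Windows", "en-US", "America/New_York", "Intel"),
    ("v2", "Windows", "en-US", "America/New_York", "Intel"),
    ("v3", "Windows", "en-US", "America/Chicago", "Intel"),
    ("v4", "Windows", "en-GB", "America/Chicago", "NVIDIA"),
    ("v5", "macOS", "en-US", "America/New_York", "Apple"),
    ("v6", "macOS", "en-GB", "Europe/London", "Apple"),
    ("v7", "Windows", "en-GB", "Europe/London", "NVIDIA"),
    ("v8", "macOS", "en-US", "America/Chicago", "Intel"),
]
VISITORS = {row[0]: dict(zip(ATTRIBUTES, row[1:])) for row in _ROWS}

def key(visitor, attrs):
    """The tuple of values this visitor exposes for the given attributes."""
    return tuple(visitor[a] for a in attrs)

def anonymity_sets(attrs):
    """Count how many visitors share each combination of values for attrs."""
    return Counter(key(v, attrs) for v in VISITORS.values())

def unique_visitors(attrs):
    """Visitors whose combination of attrs is shared with nobody else."""
    sets = anonymity_sets(attrs)
    return [vid for vid, v in VISITORS.items() if sets[key(v, attrs)] == 1]

def surprisal_bits(vid, attrs):
    """Identifying information, in bits, revealed by attrs for one visitor."""
    share = anonymity_sets(attrs)[key(VISITORS[vid], attrs)] / len(VISITORS)
    return -log2(share)

def smallest_identifying_subset(vid):
    """Smallest attribute subset that singles out vid, or None if it blends in."""
    for size in range(1, len(ATTRIBUTES) + 1):
        for attrs in combinations(ATTRIBUTES, size):
            if vid in unique_visitors(attrs):
                return attrs
    return None

if __name__ == "__main__":
    for a in ATTRIBUTES:
        print(f"{a:9} alone -> unique visitors: {unique_visitors((a,))}")
    print("combined  ->", unique_visitors(ATTRIBUTES))
    for vid in ("v1", "v3", "v6"):
        print(vid, smallest_identifying_subset(vid),
              f"{surprisal_bits(vid, ATTRIBUTES):.1f} bits")
```

Visitors v1 and v2 expose identical values, so neither can be told apart from the other on these attributes; that shared anonymity set is what "blending in" means in practice.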

For an online investigator, being unique is not a good thing – especially if they’re probing into activities related to financial crime, terrorism or high-profile fraud that might be sponsored by well-funded groups capable of counterintelligence and retaliation. What online researchers want to do instead is blend in, conceal their online identity and find a way to browse the web anonymously. And this is where managed attribution comes in.

Managed attribution is distinct from mis- and non-attribution

While the three terms sound similar, they employ very different approaches to concealing the user’s online identity. 

Non-attribution: Non-attribution refers to the attempt to stay completely anonymous while browsing the web. Organizations try to accomplish this through a combination of DIY and commercial solutions ranging from connecting through a VPN to creating dedicated networks and maintaining “dirty” devices to get their analysts online. Ultimately, none of these workarounds can create a completely anonymous browsing environment, because, as we discussed above, browsers track much more than IP addresses. And even the IP address can be revealed if the VPN connection temporarily fails.

“Private” or “Incognito” browsing modes promise to erase some obvious cookies, but there’s a lot of information that’s still being tracked, which in the wrong hands, can lead the adversary back to the investigator. Plus, when researchers have one machine for their everyday browsing and another on a separate network for sensitive investigations, it can become very tricky to share information with others and maintain a proper chain of custody for the evidence. Experts agree that with all the tracking mechanisms built into modern browsers, the idea of non-attribution is quickly becoming obsolete and unattainable.

Misattribution: The main goal of misattribution is to mislead site owners about one’s identity and intent. Many of the tools used to accomplish this are essentially the same as in non-attribution (connecting through a VPN, using “Incognito” browsing, maintaining “burner” machines, etc.), but the misattribution effort mainly focuses on maintaining a false online identity. Here, too, things can go wrong very quickly. Even when analysts invest in constructing and nurturing their fake profiles, a single slip-up can give them away and jeopardize their mission. Plus, while a VPN might disguise a person’s real location and create a fictitious one, that alone may not be convincing enough for a sophisticated adversary. For instance, it might be hard to convince an Eastern European cartel leader that a visitor is a harmless local observer if their time zone and keyboard/language settings do not match their spoofed location. All the tools available to analysts can also be used by bad actors to dig deeper when something seems suspicious, and once they discover that they are being watched, they could either hide their operations, or worse, retaliate against the researchers using malware and other methods.

Managed attribution helps you blend in and conceal your identity

And this brings us to managed attribution — the only way that allows online investigators to blend into their environment and conceal their identities. With managed attribution, analysts can completely customize how they appear to sites and people they interact with online by manipulating a variety of device details, including language, time zone and keyboard settings, as well as the browser, OS and other elements. Using a global egress network, researchers can adjust their location to appear to be coming from any of dozens of points around the world, showing a local IP address that never refers back to their organization.

Purpose-built managed attribution solutions can also improve researchers’ productivity and workflow. For example, each session can use the same manipulated settings or start fresh, depending on the needs of the investigation and governed by user-specific policies.

Managed attribution allows researchers to:

  • Isolate online research: Ensure your personal and everyday business browsing is separate from your investigative work. It’s key to avoid specific actions and behavior patterns that can be used to identify you, and erode any intentional misattribution you’ve put in place. 
  • Manipulate your online appearance: Like a physical undercover agent, your online identity needs to blend in as appropriate to your investigation. 
  • Use disposable browser sessions: To minimize attribution risk, start fresh each time you browse. At the end of each session, have a system that clears all cookies and tracking data, erasing any evidence of your device or your online activity.
  • Automate for efficiency and productivity: Your managed attribution solution should make it safe and easy to work efficiently, such as scheduling jobs, automatically downloading sites for later research, capturing content in isolation, as well as built-in tools for translation and audit trails you may need.

Listen to the NeedleStack podcast: the “Hidden dangers of the digital fingerprint” episode explores how to protect yourself and your organization while researching online.

Managed attribution solutions, like Silo for Research, also improve security so online investigations don’t introduce cyber risk. Silo for Research uses a cloud-based web isolation platform that executes all web-native code remotely, so it never reaches the endpoint and keeps devices and networks safe from malware. And all evidence can be safely collected, stored, translated and shared through the solution.

With managed attribution working to conceal online identity during investigations, researchers from financial fraud analysts to corporate trust and safety teams to law enforcement can ensure the integrity of their investigation is maintained and their work doesn’t put themselves or their organization at risk.

This article was written by Jeff Phillips, Director of Product Marketing at Authentic8. To learn more about our secure online research solution, visit our website. Or tune into NeedleStack, the podcast for online researchers. See “What’s in your digital fingerprint” to learn how blending in with the crowd is critical to performing successful online research.
