Situational awareness is critical in every kind of engagement. The internet is no exception. Effectively all modern conflicts take place, at least in part, online. To understand the threats you will inevitably face, you need to go hunting outside your perimeter. Only by surreptitiously monitoring and engaging with potential attackers and malware developers will you successfully gain information about emerging attack methods, patterns, and practices in the cyber underground.
Security teams have embraced the idea of threat hunting within their enterprise, but extending that hunt outside the firewalls is much less common. It requires special skills and enhanced precautions and brings with it many unknowns. Even with these barriers, it’s undeniable that threat hunting in the wild can yield significant new threat intelligence for those organizations bold enough to undertake it.
Hunting overtly is like a marked police car cruising down the street. Criminals can easily run and hide before the car gets close. To avoid this, police use plain-clothed officers in unmarked cars. You can do the same thing on the internet, but there are some tricks and pitfalls to keep in mind.
It might seem that you could simply turn on “incognito mode” in your browser and go to work. However, incognito mode only means that your browser of choice does not save a history of the sites you visit or ordinary cookies. It does not mask your IP address, advanced trackers, or browser fingerprint, which are critical identifiers to keep hidden when hunting anonymously.
Your IP address allows anyone to identify your organization. The first step to getting out of uniform online is to use an IP address that is not associated with you, your organization, or even your general location. It is important to make sure that your real IP is not leaked. Specialized tools can make this much easier.
Trackers, like cookies and supercookies, make it easy for websites to recognize you when you visit. These trackers are how websites know your account name when you visit. Advertisers also use trackers to target ads at you all over the web. While it is easy to delete normal cookies, so-called ‘supercookies’ are a different animal entirely. Because tracking techniques are always evolving, it is difficult for scrubbers to ensure all the trackers have been removed. The safest approach is to use a newly initialized and installed operating system every time you start browsing. Virtual machines (VM) allow you to do this without too much effort. By running a VM, you can create a clean image before every web session. At the end of every browsing session, you can restore your VM to the saved version, thereby eliminating all trackers along with any undetected malware you may have picked up while browsing.
Your browser has a unique fingerprint made up of all the software and plugin versions, configurations, fonts, and characteristics of your computer. Together, this data is generally unique to each visitor to a given website. Even if you do hide your IP address and remove all the supercookies, a website can still identify you by your browser fingerprint. It is impossible to completely hide your browser’s fingerprint. However, using a browser fingerprint that is shared by many other people can help obscure your identity. The most common browser fingerprint is a freshly installed operating system. From there, they diverge quickly. By using a VM, you can always appear as if you’ve newly installed your operating system. That same virtual machine image that protects against supercookies can also provide you with a generic browser fingerprint.
By managing all of those identifiers you will successfully blend in with other internet denizens and be able to monitor online activities without drawing attention or tipping anyone off to your interest. This should empower you to begin anonymously hunting threats in the wild, while leaving your “marked car” browser behind.