Getting an Edge on Online Threat Actors

Johnmichael O’Hare

Law enforcement agencies must contend with the proverbial double-edged sword when they attempt to chase down crime in the online world.

On one side, threat actors leave a trail of information through Internet activity, social media posts and cell phone use which investigators can track. On the other side, those same actors, if sufficiently knowledgeable, can use techniques native to the Web to conceal their activities and evade detection. The same dichotomy surfaces when gathering evidence. The telltale data needed to identify a threat actor and build a criminal case is out there, but that data, often scattered across a multitude of online sources, can prove difficult to obtain and even harder to manage. Finding the informational gems hidden in vast volumes of electronic records can be an onerous and time-consuming job.

It’s a tough challenge. You’ll need a combination of legal knowledge, emerging technologies such as Artificial Intelligence (AI), and old-fashioned legwork to overcome the obstacles and turn online data to your advantage.

Hide and Seek Online

Threat actors, depending on their level of sophistication, use a variety of methods to cover their online tracks. The creation of fictitious user accounts tends to be the first level of activity masking. At this level, a person might build a presence on any of the social media platforms under an assumed name or a “handle.”

In some cases, the account holder’s identity could prove fairly straightforward to uncover: a person may create a fake account using an E-mail address from a service provider which requires a phone number for identity verification, and that number can be obtained from the provider through legal process. Even then, the number only leads somewhere if it was not itself a prepaid or VoIP number registered under a false name. The task becomes more complicated when the bogus account is based on an E-mail address from a service provider which doesn’t require a phone number or takes steps to shield the user’s personally identifiable information.

Higher up on the sophistication scale, a threat actor may operate in the deep Web, the part of the Web not indexed by search engines such as Google, or in the dark Web, a portion of the deep Web where illegal activities abound. People use several techniques to mask their identities in the dark Web. They may route traffic through an anonymizing overlay network such as Tor to ward off surveillance, use proxy servers to conceal their IP addresses, or use “logless” virtual private networks which claim not to record user activity, so that a subpoena to the VPN provider returns little or nothing. Cryptocurrencies, the typical payment method for illicit dark Web commodities, introduce another element of pseudo-anonymity: on public-ledger currencies such as Bitcoin every transaction is permanently recorded, but the addresses involved are tied to a person only once one of them can be linked to a real identity, typically through an exchange.

Tapping OSINT, WEBINT and AI for Online Investigations

Open-Source Intelligence, or OSINT, is law enforcement’s ally for identifying online threat actors and building a criminal case against them. OSINT covers a broad spectrum of publicly available information, including traditional print and broadcast media outlets. These days, social media platforms, blogs, Internet forums, and other online resources account for a growing portion of OSINT.

Technical investigators can generate and pursue a variety of leads through OSINT. Phone numbers, social media handles and IP addresses are among the items which are searchable across the open Web. In one case I’m familiar with, a burner phone number couldn’t be traced back to the person making threats. A Web search, however, discovered the phone number was associated with a user’s account on a leading social media network which included a photo of the potential threat actor.

The open Web can move a case along, but its usefulness is limited. By frequently cited estimates, Google indexes only four to five percent of all Web sites. So, agencies will often need to dig far below the surface Web to execute a fruitful investigation. Billions of uncharted sites exist in the deep Web and the dark Web. That’s a lot of ground to cover for law enforcement agencies searching for threat actors and investigating illegal activity. Compounding matters are the estimated 26 billion social media profiles in existence today.

The process of combing OSINT sources and extracting the pieces of actionable data is called Web Intelligence (WEBINT). A skilled investigator can conduct OSINT and WEBINT manually, but zeroing in on the data you need in a timely fashion requires technical horsepower.

Specifically, effective online investigations call for an automated WEBINT capability which can probe across the various layers of the Web and multiple social media platforms. Automation – skillfully applied – can help you rapidly locate threat actors and point you toward the data which may be used as evidence.

To make that happen, however, automation must be infused with AI to effectively gather, process and make sense of the staggering amounts of data generated in a WEBINT sweep. AI, for example, lets agencies create custom search parameters to reach deep Web sources beyond the reach of conventional search engine technology. In addition, AI techniques such as entity extraction and entity resolution can help investigators draw the line of logic between the bits of data an automated WEBINT process uncovers, matching the same phone number, handle or E-mail address across sources even when each source formats it differently. AI can make crucial connections much faster than investigators using manual methods.
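The pivoting described in the two passages above (a phone number that resolves to a social media account, and the connections drawn between bits of data from different sources) comes down to normalizing identifiers and following them from record to record. The following is an added example, not code from the article or from any vendor’s product; the records, handles, numbers and IP addresses are constructed sample data, and the "hub" threshold that stops a shared NAT address from linking strangers together is an assumption a practitioner would tune for their own data.

```python
"""Pivoting across OSINT records on shared identifiers (added example, constructed data)."""
import re
from collections import defaultdict, deque

# Constructed sample records: one dict per source hit. Not real accounts.
RECORDS = [
    {"source": "social_A", "handle": "@NightOwl77", "phone": "(860) 555-0142"},
    {"source": "forum_B", "handle": "nightowl77", "email": "NightOwl77@Example.com"},
    {"source": "breach_C", "email": "nightowl77@example.com", "ip": "203.0.113.17"},
    {"source": "paste_D", "ip": "203.0.113.017", "handle": "@second_handle"},
    {"source": "social_E", "handle": "@unrelated", "phone": "+1 860 555 0199"},
    # Four accounts behind one shared egress IP (a cafe, a carrier NAT): a hub
    # that would over-link unrelated people if expanded blindly.
    {"source": "log_F", "ip": "198.51.100.5", "handle": "@second_handle"},
    {"source": "log_G", "ip": "198.51.100.5", "handle": "@cafe_user1"},
    {"source": "log_H", "ip": "198.51.100.5", "handle": "@cafe_user2"},
    {"source": "log_I", "ip": "198.51.100.5", "handle": "@cafe_user3"},
]
KINDS = ("phone", "email", "handle", "ip")


def normalize(kind, value):
    """Canonicalize an identifier so the same entity matches across sources."""
    value = value.strip()
    if kind == "phone":
        digits = re.sub(r"\D", "", value)
        if len(digits) == 10:  # assumption: no country code means North American number
            digits = "1" + digits
        return "+" + digits
    if kind == "email":
        local, _, domain = value.partition("@")
        return f"{local.lower()}@{domain.lower()}"
    if kind == "handle":
        return value.lstrip("@").lower()
    if kind == "ip":
        octets = [int(o) for o in value.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"bad IPv4 address: {value!r}")
        return ".".join(map(str, octets))  # "203.0.113.017" -> "203.0.113.17"
    raise ValueError(f"unknown identifier kind: {kind}")


def build_index(records):
    """Map each normalized (kind, value) pair to the ids of the records containing it."""
    index = defaultdict(set)
    for rid, rec in enumerate(records):
        for kind in KINDS:
            if kind in rec:
                index[(kind, normalize(kind, rec[kind]))].add(rid)
    return index


def pivot(records, seed_kind, seed_value, max_hops=10, max_degree=3):
    """Breadth-first pivot from one seed identifier.

    Returns (identifiers, record_ids, links): every identifier reached, the
    records that produced them, and (parent, child, source) edges showing how
    each identifier was found, which is the provenance you will need to
    explain later. Identifiers shared by more than `max_degree` records are
    kept but never expanded, because pivoting through a shared IP or phone
    number links people who have nothing to do with each other.
    """
    index = build_index(records)
    seed = (seed_kind, normalize(seed_kind, seed_value))
    seen, hops, links, reached = {seed}, {seed: 0}, [], set()
    queue = deque([seed])
    while queue:
        ident = queue.popleft()
        if hops[ident] >= max_hops:
            continue
        rec_ids = index.get(ident, set())
        if len(rec_ids) > max_degree:
            continue  # weak hub identifier: note it, do not pivot through it
        for rid in sorted(rec_ids):
            reached.add(rid)
            for kind in KINDS:
                if kind not in records[rid]:
                    continue
                child = (kind, normalize(kind, records[rid][kind]))
                if child not in seen:
                    seen.add(child)
                    hops[child] = hops[ident] + 1
                    links.append((ident, child, records[rid]["source"]))
                    queue.append(child)
    return seen, reached, links


if __name__ == "__main__":
    idents, recs, links = pivot(RECORDS, "phone", "860-555-0142")
    for parent, child, source in links:
        print(f"{parent} -> {child}  via {source}")
    print("records:", sorted(RECORDS[r]["source"] for r in recs))
```

Starting from the burner number, the walk reaches the handle, the E-mail address, the IP and the second handle, and stops at the shared 198.51.100.5 address because four records carry it. Raising `max_degree` pulls in the three cafe users, which is exactly the false linkage an investigator has to be able to recognize and exclude.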

Preserving Evidence and Issuing Subpoenas

Automation, coupled with AI, can help investigators assemble threat actors’ profiles and unearth evidence. But, the investigative task, of course, is far from over. Law enforcement personnel must perform due diligence to ensure that they have identified the right threat actor and singled out the online platform which was used to make the threat.

At this stage, investigators must seek to preserve the evidence, with preservation letters dispatched to the social media platforms or cloud services in question. In the United States these are typically requests under 18 U.S.C. § 2703(f), which obligate the provider to preserve the specified records for 90 days, renewable once. The objective here is to make sure the sought-after information isn’t wiped from the servers of cloud storage and service providers, those of any of the social media platforms, or wherever the data is thought to reside, before the formal legal process catches up.

Here, investigators need to understand how to write the request to preserve evidence. This calls for knowledge of the applicable laws and a grasp of the specific language required to obtain the data you actually want: name the account identifiers precisely (handle, user ID, E-mail address, phone number) and the date range, because a preservation request scoped too narrowly will miss the records you later subpoena. Next comes the subpoena process, and investigators will need to understand case law, which often shapes the evolving field of cybercrime, as well as the relevant statutes. Bear in mind that a subpoena typically yields only basic subscriber and transactional records; the content of messages generally requires a search warrant.

Finding threat actors and locating evidence online is tough enough, but the data hold and request phase presents its own set of hurdles which can frustrate law enforcement authorities. Here are some of the issues you can expect to deal with:

  • Steep learning curve – The first hurdle is experience or the lack thereof. Is the law enforcement agency equipped to handle the subpoena process? Has anyone on staff gone through the process previously? If the answer is no, preparing a subpoena for any of the major online platforms will probably seem overwhelming. Indeed, most police departments don’t know how to subpoena an Internet giant. And, even agencies with the process know-how may only have one or two people on hand with experience. You can only stretch those limited resources so far – they don’t work 24/7.
  • Subpoena response time – Law enforcement agencies aren’t the only ones battling resource constraints. Internet platforms are inundated with data requests and must triage and prioritize their responses. One leading social networking site received 128,617 user data requests from government agencies between January and June 2019. That works out to more than 700 requests per day. If you extrapolate that number across the entire population of Internet and cloud service providers, the number of daily requests easily rises into the thousands. Some platforms aim to facilitate the process, providing portals for law enforcement agencies seeking data. Just the same, be prepared to take a number and stand in line – unless your data request is deemed to have national security implications or qualifies as an emergency disclosure. The biggest challenge is time, especially for time-sensitive cases where someone’s life is at risk.
  • Data overload – If you think crafting a subpoena is a daunting prospect, just wait until you face the data deluge at the end of the process. Online platforms may dump massive amounts of information. A global employment Web site reports that returns tens of thousands of pages long are possible. To make matters worse, the data you receive will likely arrive as a flat text export with little structure, which is difficult to decipher. You may have a couple of people on staff with the skills to translate piles of data into useful information, but they will not always be available to work on a case. Automation can help, but many law enforcement agencies lack the technology wherewithal to handle the amount of information coming back from a data request.
  • Documenting your investigative methods – When it’s time to present a case in court, you’ll need to testify to the methodology you used during the online investigation. Will you be able to do that when a trial begins two years after the investigation concluded? The entire process needs to be described, with each step documented along the way, from identifying the threat actor to issuing the search warrant or subpoena to making the arrest.

Overcoming the Obstacles

The process of pursuing threat actors online, gathering evidence and preparing preservation letters and subpoenas involves plenty of headaches from beginning to end. And, those aren’t the types of challenges law enforcement officers were trained to deal with in police academies.

There are some workarounds, however, which can expedite WEBINT and take some of the sting out of the arduous subpoena cycle. Let’s take a look at a few of them:

  • Education – If you’ve never attempted to obtain data from an online platform, the time to educate yourself is now, not when you’re in the midst of an investigation. Learning about Internet platforms’ data request timelines, for instance, is an important step toward approaching online investigations with realistic expectations. An education regimen should also include a review of the current law and relevant court cases.
  • Disrupting potential trouble – When you have reason to believe a threat actor may carry out an attack in the next 12 hours, you’re not in a position to wait two weeks for an online platform to produce the data which could lead to an arrest. Human intelligence needs to assert itself at this point. Physical surveillance of a threat actor identified online may be the way to go if probable cause has been established. A “knock and talk” may be enough to disrupt a potentially dangerous situation.
  • Automation – Automation can support many aspects of an online investigation and plays a particularly important role when dealing with voluminous data sets. Ideally, a law enforcement agency should have some automated means for ingesting and batch processing data. Such a system should make that data interactive and searchable. Automation speeds up the search for the key nuggets of information and can also address resource limitations. If the data is made readily consumable, a person with limited training should be able to use the system. You won’t be entirely dependent on a small group of data experts.
  • Case management – Finally, a law enforcement organization should have some mechanism for documenting the steps of an online investigation. A case management system with a detailed activity log will become a valuable asset when you’re called to testify later on.
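The “data overload” hurdle above and the “Automation” workaround both come down to one capability: turning a flat provider export into records you can search and order in time. The following is an added example, not code from the article or any product; the export format (blank-line separated "Key: Value" blocks) and its contents are constructed for illustration, since every provider lays out its returns differently, and `parse_return()` is the part you would adapt to the return you actually receive.

```python
"""Ingesting a flat-file provider return into a searchable, time-ordered index.

Added example with a constructed sample return; real provider exports use
their own layouts, so parse_return() is the part you adapt.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample return: "Key: Value" blocks separated by blank lines.
SAMPLE_RETURN = """\
Record ID: 1
Account: nightowl77
Event: login
Timestamp: 2019-03-02 14:07:55 UTC
Source IP: 203.0.113.17
User Agent: Mozilla/5.0 (Android 8.1)

Record ID: 2
Account: nightowl77
Event: message_sent
Timestamp: 2019-03-02 14:09:12 UTC
Recipient: other_user
Body: call me at 860-555-0142 tonight, mail is nightowl77@example.com

Record ID: 3
Account: nightowl77
Event: login
Timestamp: 2019-03-01 23:55:01 UTC
Source IP: 198.51.100.5
User Agent: Mozilla/5.0 (Windows NT 10.0)
"""

ENTITY_PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
TOKEN_RE = re.compile(r"[\w.@+-]+")  # keeps IPs, phone numbers and E-mails whole
TIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"  # assumption: the provider's timestamp layout


def parse_return(text):
    """Split a flat 'Key: Value' export into one dict per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # first colon only; timestamps contain colons
        if not sep:
            continue  # stray line: skip it rather than abort the whole ingest
        current[key.strip().lower().replace(" ", "_")] = value.strip()
    if current:
        records.append(current)
    return records


def parse_timestamp(value):
    """Return an aware datetime, or None when the field is missing or malformed."""
    try:
        return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def extract_entities(record):
    """Pull phone numbers, E-mail addresses and IPs out of every field value."""
    found = defaultdict(set)
    for value in record.values():
        for kind, pattern in ENTITY_PATTERNS.items():
            found[kind].update(pattern.findall(value))
    return {k: v for k, v in found.items() if v}


class ReturnIndex:
    """Inverted index over a parsed return: token -> record ids, entity -> record ids."""

    def __init__(self, records):
        self.records = records
        self.tokens = defaultdict(set)
        self.entities = defaultdict(set)
        for rid, rec in enumerate(records):
            for value in rec.values():
                for tok in TOKEN_RE.findall(value.lower()):
                    self.tokens[tok].add(rid)
            for kind, values in extract_entities(rec).items():
                for v in values:
                    self.entities[(kind, v)].add(rid)

    def search(self, *terms):
        """Record ids containing every term (case-insensitive AND)."""
        sets = [self.tokens.get(t.lower(), set()) for t in terms]
        return set.intersection(*sets) if sets else set()

    def timeline(self):
        """Record ids in chronological order; undated or malformed records go last."""
        def key(rid):
            ts = parse_timestamp(self.records[rid].get("timestamp"))
            return (ts is None, ts or datetime.max.replace(tzinfo=timezone.utc))
        return sorted(range(len(self.records)), key=key)


if __name__ == "__main__":
    index = ReturnIndex(parse_return(SAMPLE_RETURN))
    print("logins from 203.0.113.17:", index.search("login", "203.0.113.17"))
    for rid in index.timeline():
        print(index.records[rid]["timestamp"], index.records[rid]["event"])
```

The entity index is what lets a non-specialist ask “which records mention this phone number?” without reading thousands of pages, and the timeline is the view a prosecutor usually wants first. Records with a broken timestamp are sorted last rather than dropped, so a malformed page of the return does not silently disappear from the case.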
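The “Documenting your investigative methods” hurdle and the “Case management” workaround both ask for an activity log that will still be credible two years later. One way to make such a log tamper-evident is to hash-chain its entries. The following is an added example, not code from the article or from any case management product; the case number, the officer name and the step entries are constructed, and the hash chain is a design choice of this example rather than something the article prescribes.

```python
"""Tamper-evident activity log for an online investigation.

Added example: each entry commits to the previous entry's hash, so a later
edit, deletion or reordering is detectable when the log is re-verified
before testimony.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ActivityLog:
    GENESIS = "0" * 64  # prev-hash of the first entry

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, in canonical JSON so the
        # result does not depend on dict ordering or whitespace.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

    def record(self, actor, action, details=None, artifact=None, when=None):
        """Append one investigative step.

        `artifact` is the raw bytes of anything acquired (screenshot, export
        file); only its SHA-256 is stored, which is what you later compare
        against the file produced in court.
        """
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "case": self.case_id,
            "time": when.isoformat(),
            "actor": actor,
            "action": action,
            "details": details or {},
            "artifact_sha256": sha256_hex(artifact) if artifact is not None else None,
            "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def head(self):
        """Hash of the latest entry. Record it out of band (in the case file or a
        signed report) so a wholesale rewrite of the log is also detectable."""
        return self.entries[-1]["hash"] if self.entries else self.GENESIS

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def export(self):
        """One JSON object per line, suitable for attaching to the case file."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    @classmethod
    def load(cls, case_id, text):
        log = cls(case_id)
        log.entries = [json.loads(line) for line in text.splitlines() if line.strip()]
        return log


def build_sample_log():
    """Constructed walk-through of the steps the article describes (hypothetical case)."""
    t0 = datetime(2019, 3, 2, 14, 0, tzinfo=timezone.utc)
    log = ActivityLog("CASE-2019-0042")
    log.record("det_smith", "osint_search", {"query": "860-555-0142", "tool": "web search"}, when=t0)
    log.record("det_smith", "profile_captured", {"platform": "social_A", "handle": "nightowl77"},
               artifact=b"<constructed screenshot bytes>", when=t0.replace(minute=12))
    log.record("det_smith", "preservation_letter_sent",
               {"provider": "social_A", "statute": "18 U.S.C. 2703(f)"}, when=t0.replace(minute=40))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.export())
    print("intact:", log.verify(), "head:", log.head())
```

The chain only proves something if its head hash is anchored somewhere the log’s custodian cannot quietly change, such as the written case report or a signed and timestamped copy; otherwise an insider can rewrite every entry and recompute every hash. Re-running `verify()` on the exported file at trial time is the check that turns “I documented each step” into something a court can test.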

Conclusion: Take a Holistic Approach

To wrap up, law enforcement agencies have new avenues of investigation in the online world – and a counterbalancing list of challenges.

Capitalizing on the advantages and navigating the obstacles calls for a holistic approach. OSINT, WEBINT, signals intelligence, automation, bleeding edge AI, and time-tested investigative techniques all play a role. The effective integration of those tools will help you locate online threat actors, uncover evidence and build an effective case.

Johnmichael O’Hare is business development and sales director at Cobwebs Technologies. He is the former Commander of the Vice, Intelligence and Narcotics Division for the Hartford Police Department. Prior to that, he was the Project Developer for the City of Hartford’s Capital City Command Center (C4), a Real Time Crime Center (RTCC) which reaches throughout Hartford County and beyond. C4 provided real-time and investigative back support for local, state and federal law enforcement partners utilizing multiple layers of forensic tools, coupled with data resources and real-time intelligence. For more information, visit or E-mail