When anonymous web access becomes business-critical, the web's favorite home remedies won't help. Worse, they can harm you and our organization
A few weeks ago, I was speaking with a regional bank in the Southwestern United States, where the lack of anonymity online had jeopardized a recent investigation. The bank was doing online research necessary for them to comply with Bank Secrecy Act and Anti Money Laundering (BSA/AML) regulations.
A financial fraud analyst found incriminating evidence on the web page of a business she was investigating. Imagine her frustration when she went back the next day to collect that evidence, only to find it had been removed in the meantime. What happened?
The bank suspects that the subject of its investigation was tipped off to the analyst's research because web traffic from the bank was hitting the website of the investigated business.
This happens more often than one would think, as I've learned in conversations with other financial services firms before.
Having secure, fully anonymous web access would have kept the bank from tipping its hand in this instance. And lacking a solution to accommodate special web access for its analysts wasn't just jeopardizing the bank's investigations.
It also put the bank's internal IT security at risk, because BSA/AML analysts frequently need to access URLs that are considered "high risk" from a cybersecurity perspective.
Banking is not the only sector with this problem. Law firms face similar challenges. Take practice groups that need anonymous browsing for conducting litigation support research, for example.
Ideally, law firms would have access to a setup where they can browse anonymously while gathering information for litigation support. The legal professionals commonly pushing for these setups do so because they need to conduct online research without getting blocked by their firm's URL filter. They also need to prevent their web activity getting traced back to the firm.
Compliance managers, financial intelligence units, and law firms conducting litigation research are not the only groups facing this challenge. Professionals in other fields depend on unrestricted, secure, anonymous web access on the job as well. Cyberfusion centers, corporate security departments, private investigators, and OSINT professionals also need this level of protection when accessing the web.
And just like leading financial services and law firms, they increasingly turn to a solution that has solved similar problems for federal agencies and the Department of Defense: accessing the web through a secure cloud browser.
What's wrong with using a regular browser for this purpose, you ask? Simply put, the "free" and supposedly "secure" mainstream browser betrays you. It's neither free nor secure.
You don't have to take my word for it. Check out https://sploit.io, a tool built to see what information is being broadcast about you when going online with a browser installed on your local computer or mobile device.
Did you know what kind of information local browsers such as Chrome, Firefox, Edge, and Safari share with the world? That data includes the browser's make and version number, your device's operating system, plugins you use, languages/fonts, your location…
All of these details, together with basic tracking code such as "cookies", can be used to create a unique fingerprint.
That information is frequently used to identify and target individual end users and whole organizations.
Think about it from a security perspective. This "oversharing" by the browser also exacerbates its built-in vulnerabilities. It enables attackers to exploit your browser extensions and plugin - including such that purport to protect you.
Yes, you can find thousands of blog posts and articles on "how to browse the web anonymously" on the web. And no, most don't provide a clear answer.
They suggest a wide variety of approaches, only to then end on a note along the lines of "this is about the best you can do, and you can never be 100% sure."
Did you end up more confused than when you started? Most of these how-to guides suggest a multi-step solution where several methods are combined to prevent your web activity from being traced back to you.
It seems as if the six most commonly suggested methods are imperfect at best:
To be fair - some of these methods can be useful for browsing mostly anonymously, as long as we keep in mind that none of them were built for this specific purpose. For business-critical and compliance-relevant use cases, however, cobbling together a mingle-mangle of tools that keep you mostly anonymous isn't enough.
In the age of remote work, enabling secure, anonymous web access becomes ever more important, because IT doesn't always control the network or machine employees and contractors are connecting from.
The different methods and tools listed above may explain why almost every commercial organization I encounter has developed its own approach to achieving secure and anonymous web access.
When they first recognize the need to better protect their analysts, researchers and investigators online, and don't realize there's a service available to accommodate them, companies often set out to build their own.
The most common approach is to create a separate "non-attribution" network with dedicated endpoints for web research that are isolated from the main corporate network. I've heard these solutions being called "dark rooms", "kiosks" and "dirty boxes", among others.
The "dirty" method has some serious drawbacks. Those who have gone down this path tell me about complicated setup, configuration, and post-mission cleanup requirements that impede their investigations.
This "build-your-own" approach to creating a platform for anonymous online research, it turns out, is time-consuming, expensive, and requires constant maintenance.
We've covered why anonymous web access is often critical for professional web investigations. We looked at what stands in the way (the local browser). We examined the methods and tools used to make it happen anyway (often unsuccessfully). We found severe problems with these approaches.
So by now, you might ask: Is there a better way?
How about one click-access to secure, fully anonymous web browsing as-a-service?
If you want a simple solution that works, without any of the deficiencies, risks, and extra costs associated with the DYI approach, use a cloud browser.
Web isolation with Authentic8's Silo Cloud Browser precludes attribution and exposure to trackers and malware by handling all web content in an isolated cloud container on Authentic8's global server network.
With Silo and Silo Research Toolbox, our platform for professional OSINT analysts, fraud researchers, investigators, and threat hunters, all content is processed and downloaded remotely. No code from the web can touch your computer or network. Web servers are presented only with the disposable cloud browser's IP address, not yours.
Using Silo, you interact with visual display information transmitted back from the cloud instead. You won't notice a difference, because Silo provides the same rich browsing experience you are accustomed to from your local browser. (Silo may be faster.)
Silo provides secure, non-attributed web sessions on demand. No more asking IT for web filter exceptions. No more complicated and costly "dirty box" or "dirty network" setups and cleanups. And no more crossing your fingers, hoping that the patchwork of solutions you've cobbled together is really keeping your team anonymous.
Because, to quote Green Bay Packers coach Vince Lombardi: "Hope is not a strategy."
As an account executive with Authentic8's commercial sales team, Kurt works with organizations of all sizes across verticals to support security operations and intelligence collection.
Want to learn more about the Silo Web Isolation Platform? Have a general inquiry about Authentic8? We’d love to chat! Click one of the buttons below to get in touch with our representatives.
