Operator Procedures
Since each digital platform has its own particular needs, the way the console is used for analysing information may vary.
The main goal of this chapter is to provide an overview of several common (elementary and more advanced) techniques and to advise on how to use them to build a daily operator's routine from scratch. Over time, the described methods can be adapted more precisely to the observed needs of a platform.
From this perspective, we distinguish two major groups of techniques an operator can employ while scrutinizing gathered intelligence: user score review and supplemental investigation, each described in its own section below.
All the techniques in these groups mostly differ in the initially observed signals. At the subsequent stages of the inspection, they tend to intertwine, such that an attentive tracing of any signal may lead to uncovering illicit pathways across different entities.
However, we generally recommend starting an operator’s daily routine with the first group of techniques and using the second group (more specifically, rules review) for further investigation of particular use cases.
User Score Review
On a day-to-day basis, we suggest beginning an operator’s session by proceeding to the Review queue page of a console. This page displays users with the lowest trust scores. Here, inspecting data in each row of the queue table, an operator has a choice of either:
Setting user status right in the table’s row.
First opening a page with more detailed user information by clicking on a user email.
In the latter case, on a user page, note the matched rules, warning signals, and the overall activity of a user. The more abnormalities an operator discovers, the higher the chance this is a fraudulent account. The status can be set on this page (see the upper-right corner) without getting back to the queue.
To set the status of a user, click the Not reviewed button and then choose an applicable action: Whitelist or Blacklist. Both actions remove a user from the review queue. Additionally, clicking the Blacklist button moves all tracked identities of that user onto a blacklist.
A similar sequence of actions can be performed starting from the Users page. This page gives access to all the users, not just the ones with low trust scores, which can sometimes be a preferred approach for getting a bigger picture of the user base.
Supplemental Investigation
A supplemental investigation is an analysis of additional warning signals. Since almost any characteristic that looks even vaguely unusual can be read as a warning signal, this section specifies what to focus on first.
Predominantly, an operator may undertake this part of the analysis by concentrating on straightforward signals such as:
Risky email addresses.
Blacklisted entities.
TOR network usage.
VPN detection.
Shared entities.
We look at each in greater detail in the ensuing subsections.
Rules Review
We advise beginning a supplemental investigation with the rules review.
The foundational instructions on using the rules engine are laid out in the Rules section. In the context of a supplemental investigation, use the second of the methods described there. Namely,
Proceed with scrutinizing the user’s identities and activity.
Alternatively, open the Users page. On the page, note the rules filter at the top part of the Users table. This filter enables the selection of users with matching rules, thus easing access to the records that require an operator’s attention.
IP Address Signals
Rules review is not the only type of supplemental investigation. In this subsection, we describe one more way to begin the examination.
Open the Dashboard page. Here, have a look at the bottom row of the widgets. Observe the following indications:
- Shared IP addresses
Several users sharing the same IP address can be a sign of a cyber threat.
- IP belongs to TOR
TOR is a tool that enables users to establish anonymous communication with digital platforms. Since the TOR network makes it more difficult to trace a user’s activity, it might be used to cover felonious actions.
- Multiple IP addresses
It is typical for cybercriminals to hide their actual location and identity behind different IP addresses. The higher the number of IP addresses used, the more attention should be given to the examination of the corresponding user behaviour.
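To make the three IP signals above concrete, here is an added Python example (not part of the console or its documentation) that computes them over a constructed batch of user sessions and ranks users so the ones triggering the most signals come first. The session records and the TOR exit-node set are constructed stand-ins; in practice the exit-node list would come from an external feed.

```python
from collections import defaultdict

# Constructed sample of user sessions: (user_email, ip_address). Not real data;
# addresses come from the RFC 5737 documentation ranges.
SESSIONS = [
    ("alice@example.com", "192.0.2.10"),
    ("alice@example.com", "192.0.2.10"),
    ("bob@example.com", "192.0.2.10"),
    ("carol@example.com", "192.0.2.10"),
    ("dave@example.com", "198.51.100.7"),
    ("dave@example.com", "198.51.100.8"),
    ("dave@example.com", "198.51.100.9"),
    ("dave@example.com", "203.0.113.4"),
    ("erin@example.com", "203.0.113.4"),
]

# Constructed stand-in for a TOR exit-node list (assumption: real deployments
# load this from an external feed rather than hard-coding it).
TOR_EXIT_NODES = {"203.0.113.4"}


def shared_ip_addresses(sessions, min_users=2):
    """IPs used by at least min_users distinct users ('Shared IP addresses')."""
    users_by_ip = defaultdict(set)
    for user, ip in sessions:
        users_by_ip[ip].add(user)
    return {ip: u for ip, u in users_by_ip.items() if len(u) >= min_users}


def multiple_ip_addresses(sessions, min_ips=2):
    """Users seen on at least min_ips distinct IPs ('Multiple IP addresses')."""
    ips_by_user = defaultdict(set)
    for user, ip in sessions:
        ips_by_user[user].add(ip)
    return {user: ips for user, ips in ips_by_user.items() if len(ips) >= min_ips}


def tor_users(sessions, exit_nodes):
    """Users with at least one session from a known TOR exit node ('IP belongs to TOR')."""
    return {user for user, ip in sessions if ip in exit_nodes}


def review_order(sessions, exit_nodes):
    """Rank users by how many of the three IP signals they trigger (ties alphabetical),
    giving the order in which an operator would scrutinise them."""
    shared, multi, tor = shared_ip_addresses(sessions), multiple_ip_addresses(sessions), tor_users(sessions, exit_nodes)
    users = {user for user, _ in sessions}

    def signal_count(user):
        on_shared = any(user in members for members in shared.values())
        return int(on_shared) + int(user in multi) + int(user in tor)

    return sorted(users, key=lambda u: (-signal_count(u), u))
```

Here dave triggers all three signals, erin two, and the three users sharing 192.0.2.10 one each; each signal alone is only a prompt for closer inspection, as the text above notes.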
Procedures Outline
Consider the action plan below as the foundation of an operator's routine.
- Open the Review queue page. Alternatively, open the Users page.
  Apply the steps in 1.A. to the rows marked as Not reviewed.
- Open the Rules page.
  Open the Dashboard page. Set a time period in the upper-right corner of the page. Scrutinize entities in the top rows of the following widgets: Shared IP addresses, IP belongs to TOR, Multiple IP addresses.