Investigations & Intelligence

Week 6

CJ407/CJ507 Digital Safety © The University of Alabama at Birmingham / Trust and Safety Teaching Consortium

Learning Objectives

  • Learn investigations and intelligence team roles
  • Understand the investigations and intelligence lifecycle

Role Definitions

Investigations

  • Deep dive into past and present behavior
  • Looking to uncover networks
  • Work with leads
  • Outcomes result in actions, refinements, and monitoring

Content Moderation vs. Investigations

Both part of Trust & Safety team

Content moderation detects, labels, and removes content

Investigations seeks to uncover networks and patterns and shapes the work of content moderation teams

Different workflows and skill sets

Source: Trust & Safety Professional Association

Intelligence

  • More forward looking
  • Emerging and evolving trends
  • May be focused on certain actor groups

Job Titles

Other specific roles also commonly seen:

Child Safety Investigator

Fraud Analyst

Payment Abuse Analyst

Counterterrorism Analyst

Information Integrity Analyst

In general: Analyst, Investigator, Investigations Analyst, Abuse Analyst

Individual contributors (ICs) may be generalists or subject matter experts (SMEs) in topics/verticals

Source: Trust & Safety Professional Association

Threat Intelligence Lifecycle

Lifecycle

Planning

Collection

Exploitation

Analysis

Dissemination

5Ws+H Investigation Framework

  • WHO: Victim/Actor
  • WHAT: Abuse/Crime
  • WHERE: Location
  • WHEN: Length/Timing
  • WHY: Motivation/Purpose
  • HOW: Methodology

How Actors Differ

Actors differ by skill/ability level, motivation, targets (size and type), and funding/support

Some actors want secrets to use themselves or to pass to other teams in their organization or government; others seek funds, or data they can sell for funds; and still others seek revenge

Some actors want recognition for their conquests, while others want the opposite: to keep their name unattached so that less is known about their organization

Some actors act alone while others have very organized teams assigned to specific goals

Attribution Differences

Organized (Financial) Cybercrime Gangs

Ability Level: High level of hacking and malware skills with organized structure

Motivation: disruption and financial gain directly from the hack or from reselling data

Targets: Large corporations with some focus on retail, banking, healthcare, or larger financial teams

Nation State Groups

Ability Level: High level of hacking, malware, programming, and reconnaissance skills well supported by funds and training from their government

Motivation: disruption, data or knowledge theft, fundraising

Targets: Critical infrastructure, military, government and contractors, political organizations

Risk Mitigation

  • Potential for and likelihood of harm to the company and users
  • A key focus of all Trust & Safety teams
  • Involves determining and mitigating
  • May involve regulations, advertisers, employees, company reputation and funds

Process

Identification of abuse lead

Assessment of case and damage potential

Review of possible actions

Recommendation of next steps

Investigations and intelligence may be combined across all topics or combined into focused verticals

Source: Trust & Safety Professional Association

Case Example
