Identifying networks: protect company assets with intelligence tools



Data security is one of the biggest issues for companies in 2015. Criminals are getting better at organising themselves in order to get at valuable company data. The internet and increasingly globalised markets make it easier for perpetrators to hide their criminal machinations. They operate under various bogus identities and disguise interrelationships. Identifying such perpetrator networks is one of the great challenges for company security in 2015. The management of investigation results in Excel, Word and Outlook is no longer sufficient for this. In order to be able to respond effectively to criminal attacks, companies should be smarter than the perpetrators and deploy an intelligent solution.

Companies are increasingly suffering from larger criminal attacks, often without recognising how they relate to earlier attacks. Usually, the attack patterns are systematic, repetitive and complex. Over long periods of time, data and documents are misused or falsified, meaning that services, products and information are obtained surreptitiously. In order to hide their crimes, perpetrators or groups of perpetrators use numerous professional bogus identities, whether phony individuals, companies, addresses or websites. Typical actions by such networks include the following: several websites that do not appear to be linked with one another sell counterfeit products alongside authentic ones; on auction sites, apparently different sellers offer items at a strikingly low price; and scammers pretend to be existing companies with good creditworthiness, such that deliveries of interesting products reach dubious addresses at home and abroad.

Such criminal networks can wrap themselves around companies like spider webs and cause them permanent damage, which often goes unnoticed for a long time. The attacked companies have a chance of identifying them only if they work out the networks' structures in a timely manner and do not assume that they are dealing with individual crimes. Especially popular targets are international groups and SMEs/distributors with interesting products, such as IT/electronics. They offer valuable products and services that are difficult to imitate, that are easy to transport and that can be sold globally. Because their corporate structure spans many national borders, they offer numerous points of attack. In particular, companies in the insurance industry, the IT and high-tech sector, the pharmaceutical industry and brand-name manufacturers in the textiles sector are suitable victims. But larger SMEs are also increasingly falling victim to criminal networks, e.g., leading suppliers for the automotive industry. This is because such ‘hidden champions’ also offer goods that are highly sought after and worthy of protection.

First step: properly classify the threat

How can companies identify these networks? It is important to first properly assess the threat in order to ensure an appropriate response. When an event occurs and all research concerns only the individual crime without considering a network attack, this also means that relatively few resources are dedicated to this case. The response is very different with companies that, because of their knowledge, are capable of seeing how the individual event relates to other events (inside and outside the company). They prioritise the case completely differently because the presumed losses for the company are estimated to be considerably higher. Just as important is properly channelling the incurred costs for investigations and deploying resources in a targeted manner. Identifying a network is also important because criminal prosecution will be more tenacious than for an individual crime due to the higher relevance of the case.

Task: collect and manage data centrally

In order to uncover a possible network, all information of relevance throughout the company should be collected and stored centrally. All questionable events, individuals and companies, as well as the relationships between them, can be collected in a database (taking into account the requirements of data protection). In large companies, such data collection often exists in security, trademark protection or legal departments, primarily in a decentralised fashion. If this information is managed in an up-to-date, cross-departmental manner, new attacks can be matched with those that are already known, and possible networks can be quickly identified. For instance, interrelationships between identities can be ascertained. Various websites (protected, for example, with ‘WHOIS privacy’) can be connected with one another using a ‘website fingerprint’ (containing many individual factors, including a comparison of the Google Analytics accounts being used). Moreover, a simple forensic analysis of the public website data and files (downloaded to a secure offline format), such as photos with GPS and other metadata, and other information, can reveal previously unknown interrelationships between existing information.
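The matching step described above can be sketched as follows. This is an added example, not code from the article or from any product it mentions: it links centrally stored case records that share a Google Analytics account, phone number or address, and groups them into candidate networks. The record fields (`site`, `html`, `phone`, `address`) and all sample values are assumptions constructed for illustration, and the pattern covers only the classic `UA-<account>-<property>` ID format.

```python
import re
from collections import defaultdict

# Classic Google Analytics property IDs look like UA-<account>-<property>;
# two sites sharing <account> were set up under the same Analytics account.
GA_RE = re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b")

def fingerprint(record):
    """Return the set of linkable (kind, value) attributes for one site record."""
    attrs = {("ga_account", m) for m in GA_RE.findall(record.get("html", ""))}
    if record.get("phone"):
        # Normalise phone numbers so formatting differences do not hide a match.
        attrs.add(("phone", re.sub(r"\D", "", record["phone"])))
    if record.get("address"):
        attrs.add(("address", " ".join(record["address"].lower().split())))
    return attrs

def find_networks(records):
    """Group records that share at least one attribute, directly or via a chain."""
    parent = {r["site"]: r["site"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen = {}  # attribute -> first site that carried it
    for r in records:
        for attr in fingerprint(r):
            if attr in first_seen:
                parent[find(r["site"])] = find(first_seen[attr])
            else:
                first_seen[attr] = r["site"]

    groups = defaultdict(set)
    for site in parent:
        groups[find(site)].add(site)
    # Only groups with more than one member indicate a possible network.
    return sorted((sorted(g) for g in groups.values() if len(g) > 1), key=lambda g: g[0])

# Constructed sample records (all names, IDs and numbers are invented).
CASES = [
    {"site": "shop-a.example", "html": "ga('create', 'UA-4455667-1', 'auto');", "phone": "+49 30 5550 100"},
    {"site": "deals-b.example", "html": "_gaq.push(['_setAccount', 'UA-4455667-3']);", "address": "1 Sample Street,  Berlin"},
    {"site": "outlet-c.example", "html": "", "address": "1 sample street, berlin", "phone": "+49 (30) 5550-999"},
    {"site": "blog-d.example", "html": "ga('create', 'UA-9000001-1', 'auto');"},
    {"site": "store-e.example", "html": "", "phone": "+49 30 5550999"},
]
```

Calling `find_networks(CASES)` places four of the five sites in one group even though no single attribute is common to all of them; the link runs through a chain of shared account, address and phone number.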

In full consideration of data protection, this consistent, complete collection of the data of suspicious individuals, events and companies is not only permitted but obligatory. Accordingly, management is responsible for taking the required, reasonable and appropriate steps in order to identify and ward off impending damage early on.

Examine the interfaces between the internet and the real world

If an attack was classified through a link analysis as a potential part of a network, then a very detailed analysis has to be performed to detect all interrelationships and piece together all ‘loose ends’ until the picture of the network is complete. Special attention should be paid to all interfaces at which the virtual world transitions into the real one. For instance, company data listed on the web, such as addresses and phone numbers, and operators of websites are to be verified through research on site. The relevant information then has to be collected and analysed in the database.

It is important that the analyses be performed quickly and proof be collected in a legally compliant manner, since, in many cases, dubious sales offers exist on the internet only for a few days or hours. Bogus identities are abandoned shortly after the event. The IT-based investigation tools suitable for this purpose are now very diverse, and there is no one solution that can handle all tasks. This makes it all the more important that the investigators themselves bring with them a pool of abilities, i.e., current, comprehensive expertise, in order to perform the analyses efficiently and completely with the aid of appropriate tools.

Collect and evaluate information from various sources

Thanks to the internet, the amount of publicly accessible information is so large today that a simple search often leads to a mass of information. In order to be able to use this unstructured data in as targeted a manner as possible, as well as to be able to make comparisons with previous analyses or existing case information, it should be integrated into a central intelligence platform, such as IBM’s i2 solution. With an intelligence platform like this, very large amounts of data from various sources can be analysed very quickly after data collection and import. Even complex search queries can be stored and automatically run again at any time.

From this, various analyses can be performed, such as on domains and websites, link analyses for identifying key individuals and organisations, and investigative due diligence on companies and individuals. The results of the analyses can be used in many ways, e.g., in civil and criminal disputes. A well-considered investment in such a solution thus bolsters corporate security directly by protecting company assets. However, it is important to have a customised solution that meets the customer’s needs precisely and not an out-of-the-box solution.


Jörn Weber is managing director at corma GmbH. He can be contacted on +49 2161 277 850 or by email:

© Financier Worldwide

