The Basics of Due Diligence

Last month, Centry blog featured an article on identifying tells associated with Third Party Risk as it relates to your business. Today, we will dive into the basics of what comes next – conducting due diligence.

What is Due Diligence?

Due diligence is the act of making reasonable inquiries of an individual or entity that has been flagged as a potential risk.

The first step is to have a written policy, which ought to be followed with significant documentation – there should be a due diligence file for each individual investigation. However, when creating due diligence policy, there is no one size fits all solution. Thus, a business should engage in risk ranking and develop a policy according to it.

Where Do We Start?

Figure 1. Course of Action

This may sound like a lot to organize, especially around unique cases, but there is a step-by-step approach to implementing the due diligence program.

Step 1. Classify Third Parties

We established the different classifications of Third Parties in our Quick Tips to Recognize Third Party Risk article. For a quick refresher, these can be any of the following:

Commercial third parties (e.g. agents and distributors), regulatory third parties, vendors/suppliers, professionals, and local officials.

Decide where the object of interest falls in one of these categories and then you will be able to progress to the next step.

Step 2. Develop a Risk-Ranking Formula

It is important to create an objective system, rather than a subjective system of ranking, which relies on gut feelings and personal perspectives. The use of a consistent risk formula and policy is the best course of action to protect the due diligence system and your organization.

A value should be assigned to each category of risk according to how important it is. To define the value of each risk category, it is practical to use a scale of 0 to 100, as seen in the following chart, where low risk is 0-30, medium risk is 31-70, and high risk is 71-100. For the low risk threshold, only a basic level of due diligence is necessary. As the risk value escalates, more emphasis should be put into the inquiries, potentially leading to a formal investigation.

Figure 2. Example Risk Value Graphic

The chart below visualizes the weight of each risk category. It should also be considered that combinations of categories raise the risk level of the subject.

Figure 3. Example Risk Classification Pie Chart

With the risk value of the individual/entity established, the due diligence process can continue.

Step 3. Monitoring and Auditing

The biggest thing to keep in mind is that due diligence is fluid. Things change as new events and connections occur and new information becomes available. For this reason, it is best to have an annual auditing plan developed from the same risk formula. Depending on the business, the available auditing resources and the risk criteria, specific steps can be taken based on thresholds of risk value. For example, one may issue spot-checks on specific issues when a certain threshold of risk is reached. There may also be transaction testing, desktop or phone audits, as well as formal audits.
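As an added worked example (not Centry's own formula or tooling), the following Python encodes Steps 1 to 3 as one function: classify the third party, combine per-category scores into a 0-100 risk value, escalate it when several categories are elevated, and map the resulting band to a due diligence depth and audit actions. The category names, weights, combination bump and audit-action lists are constructed placeholders; only the 0-100 scale and the low/medium/high bands come from the article.

```python
"""Risk-ranking example for a third-party due diligence policy.
Added illustration, not Centry's formula or tooling: category names, weights,
combination bump and audit actions are constructed placeholders; the 0-100 scale
and the low/medium/high bands are the ones the article describes."""
from dataclasses import dataclass

# Step 1: the third-party classes a subject can fall into.
THIRD_PARTY_TYPES = {"commercial", "regulatory", "vendor", "professional", "official"}

# Step 2: constructed category weights (they sum to 1.0); which categories matter
# most is a policy decision that the risk-ranking chart would fix.
CATEGORY_WEIGHTS = {
    "country": 0.30,           # where the third party operates
    "government_touch": 0.25,  # dealings with public officials
    "payment_terms": 0.20,     # unusual commissions, offshore accounts
    "ownership": 0.15,         # opaque beneficial ownership
    "reputation": 0.10,        # adverse media, past litigation
}

# Constructed rule for "combinations of categories raise the risk level":
# every elevated category beyond the first adds a flat bump to the score.
ELEVATED_CUTOFF = 70
COMBINATION_BUMP = 5

# Bands from the article: low 0-30, medium 31-70, high 71-100.
BANDS = ((30, "low"), (70, "medium"), (100, "high"))

# Step 3: constructed mapping from band to due diligence depth and audit actions.
DUE_DILIGENCE_LEVEL = {"low": "basic", "medium": "enhanced", "high": "formal investigation"}
AUDIT_ACTIONS = {
    "low": ["annual desktop audit"],
    "medium": ["annual desktop audit", "phone audit", "spot-check on flagged issues"],
    "high": ["transaction testing", "formal audit", "attorney approval", "Advice of Counsel letter"],
}

# Constructed sample: three elevated categories push a weighted 67.75 into the high band.
SAMPLE_SCORES = {"country": 80, "government_touch": 90, "payment_terms": 40,
                 "ownership": 75, "reputation": 20}


@dataclass(frozen=True)
class RiskAssessment:
    subject: str
    third_party_type: str
    weighted_score: float   # weighted sum before the combination bump
    score: int              # final 0-100 risk value
    band: str
    due_diligence: str
    audit_actions: tuple


def band_for(score: int) -> str:
    """Map a 0-100 score to its band using the article's thresholds."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    return next(name for limit, name in BANDS if score <= limit)


def score_third_party(subject: str, third_party_type: str, category_scores: dict) -> RiskAssessment:
    """Risk value for one subject from per-category scores (0-100 each).
    Every policy category must be scored: a missing one is a gap in the
    due diligence file, not a zero."""
    if third_party_type not in THIRD_PARTY_TYPES:
        raise ValueError(f"unknown third-party type: {third_party_type}")
    missing = set(CATEGORY_WEIGHTS) - set(category_scores)
    unknown = set(category_scores) - set(CATEGORY_WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for cat, value in category_scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{cat} score out of range: {value}")
    weighted = sum(CATEGORY_WEIGHTS[c] * category_scores[c] for c in CATEGORY_WEIGHTS)
    elevated = sum(1 for v in category_scores.values() if v >= ELEVATED_CUTOFF)
    bump = COMBINATION_BUMP * max(0, elevated - 1)
    score = min(100, round(weighted + bump))
    band = band_for(score)
    return RiskAssessment(subject, third_party_type, weighted, score, band,
                          DUE_DILIGENCE_LEVEL[band], tuple(AUDIT_ACTIONS[band]))
```

Calling `score_third_party("Example Agent Ltd", "commercial", SAMPLE_SCORES)` returns a score of 78 in the high band, showing how the combination rule lifts a subject that would otherwise sit at the top of the medium band.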

Document Everything!

To conduct due diligence safely, the file for each investigation should be substantial. Consider it a running log of the due diligence process. The file should contain every piece of information related to the investigation and every action taken. At appropriate points, it should also hold attorney approvals for actions proposed and taken. In very high risk circumstances, it should include an Advice of Counsel letter.

If there are any questions on how to proceed further with due diligence, a representative at Centry would be happy to help. Feel free to contact us at info@centry.global.

This article was written by Kristina Weber, Content Supervisor of Centry. She holds a Bachelor’s Degree in History from the University of Calgary.

Case Study: The In Amenas Hostage Crisis

On 16 January 2013, the AQIM splinter faction ‘Signed in Blood Battalion’, a group which normally operates in southern Algeria, attacked a natural gas facility near In Amenas in Western Algeria.

Terrorist Attacks on Business Operations

The operation commenced when vehicles transporting expatriate and local workers from the facility to the nearby airport were intercepted by what appeared to be security personnel, based on the use of false uniforms and vehicle markings, an act of perfidy which disguised the militants and prevented the workers from escaping.

Another group assaulted the main gate of the complex, employing RPG and heavy machine gun fire to suppress local security personnel, enabling them to enter the facility and start taking hostages. This included going from room to room at the residential complex immediately outside the facility, dragging out Western expatriates who were hiding from the danger. The hostages were gathered in groups and forced to wear explosive belts, and many others were bound and gagged.

Within an hour, the facility was surrounded by Algerian military forces, preventing escape. This may well have been according to plan for the militants, as their leader, Mokhtar Belmokhtar, specialized in kidnap-for-ransom operations. Another indicator is the relatively light damage sustained by the complex itself, suggesting the militants did not intend to remain and destroy the facility.

The Algerian government, which has a firm no-ransom policy, always takes a hardline approach with militants. As such, it should come as no surprise that they launched attacks without consulting with foreign governments, some of whom could have provided valuable hostage rescue capabilities. A series of armed assaults over several days, which included the use of tanks and helicopters, resulted in the deaths of 39 expatriate workers, as well as over 20 militant fighters.

Although the operation failed to achieve a ransom, and the entire attacking force was either killed or captured, one desirable outcome for Belmokhtar was that he earned notoriety and prestige among other militants. This was important because he was a rival of the AQIM leader, Abu Musab Abdel Wadoud.

Insights

  1. Local security forces are not always reliable. The government security forces neither detected nor intercepted the attacking force prior to the assault, despite the importance of the plant. On the other hand, the attack also highlighted the difficulty of preventing terrorist attacks by a determined adversary, a problem that is not unique to Algeria.
  2. Suspected subversion among the staff. It is probable that some staff members provided intelligence to the militants, which enabled the attack. This reinforces the importance of independently vetting locally employed workers.
  3. Local security guards were overwhelmed. They could not hold out against the superior firepower of the attacking force, and thus were unable to deny penetration of the facility.
  4. Lack of ‘panic rooms.’ Expatriate workers were unable to access any fortified facilities to ensure their safety, as these facilities did not exist. A residential area may, therefore, benefit from a central location that can be defended until reinforcements arrive.
  5. The militants made no distinction between the nationalities of the expatriate workers. Those who were killed came from ten different countries, ranging from the US, to the UK, to Norway and Japan.
  6. The Algerian government maintained its no-negotiation policy. The government of Algeria has a policy that it will never negotiate with terrorists, and the attack at In Amenas was no exception, even though a large number of foreign citizens were in danger. It is likely that Algiers regrets the loss of expatriate lives; however, it sees its actions as a necessary requirement, since they successfully proved its commitment to destroying terrorist groups. Furthermore, the Algerian Army lacks the training, experience, and equipment to undertake hostage rescue operations that minimize the risk of casualties among those taken hostage.

Spies in History: The Story of Elizabeth Bentley

Figure 1. Elizabeth Bentley testifying before the House Committee

In 1945, American-born Elizabeth Bentley defected from her role as a Soviet spy and outed more than eighty associates in her network, many of whom held positions in the government of the United States. She had contacts in the Office of Strategic Services, War Production Board, Board of Economic Warfare, U.S. Senate, Foreign Economic Administration, U.S. Army and Army Air Force, Treasury Department, State Department, Office of the Coordinator of Inter-American Affairs, and the White House itself.

A Self-Made Spy

Bentley’s career in espionage began of her own volition in 1935, when she took a job at the Italian Library of Information in New York City, which was colloquially known as fascist Italy’s propaganda bureau. During her time working there, she expressed interest to the Communist Party of the United States (CPUSA) in spying on fascists. An NKVD officer named Jacob Golos was assigned as her primary contact.

When Golos was forced to register as an agent of the USSR, he was not able to manage the bulk of his work, and so he gave Bentley some responsibility for the network. She was primarily in charge of the day-to-day business of a front organization, the United States Service and Shipping Corporation. Most of her contacts were part of what was known as the Silvermaster Group, a network of agents centered around Nathan Gregory Silvermaster.

After Golos died in 1943, Bentley continued her work in espionage and ultimately took his place. Her new point of contact was the leading NKGB undercover spy chief, Iskhak Akhmerov. Her network expanded when CPUSA General Secretary Earl Browder gave her responsibility for the Perlo Group, which had contacts in the War Production Board, United States Senate, and the Treasury Department.

She resisted the order to have her contacts report directly to Akhmerov rather than a chain that went through her to him. Eventually she was forced to give up her sources and quit her position at U.S. Service and Shipping.

A year later, she met with her newest NKGB contact, Anatoly Gorsky, and threatened to become an informant, after which Gorsky recommended that the next course of action be to eliminate her as a threat. The real impetus came when Louis Budenz, one of her sources at the CPUSA newspaper, decided to defect. Thus Bentley, likely feeling that she was stuck between a rock and a hard place, ultimately made her choice to defect on November 6, 1945.

FBI Response

When Bentley defected, she exposed her former networks to the FBI, including more than thirty individuals who worked in the government. The FBI briefly contemplated using Bentley as a double agent, but discovered within the year that it would not work. News of her defection had reached leaders in Moscow through Kim Philby, a high-ranking member of MI6 who was later exposed as a double agent. The timing was such that the FBI could not gather any direct evidence of the espionage. So the FBI moved to its next choice: urging the accused to confess. That failed as well, because Moscow had ordered Bentley’s sources to cease espionage activity, destroy incriminating material, and prepare for FBI scrutiny. Bentley’s sources were under strict orders not to confess.

Much of the doubt surrounding Bentley’s testimony had to do with the fact that she had no ‘smoking gun’ evidence, as only private corroboration and classified documents substantiated her claims; as such, in court it came down to her word against that of the accused. Her testimony did, however, launch extensive investigations into the names, and it was found that her story corroborated many of the FBI’s suspicions. One FBI agent later recalled that “We had files here, there, and everywhere … and she kind of sewed it all together.” (Red Spy Queen, p. 100) This ran in conjunction with the FBI project called Venona. Ultimately, Venona fully corroborated the information that Bentley gave; however, Venona was not declassified until the USSR collapsed, and by then Bentley’s case was a distant memory.

The Public Response

Something else to consider is simply that Americans were struck with disbelief by the magnitude of her testimony. The people that Bentley named as associates were so deeply entrenched in all avenues of American politics and management that it was difficult for the public to suddenly consider that these people were feeding information to a foreign power. Bentley appealed to the public fear of Communism, suggesting that communist spies had a plan to overthrow the government and represented a threat as real as the Fascists. This is particularly important in the context of the period, as the United States had just come out of World War II, so whether or not it was Bentley’s intent to scare her listeners, that would have been a simple way to get the message across.

The wave of fear that washed over the American public led to serious doubt in the Truman administration. Historians Haynes and Klehr suggest that the testimony made Americans believe that the government had been complacent about Soviet espionage, and that the CPUSA in their home was an instrument of a hostile power. This has depth when considering the historical context. While there were anti-communist sentiments rising in Europe over the division of post-war Germany, the memory of the alliance with the Soviet Union only a few years prior was still fresh in the minds of the American public. So, finding out that the USSR was conducting espionage in their home would invite a sense of betrayal.

Both sides of American politics took the opportunity presented by Bentley’s defection to criticize their opposition. Because Venona could not be used as evidence for her claims, many Americans saw the accusations as a symbol open to interpretation and use for the benefit of any party, even those in opposition. Some saw it as part of a conspiracy by conservatives to uproot the Truman administration’s New Deal programs, which were topics of much contention at the time. Conversely, the proponents of the New Deal saw Bentley as a threat to the reputation of the men who had supported these reforms, because many of the people she accused were in the government. The House Un-American Activities Committee (HUAC) leaped on the opportunity to criticize the Truman administration when it called Congress into session over inflation rather than Soviet infiltration. Ultimately, the public response to her testimony propelled HUAC into the McCarthy era. Bentley’s accusations and the fear they elicited served as a stage for Senator Joseph McCarthy to stand upon while preaching the danger of Soviet infiltration.

Why is this important?

Her testimony is important in history as it was one of the first accusations of the Cold War to shed light on espionage conducted by another world power. Her defection alone named a vast number of spies and put a hold on Soviet espionage in the U.S.A. Of her testimony, Haynes and Klehr mention how professionally she described her role and listed the names of her former associates, many of whom had been federal officials that “handed over government military and diplomatic secrets to the USSR.” (Haynes & Klehr, pp. 72-73) The hold on espionage came from a Soviet desire to protect its intelligence by shutting down its active contacts in the United States. They withdrew their officers and many others, even outside of Bentley’s network. Knowledge of the magnitude of this shutdown was only available after the collapse of the Soviet Union and the declassification of documents, so Olmsted suggests that scholars before that time under-appreciated the extent to which Bentley affected Soviet espionage in America. Now that the documents have been declassified, we know with certainty that Elizabeth Bentley’s testimony was accurate, and can truly assess the impact she had on the Cold War.

Sources

Fried, Richard M. “The ‘Red Spy Queen’ in a Male World.” Diplomatic History, Vol. 7, Issue 5. Blackwell Publishing Ltd. (pp. 741-745)

Haynes, John Earl, and Harvey Klehr. Early Cold War Spies. 1st ed. New York: Cambridge University Press, 2006. Print. (pp. 60-89)

Kessler, Lauren. Clever Girl: Elizabeth Bentley, the Spy Who Ushered in the McCarthy Era. Harper Perennial, 2003. (pp. 144-147)

Olmsted, Kathryn S. “Blond Queens, Red Spiders, and Neurotic Old Maids: Gender and Espionage in the Early Cold War.” Published online: 25 May 2006. (pp. 78-91)

Olmsted, Kathryn S. Red Spy Queen. Chapel Hill: University of North Carolina Press, 2002. (pp. 7-204)

Weinstein, Allen, and Alexander Vassiliev. The Haunted Wood: Soviet Espionage in America – The Stalin Era. Modern Library, 2000. (p. 102)

Wilson, Veronica A. “Elizabeth Bentley and Cold War Representation: Some Masks Not Dropped.” Intelligence and National Security 14, no. 2, 1999. (pp. 49-63)

This article was written by Kristina Weber, Content Supervisor of Centry. She holds a Bachelor’s Degree in History from the University of Calgary.

Exploring the Dark Web, pt. 2

While many Darknet users use these networks for legal reasons, such as increased security through anonymity, most of the services hosted at the TOR network’s “.onion” addresses are illegal, unethical or borderline legal. The few licit services include, for example, whistle-blowing and political platforms that protect users from persecution by oppressive regimes.

Threats on the Dark Web

Darknets are utilized for every type of illegal activity that can be imagined. Black markets have taken advantage of TOR and Bitcoin infrastructure. With their help, the volume of online drug sales has increased exponentially, and some counterfeit products can be purchased in bulk. Various digital goods can also be purchased from these markets, including personal information, credit card numbers and step-by-step crime instructions. Furthermore, Darknets are also used by hacktivists and terrorists.

Figure 1. Search Results, Drugs & Chemicals category

Figure 2. Search Results, Fraud category

Some of the products and services sold through Darknet are more often scams than real. For example, weapons are usually scams if they are not sold through a 3rd party marketplace. Even then, there is a high chance that they are not genuine, since the prices can outweigh the 3rd party marketplace security deposits.

 

3

Figure 3. Search results, Weapons>Pistols categories

 

Malicious services are also offered through Darknet. Hackers, scammers, money launderers and counterfeiters offer their services through Darknet markets. It is sometimes possible to find local-language forums where people crowd-source crime planning, post job adverts, and search for employment. Some of the common things people are hired for include debt collection, smuggling, distribution, acting as a front/dummy, and assault.

The business models for crimes that are organized through Darknet are usually those that are most commonly typical for cyber-crime. This can be referred to as Crime as a Service (CaaS). Criminals who operate in this way are specialized in their fields of expertise and provide services to each other. This can maximize profits and minimize risks. Even training and consulting services are offered to criminals.

Darknet 3rd party markets can be very lucrative enterprises, but they are the most visible form of crime in Darknet, which makes them prime targets for law enforcement and financially motivated hackers. What is interesting is that the product the marketplace owners are actually selling is trust: without the help of these marketplace service providers, there are very few ways to make sure that someone anonymous will deliver the product or service you pay for. It is in the market service providers’ interest to make sure that the information, transactions, and anonymity of their users are secure. Some of the service providers claim to have audited their services and infrastructure with the most expensive security consultants available.

 

4

Figure 4. Screenshot of a specialized website offering consulting services for criminals

 

The Dark Web and Intelligence

The Dark Web is a possible intelligence source for identifying threats and has several other uses. However, it is difficult to find real content in a sea of false information and scams. If you are able to understand the phenomenon and the culture, you should be able to reap some of the benefits.

Accessing the Dark Web from a corporate network is not safe. If there is an interest in using it for gathering intelligence, one should assess the need for precautions, such as setting up a dedicated Darknet-only computer with a dedicated connection, e.g. a prepaid mobile internet connection. Threats such as phishing via cloned websites are more commonplace in Darknet. Many of the illegal users pay with bitcoins, making them tempting targets for financially motivated hackers and scammers. As a long-term solution for light usage, one should set up an appropriate operating system. Tails Linux is a good alternative: its benefit is that it does not write anything to drives and it wipes memory after each use.

Surfing through Dark Web content for threat information is not all-inclusive, as the more sensitive aspects of crimes are discussed person to person. Our professionals at Centry are currently exploring different mitigation options that are related to the digital underground, and would be delighted to discuss the topic further.

Exploring the Dark Web, pt. 1

Most security professionals have heard the term Dark Web, and information security professionals browse through it routinely. However, the use of anonymizing infrastructure is no longer an issue that involves only information and cyber-security. The spectrum of threats is very wide and consists of pretty much anything you can imagine.

Figure 1. An anonymous user looking for dummy fronts in a Finnish-language forum.

Background Information: Terminology

Clearnet refers to the traditional World Wide Web and the areas of the internet that are accessible to search engines. Its services identify their users by IP address.

Deep Web refers to the parts of the internet that are not visible to common search engines.

Bitcoin is the most popular cryptocurrency available. As a currency system, it is decentralized, making it difficult for governments to regulate and for officials to trace. Each Bitcoin is unique and the transaction system is open source, so Bitcoin is not exactly built to support anonymity; however, services exist that can enhance it. Darknet users use Bitcoin tumbler services to prevent tracking. A tumbler deposits the bitcoins into a large pool, shuffles them, and then lets the user withdraw different bitcoins to another bitcoin wallet.

Figure 2. Bitcoin exchange machine in a Finnish shopping mall, 24 Feb 2017

Darknet as a term is usually associated with an encrypted overlay network that is accessed with a specific method.

The most popular darknet is the TOR network, also known as The Onion Router. It is a network of thousands of proxy servers that shuffle the traffic inside the network for anonymity. Addresses ending in .onion are only reachable through this proxy network. Other darknets exist, but they have not gained similar popularity. The Dark Web is the content that is accessed through these networks.

Background Information: Online Marketplaces

Goods and services are traded through several channels in Darknet. A lot of transactions are made through 3rd party moderated marketplace service providers. These services offer buyers and sellers a platform with bitcoin accounts, an escrow system, an anti-fraud policy and a feedback system. When a buyer orders a product, bitcoins are placed in escrow, which releases the funds to the seller after the buyer verifies that he or she received the product. This is not scam-proof, because in disputes it is one word against another, and it could also be the buyer scamming the seller. Many of the 3rd party moderated black markets require a substantial registration fee or security deposit from seller accounts; in case of misconduct this deposit is not refunded to the seller. The feedback systems work in a similar fashion to eBay’s feedback system.

Several bulk vendors have set up their own websites to sell and market their products. Most of these types of websites are scams. However, they should not be totally neglected as some of the one-vendor-only sites are real and connected to major vendors in popular 3rd party markets.

Various forums and boards with little or no moderation are also popular channels for vending. In these forums you can find vendors that cannot afford security deposits or want to sell items that are against mainstream marketplace policies. Usually the only safeguard against scamming in these forums is a feedback system. In local-area markets, some of the users meet face to face for bigger transactions. In these forums and markets you are also likely to find goods, services and various things offered as short-term or one-time deals, such as job ads, job-seeking profiles, business offers, company insider information and stolen goods.

Less visible channels for online black market trading are person-to-person conversations in anonymous messaging services. It seems likely that bigger bulk purchases and custom or sensitive orders are handled via private conversations.

Dark web services are constantly hunted by law enforcement, other criminals and vigilantes. The services are not untouchable, as is clear from this recent incident, which sparked a lot of news stories and social media shares.

Figure 3. Social media analysis of shares and comments

Link to a story about the incident:

https://www.scmagazineuk.com/major-dark-web-host-hacked-381000-sets-of-user-details-leaked-online/article/636259/