A common visualization for the Internet is an iceberg. The indexed ‘surface’ web is the small part above the waterline, commonly estimated at less than 10% of the whole; the remaining 90% or so is non-indexed and known as the deep web. A small subset of the deep web consists of deliberately hidden information and services: the dark web, or darknet.
It’s a common misconception that the darknet is purely for illicit activity. Onion routing, the technology behind Tor, was developed at the US Naval Research Laboratory in the mid-90s; once it became publicly available, users jumped at the concept, seeing the darknet as a platform to freely share information, software and services without fear of censorship.
The darknet has several features which enable this, including anonymous marketplaces, hidden forums and a lack of state-based governance. The New York Times, for example, publishes on the darknet to reach readers whose governments might block access to its regular site, while Tor has reportedly been used by activists to undermine regimes in North Africa.
A resource for cybercrime
This same ‘freedom’ has also enabled criminal underground actors to operate in something of a safe space. The illegal information and services there are limited to specific internet users: those who gain access via Tor, I2P, invitation-only closed forums or Telegram groups, or those with enough technical skill to force their way in.
Within these spaces, threat actors market their services and seek recommendations and reviews in much the same way as legitimate sellers. Their goods can be bundled together or sold as kits, which lowers the barrier to entry for would-be cybercriminals. For example, a less sophisticated attacker can purchase their own stealer malware, perhaps including a user manual or 24/7 customer support, deploy it to harvest credentials from a target, then sell those credentials on to a buyer in a different marketplace.
We outline some of these methods in our in-depth report into the Credential Theft Ecosystem.
Given the darknet’s structure, criminals often join forums to find the most valuable material. In many cases you have to contribute to these forums in order not to get banned; in others, you need to be invited, or even vouched for by a trusted contact, to gain access. In these closed forums, for example, the highest-quality credentials are traded through personal relationships and private messages rather than sold openly.
What data should companies be looking for, and why?
Companies should look first for data related to their own organization. Compromised credentials, for example, are traded in dark web marketplaces, and the faster an organization detects them, the better: proactively monitoring the dark web and finding stolen credentials at an early stage, within days of their compromise, can massively reduce the impact of an attack.
Additionally, we recommend monitoring (using defined search terms) for documents or PII which might have been stolen or unintentionally leaked. Confidential documents shared on poorly secured file-sharing providers, for example, often end up on the dark web, and this can affect far more people than the documents’ owners. Stricter data protection regulations mean that data leaks can have an even larger impact on an organization’s bottom line, as well as on its reputation. When a GDPR penalty is assessed, a company that can demonstrate robust detection capabilities can reduce its liability; this is covered in our GDPR whitepaper, available to download for free here.
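To make the two monitoring tasks above concrete (matching leaked credentials against your own accounts, and running defined search terms over leaked text), here is an added example of the matching logic an organization would run over what a crawler returns. It is written for this article and is not Blueliv’s code; the watched domains, search terms and the sample combo list and leak text are all constructed for illustration.

```python
import hashlib
import re

# Hypothetical watchlist for the monitored organization (not from the article):
# exact domains whose accounts we care about, and search terms for documents/PII.
WATCHED_DOMAINS = {"example.com", "corp.example.com"}
SEARCH_TERMS = ["Project Falcon", "CONFIDENTIAL", "passport number"]

# Constructed sample inputs standing in for what a dark-web crawler might
# return: a credential "combo list" (email:password or email;password per
# line) and a pastebin-style text leak. None of this is real data.
SAMPLE_COMBO_LIST = """\
alice@example.com:Winter2024!
bob@other.org:hunter2
carol@CORP.example.com;Pa55word
mallory@example.com.evil.net:decoy
alice@example.com:Winter2024!
this line is not a credential
"""

SAMPLE_LEAK_TEXT = """\
Re: Project Falcon budget - CONFIDENTIAL - do not forward
applicant passport number: X1234567
"""

# One combo-list line: address, a ':' or ';' separator, then the secret.
COMBO_RE = re.compile(r"^\s*([^\s:;@]+@[^\s:;@]+)\s*[:;]\s*(\S+)\s*$")


def fingerprint(secret: str) -> str:
    """Short SHA-256 of a leaked secret so repeat leaks can be correlated
    without the monitoring system storing plaintext passwords."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def find_compromised_credentials(dump: str, watched_domains) -> dict:
    """Map each monitored account found in `dump` to the set of fingerprints
    of the secrets leaked for it (deduplicated across repeated lines).

    The domain is compared exactly, not as a substring: a naive
    `"example.com" in line` check would also fire on the decoy address
    mallory@example.com.evil.net in the sample."""
    hits: dict = {}
    watched = {d.lower() for d in watched_domains}
    for line in dump.splitlines():
        m = COMBO_RE.match(line)
        if not m:
            continue  # not in combo-list form; ignore
        email, secret = m.group(1).lower(), m.group(2)
        if domain_of(email) not in watched:
            continue
        hits.setdefault(email, set()).add(fingerprint(secret))
    return hits


def find_search_terms(text: str, terms) -> dict:
    """Map each search term to the 1-based line numbers on which it appears
    (case-insensitive); used for documents and PII rather than credentials."""
    patterns = {t: re.compile(re.escape(t), re.IGNORECASE) for t in terms}
    found: dict = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for term, pat in patterns.items():
            if pat.search(line):
                found.setdefault(term, []).append(lineno)
    return found


def report(dump: str, leak_text: str) -> list:
    """Human-readable summary of the alerts an analyst would triage."""
    creds = find_compromised_credentials(dump, WATCHED_DOMAINS)
    terms = find_search_terms(leak_text, SEARCH_TERMS)
    lines = [
        f"{email}: {len(fps)} distinct secret(s) leaked, fingerprints {sorted(fps)}"
        for email, fps in sorted(creds.items())
    ]
    lines += [f"term {term!r} found on line(s) {nums}" for term, nums in terms.items()]
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_COMBO_LIST, SAMPLE_LEAK_TEXT):
        print(line)
```

Two design choices matter in practice: the account domain is matched exactly rather than as a substring, so lookalike addresses do not generate false alerts, and leaked passwords are reduced to a hash fingerprint so the monitoring pipeline itself does not become a store of plaintext credentials while still allowing an analyst to tell a fresh leak from a re-post of an old one.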
Companies should also monitor the dark web for exploit kits, actors and TTPs that could target their sector more generally. Enhancing visibility and gathering relevant, actionable intelligence from dark web sources helps security teams strengthen their security posture and put appropriate defence measures in place before adversaries strike.
“Know your enemy”
The darknet is tough, but not impossible, to penetrate. There are ‘public’ Tor indexers, but these can’t reach closed forums or other networks such as I2P, Freenet or ZeroNet. Our threat intelligence modules crawl the darknet, index the content and provide a search engine to customers who purchase these services. Forums, meanwhile, may need to be penetrated in the same way as a real-world criminal organization: going in undercover and conducting espionage.
Using these methods is like placing a spy in the enemy’s camp: listening in on conversations to prevent attacks before they happen, hunting for malware that exploits unpatched vulnerabilities, discovering new TTPs that could impact an organization, and searching for compromised credentials and other confidential information.
Despite these tools, the question remains whether you can actually fight crime effectively on the darknet or, like so many real-world security forces, simply try to keep illicit activity from spilling over into the public domain.
The best way to fight cybercrime on the darknet is to operate in much the same way as the bad guys. Where they build communities to exchange information and TTPs, so must we. In May 2017, Europol launched a dedicated team “to find sustainable solutions and a common coordinated approach to respond to criminality on the dark web.” Threat intelligence involves actor tracking and the sharing of IOCs and malware distribution information, all of which enables private sector entities to collaborate better amongst themselves and with law enforcement. Ultimately, we’re on the same side.
Blueliv has its very own Threat Exchange Network: this community of law enforcement professionals, academics and security practitioners has thousands of members and is free to join.
Proactive threat monitoring improves resilience in several ways, but the key is using fresh, actionable intelligence to eliminate blind spots in your threat landscape. For a demonstration of our intelligence capabilities, request a demo here.