March 2, 2017 • Chris Pace
There has been much speculation (not to mention exaggeration) over recent years about the fabled dark web. We’ve heard how this shady underworld is the refuge of the cyber criminal elite and even nation-state threat actors. That this is their “Wolf’s Lair,” where they gather to plot the breaching of businesses, the downfall of governments, and the hacking of celebrities.
As with much mainstream reporting of technology, and in particular cyber threats, there’s a grain of truth here. This less accessible and more volatile corner of the internet as we know it does offer those with less honorable motives a secret marketplace for their wares.
The confusing terminology around what the dark web is or isn’t shouldn’t be a barrier to defenders realizing the potential benefits of information gathered from these anonymous communities, and how it can be used to produce valuable threat intelligence.
So what’s in a name? There has been a tendency to label the dark web as “any website not indexed by Google,” but this definition is far too broad.
Recorded Future’s Director of Advanced Collection, Andrei Barysevich, has worked as a consultant for the FBI cyber division and with international law enforcement on many cases involving Russian cyber criminals. More recently his dark web research has uncovered breaches of government agencies and other organizations. He provides a clearer definition of the dark web:
“The term dark web can be confusing. I’d like to name it the criminal underground. Let’s imagine a nondescript entrance to a bar in a dark alley. A place which you will not find in the yellow pages. If you know the secret knock and password, they’ll let you in. Otherwise, good luck next time. The same concept actually applies to the criminal underground, or dark web communities, which you will not find via Google or any other search engine. Some of them may only be onion sites accessible through Tor, and others might only have an IP address, but no name at all.”
Given that there’s no official classification for the deep web or the dark web, the lines between the two can get a little blurred here. Deep web usually refers to communities not indexed by search engines that are often behind logins but probably don’t require the use of Tor or onion-routing anonymization. The deep web also encompasses not quite so nefarious information, like databases, government sites, and academic journals.
This description of the dark web immediately highlights some of the challenges facing us if we want to access these communities to look for new threats, targets, or technologies. The first hurdle is how do you get in? In many cases, only current members can tell you how to find a particular community. To be accepted, some forums require a nominal fee, and others will ask for a very significant up-front payment, sometimes even reaching thousands of dollars. Even if you have the money, it’s also likely you’ll have to have several members vouch for you.
These dark web forums are broadly divided into two distinct classes. Firstly, the technical sources purely devoted to development of malicious software and supporting infrastructure, and secondly the commercial marketplaces, specializing in the sale of stolen data, financial information, drugs, compromised accounts, and more. The most private and secret forums are likely to have a very limited number of members, often no more than a couple of hundred individuals. These users are hand-picked by the administration and vetted by members. There are also more mainstream communities with hundreds of thousands of registered users and no membership fees at all. If you find a way into any of these communities, it’s only one of many; you’d need to scale that effort, and at the time of writing Recorded Future is aware of the existence of at least several hundred illicit communities conducting business on the dark web.
Barysevich sees more common misconceptions about the members of dark web communities:
“Many think that only members of powerful crime syndicates are conducting business there. However, the average participant is more likely a small-time hacker wannabe, engaging in illicit activities only from time to time, not on a full-time basis. Some members I wouldn’t even call a cyber criminal at all — often they’re just looking to buy compromised Netflix or HBO accounts so they can watch it free of charge.”
The majority of serious forums are less likely to be fully automated marketplaces and more likely to take the simplest form of online bulletin board, in the “Craigslist” style. It’s most likely that threat actors are actually using the dark web to learn new methods and techniques, to monetize their skills and trade, or to communicate.
There’s no doubt that researchers can obtain highly valuable threat intelligence, quite often relevant to a broad spectrum of potential targets, both organizations and individuals, otherwise not accessible through conventional monitoring.
For example, healthcare organizations can identify compromised patient records. Financial institutions can analyze stolen payment information for common points of purchase, and mitigate against future fraudulent charges. “In one recent case, a multinational software company prevented the sale of highly sensitive source code of yet-to-be-released enterprise software,” Barysevich explains. “The threat actor turned out to be an insider who was working for this company. He stole the code and was attempting to sell it on the underground for $50,000.”
As you might expect, hidden criminal communities are not very fond of researchers. There’s the risk that even an experienced researcher could draw unnecessary attention and potentially make themselves a target. “If you have to be in one of those communities, if you have to gather the information directly, I would recommend not to engage actors, but rather just sit back and listen; just read what they talk about. Get information this way. You have to be trained properly, you have to know what to do, you have to be aware how the cyber criminals are actually talking to each other, what words they use, what code words they use, what slang they use. It’s very easy for them to spot a researcher from legitimate criminals,” Barysevich advises.
The anonymizing tools used by many for dark web access are completely legal and are becoming more prevalent as technology-conscious individuals look for ways to keep their internet activity completely private. However, many of the services and goods available in dark web marketplaces are dubious to say the least; that’s why criminals choose them. These communities are also rife with scams — there really is no honor among thieves. As Barysevich explains, “If there are individuals who conduct business on illicit parts of the internet they don’t just steal money from you and me but also from each other.” The existence of “ripper” sites that pretend to be other dark web marketplaces in order to scam members is a perfect example of this.
It should be clear by now that you can’t simply jump into a dark web community and stumble across brand new zero-days and proof-of-concept malware on day one. You’re facing the challenge of finding the right locations in the first place.
Threat intelligence providers can help here, with the expertise to access and collect from dark web sources. Remember that in many cases the same information you might uncover from the dark web will find its way to other sources, like social media, paste sites, or code repositories.
For this reason you should look to monitor for threat intelligence from the dark web in combination with other sources of threat intelligence. Recorded Future’s own patented intelligence engine can scale to automatically collect and analyze data from dramatically more sources than human analysts alone. Our technology works 24x7x365, across multiple languages and in real time, delivering a significant advantage to human analysts.
If you’re keen to learn more about how to exploit threat intelligence from the dark web to better protect your organization, here are some resources you might find useful:
Or, you can simply request a demo of Recorded Future.