Going Dark: Fact vs. Fiction on the Dark Web

May 1, 2017 • Amanda McKeon

Mention the dark web and many people summon imagery of a massive, mysterious online criminal underground, where all manner of products and information are bought, sold, and traded, hidden away from the prying eyes of the public and law enforcement.

But, is that really what it’s like, or is that just cyber security marketing hype?

In this episode, we take a tour of the dark halls and back alleys of the dark web with the aim of separating fact from fiction. We’ll learn the truth about the people and products on the dark web, and find out the part it plays in threat intelligence today.

Our tour guides are Andrei Barysevich, Director of Advanced Collection at Recorded Future, and Emily Wilson, Director of Analysis at Terbium Labs.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone and thanks for joining us, I’m Dave Bittner from the CyberWire. This is episode four of the Recorded Future podcast. Mention the dark web and many people summon imagery of a massive, mysterious, online criminal underground, where all manner of products and information are bought, sold and traded, hidden away from the prying eyes of the public, and law enforcement as well. Like a scary back alley on a moonless night, it’s one of those places you’re probably best off steering clear of. Scammers, criminals, and maybe even terrorists supply their wares there, lurking in the virtual inky shadows of their private online markets — goodness.

In this episode of the Recorded Future podcast, we explore the dark web with a couple of experts as our guides. We’ll separate fact from fiction, learn the truth about the people and products on the dark web, and we’ll find out what part the dark web plays in threat intelligence. Stay with us.

Andrei Barysevich:

It’s a marketing term.

Dave Bittner:

That’s Andrei Barysevich, director of advanced collection at Recorded Future, after I asked him to define the dark web.

Andrei Barysevich:

There’s no strong definition of what the dark web is. I’d like to name it “criminal underground.” It’s usually just a website or a number of websites hosted either on Tor and accessible only through the Tor browser, or hosted on the clear web but not accessible to the general public.

Emily Wilson:

One of the most interesting things about working in the dark web space is that people have kind of varying and overlapping concepts and definitions of the dark web.

Dave Bittner:

Emily Wilson is director of analysis at Terbium Labs. One of the services they provide is dark web monitoring.

Emily Wilson:

When I think about the dark web, I think of it a little bit less as a collection of sites and more of a type of content. I think about the dark web as the kind of place that you don’t want to see your information appear, and the kind of places where it tends to appear. Right, so this could be everything from, you know we all agree, kind of Tor hidden services, great place to look, paste sites, IRC channels, some of these password-protected, invite-only, limited-access forums.

Andrei Barysevich:

It sometimes means you have to be vetted by current members. In many cases you have to prove that you also have been a member of other communities, so let’s say if we’re talking about top-tier Russian cybercommunities, and very often they will ask you, “Okay, so tell me where else you’ve been conducting business?” You have to provide them with your profile. They’ll review it. Sometimes admins will ask questions, ask other members about you. Some forums will require you to pay quite hefty entrance fees. Some forums also require financial guarantees from people who invited you to the community, so let’s say if somewhere down the road you didn’t deliver on the business deal, they will be reliable and responsible for your actions financially.

Emily Wilson:

A lot of these sites, a lot of these places where you see a lot of information being dumped online are sites that are accessible through your normal browser, things that are really easy to get to, right? These are sites that are Russian top-level domains or Cocos Islands or Cameroon, you know, people kind of gravitate toward one or the other, so when I think about the dark web, it’s really about the kind of content that appears and a little bit less about specifically the site type.

Dave Bittner:

What kind of content do we typically see on the dark web?

Emily Wilson:

That’s an interesting question because some of the content that we see on sites we would typically think of as dark web sites is all perfectly legal, plenty of Tor hidden services have legal content, but the interesting stuff, the stuff that we really care about, especially for this kind of a conversation, we see everything from personal information being traded, whether that’s financial details, general personal information, name, address, telephone number, email address, everything you could need to spam someone, to things like exploits or terrorist propaganda, from time to time, although frankly, most of that isn’t hidden away on the dark web. People want to be getting that out in front of as many people as possible.

We also see things like drugs, of course, and pharmaceuticals, and then some more nefarious content, child exploitation comes to mind, obviously, and human trafficking in other forms.

Andrei Barysevich:

Requests of assistance, quite often criminals are managing to get, let’s say a foot in the door when they try to hack certain organizations, but then somewhere, sometime down the road, they need help, and sometimes they will actually post an open question, and solicit help from other, more experienced hackers.

Emily Wilson:

The threat intelligence then that you can start putting together, I know a lot of people think about fraud and personal information. There are definitely people or law enforcement agencies who work with drugs or pharmaceuticals, but let’s take fraud for example. You can start seeing where information first appears, is it something where a data set appears for sale and the reason that you know that is because you see a sample of it that’s being shared with a link to where you can buy it. What else is this vendor selling? Where else are they operating? What other kinds of goods and services do they trade in? How long has this data set been around, maybe none of it leaked out before but now it’s starting to kind of appear in certain circles. Why is someone leaking it? Are they doing it for vandalism? What do they have against this particular individual or this particular company? That’s just one narrative example of how you can start building a story or kind of an investigation around a particular data set.

Dave Bittner:

What are the challenges when it comes to collecting threat intelligence from the dark web?

Andrei Barysevich:

Well, one of the biggest challenges is to get access to the dark web, to a criminal underground. Once you’re there, I would say it is not to blow your cover. Criminals also know that security researchers and law enforcement are constantly browsing these communities and attempting to get access to them. We saw quite a few times when people were banned because admins or other members found that they’re not criminals but rather security researchers or law enforcement, so I would say that the biggest challenge, once you’re there, is to preserve your cover, to maintain that access.

Emily Wilson:

Sometimes these sites don’t want to be found. Certainly, when you’re dealing with something like Tor hidden services, right, this is set up to be difficult to go through or to index. Some of these sites you can’t access unless you know the right person, or you can perform the right set of tasks to get in there. In other cases, it is the issue of piecing together data with little context. Not everyone is going to say nicely and plainly, “Hey, this is a database or a list of customers from this bank or this retailer and here’s how I got it and here’s when and here’s why.” One of the real challenges is being able to have the context that you need to be able to go through that and piece that together, and then also genuinely the issue of being able to gather and index that information.

The dark web isn’t nearly as big as some people seem to say it is, you know, the iceberg analogy, we’ve all seen that image. That’s just not accurate, but there’s a lot of information out there and you have to sift through it, and even after you’ve sifted through it, you have to dig in deeper.

Dave Bittner:

When you say, “Dig in deeper,” what do you mean?

Emily Wilson:

You sift through and you find a bunch of information that seems like it might be related or might be interesting. You’re still absent some critical details and from there you kind of need to apply some human power. I think a lot of the key process of developing threat intelligence is around knowing what to pay attention to and what you can ignore, and having the frame of mind and the experience not to buy into a lot of the hype. I think one of the most common misconceptions about the dark web, and I think one of the biggest dangers inherent in going through data from the dark web is often people are looking for more interesting or more exciting stories than actually exist, and so I think that one of the challenges there is being able to look at something and decide whether or not to take it at face value or whether there’s something to dig into more there, and that’s really a discernment issue. I think discernment, at that level, is something where, for example, machine learning is incredibly valuable when you’re trying to help filter, but at the end of the day, one of the real challenges from threat intelligence is being able to look at it with a discerning human eye and decide whether or not it’s interesting.

Dave Bittner:

Do most people just sort of live their lives not really knowing that the dark web is there?

Emily Wilson:

I think we are moving into a world where people are beginning to understand that the dark web exists, at least in so far as people know that large and very prominent data sets are being leaked or shared or sold. I think people are beginning to understand that there is a place out there where this is happening. Now, I think there are plenty of misconceptions about the dark web, both in our industry and then obviously, more broadly, but this is something that definitely isn’t going to stay as quiet as it has been for much longer.

Dave Bittner:

If someone is new to threat intelligence and they’re just getting their feet wet and trying to figure out what their stance should be, what guidance would you give them in terms of what part should dark web research be in their menu of threat intelligence options?

Emily Wilson:

One of the best pieces of advice I can offer here to individuals and organizations who are trying to assess what they need for their company and for their data, in terms of whether dark web coverage or threat intelligence coverage is, there is a danger in assuming that the breaches that you hear about are the only breaches that are happening. The breaches that are in the news are the ones that are big and are flashy, and they make headlines for a reason, but big companies or well-known organizations aren’t the only ones who have sensitive data, and not all attacks are targeted. Most of the data that I see, at least, you’re asking kind of what I know about this, is opportunistic. It’s from much smaller organizations, and so I think the mindset shift of recognizing that you have information, and the information that you have is sensitive to someone, and thinking then from there, what information do I have, what would be a terrible phone call to get in the middle of the night, and how am I going to protect it? I think that threat intelligence is a big part of that.

Dave Bittner:

That was Emily Wilson from Terbium Labs. Our thanks to Emily and Andrei Barysevich for sharing their expertise on the dark web, and thanks to you for listening to this podcast.

To learn more about the dark web, you can read Recorded Future’s blog post, “Going Deep and Dark: Mining Threat Intelligence from the Hidden Web,” or simply search “dark web” in the blog section of the Recorded Future website.

Before you go, don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

You can also find more intelligence analysis at recordedfuture.com/blog.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer, Amanda McKeon, Executive Producer, Greg Barrette. The show is produced by Pratt Street Media with Editor, John Petrik, Executive Producer, Peter Kilpe and I’m Dave Bittner.

Thanks for listening.