A necessary pillar of an effective cyber defense strategy is the capability to detect and mitigate threats at the earliest stages of the cyber kill chain. While internal and perimeter security solutions are critical to your security program, external threat intelligence gives you the ability to defend forward by eliminating threats outside the wire.
This ebook is designed to provide a framework for security professionals on how to conduct effective external threat hunting on the dark web.
The dark web is a haven for cybercriminal activity. Accessible only through private browsers, like Tor, that enable anonymous browsing and communication, the dark web allows threat actors to operate in the shadows and maintain relative obscurity and anonymity. While most cybersecurity professionals are well aware of the dangers that lurk across the dark web, many do not have the time, knowledge, or tools at their disposal to identify, validate, and mitigate threats that are being orchestrated against them. The dark web, by far, provides the most challenging landscape for threat hunting due to its anonymous nature and inherent challenges in enforcing regulations.
Creating a game plan: You’re only as good as your sources
Strong intelligence starts with good sources. Your sources can be found in any place where you hunt for or gather intelligence, including black markets, hacker forums, and instant messaging platforms, like Telegram, ICQ, and Discord. It’s much better to have one source of really strong intelligence than to have thousands that turn up very little. In addition, it’s critical to map the threats, attack vectors, and source types that matter most to your unique organization, so you can focus on establishing the right mix of sources.
Each organization will have different sources and hunting methodologies based on its intelligence needs, weak points, common attack vectors, industry-specific threats, and more. For example, the ways a bank could be attacked are very different from the ways a healthcare organization might be. Therefore, threat hunters must tailor their efforts to the landscape surrounding their organizations and utilize sources that enable them to find relevant threats. Banks probably don’t need to hunt for leaked medical records, and healthcare organizations probably don’t care as much about stolen credit card numbers.
There are many different types of sources across the dark web where you can find threats, and these source types often specialize in a certain area of cybercrime or information trade. Here are some common “sub-categories” of dark web sources:
General Markets: These markets offer almost anything for sale, including drugs, weapons, credit card dumps, miscellaneous services, digital products, counterfeit merchandise, and much more.
PII & PHI: These markets sell personally identifiable information (PII) and protected health information (PHI), like Social Security numbers (U.S. market), mailing and email addresses, and dates of birth.
Credit Cards: These markets and forums are dedicated to buying, selling, and sharing leaked or stolen credit cards. They can often be purchased in bulk or individually.
Digital Identities: These are relatively new sites on the dark web that sell stolen “digital fingerprints” of a user’s web browsing device (i.e., IP address, OS information, time zone, user behavior). These sites enable the purchaser to impersonate a legitimate online user and circumvent standard security protocols. Some examples of these sites include the Genesis Market and Richlogs.
Information Trading: This can include stolen databases, leaked documents, trade secrets, and more.
Remote Access: These sites sell and trade shells (exploits) and remote access to hacked servers via RDP, VNC, or other means.
Personal Documents: This might include stolen passports, driver’s licenses, social security cards, or fake IDs.
Electronic Wallets: These sites sell access to stolen or compromised wallets, typically containing Bitcoin or other cryptocurrencies.
If there’s one constant across the dark web, it’s change. These dark web sources of cybercriminal activity are never permanent, often being shut down by law enforcement or taken offline by administrators to avoid getting caught. Staying on top of the latest movements and popular hubs is a tricky task given the elusive nature of the threat actors using them. That’s why becoming an active member of the community can open the door for threat hunters to stay on top of the constant change and access the most valuable sources across the dark web.
Establishing access: Venturing behind enemy lines
Cybercriminals and other threat actors are intentionally deceptive, and will try to avoid being identified in any way possible. This makes searching for sources challenging – where do you begin? To compound the challenge, activity hubs are periodically shut down by law enforcement with no notice, forcing threat actors and threat hunters alike to adapt on the fly and find new sources for trade and information exchanges. Since most dark web activity takes place on the Tor browser, which anonymizes users and isolates each site, it can be difficult to keep track of forums and black markets, which are often unindexed and only accessible via obscure URLs.
During the past year, there have been several notable shutdowns – Altenen was shut down by Israeli authorities in May 2018, and Dream Market voluntarily closed its doors at the end of April 2019, which may or may not have been part of a law enforcement sting. Deep Dot Web, Valhalla, and Wall Street Market were shut down by authorities soon thereafter. Going back a couple of years, AlphaBay and Hansa were shut down in July 2017. The more popular a site becomes, the more likely it is to be shut down or taken offline.
These closures and shutdowns of large-scale markets in recent years show there is no singular source of cybercriminal activity. Tracking emerging black markets can be helpful, but the best intelligence is often gathered by assimilation into cybercriminal watering holes. Threat hunters must earn the trust of cybercriminals to become accepted into those communities, which can be a complex and risky task – one that CISOs often outsource to experienced professionals.
“What is the Tor browser?
Tor is a dark web browser that was originally created by the United States Naval Research Laboratory in 2002 as an anonymous communication tool for intelligence agencies. Ever since, it has become the go-to tool for cybercriminals, cybersecurity professionals, researchers, academics, and law enforcement alike. Tor works by randomly routing a user’s encrypted traffic through a series of connected volunteer-operated systems, called relays. This ensures activity cannot be traced back to the end user. Tor users can access special sites with .onion domains, which can only be reached through Tor browsers.
Tor is now maintained by The Tor Project, a non-profit 501(c)(3) organization based in Massachusetts. While funding is provided by a number of foundations, corporations, and individuals, the vast majority of the Tor Project’s funding continues to come from the U.S. Government. Despite this, Tor is largely unregulated – in part due to its anonymous nature – allowing cybercriminals and hackers to form a thriving ecosystem.”
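To make the relay mechanism described in the sidebar concrete, here is an added illustration (not from this ebook or from the Tor Project) of how layered encryption lets each relay learn only its next hop, so no single relay sees both the user and the destination. It assumes per-hop symmetric keys are already shared with the client and uses a SHA-256 counter keystream in place of Tor's real handshake and AES-CTR.

```python
import hashlib
import secrets

# Constructed illustration of Tor-style onion routing (standard library only).
# Assumed: each hop's key is already shared with the client (real Tor derives it
# via a Diffie-Hellman handshake) and a SHA-256 counter-mode keystream stands in
# for Tor's AES-CTR. It is not a secure cipher; it only shows the layering.
NONCE_LEN = 12
HOP_LEN = 16  # fixed-width next-hop label so a layer's size reveals nothing

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return blocks[:length]

def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(plaintext, key, nonce)

def decrypt_layer(key: bytes, ciphertext: bytes) -> bytes:
    return _xor(ciphertext[NONCE_LEN:], key, ciphertext[:NONCE_LEN])

def build_onion(circuit: list, destination: str, payload: bytes) -> bytes:
    # Wrap from the exit inward; each layer carries only the hop to forward to.
    next_hops = [name for name, _ in circuit[1:]] + [destination]
    onion = payload
    for (_, key), hop in reversed(list(zip(circuit, next_hops))):
        label = hop.encode().ljust(HOP_LEN, b"\0")  # labels over HOP_LEN unsupported
        onion = encrypt_layer(key, label + onion)
    return onion

def relay_peel(key: bytes, onion: bytes) -> tuple:
    # A relay strips exactly one layer: it learns its next hop and nothing else.
    inner = decrypt_layer(key, onion)
    return inner[:HOP_LEN].rstrip(b"\0").decode(errors="replace"), inner[HOP_LEN:]

def run_circuit(circuit: list, destination: str, payload: bytes) -> tuple:
    # Walk client -> guard -> middle -> exit -> destination, recording what each
    # relay learned: the guard never sees the destination, the exit never the client.
    onion = build_onion(circuit, destination, payload)
    observed = []
    for name, key in circuit:
        next_hop, onion = relay_peel(key, onion)
        observed.append((name, next_hop))
    return observed, onion
```

The `observed` list returned by `run_circuit` is the whole point: each relay's record holds only the next hop, and a relay holding the wrong key cannot recover even that label.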
Assimilating into the hacker community
Threat hunters are faced with a daunting task: infiltrating advanced hacking and cybercrime communities where the barriers to entry are substantial. In order to be accepted into these communities, new users often must pass a series of tests – both literal tests and tests of character – to prove they are both technically capable and, most importantly, not working with law enforcement or cybersecurity groups or companies. In sophisticated forums, you must demonstrate your technical prowess by passing rigorous, challenging tests, and sometimes a referral is required just to sit for them.