You can’t stop what you can’t see coming. Understanding the value of intelligence gathering on the Dark Web and gaining Open Source tools to better protect your company
The Dark Web is inherently scary for those who are unfamiliar with it, which to be frank, is most of us. Even asking most regular internet users to define what the Dark Web is could be quite a stretch. Most will probably rattle off something about open-air drug markets, illicit pornography, and possibly something about it being used by the Islamic State for planning their plots with sleeper cells in the West.
While some of these nasty groups have found their home on the less traveled parts of the internet known as the Dark Web, the real story and how it affects the world of security, is far, far more interesting than drug dealers and pedophiles.
What is the Dark Web?
In the simplest of terms, the Dark Web is a part of the World Wide Web that is accessible through special browsers like Tor. Built with layers of encryption, the Dark Web provides a level of anonymity and freedom from surveillance that is no longer possible on the open web.
The Dark Web and browsers like Tor were originally built for activists living under repressive regimes to be able to organize and communicate without fear of reprisal, using mirroring tools to hide their identities. A deeper look into the history shows that the U.S. Navy had a hand in this project, seeking a way for undercover agents to send information anonymously. Unsurprisingly, hackers looking to engage in illegal activities, like selling stolen identities and credit cards, also found it a great place to set up shop.
Over time, a collection of chat forums and other online spaces have popped up to serve the hacker community. Need a fully ready exploit kit for your next ransomware attack? Looking for partners to attack that bank in Madrid? Want to take credit for a string of database hacks and find interested customers for the information?
All you need to do is dig a little and you’ll find your niche chat group. More importantly, these are places where hackers can discuss how to carry out attacks and share knowledge. This can be as simple as asking who wants to join in a hack against a specific target. In other cases, they can talk about vulnerabilities in certain kinds of widely used code, utilizing the hive mind to problem solve.
However, just as the black hats have taken a tool designed for good (the Dark Web) and used it for crime, the white hats are entering their sanctum sanctorum, turning the tables on some of these no-goodniks.
Observing Hackers in the Wild
Just as intelligence gathering plays a crucial role for stopping crime in the physical world, the security industry has realized that the discussions playing out online can be just as important — if not more so. Cyber security companies stake out chat rooms and message boards, listening and recording important bits of information, so that they can be in the know and ready to predict the next wave of attacks from hackers.
One interesting case of picking up chatter in Dark Web chat rooms that produced surprising results was discussed in a 2012 study by the cyber security company Imperva. In their report detailing the most popular topics of conversation in Dark Web forums, they noted that SQL injection (SQLi) and DDoS attacks were tied for first place with 19% of the total thought pie. For a researcher that is worth their salt, this should indicate that a whole lot of hackers are very interested in these two techniques, and their clients had better be prepared to handle them.
Beyond techniques that talk about how to carry out hacks, there are often discussions surrounding vulnerabilities that companies should take notice of. Whether they concern vulnerabilities in a widely utilized open source library, or the fact that hospitals are more likely to pay ransoms quickly to get their data back, these forums provide important insights into the hacker mind space.
But gaining access to the deeper level, invite-only chat groups takes time, and frankly a lot of luck. Security researchers are under no illusion that they are about to interrupt the intricate battle plan for the next WannaCry ransomware attack by stumbling through a low level forum of n00bie hackers.
However, the game is less directed at finding that one tip off, and more about watching the herd. Hackers are at their best when they work as a community. Therefore, any noticeable changes in the kinds of job postings that are going up for dirty work or in the kinds of questions that are quickly rising to the top of the heap can lead to some very actionable intel.
Sharing is Caring
So, what can your company do to protect itself against the hordes of hackers that seem to loiter around the shadier corners of the internet, plotting together to undermine your product’s security?
Thankfully, the developer community knows how to come together as well, working to protect each other with information sharing. Once a piece of malware or information regarding an upcoming attack is found, it can be transmitted through various channels, including a number of tools that were set up by the open source community.
The Structured Threat Information Expression (STIXTM) format was developed by the OASIS Open organization as a machine readable standardized language to help share cyber threat intelligence. When a researcher or developer spots a piece of malware or other intel in the wilds of the Dark Web, they can pass the information on using STIX’s application transport protocol known as the Trusted Automated Exchange of Intelligence Information (TAXXII).
The MISP project is another open source threat intelligence platform with its own open standards for sharing information. This free platform also relies on user input and automation to help get the word out quickly.
All these tools detailed above are open for review on GitHub with full documentation.
For those looking for an even more expansive list of resources for tackling threats, feel free to peruse the resources that were compiled by the GitHub user called hslantman.
What does the future hold for staying secure on the Dark Web?
Even with these numerous resources, the Dark Web can still feel like a scary place because — like its cousin the Deep Web — it is uncharted territory. Hoping to shed some light here, the U.S. defense establishment’s DARPA group has backed the Memex project, which aims to build machine learning-based crawlers that are capable of searching through the Dark Web.
While the creator’s objective thus far has been to laudably help law enforcement root out human traffickers, these types of efforts to scan through the murkier sides of the internet should be met with some caution.
As privacy becomes harder to maintain online, the public may turn to the Dark Web for greater anonymity. Like freedom of speech, once anonymity is gone for those we disagree with, it is lost for the rest of us as well.
Even as more tools are developed for automating the search for threats on the Dark Web, much of the hard work will remain in human hands keeping their fingers to the pulse of the forums, listening to chatter, and waiting for new threats to emerge.
Rami Sass is CEO and Co-Founder of WhiteSource , the leading open source security and compliance management platform. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity.