The darknet refers to a network of computers, nodes and websites that are purposely hidden from the “regular” Internet, or surface net. They are located on a network that’s encrypted – and because it’s encrypted, it’s not searchable by traditional means like a search engine, nor can it be viewed through traditional web browsers. It’s an overlay network that requires specific authorization or tools to access.
Cyber Threat Intelligence (TI) analysts monitor the darknet all the time, uncovering information about potential attacks. But how do they find the relevant information – and how can their work help you?
It’s All About Engagement
Yes, TI analysts search the darknet for information about criminal activity. But it’s not “just” a question of identifying links, reading known sources, or utilizing the right search engines. While the information one can uncover on the darknet is useful, the more significant data generally comes from CTI analysts’ engagement with individual criminals – establishing direct communication with the threat actors themselves.
By learning how hackers interact and collaborate, what language style they use, their habits and means of communication, CTI analysts can reach out to individual hackers, build trust and get “the inside story” about who is selling what – or details of a planned attack. Armed with this intelligence, a threat intelligence analyst can take steps (on an internal level) to avert an attack.
Early Warning of Malicious Behavior
By obtaining information through the darknet, CTI analysts can uncover criminal behavior that potentially targets their clients. This allows them to provide early warning about hacker behavior and possible scams, including malware, fraud, and other types of malicious attacks.
Perhaps a client’s name isn’t mentioned on the darknet explicitly – but the analyst picks up on the fact that the client’s sector is mentioned. Or perhaps the technology the client uses comes up – firewall versions, specific operating systems – anything an analyst can then go ahead and research further, checking vulnerabilities and exploits.
Identifying Data Leakage
Part of an analyst’s work involves monitoring the darknet for data leakage. In this context, data leakage refers to information that has been made accessible – meaning, an organization posted it or made it available online without realizing what it had done.
Threat Intelligence analysts conduct research within the darknet to detect references and comments concerning data leakages – and glean that a client’s data is accessible or public. The tipoff perhaps comes from comments made on the darknet by an analyst’s criminal sources regarding data that’s exposed, i.e., that is accessible to those who know how to get to it, which can be used with malicious intent.
Information about data leaks is crucial, because a company’s entire reputation can be ruined if clients discover that there’s been a data leakage that has gone unnoticed. And the financial cost is disastrous, for many companies – as clients lose faith and switch to using other companies or services, which they perceive as being “safer.”
Thus, one of the roles of analysts involves giving clients the bad news that there’s information about their organization that’s exposed and available online – that should be taken down ASAP. In many of these cases, there’s no way of knowing with certainty whether the information that was accessible was used by cyber criminals with malicious intent – or not.
Security Researcher Uncovers Over 300 Million Leaked Records
A particularly eye-catching case of a CTI analyst identifying data leakage hit the papers in June 2018, when Vinny Troia, founder of Night Lion Security, stumbled upon a 2TB data bank containing nearly 340 million records with sensitive information. The data belonged to Florida-based data broker firm Exactis and included personal data on both businesses (110 million) and consumers (230 million) – and exposed details such as phone numbers, home addresses, and religious beliefs.
There’s no evidence, at present, that hackers used Exactis’ data with malicious intent, though it was accessible to anyone who had the necessary degree of expertise. Troia discovered it using Shodan, a search engine allowing users to identify internet-connected devices. He looked up databases visible on the Internet, and found the Exactis database which, apparently, did not have a firewall. Troia reported his discovery to both Exactis and the FBI; the database is no longer accessible.
The Clearnet is Important Too
While the darknet is important – used by criminals for underground engagements and other illegal activities – it has become less significant in the world of cybercrime than it once was.
That’s because today, hackers believe much of what’s on the darknet is fake – placed there by government sources. Furthermore, in 2017 some significant sites were shut down – such as AlphaBay, a dark web marketplace taken down by the U.S. Justice Department, and Hansa Market, removed by Dutch law enforcement officials.
Some groups or forums now prefer to share information about criminal activity on the “regular” Internet – though only on closed groups or closed IRC (Internet Relay Chat), where people can connect on a specific port anonymously. In these forums, only those with the right skill set can engage, monitor, and conduct research. Thus, to operate effectively, analysts adopt a holistic approach – extracting information from all available sources.
Top Markets and Forums
Analysts are aware of the top markets and forums, which are good resources for information about vulnerabilities, data leakage, and discussions of malicious attacks. Some examples include Wall Street Market, Wall Street’s Sub Dread, and the Dream Market marketplace.
Another “trick” analysts utilize in identifying valuable information about malicious behavior relates to a certain kind of language or slang that is common within the hacker community. Knowledge of the most common means of communication helps analysts identify the bad actors.
Tips on Improving Your Security Posture
CTI analysts are most effective when working in tandem with organizations that are optimized in terms of their security posture. Here are a few fundamental tips for improving your security posture and maximizing your organization’s defense against cyber-attack:
- Credentials – Check you’re not using default credentials.
- Server Configuration – Properly configure your server to avoid exposed directory listings.
- Passwords – Review sensitive directories and login panels to ensure appropriate levels of security vis-à-vis password policy.
- Permissions – Review who has permission to which aspects of your company’s data, and make sure permissions remain up-to-date.
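As an added illustration of the server-configuration and password tips above (an example written for this post, not taken from it or from CyberProof), here is an nginx server block showing the weak directory-listing setting commented out beside the hardened settings; the hostname, paths and file names are assumed.

```nginx
# Added example, not from the original post. Hostname, paths and file names are assumed.
server {
    listen 443 ssl;
    server_name example.internal;   # assumed hostname
    root /var/www/site;

    # WEAK: directory listings enabled site-wide, so any path without an
    # index file shows every file in that directory to anyone who asks.
    # autoindex on;

    # HARDENED: no directory listings anywhere. nginx defaults to off, but
    # setting it explicitly keeps an included snippet from silently enabling it.
    autoindex off;

    # Sensitive area: require authentication rather than relying on the path
    # being hard to guess. The password file lives outside the web root.
    location /admin/ {
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;   # assumed path
        autoindex off;
    }

    # Dotfiles and backup/dump artifacts should never be served at all.
    location ~ /\. {
        deny all;
    }
    location ~* \.(bak|old|sql|zip|tar\.gz)$ {
        deny all;
    }
}
```

Create the password file with bcrypt hashes (`htpasswd -B`), reload nginx, then request a directory path that has no index file and confirm you get a 403 instead of a file listing.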
Do you have questions about how CyberProof can help you with proactive threat intelligence? Contact us today!