
Tapping into the dark web

Scott Goodwin at DigitalXRAID explains the importance of proactive intelligence

 

Since the dawn of social media, tech founders like Mark Zuckerberg have discussed the idea of a “digital town square”, where people discuss topical events, form new connections, and organise in a virtual space.

 

But not all interactions are appropriate for the town square. Some interactions – selling illicit goods and planning illegal activities, for example – exist in the shadows. In the virtual realm, the forums and sites dedicated to criminal activity make up the dark web.

 

The international LockBit takedown in early 2024, centring around the gang’s ransomware leak site, highlighted just how central this secret cyber-space has become for coordinated cyber-criminal activity.

 

However, there is hope for security teams. These forums also hold invaluable insights into hackers’ intentions, tactics, and exfiltrated data sets, helping teams to prevent future breaches. 

 

A dark underbelly

The dark web offers criminal organisations, discontented individuals, and even nation states a network of increasingly specialised hackers and technologies. This cyber-crime-as-a-service model has allowed cyber-criminals to launch more sophisticated attacks with fewer skills and resources.

 

Initial Access Brokers offer to find their way into businesses’ networks, while those looking to extort money from victims can find dedicated ransomware and negotiation experts. The sale of stolen credentials, common in dark web forums, allows bad actors to infiltrate networks with relatively low-skilled breaches through credential stuffing. 

 

Law enforcement agencies have long used these forums to access criminal groups and prevent incidents, but the threat landscape is changing. It’s clear that accessing this criminal ecosystem is the key to gaining real-time threat intelligence and getting ahead of modern threats. Research shows that today, 93% of CISOs are concerned about dark web threats. In the face of surging attacks, every organisation should be tapping in.

 

Getting ahead

Amidst a rising tide of breaches, expanding attack surfaces, and budgetary pressures, the time has come to pursue a new outlook. In today’s world, proactivity, rather than reactivity, is king. 

 

Embracing proactivity requires a holistic approach that many will know well. Security leaders should use audits and frameworks, such as NIST, to establish a baseline of risk mitigation, with sensitive servers and data receiving further layers of defence. Human processes, such as establishing clear lines of escalation, must be in place to increase awareness of suspicious activity and facilitate quicker incident response.

 

But true proactivity requires real threat intelligence, at all times. Any time in which a network is not actively monitored presents a window of opportunity for would-be attackers, and fast-evolving attack methods are working to evade standard security tools each day. Without up-to-date insights, leaders will remain on the back foot. And yet 21% of CISOs have no threat intelligence capability at all. 

 

Bolstering incident response

Dark web intelligence can be critical to triaging an active incident, thereby feeding into effective incident response. Ransomware actors have been known to overplay their leverage to their victims, exaggerating the size or nature of stolen data sets.

 

Meanwhile, it could well be the case that these actors failed to access the most sensitive data stores in a network, or they may not have breached their target at all. Organisations with compelling access to ransomware data leak sites have the power to pose as interested buyers and assess these claims before making any rash decisions. This empowers security teams far beyond refusing to pay a ransom: knowing the nature of stolen data can shine a light on how a breach occurred and exactly what servers have been affected, enabling teams to respond as effectively as possible. 

 

The dark web also offers insights into other active breaches. We have observed a spike in threat actors breaching networks and laying low within their victims’ systems, locating sensitive data stores or gaining a better understanding of internal communications to launch more sophisticated attacks. While this can be catastrophic for the victim organisation, its impact can have a far wider reach.

 

Hackers can easily leverage their invisible status to launch secondary attacks on their victims’ supply chain. From sending false invoices to customers to finding footholds into partner networks, having access to the networks in which cyber-criminals discuss and coordinate attacks is critical to preventing these attacks before they can occur.

 

Often, hackers’ online claims and the sale of stolen data can indicate an undetected breach to security teams. When forums are selling the data of multiple organisations with a common supplier or software provider, this is a tell-tale sign of an active supply chain attack, allowing security professionals to react faster and reduce the damage. 

 

Dark web intelligence should become a fundamental part of all due diligence. A new supplier or partner that has experienced a breach could bring more risk into an organisation, so understanding their true security posture is key. This becomes particularly true when considering a merger or acquisition. Taking dark web intelligence into account in the consideration process proactively reduces risk whilst protecting the organisation’s wider supply chain.

 

Prioritising resources

There are two main challenges to tapping into the dark web: access and accuracy. As discussed, law enforcement agencies have long had fake criminal accounts on these sites, and criminals have become increasingly suspicious. Gaining access is now a time-consuming process that requires building and maintaining a convincing online presence, with a believable amount of time on the platform.

 

Automated data collection is not an option: many sites detect and ban any accounts that are crawling the site, or complex captchas are used to ensure that only manual users are accessing the site. If caught out, organisations are banned and left to build a new account from scratch. 

 

There is also no guarantee that postings critical to an investigation are still available on any given forum. Initial access brokers take down their posts once they have found a buyer, as do those selling exfiltrated data. Catching this intelligence in time is a case of checking forums regularly, and manually. Without dedicated time and expertise, much of the dark web is, unsurprisingly, impenetrable. But it is now necessary for staying ahead.

 

Seeking out expert partners allows organisations to gain the peace of mind and proactive stance that dark web intelligence can offer, without draining resources. In the process, security leaders free up a little more time to optimise and improve their defences.

 


 

Scott Goodwin is COO and Technical Director at DigitalXRAID

 

Main image courtesy of iStockPhoto.com and Eightshot Studio

 



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543