
Infiltrating the Dark Web for Threat Intelligence Collaboration

The frequency and scope of cyberattacks are rising, and threat actors have long used the Dark Web to exchange insight and sharpen their attack methods.

While the Tor network, the usual route into the Dark Web, was originally developed to protect U.S. intelligence communications online, it has since evolved into a collaborative space and safe haven for cybercrime. Alongside narcotics and firearms, much of the Dark Web trades in services (such as credential theft), malware kits and stolen data.

Today, ransomware is a top concern, particularly for organizations in manufacturing, critical infrastructure, finance and healthcare, as attackers have advanced their playbook, combining ransomware with tooling that exfiltrates sensitive data before encryption so that a victim faces both an outage and a leak. The COVID-19 pandemic has only made this worse. Forum members have expressed fears and concerns about the pandemic, but they also share new ways to exploit remote working setups and run phishing scams around nationwide crises. Scammers have targeted individuals searching for COVID-19 information or relief funds.

However, cybercriminals aren’t the only members utilizing the Dark Web.

Law enforcement collaboration to track down cyber criminals

Although what can be seen on Dark Web pages shows only piecemeal tactics of much more complex, interdependent schemes, infiltrating these communities is essential for law enforcement agencies to build the larger picture needed to fight international organized crime.

For example, U.S. Cyber Command has recently acknowledged that the U.S. is taking offensive action to disrupt cybercriminal groups that have launched ransomware attacks on U.S. companies.

Despite U.S. efforts to stop criminal activity in its tracks through Dark Web monitoring, Russian hackers have historically found a safe haven at home: local law enforcement has not always arrested cybercriminals, and with no extradition treaty between Russia and the U.S., individuals were safe as long as they remained on Russian soil.

Recently, Biden and Putin have met to discuss the possibility of geopolitical collaboration in actively hunting down threat actors. Conversations collected from the Dark Web suggest that a segment of cybercriminals now worry that Russian authorities may be actively hunting them. Eastern European ransomware operators are increasingly trapped: they are no longer safe in their own country, and they cannot simply relocate their operations to another jurisdiction where extradition agreements are now in place.

Just months earlier, these forum members joked about being caught and arrested. Now the same members are discussing how to prepare for the possibility of capture and the sentences they might receive.

Exploiting the dark web to get ahead of attacks

It is important that businesses, not only law enforcement and government, monitor Dark Web trends and activity, both to keep up with current attack methods and to learn of new bots, viruses or malware before they are used against them.

By combining knowledge of Dark Web hacking trends with known enterprise security weaknesses, security administrators can test their environments, find gaps and strengthen their overall security posture.

In addition to analyzing potential threat intelligence, Dark Web monitoring can prepare organizations in the following ways:

  • Monitor what data has been breached, including company domain names, email addresses, facility references and the names and information of executives, so that security teams are alerted when their company's data appears for sale. Where the evidence gathered while monitoring supports it, they can then engage the sellers for more detailed transactional data as appropriate.
  • Understand where there might be weak links at the employee and enterprise level. By running social engineering tests built on the latest tactics seen on the Dark Web, security professionals can measure exposure at the employee level and reinforce it with security training, best practices and tips. At the enterprise level, this intelligence lets security professionals block access to phishing domains and share them as they become known, so that compromises do not take place where system users are most susceptible.
  • Share intelligence through advisories to make the entire security community smarter — and businesses more informed. As seen in the Dark Web forums, collaboration is important both between governments internationally and within the U.S. between private sector organizations and vendors as hacking groups can target anyone.
  • Develop tools to detect exploits and block attacks as they emerge to advance security methods beyond antivirus and firewall protection.
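The first two points above amount to a watchlist: a set of your own domains, mailboxes and executive names matched against whatever a monitoring feed scrapes from forums and listings, plus look-alike domains that a phishing kit might use. The following is an added example of that matching logic, not code from the original article or from any vendor it mentions; the watchlist, the sample posts and every domain in it are constructed for illustration. It also goes a step beyond the text by flagging typosquats (one-character edits and digit-for-letter homoglyphs of a watched domain), since those are the phishing domains the second point says should be blocked and shared.

```python
"""Watchlist matching over a constructed feed of scraped Dark Web posts.

Added example (not code from the original article). The watchlist, the
posts and the domain names are all constructed for illustration.
"""
import re
from typing import Optional

# Constructed watchlist for a hypothetical organization.
WATCH_DOMAINS = {"examplecorp.com"}
WATCH_EMAILS = {"cfo@examplecorp.com"}
WATCH_NAMES = {"jane doe"}  # lower-cased for case-insensitive matching

# Constructed sample posts standing in for a monitoring feed.
SAMPLE_POSTS = [
    "Selling 40k fresh creds from examplecorp.com dump, VPN + OWA, proof inside",
    "Full dox on Jane Doe (CFO) incl. home address, ask for price",
    "New phishing kit live on examp1ecorp.com, pixel-perfect login page",
    "Fresh NL cc dumps, high balance, escrow ok",
    "cfo@examplecorp.com : Summer2021! works on vpn.examplecorp.com",
]

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Digits attackers substitute for letters when registering look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude registrable-domain reduction: keep the last two labels.
    Good enough for .com; a real system would use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def classify_domain(domain: str) -> Optional[str]:
    """Return 'domain' for an exact watchlist hit, 'lookalike' for a
    homoglyph or edit-distance-1 variant under the same TLD, else None."""
    base = registrable(domain)
    if base in WATCH_DOMAINS:
        return "domain"
    b_name, b_tld = base.rsplit(".", 1)
    for watched in WATCH_DOMAINS:
        w_name, w_tld = watched.rsplit(".", 1)
        if b_tld != w_tld:
            continue
        if b_name.translate(HOMOGLYPHS) == w_name or edit_distance(b_name, w_name) == 1:
            return "lookalike"
    return None


def scan_post(text: str) -> list:
    """Return (kind, indicator) findings for a single post, de-duplicated."""
    findings = []
    lowered = text.lower()
    for email in EMAIL_RE.findall(text):
        if email.lower() in WATCH_EMAILS:
            findings.append(("email", email.lower()))
    for domain in DOMAIN_RE.findall(text):
        kind = classify_domain(domain)
        if kind:
            findings.append((kind, domain.lower()))
    for name in WATCH_NAMES:
        if name in lowered:
            findings.append(("name", name))
    return list(dict.fromkeys(findings))


def scan_feed(posts: list) -> list:
    """Scan every post; return (post_index, kind, indicator) rows for review."""
    return [(i, k, v) for i, p in enumerate(posts) for k, v in scan_post(p)]


if __name__ == "__main__":
    for idx, kind, indicator in scan_feed(SAMPLE_POSTS):
        print(f"post {idx}: {kind:9s} {indicator}")
```

Two caveats a practitioner would add before relying on this: the registrable-domain reduction is deliberately naive (use the Public Suffix List for anything beyond .com), and a name-substring match produces false positives for common names, so the "name" hits belong in a review queue rather than an automated alert.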

Advance knowledge of Dark Web chatter can reduce risk and allow organizations to take a strategic, proactive approach to their security. With earlier warning of potential threats, security professionals can better prepare by hardening defenses and strengthening their response playbooks to limit the impact of an attack.

Building trust on the dark web

While getting onto the Dark Web is straightforward with the open-source Tor Browser, building enough trust to gain access to closed forums often requires an existing member to provide an invitation link. Many forums also maintain a reputation system that reflects how trustworthy each user is: active users who regularly contribute comments and reviews are rewarded with more points and more access.

Thinking like a hacker is a crucial part of security expertise. It’s in the mind of the highly motivated, resourceful and creative computer scientist, social engineer or transactions officer where we find the most promising tools to anticipate and defend against attacks and limit the severity of possible outcomes.

As such, many organizations rely on third-party vendors who have built an undercover reputation on the Dark Web to gather threat intelligence and to help monitor internal security processes for potential gaps and vulnerabilities.

The path forward for threat intelligence

We will likely see ransomware and hacker groups toggle between 'offline' and 'online' to cover their tracks when law enforcement gets too close. Some gangs will go dark and close their business entirely, while others emerge to take their share.

Regardless, organizations must be vigilant. In the cases of GoldenSpy, SolarWinds and others, we have seen that malware can be cleverly hidden inside otherwise legitimate software. Keep in mind that entities on the Dark Web continue to accumulate data from breaches over time, connecting the dots between isolated instances of petty theft and larger national and international malicious schemes.

Governments, law enforcement and private sector organizations must work in tandem to share intelligence, strategies and tools to combat the ever-growing threats visible in Dark Web chatter, and so limit the damage of future breaches.