Last week we discussed the Dark Web: its scope, its architecture, and what lurks (slithers) within its depths. On the flip side, the Dark Web is also a useful source to mine for cyber threat intelligence. When brick-and-mortar criminal types knock off a jewelry store or art gallery, they usually attempt to unload their loot on underground markets to avoid detection. These underground markets also provide willing buyers for ill-gotten wares. It’s no different with cyber criminals. Who doesn't like a great deal? Stolen intellectual property, account credentials, and PII are often offered for sale on the Dark Web. Scouring the Dark Web for digital assets belonging to your organization can provide a valuable heads-up that a data breach has occurred.
A day late and a dollar short
The shocking reality is that organizations are often unaware that a data breach has occurred until well after the fact. In the case of the Yahoo! email breach it took two years before it was discovered. Many breaches aren't discovered for at least six months after the fact. In the case of stolen credit card info or other financial data, this is ample time for the bad guys to do serious damage to a company’s bottom line.

A lot of cybersecurity attention is directed at securing the network and internal assets (outside-in threat detection), but some degree of inside-out detection should also be considered in order to keep an eye out for exfiltrated data. A key point to consider in all this is that hackers are often quite good at hiding their tracks. They accomplish this by concealing and obscuring files and malware left behind to carry out exploits. They will even resort to manipulating log files to make it seem like they were never inside your network in the first place. Companies often don’t know their data has been breached until a credit agency or the media brings it to their attention, and by that time it’s way too late.
DIY or hire out?
At this point, it should be clear that keeping eyes as well as ears on the Dark Web might be a useful strategy to have in your Cyber Threat Intelligence arsenal. It then becomes a choice of doing things yourself or outsourcing the job. We’ll examine the cottage industry that has recently sprung up around monitoring the Dark Web, but first, let’s see what’s required if you’re considering doing things on your own.

For a quick refresher on the basic tools, along with the precautions required to safely navigate the Dark Web, please refer to last week’s post. In a nutshell, sites on the Dark Web are only visible using the Tor secure web browser. Connecting to it via a VPN is also highly recommended. Once on the “dark side”, caution is required to prevent stepping into anything nasty. The real possibility also exists of landing on the radar of law enforcement. From there, it’s a matter of knowing which sites and forums to monitor for a mention of your organization and where to look for data belonging to you. There are organizations with the human expertise and bandwidth to undertake such an operation. A proper “clean room” environment with an air gap to protect the internal network and its assets is also strongly recommended.

Before we move on to looking at third-party monitoring services, it’s worth noting one of the tactics computer security teams employ to track their data and PII. IT teams will sometimes place some amount of fake PII on their network so it’s easy to identify should it show up on the Dark Web. It’s very similar to the use of marked bills by law enforcement and is a variation on the tried and true “honey pot” tactic.

Should you decide to go the route of hiring a vendor to monitor the Dark Web on your behalf, then it’s important to understand what they do and the services they provide. The good news, as mentioned in the previous post on this topic, is that the Dark Web is quite tiny when compared to the surface and Deep Web in combination. Unfortunately, all the scams on top of scams and other noise on the Dark Web make sifting out useful intel pretty challenging. The classic risk of distracting your security team with false positives is quite real. Security teams have enough wild geese to chase as a regular part of their duties.
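The marked-bills tactic described above, sketched as an added example that is not part of the original post: each fake address carries an HMAC tag, so a hit in a dump can be verified and traced back to the system it was seeded in, which keeps lookalike noise from becoming a false positive. The key, the `example.com` domain, the `j.avery` persona and the sample dump are all constructed for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # constructed; keep the real key off the seeded network
DOMAIN = "example.com"            # placeholder domain (assumption)
PATTERN = re.compile(
    r"[a-z]+\.[a-z]+\.([a-z]+\d{3})\.([0-9a-f]{12})@" + re.escape(DOMAIN), re.I
)

def _tag(label: str) -> str:
    """Truncated HMAC-SHA256 of the label; only the key holder can produce it."""
    return hmac.new(SECRET, label.encode(), hashlib.sha256).hexdigest()[:12]

def make_canary(system: str, seq: int) -> str:
    """Fake employee address; the label records which system it was planted in."""
    label = f"{system}{seq:03d}"
    return f"j.avery.{label}.{_tag(label)}@{DOMAIN}"

def scan_dump(text: str) -> list[tuple[int, str]]:
    """Return (line number, label) for every genuine canary found in a dump."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PATTERN.finditer(line):
            # Dumps are often case-folded, so normalise before verifying.
            label, tag = m.group(1).lower(), m.group(2).lower()
            if hmac.compare_digest(tag, _tag(label)):
                hits.append((lineno, label))
    return hits

# Constructed sample of a credential dump: one unrelated row, one real canary
# (upper-cased), and one lookalike address carrying a forged tag.
SAMPLE_DUMP = "\n".join([
    "alice.smith@mail.invalid:hunter2",
    make_canary("hr", 7).upper() + ":Winter2019",
    "j.avery.crm012.0123456789ab@example.com:letmein",
])

if __name__ == "__main__":
    for lineno, label in scan_dump(SAMPLE_DUMP):
        print(f"line {lineno}: canary planted in {label} has leaked")
```

Because verification recomputes the tag from the label, no list of planted records has to be stored alongside the scanner.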
Under the hood
There are two basic approaches to Dark Web monitoring: automated and manual scanning. Automated approaches use a set of algorithms to crawl marketplaces on the Dark Web looking for matches against client data signatures in their databases. It’s not too unlike how search engines like Google function.

Manual methods use the old “shoe leather” approach by employing human analysts to monitor forums and marketplaces. The focus with this approach is on uncovering hacking and malware threats to provide both government and private clients advance warning of possible impending cyber attacks.

My hunch is that real-life application of such services doesn’t rise much above alerting clients to possible theft of employee work or personal user accounts. This assumption arises from one of my employer’s use of such a service. Granted, I’m only observing it in action from a “black box” scenario. The IT department occasionally sends out emails alerting staff that accounts have been found on the Dark Web by the monitoring service. As limited as this kind of intel appears on the surface, it probably is still good to know about.

This last point underscores the need to weigh the cost versus benefits of subscribing to a Dark Web monitoring service. Regardless of the annual cost, the return can be significant if a data breach is caught early enough in the game before serious damage can be inflicted. Many of the issues touched on by this topic are covered extremely well and in great depth in the Cybrary course on Cyber Threat Intelligence taught by Dean Pompilio.