6/23/2015 10:30 AM
Jason Polancich
Commentary

The Dark Web: An Untapped Source For Threat Intelligence

Most organizations already have the tools for starting a low-cost, high-return Dark Web cyber intelligence program within their existing IT and cybersecurity teams. Here's how.

Blind spots are everywhere in cybersecurity. To make it worse, the threats are increasing in both form and frequency and it’s a daily struggle to defend against threats you can’t see coming. From traditional malware infections and active network attacks to new kinds of social engineering spear-phishing and novel hardware exploits, attack vectors evolve right along with your company’s risk surfaces. You evolve, they evolve – it’s a continuous cycle.

Finding information on these threats is a dynamic, moving target and there isn’t any one-stop source or service that gives you all you need to know. Worse, the details are full of irrelevant, noisy information, nearly impossible to decipher.

For most companies, shedding light on these areas of cyber defense is increasingly being accomplished by standing up expensive cyber intelligence initiatives such as threat intelligence (at varying low-to-high levels), risk intelligence and traditional human intelligence (HUMINT) activities. Companies are buying data, acquiring tools, and hiring pricey investigators and cyber analysts to build up their own miniature intelligence agencies. This is an expensive operation. Plus, both the field and the approach are so immature in the private sector that it’s hard to know which activities will provide any real return on what is becoming a very significant investment, even for individual parts of an "intelligence program."

Surprisingly, what is perhaps the "darkest" of the blind spots, the Dark Web, can be one of the easiest to overcome.

The Dark Web is veritably tiny in comparison to the more familiar public Web and minuscule when compared to the larger Deep Web that is not indexed by search engines. When most people think of the Dark Web, they immediately think of trade in drugs and pornography. While those are indeed the predominant commodities in a space built for illicit commerce and trade, the Dark Web offers other things too, including:

  • Hacking for Hire (along with resumes of prior conquests and targets)
  • General and Specific Cyber Exploits for Sale (malware aimed at particular tech targets, businesses or industries)
  • Vulnerabilities for Sale (hacked accounts, back-doors and many more)
  • Stolen Intellectual Property, Designs and Counterfeits (everything from stolen electronics designs to shoes to fake pharmaceuticals)
  • Spam and Phishing Campaigns for Hire (Twitter targeting, malvertising and more)
  • Doxxing and Investigation for Hire (Is your competition snooping on you?)
  • Hacktivist (and other) Targeting Forums (Who’s about to get hit with a DDOS? The Dark Web is very good for gossip.)
  • Insider Threat for Hire (Who’s got a grudge for sale against whom?)

In other words, the Dark Web can be thought of as a small pond rich with prized game fish for an organization trying to bolster its defenses. Start monitoring activities on Dark Web sites. Find out what may have been stolen or used against you and improve your overall security posture to close the infiltration hole.

When you go looking, the data found in the Dark Web is almost always highly relevant to you and your business. Because you (presumably) know you, your employees, your products, your customers, your IT, your supply chain, you have all the information you need to begin filtering through Dark Web data looking for things that really matter.

And the things you find do matter, quite a lot. 

Thousands of Dark Web index sites exist on the open web and, once you’re in, you’ll find thousands more. Because most of the sites are set up to do illicit e-commerce the black market way, they’re pretty easy to find and use. After searching, you’ll soon find information that can have significant impacts on your business concerns: your finances, of course, but other areas too, like your brand and reputation, customer loyalty, lifeblood intellectual property, product development, legal defenses, sales, software and hardware baselines, cybersecurity strategy and acquisition, and a litany of other very important (not just cyber) concerns.

If there is a silver lining in all of this, it’s that most businesses already have all the tools on hand for starting a low-cost, high-return Dark Web intelligence operation within their own existing IT and cybersecurity teams. I have personally been part of Dark Web data mining operations that were set up, implemented and productive in just a day’s time.

Setting up your own Dark Web mining environment using Tor, with private browsing on air-gapped terminals via sequestered virtual machine (VM) clusters, is something that’s already well understood among the cybersecurity professionals on your team. When you pair them with the security analysts and intelligence personnel you’re hiring to staff up your cyber intelligence initiatives, it becomes something you can start almost in complete logistic (and fiscal) parallel with these other efforts.

Further, once you’re up and running, collecting and storing this information in a standard way -- the same way you do other cyber event, incident and alert data  -- means it’s possible to begin creating a long-term data repository that can be mined and analyzed to perform forensics, predictive analysis, root-cause analysis, and other analytic activities that help you get better organized in your other, more traditional cyber defense operations. Those who don’t are losing out.
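As an added example (not code from the article or from Musubu.io), here is the filtering step the author describes, matching collected postings against what you already know about your own organization, feeding records shaped like any other event or alert data so they can go into the same long-term repository. The watchlist, category hints and sample postings are all constructed placeholders, not real data.

```python
from datetime import datetime, timezone
WATCHLIST = {  # hypothetical: the things the article says you already know about yourself
    "domain": ["example-corp.com"],
    "brand": ["ExampleCorp", "WidgetPro"],
}

CATEGORY_HINTS = {  # constructed keyword hints for the offering types the article lists
    "credential-sale": ("logins", "accounts", "hacked"),
    "ip-theft": ("schematics", "designs", "source code"),
    "targeting": ("ddos", "hit list", "dox"),
}

SAMPLE_POSTS = [  # constructed stand-ins for collector output; not real postings
    {"source": "market-a", "seen": "2015-06-20T09:12:00Z",
     "text": "selling 2k fresh logins @example-corp.com, valid, cheap"},
    {"source": "forum-b", "seen": "2015-06-21T22:40:00Z",
     "text": "who wants to ddos somebigbank.example next friday"},
    {"source": "paste-c", "seen": "2015-06-22T03:05:00Z",
     "text": "WidgetPro firmware schematics leaked, DM for full dump"},
]


def find_hits(text, watchlist):
    """Return (kind, value) pairs for every watchlist entry named in the text."""
    lowered = text.lower()
    return [(kind, value) for kind, values in watchlist.items()
            for value in values if value.lower() in lowered]


def categorize(text):
    """Map a posting to one of the article's offering types, or 'uncategorized'."""
    lowered = text.lower()
    for category, hints in CATEGORY_HINTS.items():
        if any(hint in lowered for hint in hints):
            return category
    return "uncategorized"


def normalize(post, watchlist):
    """One record shaped like other event/alert data, or None if nothing of yours is named."""
    hits = find_hits(post["text"], watchlist)
    if not hits:
        return None
    seen = datetime.strptime(post["seen"], "%Y-%m-%dT%H:%M:%SZ")
    return {"observed_at": seen.replace(tzinfo=timezone.utc).isoformat(),
            "source": post["source"], "category": categorize(post["text"]),
            "matched": hits, "excerpt": post["text"][:120]}


def triage(posts, watchlist):
    """Drop the noise the article warns about: keep only records naming your assets."""
    records = filter(None, (normalize(p, watchlist) for p in posts))
    return sorted(records, key=lambda r: r["observed_at"])
```

The second sample post is discarded because it names nobody on the watchlist; the fixed field set (observed_at, source, category, matched, excerpt) is what lets these records sit beside ordinary incident and alert data for later root-cause or trend analysis.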

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ...

Comments

Joe Stanganelli, 6/30/2015 | 11:45:43 PM
Bromide
As the saying goes, "Keep your friends close and your enemies closer."

Of course, even air gaps aren't foolproof... There was that instance of the malware that found its way onto a space station via a Flash drive.