6/23/2015
Jason Polancich
Commentary
The Dark Web: An Untapped Source For Threat Intelligence

Most organizations already have the tools for starting a low-cost, high-return Dark Web cyber intelligence program within their existing IT and cybersecurity teams. Here's how.

Blind spots are everywhere in cybersecurity. To make it worse, the threats are increasing in both form and frequency and it’s a daily struggle to defend against threats you can’t see coming. From traditional malware infections and active network attacks to new kinds of social engineering spear-phishing and novel hardware exploits, attack vectors evolve right along with your company’s risk surfaces. You evolve, they evolve – it’s a continuous cycle.

Finding information on these threats is a dynamic, moving target and there isn’t any one-stop source or service that gives you all you need to know. Worse, the details are full of irrelevant, noisy information, nearly impossible to decipher.

For most companies, shedding light on these areas of cyber defense is increasingly being accomplished by standing up expensive cyber intelligence initiatives such as threat intelligence (at varying low-to-high levels), risk intelligence, and traditional human intelligence (HUMINT) activities. Companies are buying data, acquiring tools, and hiring pricey investigators and cyber analysts to build up their own miniature intelligence agencies. This is an expensive operation. Plus, both the field and the approach are so immature in the private sector that it’s hard to know which activities will provide any real return on what is becoming a very significant investment, even for individual parts of an "intelligence program."

Surprisingly, what is perhaps the "darkest" of the blind spots, the Dark Web, can be one of the easiest to overcome.

The Dark Web is veritably tiny in comparison to the more familiar public Web and minuscule when compared to the larger Deep Web that is not indexed by search engines. When most people think of the Dark Web, they immediately think of trade in drugs and pornography. While those are indeed the predominant commodities in a space built for illicit commerce and trade, the Dark Web offers other things too, including:

  • Hacking for Hire (along with resumes of prior conquests and targets)
  • General and Specific Cyber Exploits for Sale (malware aimed at particular tech targets, businesses or industries)
  • Vulnerabilities for Sale (hacked accounts, back-doors and many more)
  • Stolen Intellectual Property, Designs and Counterfeits (everything from stolen electronics designs to shoes to fake pharmaceuticals)
  • Spam and Phishing Campaigns for Hire (Twitter targeting, malvertising and more)
  • Doxxing and Investigation for Hire (Is your competition snooping on you?)
  • Hacktivist (and other) Targeting Forums (Who’s about to get hit with a DDoS? The Dark Web is very good for gossip.)
  • Insider Threat for Hire (Who’s got a grudge for sale against whom?)

In other words, the Dark Web can be thought of as a small pond rich with prized game fish for an organization trying to bolster its defenses. Start monitoring activities on Dark Web sites. Find out what may have been stolen or used against you and improve your overall security posture to close the infiltration hole.

When you go looking, the data found in the Dark Web is almost always highly relevant to you and your business. Because you (presumably) know you, your employees, your products, your customers, your IT, your supply chain, you have all the information you need to begin filtering through Dark Web data looking for things that really matter.

And the things you find do matter, quite a lot. 

Thousands of Dark Web index sites exist on the open web and, once you’re in, you’ll find thousands more. Because most of the sites are set up to do illicit e-commerce the black market way, they’re pretty easy to find and use. After searching, you’ll soon find information that can have significant impacts on your business concerns: your finances, of course, but other areas too, like your brand and reputation, customer loyalty, lifeblood intellectual property, product development, legal defenses, sales, software and hardware baselines, cybersecurity strategy and acquisition, and a litany of other very important (not just cyber) concerns.

If there is a silver lining in all of this, it’s that most businesses already have all the tools on hand for starting a low-cost, high-return Dark Web intelligence operation within their own existing IT and cybersecurity teams. I have personally been part of Dark Web data mining operations that were set up, implemented, and productive in just a day’s time.

Setting up your own Dark Web mining environment using Tor, with private browsing on air-gapped terminals via sequestered virtual machine (VM) clusters, is something that’s already well understood among the cybersecurity professionals on your team. When you pair them with the security analysts and intelligence personnel you’re hiring to staff up your cyber intelligence initiatives, it becomes something you can start almost completely in logistic (and fiscal) parallel with these other efforts.

Further, once you’re up and running, collecting and storing this information in a standard way (the same way you do other cyber event, incident, and alert data) means it’s possible to begin creating a long-term data repository that can be mined and analyzed to perform forensics, predictive analysis, root-cause analysis, and other analytic activities that help you get better organized in your other, more traditional cyber defense operations. Those who don’t are losing out.
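The two practical steps the article describes, filtering collected Dark Web data against what you already know about your own organization, and storing hits in the same standard shape as your other event and alert data, can be shown together in one small script. The example below is added here and is not code from the article or from SurfWatch Labs; the listing records, the watchlist terms and the record schema are all constructed for illustration, and the severity rule is a hypothetical heuristic, not the author's.

```python
"""Match constructed Dark Web listing records against an organization's own
watchlist and normalize each hit into a standard event record for storage.
Added example; the listings, watchlist and schema are constructed, not real."""
import hashlib
import json
import re
from typing import Dict, List

# Constructed sample listings, shaped like what a scraper of a market or forum
# might emit. None of these refer to real sites, sellers or organizations.
SAMPLE_LISTINGS = [
    {"source": "market-a", "title": "Fresh corp email combo list",
     "body": "50k logins incl. @example-corp.com accounts, verified",
     "seen": "2015-06-20T10:00:00Z"},
    {"source": "forum-b", "title": "Looking for insider at Example Corp payroll",
     "body": "paying well, need badge access",
     "seen": "2015-06-21T14:30:00Z"},
    {"source": "market-a", "title": "Bulk sneaker replicas",
     "body": "any size, fast ship",
     "seen": "2015-06-21T16:05:00Z"},
    {"source": "paste-c", "title": "AcmeWidget Pro firmware dump",
     "body": "v2.1 internal build, contact me",
     "seen": "2015-06-22T08:12:00Z"},
]

# Hypothetical watchlist built from what the organization already knows about
# itself: its mail domain, brand names and product names. Order matters only
# for the order of matched terms in the output record.
WATCHLIST: Dict[str, List[str]] = {
    "email_domain": ["example-corp.com"],
    "brand": ["Example Corp", "AcmeWidget"],
    "product": ["AcmeWidget Pro"],
}

# Categories that indicate stolen credentials or leaked product material get
# the higher severity; a bare brand mention is treated as medium. Heuristic only.
HIGH_SEVERITY_CATEGORIES = {"email_domain", "product"}


def match_listing(listing: dict, watchlist: Dict[str, List[str]]) -> List[dict]:
    """Return every watchlist term found in the listing's title or body.
    Matching is case-insensitive and requires the term to stand on its own
    (not embedded in a longer word), which cuts down on noisy partial hits."""
    text = f"{listing.get('title', '')} {listing.get('body', '')}"
    hits = []
    for category, terms in watchlist.items():
        for term in terms:
            pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
            if re.search(pattern, text, re.IGNORECASE):
                hits.append({"category": category, "term": term})
    return hits


def normalize(listing: dict, hits: List[dict]) -> dict:
    """Build a standard event record so Dark Web hits can live in the same
    repository as other alert data. The id is a stable digest of the source,
    title and sighting time, so re-collecting the same listing deduplicates."""
    raw_key = f"{listing['source']}|{listing['title']}|{listing['seen']}"
    categories = {h["category"] for h in hits}
    severity = "high" if categories & HIGH_SEVERITY_CATEGORIES else "medium"
    return {
        "id": hashlib.sha256(raw_key.encode("utf-8")).hexdigest()[:16],
        "event_type": "dark_web_listing",
        "observed_at": listing["seen"],
        "source": listing["source"],
        "title": listing["title"],
        "matched_terms": hits,
        "severity": severity,
    }


def process_listings(listings: List[dict], watchlist: Dict[str, List[str]]) -> List[dict]:
    """Filter listings to those that matter to this organization and return
    them as normalized records, in the order they were collected."""
    records = []
    for listing in listings:
        hits = match_listing(listing, watchlist)
        if hits:
            records.append(normalize(listing, hits))
    return records


def to_jsonl(records: List[dict]) -> str:
    """Serialize records one per line, a common append-only storage format."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    print(to_jsonl(process_listings(SAMPLE_LISTINGS, WATCHLIST)))
```

Of the four constructed listings, three match the watchlist and the sneaker listing is discarded as noise; the credential list and the firmware dump come out as high severity and the insider solicitation as medium, each with the terms that triggered it. Feeding the JSON lines into the same store as your other alert data is what makes the later forensic and root-cause analysis the article mentions possible.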

Jason Polancich is founder and chief architect of SurfWatch Labs http://www.surfwatchlabs.com, a cyber risk intelligence firm. He has more than 20 years of experience as an intelligence analyst, software engineer, systems architect, and corporate executive. Jason is also ...

Comments

Joe Stanganelli, User Rank: Ninja, 6/30/2015 11:45:43 PM
Bromide
As the saying goes, "Keep your friends close and your enemies closer."

Of course, even air gaps aren't foolproof... There was that instance of the malware that found its way onto a space station via a Flash drive.