6/23/2015 10:30 AM
Jason Polancich
Commentary

The Dark Web: An Untapped Source For Threat Intelligence

Most organizations already have the tools for starting a low-cost, high-return Dark Web cyber intelligence program within their existing IT and cybersecurity teams. Here's how.

Blind spots are everywhere in cybersecurity. To make it worse, the threats are increasing in both form and frequency and it’s a daily struggle to defend against threats you can’t see coming. From traditional malware infections and active network attacks to new kinds of social engineering spear-phishing and novel hardware exploits, attack vectors evolve right along with your company’s risk surfaces. You evolve, they evolve – it’s a continuous cycle.

Finding information on these threats is a dynamic, moving target and there isn’t any one-stop source or service that gives you all you need to know. Worse, the details are full of irrelevant, noisy information, nearly impossible to decipher.

For most companies, shedding light on these areas of cyber defense is increasingly being accomplished by standing up expensive cyber intelligence initiatives such as threat intelligence (at varying low-to-high levels), risk intelligence and traditional human (HUMINT) activities. Companies are buying data, acquiring tools, and hiring pricey investigators and cyber analysts to build up their own miniature intelligence agencies. This is an expensive operation. Plus, both the field and approach is so immature in the private sector, it’s hard to know which activities will provide any real return on what is becoming a very significant investment even for individual parts of an "intelligence program."

Surprisingly, what is perhaps the "darkest" of the blind spots, the Dark Web, can be one of the easiest to overcome.

The Dark Web is tiny in comparison to the more familiar public Web and minuscule when compared to the larger Deep Web that is not indexed by search engines. When most people think of the Dark Web, they immediately think of trade in drugs and pornography. While those are indeed the predominant commodities in a space built for illicit commerce and trade, the Dark Web offers other things too, including:

  • Hacking for Hire (along with resumes of prior conquests and targets)
  • General and Specific Cyber Exploits for Sale (malware aimed at particular tech targets, businesses or industries)
  • Vulnerabilities for Sale (hacked accounts, back-doors and many more)
  • Stolen Intellectual Property, Designs and Counterfeits (everything from stolen electronics designs to shoes to fake pharmaceuticals)
  • Spam and Phishing Campaigns for Hire (Twitter targeting, malvertising and more)
  • Doxxing and Investigation for Hire (Is your competition snooping on you?)
  • Hacktivist (and other) Targeting Forums (Who’s about to get hit with a DDoS? The Dark Web is very good for gossip.)
  • Insider Threat for Hire (Who’s got a grudge for sale against whom?)

In other words, the Dark Web can be thought of as a small pond rich with prized game fish for an organization trying to bolster its defenses. Start monitoring activities on Dark Web sites. Find out what may have been stolen or used against you and improve your overall security posture to close the infiltration hole.

When you go looking, the data found in the Dark Web is almost always highly relevant to you and your business. Because you (presumably) know you, your employees, your products, your customers, your IT, your supply chain, you have all the information you need to begin filtering through Dark Web data looking for things that really matter.

And the things you find do matter, quite a lot. 

Thousands of Dark Web index sites exist on the open web and, once you’re in, you’ll find thousands more. Because most of the sites are set up to do illicit e-commerce the black market way, they’re pretty easy to find and use. After searching, you’ll soon find information that can have significant impacts on your business concerns: your finances, of course, but other areas too, like your brand and reputation, customer loyalty, lifeblood intellectual property, product development, legal defenses, sales, software and hardware baselines, cybersecurity strategy and acquisition, and a litany of other very important (not just cyber) concerns.

If there is a silver lining in all of this, it’s that most businesses already have all the tools on hand for starting a low-cost, high-return Dark Web intelligence operation within their own existing IT and cybersecurity teams. I have personally been part of Dark Web data mining operations that were set up, implemented and productive in just a day’s time.

Setting up your own Dark Web mining environment using Tor, with private browsing on air-gapped terminals via sequestered virtual machine (VM) clusters, is something that’s already well understood among the cybersecurity professionals on your team. When you pair them with the security analysts and intelligence personnel you’re hiring to staff up your cyber intelligence initiatives, it becomes something you can start almost completely in parallel, logistically and fiscally, with these other efforts.

Further, once you’re up and running, collecting and storing this information in a standard way -- the same way you do other cyber event, incident and alert data -- means it’s possible to begin creating a long-term data repository that can be mined and analyzed to perform forensics, predictive analysis, root-cause analysis, and other analytic activities that help you get better organized in your other, more traditional cyber defense operations. Those who don’t are losing out.
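The filtering and normalization the two preceding passages describe, as an added example that is not from the article or from SurfWatch Labs: constructed Dark Web listings are screened against an organization's own watchlist (brands, domains, products, suppliers; all names here are made up) and every hit is turned into a fixed-shape event record that can be stored beside other alert and incident data.

```python
"""Added example (not from the article): screen constructed Dark Web listings
against an organization's own watchlist and normalize hits into one record
shape, so they can be stored and mined alongside other security events."""
import re
from dataclasses import dataclass, asdict

# Constructed watchlist: things the organization already knows about itself.
# The category names are this example's own, not a standard taxonomy.
WATCHLIST = {
    "brand":    ["acme widgets", "acmewidgets"],
    "domain":   ["acme-widgets.example", "mail.acme-widgets.example"],
    "product":  ["widgetos 4.2"],
    "supplier": ["example logistics co"],
}

@dataclass
class DarkWebEvent:
    observed_at: str   # when the listing was collected (ISO 8601, UTC)
    source: str        # marketplace or forum the listing was seen on
    matches: dict      # watchlist category -> terms found in the listing
    score: int         # number of distinct watchlist terms matched
    excerpt: str       # first 80 chars of the listing, for the analyst

def _terms_present(text, terms):
    """Whole-term, case-insensitive matching; '(?<!\\w)' keeps 'acme' from hitting 'macme'."""
    low = text.lower()
    return [t for t in terms if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", low)]

def triage_listing(source, text, observed_at):
    """Return a DarkWebEvent if the listing mentions anything on the watchlist, else None."""
    matches = {cat: hits for cat, terms in WATCHLIST.items()
               if (hits := _terms_present(text, terms))}
    if not matches:
        return None
    return DarkWebEvent(observed_at, source, matches,
                        sum(len(h) for h in matches.values()), text[:80])

# Constructed sample listings; none of these is real.
SAMPLE_LISTINGS = [
    ("market-a", "Selling 12k creds dumped from mail.acme-widgets.example, fresh, escrow ok"),
    ("forum-b",  "Anyone have a working exploit for WidgetOS 4.2? paying well"),
    ("market-a", "Bulk counterfeit sneakers, DM for catalog"),
    ("forum-c",  "Example Logistics Co internal shipping portal access, 1 seat"),
]

def triage_all(listings=SAMPLE_LISTINGS, observed_at="2015-06-23T10:30:00+00:00"):
    """Screen every listing and return the relevant ones, highest score first."""
    events = [e for src, txt in listings if (e := triage_listing(src, txt, observed_at))]
    return sorted(events, key=lambda e: e.score, reverse=True)

if __name__ == "__main__":
    for ev in triage_all():
        print(asdict(ev))
```

The unrelated sneaker listing is dropped, while the credential dump scores highest because both the mail host and its parent domain are on the watchlist.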

Jason Polancich is founder and chief architect of SurfWatch Labs http://www.surfwatchlabs.com, a cyber risk intelligence firm. He has more than 20 years of experience as an intelligence analyst, software engineer, systems architect, and corporate executive. Jason is also ...
Comments
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:45:43 PM
Bromide
As the saying goes, "Keep your friends close and your enemies closer."

Of course, even air gaps aren't foolproof... There was that instance of the malware that found its way onto a space station via a Flash drive.