About a year ago, a ransomware attack locked up municipal systems for a small Arizona town, leaving the community with services unavailable for over a month, a steep incident response bill, and citizens concerned that their sensitive information had been compromised. Weeks before news of the breach became public, access to the city’s VPN portal was being offered for sale on a popular Russian-language hacker forum. The warning signs were there, and someone monitoring access brokers could plausibly have connected the dots and raised an alarm before it was too late.
Ransomware attacks like this one rarely unfold in isolation. Every high-profile breach leaves a trail of breadcrumbs that reveals how the attack unfolded, and when. The role of access brokers is one of the key pieces of that puzzle.
Why Access Brokers Are Worth Monitoring
Access brokers often sit at the start of the eCrime value chain. They are intermediaries who specialize in gaining access to victims' networks and selling that access on. Their merchandise, typically working credentials or an established foothold such as VPN or RDP access, is advertised to other cybercriminals on underground forums and dark web marketplaces.
Understanding which forums and underground marketplaces access brokers use to advertise their goods, and what to look for there, is key to staying ahead of ransomware attacks. Genesis, Russian Market and Exploit Market are a few known venues where access brokers advertise. A typical post lists attributes of the victim rather than its name: location, industry vertical, details of the IT infrastructure and the type of access obtained, number of employees, revenue, and the access broker’s alias.
This handoff, with access brokers laying the groundwork and selling the foothold to malware operators, has accelerated cyberattacks. Individual attack components are now monetized more quickly, and the barriers for criminal actors to join the underground forums where they are sold have dropped substantially.
The prices that different access types command vary with the victim's willingness to negotiate and with the potential impact of the breach. For example, based on our internal Falcon X Recon threat intelligence, a business financial account with email credentials starts at $1,200 USD, whereas IT infrastructure admin access starts at $20,000 USD.
Setting up a repeatable, well-tuned process for monitoring access brokers gives enterprises and government agencies relevant warning of impending attacks, or of access that is already being exploited.
Five Steps in an Optimized Monitoring Strategy
An optimized monitoring strategy rests on a foundation of threat intelligence about who the access brokers are and where they operate. Security defenders can patrol the dark web access broker network by following five iterative steps:
- Knowing your assets
- Identifying the bad actors
- Figuring out known markets
- Writing alerts to trawl these markets for clues
- Assigning team members to follow up on legitimate warnings
Here are some starting points for each step:
Step 1: Start by identifying what to protect. List your digital assets and their identifying characteristics: domain names, IP subnets, location details, ISP, vertical, employee count, revenue band, exposed identities, and anything else that would let a broker's post be matched to your infrastructure even when it does not name you.
Step 2: Identify the access brokers that might target your industry sector or assets. Learn the aliases under which they operate and what kinds of access they usually sell. Established vendors in this space can provide a starting point for these investigations.
Step 3: Make a laundry list of the dark web forums and markets you will need to monitor. Learn which malware tools are most used to harvest access data; knowing product names like the “redline” or “mystery” stealers helps you build the right funnels for the monitoring process.
Step 4: Threat intelligence is key to prioritizing alerts and placing them in context. Codify what you learned in Steps 1 through 3 as rules and create alerts from them. Funnel the alerts into an easily visualized format that lets you sift through large volumes and focus on the most relevant ones.
Step 5: Assign responsibilities. Intelligence teams, identity and access managers, vulnerability risk managers, SOC analysts and incident responders can use the generated alerts to remediate exposure of the specific assets named in a post, prioritize related incidents and fuel investigations. These team members can also refine the keywords over time, so the process becomes more focused and keeps pace with a changing access broker ecosystem.
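To make Steps 1 through 5 concrete, here is an added, illustrative Python example that is not CrowdStrike code and not part of the Falcon X Recon product. It encodes an asset profile (Step 1), a watch list of access and stealer terms (Step 3), a parser for the loose "Key: value" layout such posts tend to use, and a scoring rule that turns a post's victim attributes into a ranked alert (Steps 4 and 5). The organization, the domain, the IP range, the sample posts, the field names and the weights are all constructed assumptions; real posts vary in layout and language, which is why the parser tolerates missing fields and forum slang such as "45kk".

```python
import re

# Added example (not CrowdStrike code). The profile, posts and weights are constructed.

ASSET_PROFILE = {
    # Step 1: identifiers of a hypothetical town; 203.0.113.0/24 is a documentation range.
    "domains": {"example-town.gov"},
    "ip_prefixes": ("203.0.113.",),
    "country_aliases": {"usa", "us", "united states"},
    "industry_terms": {"government", "municipal", "city", "public sector"},
    "employee_range": (200, 600),
    "revenue_range_usd": (20_000_000, 80_000_000),
    # Step 3: access types and stealer names worth watching for.
    "access_terms": {"vpn", "rdp", "citrix", "domain admin"},
    "stealer_terms": {"redline", "mystery"},
}

# Constructed sample posts in the attribute-list style brokers commonly use.
SAMPLE_POSTS = [
    """[SELL] VPN access to US government network
Country: USA
Industry: Government (city)
Revenue: $45M
Employees: 300+
Access: Cisco VPN, domain user
Price: 1500$ start""",
    """Selling RDP
Country: Brazil
Industry: Retail
Revenue: 2kk
Employees: 50
Access: RDP local admin""",
    """Logs from redline, example-town.gov in there
Country: USA
Access: Citrix + RDP
Employees: 350
Revenue: 45kk""",
]

_KEY_RE = re.compile(r"[a-z][a-z ]{0,19}")
_MONEY_RE = re.compile(
    r"\$?\s*(\d[\d,]*(?:\.\d+)?)\s*(million|billion|kk|mm|bn|k|m|b)?\b", re.I)
_MULT = {"k": 1_000, "kk": 1_000_000, "m": 1_000_000, "mm": 1_000_000,
         "million": 1_000_000, "b": 1_000_000_000, "bn": 1_000_000_000,
         "billion": 1_000_000_000}


def parse_money(text):
    """'$45M' -> 45000000, '2kk' -> 2000000 (forum slang for millions); None if absent."""
    m = _MONEY_RE.search(text or "")
    if not m:
        return None
    number = float(m.group(1).replace(",", ""))
    return int(number * _MULT.get((m.group(2) or "").lower(), 1))


def parse_int(text):
    """First integer in the text ('300+' -> 300); None if there is none."""
    m = re.search(r"\d[\d,]*", text or "")
    return int(m.group().replace(",", "")) if m else None


def parse_post(raw):
    """Return (lowercased full text, {field: value}) from the post's 'Key: value' lines."""
    text = raw.lower()
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and _KEY_RE.fullmatch(key):  # ignore URLs and free text containing ':'
            fields[key] = value.strip()
    return text, fields


def score_post(raw, profile=ASSET_PROFILE):
    """Score one post against the profile; returns (score, list of matched reasons)."""
    text, fields = parse_post(raw)
    score, reasons = 0, []
    # Hard indicators: our own identifiers appear in the post.
    for d in profile["domains"]:
        if d in text:
            score += 50; reasons.append(f"domain {d}")
    for p in profile["ip_prefixes"]:
        if p in text:
            score += 40; reasons.append(f"ip prefix {p}")
    # Soft indicators: the advertised victim looks like us.
    country = fields.get("country", "")
    if any(re.search(rf"\b{re.escape(a)}\b", country) for a in profile["country_aliases"]):
        score += 5; reasons.append(f"country {country}")
    industry = fields.get("industry", "")
    if any(t in industry for t in profile["industry_terms"]):
        score += 15; reasons.append(f"industry {industry}")
    employees = parse_int(fields.get("employees"))
    lo, hi = profile["employee_range"]
    if employees is not None and lo <= employees <= hi:
        score += 10; reasons.append(f"employees {employees}")
    revenue = parse_money(fields.get("revenue"))
    lo, hi = profile["revenue_range_usd"]
    if revenue is not None and lo <= revenue <= hi:
        score += 10; reasons.append(f"revenue {revenue}")
    # Watch-list terms from Step 3, checked against the whole post (titles matter too).
    access = sorted(t for t in profile["access_terms"] if t in text)
    if access:
        score += 5; reasons.append("access " + ", ".join(access))
    stealers = sorted(t for t in profile["stealer_terms"] if t in text)
    if stealers:
        score += 5; reasons.append("stealer " + ", ".join(stealers))
    return score, reasons


def triage(posts, profile=ASSET_PROFILE, threshold=30):
    """Steps 4-5 output: posts at or above the threshold, highest score first, with reasons."""
    alerts = []
    for i, raw in enumerate(posts):
        score, reasons = score_post(raw, profile)
        if score >= threshold:
            alerts.append({"post": i, "score": score, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for alert in triage(SAMPLE_POSTS):
        print(alert["score"], alert["reasons"])
```

The weights are deliberately lopsided: a post that names one of your domains or IP ranges should page someone on its own, while a post that merely resembles you on country, vertical, size and revenue only clears the threshold when several attributes line up. In practice the reasons list is what the Step 5 owners act on, and the threshold and term lists are what they tune as the false-positive rate becomes clear.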
A Promising Program
Monitoring access broker forums delivers information, but enterprises will still need comprehensive mitigation strategies. The method can be very noisy, with hundreds of individual posts to be monitored. Access broker posts often contain a mix of structured and unstructured data, which complicates parsing, and translation may be needed to monitor posts in other languages. These challenges may explain why fewer than a third of enterprises are monitoring access brokers. Our internal research presented at Fal.Con 2021 earlier this year indicates that most such programs are fewer than three years old.
Leaving warning signs from dark web forums unexplored is a mistake. Following the breadcrumbs that access brokers leave is a vital tool in the cybersecurity arsenal. Leaked access information means the fuse has been lit, but the explosion has not yet taken place. With a well-tuned monitoring strategy, security defenders can not only surface exposed assets and the threats to them, but also prioritize mitigation of access exploitation and blunt, if not completely prevent, ransomware intrusions.