Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/29/2016
01:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Decrypting The Dark Web: Patterns Inside Hacker Forum Activity

Data analysis to be presented at Black Hat Europe highlights trends in communication between bad actors who gather in underground forums across the Dark Web.

Data analysis can be used to expose patterns in cybercriminal communication and to detect illicit behavior in the Dark Web, says Christopher Ahlberg, co-founder and CEO at threat intelligence firm Recorded Future.

Ahlberg in November at Black Hat Europe 2016 in London will discuss how security pros can discover these patterns in forum and hacker behavior using techniques like natural language processing, temporal pattern analysis, and social network analysis.

Most companies conducting threat intelligence employ experts who navigate the Dark Web and untangle threats, he explains. However, it's possible to perform data analysis without requiring workers to analyze individual messages and posts.

Recorded Future has 500-700 servers it uses to collect data from about 800 forums across the Dark Web. Forums are organized by geography, language, and sectors like carding, hacking, and reverse engineering.

'Pattern Of Life'

Ahlberg describes the process of chasing bad actors as "pattern of life analysis." This involves tracking an individual, or class of individuals, to paint a picture of their activity and develop a profile on their behavior. 

Over the last six months, he has spearheaded research to analyze more than three years of forum posts from surface and deep web. Forums have originated in the US, Russia, Ukraine, China, Iran, and Palestine/Gaza, among other locations.

The research unveiled a series of cybercriminal behavioral patterns. These can be used to discover illicit behavior, create points for further branches of research, and figure out how hackers are focusing on different tech and vulnerabilities.

Recorded Future built a methodology for analysts to track user actors' handles as people jump across and within forums, he explains. Discovering patterns starts with attribution, or putting together a profile for one person. 

The problem is, bad actors often switch between handles to conceal their activity.

"Nobody puts in their real name," he continues. "The issue is, you might track someone and find half of what they're doing is on one handle, and the other half is on a different handle."

He addresses this complication through a process called mathematical clustering. By observing handle activity over time, researchers can determine if two handles belong to the same person without running into many complications.

Temporal patterns exemplify one trend Ahlberg has taken from his observations of hacker activity.

"Overall, hacker forums have lower activity on Saturday and Sunday, and peak on Tuesday and Thursday," he says. The times at which criminals are most active can shed some light on their lives and areas of focus. Some forums have a drop in activity around mid-day, a sign that participants could be full-time workers taking a lunch break. 

It's also interesting to watch how forum activity relates to industry news. "By looking at forums and how they react to outside events, we can learn more about what they're interested in," Ahlberg says, calling the process "smoking out rats with external events."

For example, a spike in Wednesday activity could be a sign the forum is reacting to patches and vulnerabilities published by Microsoft and Adobe a day prior. Patch Tuesday, he says, could be driving "Exploit Wednesday." 

Ahlberg plans to share more of these trends, and the techniques he used to uncover them, during this year's Black Hat Europe session entitled "Chasing Foxes by the Numbers: Patterns of Life and Activity in Hacker Forums."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
JoeLevySophos
50%
50%
JoeLevySophos,
User Rank: Author
10/13/2016 | 12:18:32 AM
Forcing evolution
And now it's just a matter of time before forum extensions emerge to randomize post times, and to auto-transform posts from language1->language2->language3->language1 through translation APIs.
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27254
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of NETGEAR R7800. Authentication is not required to exploit this vulnerability. The specific flaw exists within the apply_save.cgi endpoint. This issue results from the use of hard-coded encrypti...
CVE-2021-27255
PUBLISHED: 2021-03-05
This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the refresh_status.aspx endpoint. The issue results from a lack of...
CVE-2021-27256
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists wit...
CVE-2021-27257
PUBLISHED: 2021-03-05
This vulnerability allows network-adjacent attackers to compromise the integrity of downloaded information on affected installations of NETGEAR R7800 firmware version 1.0.2.76. Authentication is not required to exploit this vulnerability. The specific flaw exists within the downloading of files via...
CVE-2021-26705
PUBLISHED: 2021-03-05
An issue was discovered in SquareBox CatDV Server through 9.2. An attacker can invoke sensitive RMI methods such as getConnections without authentication, the results of which can be used to generate valid authentication tokens. These tokens can then be used to invoke administrative tasks within the...