In 2017, before the illicit darknet marketplace AlphaBay was taken down, it had over 100,000 listings, which included malware, hacking tools, and stolen identity documents. Unfortunately, the takedown of AlphaBay did not stop cybercrime. Instead, it just opened a gap in a very buoyant marketplace.
The darknet holds a deep pool of stolen data, threat plots, and the tools of cybercrime. This forms a well of intelligence that we can apply to our own threat prevention needs. But, this most hidden part of the wider Internet needs the right tools to explore its murky depths.
In our previous article about the darknet, we described what it is and how stolen data ends up there. Personal data, including health information, ID documents, and login credentials, in their multiple millions, are up for sale to cybercriminals. Once purchased, they are used to carry out fraud and other cybercriminal activity.
But the war is not lost. This article will move into the realms of how darknet intelligence can help us in the war on cybercrime by letting us peer into the hidden depths of the darknet.
Francis Bacon is credited with saying that “Knowledge is Power”.
If you understand something well enough, you can create actionable insights using that knowledge. Darknet intelligence works in the same way.
What we know is that the darknet contains difficult-to-locate hacker websites and tools which are the basis of cybersecurity threats. To understand how to counter these cyber-threats, we need to develop intelligence about the details of those threats.
Before we start looking at how that intelligence is gathered, let’s look first at what sort of things we are looking for.
The darknet is the platform for pretty much any criminal activity you can think of.
A recent case where a contract killer was hired via a darknet site is an example of the things we often think of when we talk of the darknet. However, the darknet also hosts various items more related to cybercriminal than traditional criminal activity.
You don’t need to be able to write software code any longer to become a hacker.
Malware-as-a-Service and other cybercrime tools, like phishing and exploit kits, are available to buy on the darknet from as little as a few dollars for a keylogger or a phishing page. In its report “Under the Hood of Cybercrime”, Cisco states that “Malware-as-a-Service offered on the darknet, vastly increases the number of individual threats”.
Data, including personal, health and financial data, is available for sale on the darknet. According to a recent study, darknet bank data sales were up 135% in 2018.
The darknet is a place for selling exploits and particularly the lucrative ‘zero-day’ exploits. These can then be used to create malware to exploit the vulnerability.
However, exploits for sale via the darknet may be declining. Recent research shows this may be due to legitimate security companies offering bug bounty programs. These programs offer financial rewards to anyone discovering a security flaw in a product.
Kaspersky has found that cybercriminals are reaping rewards of up to 95% profit by selling DDoS-as-a-service. Cybercriminals offer a sophisticated pricing plan for customers wanting to attack websites. Cheap and dangerous darknet botnets, for sale from $20, can cause havoc.
The darknet is where cybercriminals come together to share details that make their jobs easier. It is where the deeds and tools of the cybercriminal can be openly exchanged.
Now that we know the type of information and tools behind darknet-initiated cyber threats, we can begin to formulate a plan to detect threats and prevent incidents.
The darknet is a treasure trove of information that can help us in threat mitigation. How you do a deep dive into the deep well of darknet activity is another matter. Basically, there are two main ways you can capture darknet intelligence - manually or using an automated service.
Security analysts can spend time building up a knowledge base around darknet-based threats. However, there are key issues with this approach:
The alternative to using valuable security analyst time to trawl through darknet data is to apply an automated approach.
Fortunately for security analysts, there are darknet intelligence gathering tools that do the job of mining the darknet. These tools generally work by performing a crawl of darknet sites, including hacker forums. The crawl is usually filtered to find certain keywords or phrases, for example a company name or URL. This data is then analyzed and output to generate actionable alerts, so that the security analyst can then make a decision about how to deal with the threat.
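The filter-and-alert stage described above can be sketched as follows. This is an added example, not code from any vendor or tool named in this article; the watchlist terms, context categories, document fields and sample posts are all constructed assumptions, and the crawl itself is taken as already done.

```python
import re
from dataclasses import dataclass

# Hypothetical watchlist: the organization's own name and domain would go here.
WATCHLIST = {
    "company": re.compile(r"\bexample\s*corp\b", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)*example\.com\b", re.I),
}
# Context terms (assumed) that raise priority when they accompany a watchlist hit.
CONTEXT = {
    "credentials": re.compile(r"\b(?:combo\s*list|passwords?|logins?|dump)\b", re.I),
    "exploit": re.compile(r"\b(?:exploit|0day|zero-day|rce)\b", re.I),
    "ddos": re.compile(r"\b(?:ddos|booter|stresser)\b", re.I),
}

@dataclass
class Alert:
    doc_id: str
    source: str
    matched: list   # watchlist entries found in the text
    context: list   # threat categories found alongside them
    priority: str

def triage(documents):
    """Filter already-collected documents and return alerts, high priority first."""
    alerts = []
    for doc in documents:
        text = doc["text"]
        matched = sorted(k for k, rx in WATCHLIST.items() if rx.search(text))
        if not matched:
            continue  # no mention of the organization: nothing to alert on
        context = sorted(k for k, rx in CONTEXT.items() if rx.search(text))
        priority = "high" if context else "low"
        alerts.append(Alert(doc["id"], doc["source"], matched, context, priority))
    # False sorts before True, so "high" alerts come first, then by document id.
    return sorted(alerts, key=lambda a: (a.priority != "high", a.doc_id))

# Constructed sample of crawler output (not real posts).
SAMPLE = [
    {"id": "d1", "source": "forum", "text": "Selling fresh combo list, 40k logins @example.com"},
    {"id": "d2", "source": "paste", "text": "Anyone know a good VPN?"},
    {"id": "d3", "source": "forum", "text": "Example Corp is hiring again lol"},
    {"id": "d4", "source": "irc", "text": "looking for RCE exploit against vpn.example.com"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(a.priority, a.doc_id, a.source, a.matched, a.context)
```

A bare company mention with no threat context is kept as a low-priority alert rather than dropped, so the analyst still sees the organization's full footprint.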
Some automation suites will look at the types of tools and data being sold. A 2018 study by 4IQ found a total of over 3 billion breached identity records on the darknet in 2017. They also found that exposed Personally Identifiable Information (PII) available on the darknet had increased by 69%.
One very interesting approach is offered by darknet intelligence specialist firm, DarkOwl. The company provides a suite of automation tools that continually monitor the darknet. They focus their intelligence on the footprint of a given company on the darknet: this includes company mentions in hacking forums, exploits, leaked data, and so on.
DarkOwl provides the world’s largest commercially-available database of DARKINT™ (darknet, deep web and high-risk surface websites) content and the tools and services to efficiently find leaked or otherwise compromised sensitive data on the darknet.
This intelligence is crystallized in the form of the DarkINT Score. The score reflects data from up to 20 million darknet sites and gives an organization an at-a-glance view of how vulnerable they are to darknet initiated attacks.
Example of DarkOwl's DARKINT Score
Hitachi Systems Security has recently partnered with the firm and will now use DarkOwl’s darknet intelligence services. The objective of this partnership is to leverage darknet intelligence to augment Hitachi Systems Security’s managed security service offering and empower organizations to continually improve their cybersecurity defenses against threats, breaches and intrusions.
By embedding darknet intelligence into its managed security service offering, Hitachi Systems Security will be able to gather critical and timely intelligence from darknet sites, such as Tor, I2P, IRC, ZeroNet, insecure FTP sites and Pastebin, as well as from authenticated forums. The new darknet intelligence capability will be available for integration to all managed security service customers across all sizes, geographies and verticals.
The darknet is a treasure trove of cybersecurity data.
Applying automation to the collection of meaningful data means we can ‘listen in’ on cybercriminals and their plans. The data generated by these tools builds up our levels of cybersecurity intelligence which can be used to help mitigate threats to our organization.
This data, in turn, can help form our security policies and threat prevention measures. Using the darknet as a tool in its own right is a way to counterbalance cyber-threats; darknet intelligence allows an organization to level the playing field and play cybercriminals at their own game - giving ourselves a chance in a war that is complex.