Using the dark web for threat intelligence

“Let’s imagine a nondescript entrance to a bar in a dark alley. A place which you will not find in the yellow pages. If you know the secret knock and password, they’ll let you in. Otherwise, good luck next time.”

No, it’s not from a noir movie, though it does read like it should be accompanied by rain, the blues, and Humphrey Bogart pouring himself a whiskey. The quote’s actually from Recorded Future’s Director of Advanced Collection, Andrei Barysevich, in a white paper on using the dark web for threat intelligence.

The primary points the white paper covers are:

  • Who knows the knock? Are the people you rub shoulders with in this cyber-speakeasy really state-sponsored spies and the criminal elite? According to the report (and common sense) – no. The vast majority will be script kiddies and part-timers looking to make some pocket money or avoid paying for Spotify.
  • What is the dark web? Not being in the yellow pages doesn’t mean you’re in the mob. Most non-indexed pages are entirely legitimate, such as articles behind a paywall, or databases. What’s the difference, in real terms, between the surface web, the deep web, and the dark web?
  • What goes on on the dark web? The report features extracts from several dark web forum posts, with user “tony.stark” playing a prominent role in these (presumably the Iron Man thing didn’t work out). These give an interesting insight into the methods and targets discussed – a common topic of discussion is collaboration on fake login pages for banking sites, including Bank of Montreal and Bank of Nova Scotia, to be used in phishing scams.
  • Vulnerability management: Insights on the timeline of vulnerability disclosure, from its first discovery to the stages of the researcher vs. hacker race to patch or exploit it. The analysis includes details on the timeline of CVE-2017-8759 (a Microsoft vulnerability exploited to deliver ‘Finspy’ malware, and used in association with phishing emails claiming to be from an Argentine government agency), and CVE-2017-5638 (an Apache Struts vulnerability used in the Equifax breach).
  • Finding insider threats: Another common ‘service’ advertised on the dark web is connecting hackers with insider contacts. The report gives examples of users claiming to have malicious insiders at companies such as Western Union, Xoom and Tesco Bank. Many others do not name specific organisations, but keywords such as ‘UK bank’ can still be tracked to detect risks.
  • Potential barriers: Though the examples of threat intelligence discussed in the report are undeniably useful if found in time to prevent an attack, that’s easier said than done. The dark web is vast, and manually monitoring for relevant information is unlikely to yield results worth the time spent. The report also points out that language barriers may be an issue, making it more difficult to identify potential threats.
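
An added example (not from the white paper or from Recorded Future's own tooling) of the keyword-tracking idea in the insider-threat item above: a small Python scanner that normalises constructed forum-post text and flags mentions of a watchlist of named organisations or of generic phrases such as 'UK bank'. The organisation names and phrases come from the list above; the sample posts and the priority scheme are constructed for illustration.

```python
import re
from typing import Dict, List

# Watchlists built from the examples the report names (the generic phrases are constructed).
NAMED_ORGS = ["Western Union", "Xoom", "Tesco Bank"]
GENERIC_KEYWORDS = ["UK bank", "insider", "bank employee"]

# Constructed sample posts imitating the kind of advertisement the report describes.
SAMPLE_POSTS = [
    "Have a contact inside TESCO  bank, can check accounts, pm me",
    "Looking for insider at uk-bank, good payment",
    "Selling old gaming accounts cheap",
]


def normalize(text: str) -> str:
    """Lower-case, turn punctuation into spaces and collapse whitespace,
    so that 'TESCO  bank' and 'uk-bank' line up with the watchlist entries."""
    text = re.sub(r"[^a-z0-9]+", " ", text.lower())
    return " ".join(text.split())


def scan_post(post: str) -> Dict[str, List[str]]:
    """Return watchlist hits for one post, split into named organisations and
    generic phrases. Word boundaries keep 'inside' from matching 'insider';
    hits are triage leads for an analyst, not verdicts."""
    norm = normalize(post)
    hits: Dict[str, List[str]] = {"named_org": [], "generic": []}
    for org in NAMED_ORGS:
        if re.search(r"\b" + re.escape(normalize(org)) + r"\b", norm):
            hits["named_org"].append(org)
    for kw in GENERIC_KEYWORDS:
        if re.search(r"\b" + re.escape(normalize(kw)) + r"\b", norm):
            hits["generic"].append(kw)
    return hits


def triage(posts: List[str]) -> List[dict]:
    """Keep only posts with at least one hit; a named organisation ranks above
    a generic phrase, mirroring the report's point that unnamed targets can
    still be tracked by keyword but deserve a second look before escalation."""
    flagged = []
    for post in posts:
        hits = scan_post(post)
        if hits["named_org"] or hits["generic"]:
            priority = "high" if hits["named_org"] else "medium"
            flagged.append({"post": post, "priority": priority, **hits})
    return flagged
```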

The report concludes that “the most valuable insights can come by combining information across references from the surface and deep web, including technical feeds and indicators”, but that doing this manually is “next to impossible”.

Researcher, writer, recovering medievalist. Currently particularly interested in the cybersecurity solutions market, cyber insurance/risk modelling, and IoT security.
