What is Dark Web Threat Intelligence?
The dark web is a portion of the internet focused on privacy and anonymity, making it an ideal location for cybercriminals to share tools and information and offer their services for sale. This also makes dark web threat intelligence invaluable for companies as monitoring information posted on the dark web provides an uncensored view into the current cybercrime landscape and trends in cyberattacks.
Implementing a Dark Web Monitoring program allows organizations to integrate dark web intelligence into their cyber risk management process, enabling them to improve their security posture by taking advantage of relevant, timely, and actionable insights.
Finding Threats On The Dark Web
The dark web can be a valuable source of threat intelligence where analysts can learn about the ways that cyberattacks are performed, which attack tools are for sale and being purchased, and the success rates of current cybersecurity campaigns (based on the sales of stolen data). However, finding this intelligence and creating a complete picture of the threat landscape can be difficult and requires a thorough understanding of the dark web and how to conduct an investigation.
Threat Information to Look For
Cybercriminals use the dark web to exchange tools, share information, buy and sell data, and for other activities. This makes it a rich source of threat intelligence that organizations can use to predict, identify, and protect themselves against cyber threats. Some types of threat information that analysts can find on the dark web include:
- Vulnerabilities: Cybercriminals will commonly discuss software vulnerabilities, and proof of concept or exploit code may be discussed or available for sale on dark web marketplaces.
- Data Access: Data stolen as part of a cyberattack may be offered for sale or discussed in forums on the dark web.
- Exposed Credentials: User credentials exposed via data breaches, credential stuffing, and other attacks are frequently offered for sale in dark web marketplaces.
These and other types of information exposed on the dark web can enable analysts to assess both impact and probability of attacks, and then defend their organizations appropriately.
Scanning the Dark Web for Threat intelligence
The dark web can be a valuable source of threat intelligence, but useful data can be difficult to locate. The dark web’s focus on privacy and anonymity means that no directory of dark web sites exists, making it difficult to identify important sources of threat intelligence on the dark web.
A smart approach to dark web monitoring is to use a dark web monitoring service. These services have already performed the work of mapping out useful sections of the dark web and determining important sources of threat intelligence. With a dark web monitoring service, an organization can subscribe to a feed of threat intelligence regarding their company and industry without the need to employ in-house analysts to seek out, aggregate, and analyze it manually.
Finding Hidden Websites Using Tor
Websites on the dark web are only accessible using the Tor dark web browser and have a .onion domain. Unlike the surface web, the dark web does not have DNS, which can be queried to build a list of all of the accessible websites on the Internet.
Dark web search engines (like Google on the surface web) do exist, but these do not index all dark web sites. In general, to access a webpage on the dark web, you usually need to know the page’s URL.
Dark Sites To Start FromWhen exploring the dark web, it is usually necessary to start with a known dark web URL and branch out from there. Dark web forums, marketplaces, and other sites may include references to other dark web pages. By continually following these links and references, it is possible to build an index of a portion of the dark web. However, any pages that are not referenced on publicly accessible pages are difficult or impossible to find. A good starting place for dark web exploration is Dark Web Links, which is accessible from the surface web and provides a long list of known dark web sites. Other useful sites that are only accessible via the Tor browser include:
- Ahima: A search engine for the dark web
- Dread: The dark web version of Reddit
- Hackerplace: A dark web page focused on hacking
- The Hidden Wiki: The dark web version of Wikipedia
Who Is Active On The Dark Web And Why?
Dark web actors vary in sophistication from complete novices to nation-state-sponsored hackers. Some of the main categories of hackers on the dark web include:
- Script Kiddies: Script kiddies have little or no hacking knowledge and experience. They commonly use the dark web to find hacking tools and information on how to perform different types of attacks.
- Proficient Hackers: Proficient hackers work solo or in small groups and have at least some level of hacking knowledge. In addition to seeking out tools and information on the dark web, they may also buy or sell information about compromised organizations or user accounts for use in attacks.
- Crime Syndicates: Organized crime is increasingly moving into the cybercrime space due to its profitability and the difficulty of attributing cyberattacks. They are often more sophisticated and operate at a larger scale than other hacking groups.
- APTs: Advanced Persistent Threats (APTs) are the most sophisticated type of hacker present on the dark web. They are also often the most subtle, making their presence difficult or impossible to detect.
The various levels of hackers also seek out different types of malware on the dark web. For example, script kiddies are more likely to have or be looking for a password cracker, while APTs are generally the only ones with access to many zero-day exploits. In most cases, high-reward malware, such as ransomware, is in the hands of organized crime or APTs.
Types Of Threats On The Dark Web
Dark web threats come in a variety of forms. When searching for threat intelligence on the dark web, it’s important to look for the various types of data and services that cybercriminals offer for sale.
Credentials exposed as part of data breaches, credential stuffing attacks, and similar cyberattacks are commonly for sale on dark web marketplaces. Exposed credentials may be used to gain access to the named account or as part of a spear-phishing campaign where the attacker claims that the credentials were collected by malware that they installed on the target’s computer. Alternatively, exposed credentials can be used for credential stuffing attacks, where cybercriminals test to see if breached credentials are reused across multiple accounts.
Information on compromised credentials can be invaluable for corporate cybersecurity. Data on breached passwords can help to improve password policies, and, if the credentials of an organization’s employee(s) are breached, this is a red flag to change the account password and investigate for potential use of the compromised credentials.
Cybercriminals are increasingly moving toward a service-based economy where specialists offer their services for sale. In many cases, these services are sold on dark web marketplaces.
For example, a botnet operator may be selling distributed denial of service (DDoS) attacks where the buyer can select the timing, duration, and intensity of the attack against a target of their choice for varying prices. Alternatively, a buyer on a dark web marketplace may be able to purchase a very tailored attack, such as hacking a social media account of their significant other.
Information about targeted attacks for sale can help an organization to identify unknown and upcoming threats to its security. If an attacker is offering access to an organization’s software or online accounts or a buyer is seeking a DDoS attack against corporate assets, this requires further investigation and response.
Software vulnerabilities are common and can allow an attacker access to enterprise systems or vulnerable devices. If a vulnerability is ethically reported by the discoverer, a complete report of how the vulnerability works is typically not published until after a patch has been released. However, there is often a window between initial discovery and widespread application of the patch.
The dark web provides a forum for cybercriminals to discuss vulnerabilities that have not been ethically reported or for which patches are not widely available or used. Discussions can include information on how a vulnerability works, potential exploits, and the use of the vulnerability in various cyberattack campaigns.
Cybercriminals may be discussing vulnerabilities on the dark web before information about them is publicly available. Monitoring these channels enables an organization to protect vulnerable software until a patch is available and applied and may reveal previously unknown vulnerabilities in a company’s products.
Insider threats pose a significant risk to an organization’s IT assets, intellectual property, and other sensitive data. Insider threats may include current or former employees, partners, vendors, resellers, and other parties with access to sensitive information. Additionally, insider threats may put the organization at risk either intentionally or via negligence.
Information on insider threats may be available on the dark web. Malicious insiders may offer sensitive data or access for sale on dark web marketplaces, and discussions on dark web forums may reveal the identities of other security risks within an organization. Additionally, sensitive internal information may be included in uploads to paste sites, where users can upload software or other data collected from an organization. By monitoring these venues, an organization can identify potential insider risks and compromised sensitive data.
Hacked accounts are commonly for sale on dark web marketplaces. Hacked personal accounts include access to financial accounts, email, social media, e-commerce sites, and other online accounts. Additionally, cybercriminals may offer access to corporate accounts for sale, allowing other attackers to purchase a foothold within an organization’s environment.
Monitoring dark web marketplaces for sales of hacked accounts is essential to protecting an organization’s data and network security. Sales of access to corporate networks or data indicate a current threat to the enterprise. Additionally, hacked email and other personal accounts may impact the company if password reset emails are sent to those accounts or the attacker expands their access from personal emails to corporate resources.
Botnets for Sale
Botnets are collections of compromised machines that a cybercriminal controls and uses in automated attacks. For example, an attacker may exploit a vulnerability in an Internet of Things (IoT) device to gain control over a set of vulnerable devices. These IoT devices can then be used for distributed denial of service (DDoS), credential stuffing, and other automated attacks.
Botnet operators can have thousands of bots under their control and the ability to break their botnets up into smaller groups. On dark web marketplaces, these operators may sell control over bots or sets of bots to other cybercriminals looking to use them in their attacks.
Bots are useful to cybercriminals because they make it more difficult to trace cyberattacks back to the person behind them. When investigating a security incident, it can be useful to monitor for botnet sales to help with attribution of the attack.
Types Of Intelligence On The Dark Web
Dark web intelligence enables the collection of different types of threat intelligence, including:
- News Updates: Like any forum, news is a common topic of discussion on the dark web. These discussions can range from current events (which are useful for phishing pretexts) to more targeted information (such as updates on technology, gaming, and cybercrime). Monitoring these discussions provides insight into the current state and areas of focus of the dark web community.
- Shop Talk: Cybercriminals commonly discuss tactics, techniques, and procedures (TTPs) for performing cyberattacks and defensive measures on the dark web. These discussions can help with attributing an attack to a particular group and ensuring that an organization’s defenses can stand up to the latest threats.
- Service Offerings: Cybercrime is increasingly moving to a service-based economy, where cybercriminals offer tools, malware, or bespoke attacks for sale. By monitoring current product offerings, an organization can get advance warning of potential upcoming threats.
- Data Sales: Data stolen as part of a cyberattack commonly ends up for sale on the dark web. This includes user credentials, financial data, and access to compromised systems. Information about goods offered for sale can help to detect successful attacks and determine the scope of cybercrime campaigns.
- Underground Identities: The dark web is designed to be anonymous, but information about various users leaks out, such as their language, aliases, contact data, and more. Aggregating this data makes it possible to build a profile of dark web users.
Surface Web, Deep Web And Dark Web
Not all content on the internet is created equal. Internet-based content can be classified into three main categories: surface web, dark web, and deep web.
The surface web is the part of the Internet that is indexed by search engines like Google. This content is designed to be easily discoverable and accessible to the general public. Examples include corporate webpages, video streaming sites (YouTube, Netflix, etc.), and other public-facing content.
The dark web is a section of the internet that can only be accessed using the Tor browser, and that is certainly intentional. The purpose of Tor is to make it difficult or impossible to link an internet user with the dark web content that they are viewing. This focus on privacy means that the dark web is a popular forum for criminal content.
The deep web includes content that is accessible via normal web browsers (Firefox, Chrome, Safari, etc.) but is not designed for unlimited public distribution. This includes any content that is protected by an authentication portal such as university libraries and corporate networks.
The deep web also includes personal content accessible via the internet such as personal email, messages on platforms such as WhatsApp or Signal, and social media private messages. Cybercriminals commonly use deep web messaging platforms for collaboration, making it an important potential source of threat intelligence data.
How To Protect Yourself From The Dark Web
Dark web protection should be a core component of both personal and business data security strategies. Take the following steps to help protect your sensitive information from being exposed on the dark web.
Browsing the Dark Web Cautiously
Dark web sites commonly contain malware or malicious code designed to exploit vulnerable computers. Always browse the dark web with a fully-patched computer with nothing else running on it. Ideally, this should be a dedicated system or virtual machine that can be discarded after use.
Use Unique and Updated Passwords
Compromised credentials are commonly sold on dark web marketplaces for use in credential stuffing attacks, where they test to see if the same password is used elsewhere as well. Always use unique and strong passwords to ensure that you aren’t providing cybercriminals with passwords to your other online accounts.
Use a Dark Web Monitoring Service
Searching the dark web for useful information can be challenging and dangerous. An effective way to get useful threat intelligence is to use a dark web monitoring service that provides information collected and curated by experts without the risks of manually collecting data from the dark web.
Lock or Freeze your Credit Reports
Cybercriminals often aggregate the data needed to open financial accounts and sell these profiles on dark web marketplaces. Locking or freezing your credit report makes it impossible to open an account in your name even if a cybercriminal has the information that they need to do so.