Episode 10: Learning What Motivates Threat Actors Helps With Understanding How They Operate with Edan Cohen of Cybersixgill

March 31, 2022

Listen on SpotifyListen on Apple Podcasts

Episode Summary

Most people don’t know how the dark web and the organizations within it work. But, the truth is, they operate in almost the same manner as any other legitimate organization or company you know. 

Therefore, it is critical to familiarize ourselves with their modus operandi and mitigate the risks and the danger coming from the digital underground. 

In this episode of Dr. Dark Web, our host Chris Roberts chats with Edan Cohen, the Cyber Threat Intelligence Specialist at Cybersixgill. The two discuss an underground e-commerce market, the business strategies used, and motives that drive threat actors. 

Podcast Expert

  • Name: Edan Cohen
  • What he does: Edan is the Cyber Threat Intelligence Specialist at Cybersixgill. 
  • Company: Cybersixgill
  • Noteworthy: Prior to joining Cybersixgill, Edan was the Lead Global Intelligence Analyst, Corporate Security at the World Bank.
  • Where to find Edan: LinkedIn

Podcast Insights

🎙️ An underground e-commerce marketplace is similar to a legitimate e-commerce store.

It is critical to understand that organizations on the dark web operate like any other company we know today. It means their success depends on things such as customer satisfaction. ”You talk about reputation and feedback. An underground marketplace — let’s say you purchase physical goods, a person that purchased it is gonna say whether they liked it or didn’t. They’re going to provide feedback, which is viewable […] in the same way that you do this on Amazon. You look at items that are very similar and what has more ratings.”

🎙️ Outsourcing is also present on the dark web.

It is common for organizations operating on the dark web today to partner with experts who can help them achieve their goals. ”In some attacks, there are various steps along with that attack — whether reconnaissance, initial access, data encryption, or exfiltration. […] You can use the word affiliates or partners. But ultimately, different aspects of an attack cycle could be outsourced in the same way legitimate organizations outsource different parts of their company.”

🎙️ Different motives drive threat actors.

As Edan explains, threat actors can be ideologically or financially motivated, and these two motives often overlap. These are the expectations when money is in focus: ”You’ve purchased a hacking tool pulling all the logins from machines you’ve infected, but something isn’t working, or it’s not pulling everything. You’ve paid money for it, and you’re paying a monthly fee. You want to make sure it works. That vendor wants to make sure it works. So there’s that joint need to have success.”

Episode Highlights

Who’s Operating on the Dark Web? 

”You’ve got drug and weapons vendors, criminal syndicates, fraudsters, more organized groups, script kiddies, and people that are there to learn and maybe start a career in certain illicit activities.

But, on top of that, in a world where people are anonymous and don’t want to be exposed, there are also plenty of impersonators, and I don’t just mean the threat actors that are scam artists. I’m talking about law enforcement, security researchers, and cyber companies. So that’s something that I think a lot of these different underground vendors have to contend with.”

People Also Want to Develop Long-Term Business Relationships ​​on the Dark Web

”It’s important to view these relationships among anonymous people. A lot of people — maybe not the scammers — want to have long-term cooperation, whether it’s, ‘Okay, this is the vendor I buy drugs from. This is who I’m buying hacking tools from. I’ve purchased data from this person before.’

[…] I think we sometimes see this played out on the underground, especially relating to somebody selling data lakes, for example. They’ll provide some sample data either publicly or when they’re engaged with somebody that they view as a legitimate buyer. And sometimes, a legitimate buyer could be a known entity on the source [or] somebody else vouched for them before, [or] they’ve maybe done something to show, ‘Here’s my resume.”’

Every Cyber Attack Involves a Vulnerability Being Exploited

”A lot of times, when we look at different attack cycles, there’s a certain vulnerability being exploited that is utilized by certain groups. So focusing on that might end up putting a halt within that attack cycle. […] 

It’s always the human element. [It is] reminding people to not click on URLs to have good OPSEC. […] Sometimes, there are slips of the tongue, a certain sling utilized. Sometimes also, people could be sharing Gmail, WhatsApp numbers. There is certain contact information that might be shared, which can then lend to more human intelligence-driven operations.”