14.05.2020
Using the Dark Web for Threat Intelligence
The Dark Web is a mysterious and controversial place. Due to frequent negative news, it is primarily perceived as a criminals’ paradise where hackers, drug dealers and fraudsters get a clear run at exchanging illicit content, goods and services. At the same time, there are many who view the Dark Web as a means for censor-free communication and privacy protection.
Although there may be some exaggeration in the estimates regarding the Dark Web’s size, number of users and essentially criminogenic nature, one thing is certain: Dark websites are attractive meeting places for criminals, and Dark markets hold enormous pools of stolen data, attack tools and threat plots. The dark corners of the web facilitate crime by connecting adversaries. Paradoxically, they also give security professionals insight into the enemy’s mind, allowing them to anticipate threats and strengthen their defences.
This article explores how organisations can use the Darknet as a threat intelligence resource in order to achieve and maintain an effective and proactive security posture.
What to look for? – Threat information on the Dark Web
Accessing the Dark Web and finding hidden websites is relatively easy. The more challenging part of the job is narrowing your search down to find meaningful and actionable threat intelligence that will enable you to improve your organisation’s security posture. Threat information you can find on the Dark Web and use for security includes:
Vulnerabilities and exploits
As you probably know, all software has vulnerabilities. More and more vendors and security researchers publish software vulnerabilities to shield users from the resulting risks. Sadly, cyber criminals sometimes get ahead of vendors and security communities. The Darknet abounds with so-called zero-day or zero-hour vulnerabilities: security flaws that are not yet known to the vendor and for which no security patch exists yet. Finding information on the zero-day vulnerabilities and exploits that hackers discuss and trade on Dark markets enables security professionals to identify and implement effective mitigating controls before the patch is released, and to fix the vulnerability as soon as the patch becomes available.
Access
Besides vulnerabilities and exploits, adversaries often sell active access to systems and devices on Dark marketplaces. Many of today’s hackers and hacker groups specialise in a specific phase of the hacking process. Time and again, hackers who excel at scanning and gaining access to networks decide not to exploit the target themselves. Instead, they sell the access to other hackers who specialise in further exploration and exploitation. In turn, these exploitation ‘experts’ sell the data they have gathered to attackers who focus on extortion.
Passwords or accounts
Access to accounts, such as online banking, social media and e-mail, is also popular Dark merchandise. Passwords are valuable items, since attackers know that people tend to reuse their passwords across multiple accounts.
Insider threats
Organisations should be aware of insiders and suppliers looking to sell credentials, intellectual property, or important corporate data on Dark marketplaces. Monitoring whether your organisation’s name appears in Dark Web forums and pastes can help you detect potential insider threats, enabling you to prevent data leaks and other incidents that may damage your brand’s reputation.
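The monitoring described under "Passwords or accounts" and "Insider threats", as an added example that is not part of the original article: a scanner that flags leaked credentials for watched e-mail domains and mentions of the organisation in collected paste text. The names `scan_paste`, `Finding` and `SAMPLE_PASTE`, the domain example.com and the sample paste are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# email, then a separator (: ; |), then the secret, as seen in credential dumps
CRED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\s*[:;|]\s*(\S+)")

# Constructed sample paste; all names and values are made up.
SAMPLE_PASTE = """\
alice@example.com:Summer2020!
bob@mail.example.com ; hunter2
carol@other.org:letmein
anyone have creds for Example-Corp vpn?
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # "credential" or "mention"
    line_no: int
    detail: str


def squash(s):
    """Lower-case and drop punctuation so 'Example-Corp' equals 'example corp'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def scan_paste(text, domains, keywords):
    """Return findings for watched e-mail domains and organisation keywords."""
    domains = {d.lower() for d in domains}
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        hit = False
        for user, dom, secret in CRED_RE.findall(line):
            dom = dom.lower()
            if dom in domains or any(dom.endswith("." + d) for d in domains):
                # Never copy the leaked secret into alerts or tickets.
                findings.append(Finding("credential", no,
                    f"{user}@{dom} (secret redacted, {len(secret)} chars)"))
                hit = True
        if not hit:
            findings += [Finding("mention", no, kw) for kw in keywords
                         if squash(kw) in squash(line)]
    return findings


if __name__ == "__main__":
    for f in scan_paste(SAMPLE_PASTE, {"example.com"}, ["Example Corp"]):
        print(f)
```

A credential finding should trigger a password reset for that account and a check for reuse of the same password elsewhere; a bare mention needs an analyst to read the surrounding post.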
How to find useful information? – Scanning the Dark Web for threat intelligence
There are two main ways you can find Dark Web sources for threat intelligence. You can either buy a Dark Web monitoring service, or you can set up your own monitoring capability.
Buying a monitoring service
There are several vendors that allow you to integrate their Dark Web intelligence feeds into your threat intelligence process or tools. Of course, these services cost money. More importantly, the quality of the information differs from vendor to vendor. Some may even be ‘vaporware’.
Among widely popular Dark Web monitoring tools and services are:
- Dark Web Solutions (https://dws.pm/tools/monitor/)
- AlienVault’s Alien App for Dark Web Monitoring (https://cybersecurity.att.com/app/dark-web-monitoring)
- Digital Shadows Dark Web Monitoring (https://www.digitalshadows.com/dark-web-monitoring/)
Monitoring the Dark Web manually
The advantage of setting up your own monitoring capability is that you can tailor the search to your organisation’s needs. The downside is that finding relevant information on Darknet sites is a complex and laborious task even for trained personnel. First, you need to find starting points for your search and build a list of the sites you think may be of interest. Sadly, there is no structured way to do this, but we will give you a few starting tips below.
Large enterprises, law enforcement agencies and government institutions are increasingly adding Dark Web monitoring to their security policies. Since navigating the ‘underbelly of the internet’ is never risk-free, training courses that focus on the security precautions one should take to stay safe on the Dark Web are becoming particularly relevant for information security professionals, police officers and public sector investigators.
Finding hidden websites using Tor
One of the basic principles of the Dark Web is anonymity. The technology not only hides the identity of users, but also the identity of websites. Dark sites use generated URLs (http://3g2upl4pq6kufc4m.onion/) or vanity URLs that contain relevant keywords (http://acidvalleyt3kkva.onion/).
You may realise that guessing dark URLs is nearly impossible. Of course, you could try to crawl through the Dark Web or use a Darknet search engine. However, this would not work for all the websites out there. Unlike the Clear Web, the Dark Web does not provide DNS services. When looking for Dark sites, your best chance is to find references on other platforms, such as directories, boards or chans. Theoretically, it is also possible to brute-force URLs by trying all possibilities, but that would take an insanely long time.
Again, the key to finding relevant sites is to look at Dark web pages that include posts or discussions on Dark markets or Dark forums. Remember to be careful while navigating the Dark Web. Eventually, you may stumble upon content you do not want to see. It is wise to stick to your purpose and look solely for sites relevant to threat intelligence.
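Why these hostnames have to be collected from references rather than looked up or guessed, as an added example that is not part of the original article: a .onion name is derived from the service's key, so a collector can only harvest names from text and check their shape. The function names and the sample key are assumptions, and the example goes beyond the article by also covering the 56-character v3 format with its built-in checksum.

```python
import base64
import hashlib
import re

# 16 base32 characters (v2, as in the article) or 56 (v3), then ".onion".
ONION_RE = re.compile(
    r"(?<![a-z2-7])([a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.I)


def v3_checksum(pubkey: bytes) -> bytes:
    """First 2 bytes of SHA3-256(".onion checksum" || pubkey || version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Hostname for a 32-byte public key: base32(pubkey || checksum || 0x03)."""
    raw = pubkey + v3_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"


def classify(label: str) -> str:
    """Return 'v2', 'v3' or 'invalid' for the label in front of .onion."""
    label = label.lower()
    if len(label) == 16:
        return "v2"  # truncated key hash; no checksum, so typos go unnoticed
    if len(label) != 56:
        return "invalid"
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    ok = version == b"\x03" and checksum == v3_checksum(pubkey)
    return "v3" if ok else "invalid"


def extract_onions(text: str) -> dict:
    """Map every distinct onion hostname in text to its classification."""
    found = {}
    for match in ONION_RE.finditer(text):
        label = match.group(1).lower()
        found[label + ".onion"] = classify(label)
    return found


if __name__ == "__main__":
    # Constructed input: an address from the article and a made-up v3 name.
    demo = encode_v3(bytes(range(32)))
    page = f"see http://3g2upl4pq6kufc4m.onion/ and http://{demo}/"
    for host, kind in extract_onions(page).items():
        print(kind, host)
```

Names classified as invalid are usually copy errors or truncated links and can be dropped from a seed list before any connection is attempted.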
Dark sites to start from
If you are ready to access and search the Dark Web, these sites will help you along your way. Note that URLs can change over time. You may need to find new URLs to be able to access these sources.
- Onionscan (https://onionscan.org/): a tool that can help you find and/or track hidden websites
- Hackerplace (http://hackerw6dcplg3ej.onion/): a dark page devoted to hacking
- Dread (http://dreadditevelidot.onion/): the Dark Web Reddit
- Ahmia (http://msydqstlz2kzerdg.onion/): a Darknet crawler / search engine
- The Hidden Wiki (http://jh32yv5zgayyyts3.onion): the Dark Wikipedia
- Onion Past (http://past6njzfp3hnsux.onion/lists): contains ‘pastes’ with information on other Dark sites
- PwDB (http://pwndb2am4tzkvold.onion/): a searchable database for uncovered passwords. It is similar to Have I Been Pwned, but it gives you passwords linked to accounts or email addresses.
- Finally, a useful Clear Web page that provides links to Dark pages is https://www.thedarkweblinks.com/
Using these sources, you can start discovering the threats your organisation is facing at this very moment. Remember that you will have to sift through scams and lots of useless information, but this is a small price to pay for the benefit of increased security and reputation protection.