8 July 2015
Illuminating The Deep & Dark Web The Next Frontier in Comprehensive IT Security
Illuminating the Deep & Dark Web
Contents
I. Executive Summary ... 2
II. The Deep & Dark Web ... 3
    What is the Deep & Dark Web? ... 4
    Malicious Actors Find Sanctuary ... 5
    Intelligence is the Solution ... 6
III. Intelligence from the Deep & Dark Web Moves Beyond Traditional Threat Intelligence ... 7
    Indicators of Context (IOCXs) ... 8
IV. Taking Action ... 9
    Scaling Intelligence ... 10
    Barriers to Entry ... 10
    Applications ... 11
V. Use Cases ... 12
VI. Conclusion ... 13
VII. Appendix ... 14
I. Executive Summary

Whether looking for threat actors targeting an organization or identifying the proliferation of leaked data after a successful attack, ignoring the rich trove of data generated within the Deep & Dark Web creates a critical blind spot for any security team. Actionable intelligence from the Deep & Dark Web can substantially reduce potential costs for an organization by protecting against threats while minimizing reputational damage following a breach. As the industry matures, threat intelligence must move from informing security teams of problems retrospectively (i.e., one that someone else has already identified, forensically analyzed, and shared with the broader community) toward a proactive model, offering immediate context and richness to a security program. This is undoubtedly the next step in the evolution of the industry, and executives must begin asking critical questions of their teams and vendors. To this end, instead of reacting to the next public report of a breach, security teams must use data and intelligence from the Deep & Dark Web to gain substantial insight into the minds of malicious actors themselves and observe the activities within these illicit communities, gaining an enhanced awareness of both current and potential threats.
II. The Deep & Dark Web

The mainstream World Wide Web, often called the Surface Web, is comprised of traditional websites indexed by popular search engines, with which most users of the Internet are intimately familiar and which form an everyday part of their lives. But beyond the Surface Web exists an opaque region of the Internet called the Deep & Dark Web.
What is the Deep & Dark Web?

The Deep Web refers to the broad swath of the Internet that traditional search engines are unable to access, including password-protected web forums, chat services like Internet Relay Chat (IRC), and file sharing and P2P technologies like BitTorrent.

The Dark Web is a subcomponent of the Deep Web that is not only inaccessible to mainstream search engines but is visible only to users who have installed specialized software, such as Tor or I2P, enabling access to these regions of the Internet. Many forums, websites, and marketplaces on the Dark Web offer highly anonymized environments in which to conduct malicious activities and purchase illicit goods and services.

[Figure: layered diagram of the Surface Web; the Deep Web (unindexed by traditional search engines, e.g. password-protected forums); and the Dark Web (technological barrier to entry, requiring software for access).]
Malicious Actors Find Sanctuary

While certainly not all users of the Deep & Dark Web harbor ill intent, malicious actors regularly congregate in these dark portions of the Internet to plan, execute, and profit from a range of illicit activity, from hacking, financial fraud, and intellectual property theft to terrorism and other violent acts. As these relatively clandestine areas of the Internet swell with prohibited activity, small sanctuaries quickly grow into vibrant black markets, attracting the most active buyers and sellers of stolen company data, personally identifiable information, bank and credit card numbers, weapons, and malware. Once available in the Deep & Dark Web, illicit content may be advertised to a broader audience via social media platforms and other indexed areas of the Surface Web if the actors decide that mass appeal or recognition from the media may drive demand.
Intelligence is the Solution

Like war correspondents providing behind-the-scenes developments from typically inaccessible conflict zones, the right intelligence solution can keep individuals and organizations prepared for the latest threats developing in the Deep & Dark Web's criminal underground. Identifying illicit actor sanctuaries in the Deep & Dark Web requires considerable subject matter expertise: not only a diverse set of foreign language skills but also familiarity with the content and cultures of these communities. The gatekeepers of illicit forums and marketplaces devote considerable resources to vetting potential visitors; gaining and maintaining access to even a single source can often require extended effort over weeks, months, or even years in order to gain sufficient credibility. To combat information overload and false positives, subject matter experts with the necessary language and domain expertise must then guide automated engineering solutions to gather only the most immediately relevant data and intelligence. When done effectively, the result is a vast archive of historical and real-time content from previously uncharted areas of the Internet.

"Executives should be asking their teams and vendors detailed questions about their capabilities in the Deep & Dark Web"
III. Intelligence from the Deep & Dark Web Moves Beyond Traditional Threat Intelligence

Contrast this notion of a rich, primary-source intelligence stream taken directly from within malicious actor communities with the current state of threat intelligence offerings. The richness of intelligence tends to be whittled down into binary answers to a few questions of limited scope and utility: Is it bad? Is it in my network? Who else has seen it? During what timeframe was it witnessed by someone else? This approach results in unmanageable reams of blacklists and flagged executables, known as Indicators of Compromise (IOCs), that contain a discouraging percentage of false positives. Ultimately, taking action with this type of threat intelligence, while necessary, nonetheless equates to placing a band-aid on a complex problem. As an industry, we must move from temporary fixes toward a proactive, context-rich intelligence solution.
Indicators of Context (IOCXs)

Identifying IOCs is only the beginning. Security teams and threat intelligence providers must start asking more complex investigative questions of the IOCs. The IOCX is essentially the missing half that answers contextual questions about the associated indicator.

WHO is associated with the IOC? Is the actor an individual or a network of individuals?

WHAT capabilities does the actor (or actors) have? What is the level of credibility of this actor within his community? Do I have the level of visibility I need to assess the capabilities and credibility of this actor?

WHEN did the IOC become an IOC? Is it still an IOC? When was it last seen in use as an IOC?

WHERE does the actor associated with the IOC reside? Where is the equipment (e.g., servers, services, accounts) used by the actor hosted?

WHY were the targets selected by the actor? Is the motivation financial, geopolitical, anarchic?

HOW has the actor taken action, both today and in the past, and using which specific tactics? How has the actor chosen to communicate and in what languages?

In order to answer these questions, and so produce the necessary IOCXs on top of standard threat intelligence IOCs, security teams must have broad, near-real-time visibility into malicious actor communities in the Deep & Dark Web. The robust stream of intelligence this type of visibility provides has a wide range of applications for both cyber and physical security, as well as for other teams focused on risk assessment, brand protection, and cyber insurance.
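The IOCX questions above describe a data model: a bare indicator joined to who/what/when/where/why/how context gathered from underground communities. The following Python is an added example, not code from the paper or from Flashpoint, showing one way a security team might represent that join and use the "when" answer to decide whether an indicator is still live. All indicators (RFC 5737 documentation addresses), actor handles, observation fields and the 90-day staleness policy are constructed assumptions for illustration.

```python
from datetime import date, timedelta

# Date of the paper, used as "today" when running the example stand-alone.
TODAY = date(2015, 7, 8)

# Constructed sample IOC feed entries (hypothetical; RFC 5737 documentation addresses).
IOCS = [
    {"indicator": "198.51.100.23", "type": "ip",
     "first_seen": date(2015, 3, 2), "last_seen": date(2015, 6, 30)},
    {"indicator": "203.0.113.9", "type": "ip",
     "first_seen": date(2014, 11, 10), "last_seen": date(2015, 1, 15)},
]

# Constructed observations an analyst might record from monitored underground
# communities. Every value here is invented for illustration.
OBSERVATIONS = [
    {"indicator": "198.51.100.23", "actor": "actor_a", "associates": ["actor_b"],
     "capability": "card-data reselling", "credibility": "vouched seller",
     "seen": date(2015, 6, 28), "motivation": "financial",
     "hosting": "bulletproof host, country unknown", "language": "ru",
     "tactic": "advertises dumps on a carding forum"},
    {"indicator": "198.51.100.23", "actor": "actor_a", "associates": [],
     "capability": "card-data reselling", "credibility": "vouched seller",
     "seen": date(2015, 4, 11), "motivation": "financial",
     "hosting": "bulletproof host, country unknown", "language": "en",
     "tactic": "recruits cashers via private messages"},
]

# Assumed policy: an indicator with no sighting in 90 days is treated as stale.
STALE_AFTER = timedelta(days=90)


def build_iocx(ioc, observations, today, stale_after=STALE_AFTER):
    """Attach who/what/when/where/why/how context to one IOC record.

    'context_available' is False when no underground observation references
    the indicator; in that case the record stays a bare IOC with only the
    'when' answer derived from the feed itself.
    """
    hits = sorted((o for o in observations if o["indicator"] == ioc["indicator"]),
                  key=lambda o: o["seen"])
    # "When was it last seen?" combines feed data with underground sightings.
    last_seen = max([ioc["last_seen"]] + [o["seen"] for o in hits])
    iocx = {
        "indicator": ioc["indicator"],
        "type": ioc["type"],
        "context_available": bool(hits),
        "active": (today - last_seen) <= stale_after,
        "when": {"first_seen": ioc["first_seen"], "last_seen": last_seen},
    }
    if not hits:
        return iocx
    actors = sorted({o["actor"] for o in hits})
    associates = sorted({a for o in hits for a in o["associates"]})
    latest = hits[-1]
    iocx.update({
        # WHO: individual or a network of individuals?
        "who": {"actors": actors, "associates": associates,
                "network": bool(associates) or len(actors) > 1},
        # WHAT: capabilities and standing within the community.
        "what": {"capabilities": sorted({o["capability"] for o in hits}),
                 "credibility": latest["credibility"]},
        # WHERE: hosting of the equipment behind the indicator.
        "where": {"hosting": latest["hosting"]},
        # WHY: motivation behind target selection.
        "why": {"motivations": sorted({o["motivation"] for o in hits})},
        # HOW: tactics over time and languages used to communicate.
        "how": {"tactics": [o["tactic"] for o in hits],
                "languages": sorted({o["language"] for o in hits})},
    })
    return iocx


def triage(iocs, observations, today):
    """Split a feed into enriched IOCXs and bare IOCs that still lack context."""
    enriched = [build_iocx(i, observations, today) for i in iocs]
    return ([x for x in enriched if x["context_available"]],
            [x for x in enriched if not x["context_available"]])


if __name__ == "__main__":
    with_context, bare = triage(IOCS, OBSERVATIONS, TODAY)
    for record in with_context:
        print("IOCX", record["indicator"], "active" if record["active"] else "stale",
              "actors:", record["who"]["actors"])
    for record in bare:
        print("IOC only", record["indicator"], "active" if record["active"] else "stale")
```

The split returned by `triage` is the practical output: indicators in the second list are the ones a team still cannot answer the six questions about, and a stale, context-free indicator is a candidate for retirement from blocklists rather than for further alerting.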
IV. Taking Action

It is possible to obtain data and intelligence (and thus a risk signal) directly from within malicious actor communities in the Deep & Dark Web. Executives should therefore be asking their teams and vendors detailed questions about their capabilities in the Deep & Dark Web, framed as a need to take the following actions:

Discover compromised data before it reaches the Surface Web
Evaluate third-party vendor risk based on discussions and illicit activity in the Deep & Dark Web
Determine the general "climate" of underground forums and marketplaces
Find your corporate footprint in order to mitigate risk associated with poor OPSEC
Identify indications of insider threats visible in the Deep & Dark Web
Learn about actors targeting your assets and considering exploits against your products
Create threat actor profiles and digital patterns of life based on Deep & Dark Web activity

The only means to answer these questions as accurately as possible is to produce the necessary IOCXs on top of standard threat intelligence IOCs. Security teams must have broad, near-real-time visibility into malicious actor communities in the Deep & Dark Web. This robust stream of intelligence has a wide range of applications for both cyber and physical security, as well as for other teams focused on risk assessment, brand protection, and cyber insurance.
Scaling Intelligence

Today, many security and risk functions are missing critical data from the Deep & Dark Web. Access to content from inside select password-protected web forums is not new per se; however, broad visibility at scale across the Deep & Dark Web, along with the ability to search and run analytics on top of that data, is just beginning in the commercial space.

In the pursuit of actionable intelligence, there is a significant gulf between the capabilities of one analyst inside one illicit forum or marketplace and one analyst looking to identify threats and assess risk while searching across scores of forums and marketplaces. An effective commercial product offering data and intelligence from the Deep & Dark Web need not involve honeypots, nor should it solely rely on paste sites, social media, or other Surface Web sources. Indeed, assessing risk based on data collected only from Surface Web sources can result in uninformed decision-making.

[Figure: "One Analyst, One Site" contrasted with "One Analyst, Many Sites", the latter spanning communities in English, Cyrillic-script languages, Mandarin, Spanish, Portuguese, and Japanese.]

Barriers to Entry

The challenge for security teams is that building in-house Deep & Dark Web data collection capabilities is expensive, resource-intensive, and risk-laden. Specialized personnel with critical foreign language skills, namely Chinese, Russian, Arabic, and Farsi, are required to develop the requisite tradecraft, subject matter expertise, and operations security procedures. To mitigate risk, as well as to avoid costly efforts that do not scale, security teams can use a vendor to offer insight into the Deep & Dark Web through a centralized, sanitized database: an offline search engine for the areas of the Internet unindexed by mainstream search engines. Vendors should be asked to take on the risk of gaining and maintaining access to illicit communities in the Deep & Dark Web while gathering and structuring the data for clients.
Applications

The visibility provided by an effective Deep & Dark Web intelligence solution has a range of applications for teams working on both cyber and physical security, as well as a variety of other key operational components:

Cyber Intelligence Teams: Discover threat actor profiles and digital patterns of life, and retrieve sensitive information.

Physical Security Teams: Discover potential protests and flash mobs, executive and landmark targeting, and discussions about upcoming major events.

Brand Protection Teams: Discover instances of your brand in the underground, rogue applications, and disgruntled customers.

Fraud Teams: Discover previously unknown credit card markets, live card checkers, compromised account information, fraud actor profiles, and fraud TTPs.

Insider Threat Teams: Discover employees visiting illicit sites, employees leaking critical information, and poor tradecraft.

Vendor Risk Management Teams: As several recent compromises occurred through third-party relationships, assess and risk-rate vendor footprints, risk-rate vendor IP addresses and ASNs, and supply inputs to cyber insurance.

Incident Response Teams: Post-incident, identify and trace the proliferation of your leaked data, and identify actors who have exposure to your data.

Geopolitical Risk Teams: Map information from the underground to current geopolitical events, and gain insight into flashpoints and other potential conflicts before they bubble up to the surface.

Counterterrorism Teams: Research recruitment and propaganda networks, gain insight into foreign fighter travel routes and TTPs, and monitor nascent terrorist groups as they evolve from aspirational to operational.

Data and intelligence from the Deep & Dark Web can also provide new insights for analyst teams across other verticals, such as those working on reputation scores, cyber insurance, or stock trading risk signals.
V. Use Cases

1. Know Criminal Techniques Before Rolling Out New Features

In the context of the U.S. chip-and-PIN EMV rollout scheduled for October 2015, Flashpoint observed message traffic on top-tier hacker forums indicating that cyber criminals have developed mechanisms to bypass the Static Data Authentication (SDA) mechanisms that authenticate chip-and-PIN transactions. Further analysis revealed that attackers have a low probability of success when trying to defraud systems implementing Dynamic Data Authentication (DDA).

With these techniques discovered in early 2015, financial institutions with access to this information gained a several-month head start in which to modify their implementation of chip-and-PIN authentication mechanisms.

2. Learn Attacker TTPs and Disrupt the Cycle Before You Are Compromised

Flashpoint frequently observes cyber criminals discussing the latest Tactics, Techniques, and Procedures (TTPs) for defrauding financial institutions. By monitoring this intelligence, security teams can learn attacker techniques as they are being developed and need not wait until a breach to retrieve Indicators of Compromise. This data provides the opportunity to modify protective mechanisms in advance.

3. Identify Criminals Targeting Your Organization Earlier

There is a lifecycle in the flow of exfiltrated information from private groups until it reaches the public Internet. Usually, a small group first discusses its goals. At some point later, this group might place advertisements on the Deep & Dark Web looking for an asset to help it achieve its plan. Whether looking for a particular skill set or an insider with the necessary internal access to the target, at some point cyber criminals will discuss the target within the Deep & Dark Web. And if the actor is successful in breaching the target and exfiltrating data, that information is oftentimes subsequently advertised for sale on the Deep & Dark Web. Thus, if the target is itself monitoring the Deep & Dark Web effectively, the security team can be much more proactive in mitigating a compromise thanks to earlier breach awareness.
VI. Conclusion: Driving Maturity for Tomorrow

Opportunities abound in the Deep & Dark Web for the intrepid security team to learn the who, what, where, when, why, and how around malicious actors targeting its organization: the Indicators of Context (IOCXs) that are currently in such short supply. Ignoring the Deep & Dark Web creates a critical blind spot. Executives must be proactive in driving their teams, or a trusted vendor who can shoulder the risk, toward a context-rich intelligence solution to confront threats before they surface. Opportunities today will become requirements tomorrow as the industry matures to develop context-rich intelligence solutions from the Deep & Dark Web.
VII. Appendix

Surface Web: The mainstream World Wide Web, comprised of traditional websites and social networks indexed by popular search engines, with which most users of the Internet are intimately familiar and which form an everyday part of their lives.

Deep Web: The broad swath of the Internet that traditional search engines are unable to access, including password-protected web forums, chat services like Internet Relay Chat (IRC), and file sharing and P2P technologies like BitTorrent.

Dark Web: A subcomponent of the Deep Web that is not only inaccessible to mainstream search engines but is visible only to users who have installed specialized software, such as Tor or I2P, enabling access to these regions of the Internet. Many forums, websites, and marketplaces on the Dark Web offer highly anonymized environments in which to conduct malicious activities and purchase illicit goods and services.

Indicators of Context (IOCXs): Indicators, such as an IP address or username, that can lead a security analyst to a rich vein of contextual intelligence on the malicious actor behind the indicator: information (both real-time and historical) that can help answer questions of who, what, where, when, why, and how the actor operates.

Tactics, Techniques, and Procedures (TTPs): Discernible patterns of behavior associated with a particular actor or group of actors.