Clear Web vs. Deep Web vs. Dark Web
Threat intelligence specialists divide the Internet into three main components:
- Clear Web – Web resources that can be viewed through public search engines, including media, blogs and other pages and sites.
- Deep Web – Websites and forums not indexed by search engines, for example webmail, online banking, corporate intranets and walled gardens. Some hacker forums that require login credentials exist in the Deep Web.
- Dark Web – Web resources that require special software to access. These sources are anonymous and private and include invitation-only Telegram groups and forums. The Dark Web contains Tor, P2P, hacking forums, criminal markets, etc.
According to Etai Maor, chief security strategist at Cato Networks: “We’re seeing a change in how criminals communicate and do business, moving from the top of the glacier to the bottom. The bottom provides greater security.”
Spotlight: What is Tor?
Tor is a free, open source network that allows anonymous communication. While Tor was originally developed by the US Naval Research Laboratory, it has become an increasingly popular tool for illegal activities.
Carrying out these actions on the Clear Web can expose the perpetrator to monitoring by law enforcement agencies and allow them to be identified. Through Tor, however, communication is encrypted in three layers, and one layer is peeled off at each node as the traffic passes toward the exit of the network. Law enforcement agencies monitoring Tor will not see the IP address of the perpetrator, only that of the Tor exit node, making it more difficult to track down the original perpetrator.
Tor communication architecture:
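To make the three-layer idea concrete, here is an added illustration (not from the original article, and not Tor's real cryptography): a client wraps a message once per hop of a constructed three-relay circuit, each relay peels one layer, and the record of what each relay observes shows why the guard learns the client address but not the destination, while the exit learns the destination but not the client. The relay names, keys, client IP and destination are constructed placeholders, and the XOR keystream cipher is a stdlib stand-in for the per-hop AES keys Tor actually negotiates.

```python
import hashlib
import json

# Constructed circuit: illustrative relay names and keys, not real Tor relays.
CIRCUIT = [("guard", b"guard-key"), ("middle", b"middle-key"), ("exit", b"exit-key")]


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream (encrypt and decrypt are the same).
    Illustrative only: Tor uses AES-CTR keys negotiated with each relay."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(destination: str, payload: str, circuit=CIRCUIT) -> bytes:
    """Client side: innermost layer (for the exit) holds the real destination;
    every outer layer names only the next relay, so no relay sees the full path."""
    blob = toy_stream_cipher(circuit[-1][1],
                             json.dumps({"next": destination, "body": payload}).encode())
    for i in range(len(circuit) - 2, -1, -1):
        _, key = circuit[i]
        layer = json.dumps({"next": circuit[i + 1][0], "body": blob.hex()}).encode()
        blob = toy_stream_cipher(key, layer)
    return blob


def run_circuit(client_ip: str, onion: bytes, circuit=CIRCUIT):
    """Forward the onion hop by hop and record what each relay can observe.
    Returns (observations, payload delivered by the exit relay)."""
    observations, prev, blob, delivered = [], client_ip, onion, None
    for name, key in circuit:
        layer = json.loads(toy_stream_cipher(key, blob))  # peel exactly one layer
        observations.append({"relay": name, "sees_from": prev, "forwards_to": layer["next"]})
        prev = name
        if name == circuit[-1][0]:
            delivered = layer["body"]           # exit relay holds the plaintext request
        else:
            blob = bytes.fromhex(layer["body"])  # still encrypted for the next relay
    return observations, delivered


if __name__ == "__main__":
    onion = build_onion("example.org", "GET / HTTP/1.1")  # constructed destination and request
    obs, delivered = run_circuit("203.0.113.5", onion)      # constructed client IP
    for o in obs:
        print(o)
    print("exit delivers:", delivered)
```

The guard entry shows the client IP paired with "middle" only, and the exit entry shows "example.org" paired with "middle" only, which is exactly the visibility gap that monitoring at the exit node runs into.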
Etai Maor adds: “During the 2000s, the sky-high leveling of digital capabilities fueled criminal activity. First came the Dark Web. Then hidden and secure services through Tor. Finally, cryptocurrency has enabled secure transactions.”
Criminal services available on the Dark Web
Here are some examples of services that have been available on the Dark Web in the past. Today, many of them have been removed; instead, criminals are moving towards the Telegram messaging platform because of its privacy and security features.
Examples include:
Selling drugs:
False Identity Services:
Marketplace to find suppliers, including a phishing alert:
How are criminal forums managed? Building trust in an unreliable environment
Attackers try to exploit vulnerabilities and hack systems to make a profit. Like any other commercial ecosystem, they use online forums to buy and sell hacking services. These forums therefore have to build trust among participants even though the entire ecosystem is built on crime.
In general terms, such forums were originally conceived as follows:
- Admin – Moderates the forum
- Escrow – Intermediates payments between participants
- Black list – An arbitrator to settle matters such as payments and quality of service
- Forum support – Different forms of assistance to encourage social interaction
- Moderators – Leaders of groups on various topics
- Verified suppliers – Vouched for suppliers, unlike some suppliers who are scammers
- Permanent participants of the forum – Group members. They were vetted before they were allowed to enter the forum to filter out scammers, law enforcement and other inappropriate or risky participants.
The path from malware infection to corporate data leakage on the Dark Web
Let’s see how the different stages of an attack are represented in the Dark Web with an example malware used to steal information for ransomware purposes:
Phases before an incident:
1. Data collection – Threat actors operate global malware theft campaigns and steal logs of compromised credentials and device fingerprints.
2. Data Providers – Threat actors supply data to Dark Web marketplaces that specialize in device credentials and fingerprints from malware-infected computers.
3. Fresh supplies – Logs become available for purchase on the Dark Web market. The price of a log usually ranges from a few dollars to 20 dollars.
Active phases of the incident:
4. Purchase – A threat actor specializing in initial network access buys logs and infiltrates the network to expand access. The acquired information often contains more than credentials: it includes session cookies, device fingerprints, and more. This allows the attacker to mimic the victim’s behavior and bypass security mechanisms such as MFA, making attacks more difficult to detect.
5. Auction – Access is auctioned on a Dark Web forum and acquired by a skilled threat team.
Etai Maor points out: “Auctions can be run as a contest or as a ‘Flash’ auction, which means that a bidder can purchase immediately without competition. Serious threat groups, particularly those backed by nation states or major criminal groups, may use this opportunity to invest in their businesses.”
6. Extortion – The group executes the attack, deploys ransomware in the organization and extorts it.
This pathway illuminates different areas of expertise within the criminal ecosystem. As a result, a multi-layered approach based on proactive processing of threat data can warn and possibly prevent future incidents.
The role of HUMINT
Automated solutions are indispensable for fighting cybercrime, but human intelligence (HUMINT) is also required to fully understand this field. This is the work of cybercrime officers and law enforcement officials who enter the forums and behave like traders. Engagement is an art, and it also needs to be ART – effective, reliable and timely.
Let’s take a look at some examples of forums that cybercrime officers monitor and their response.
In this example, the attacker sells VPN logins:
A cybercrime officer will try to engage and figure out which VPN or client the login belongs to.
In another example, an attacker sells Citrix access to a provider of IT infrastructure solutions and services in the UK.
A cybercrime officer can approach as a potential buyer and ask for samples. Since the seller is financially motivated and may not be in a good financial position (many operate from countries of the former USSR), they will often be willing to send samples to promote the sale.
Protection against network attacks
The Dark Web operates as an economic ecosystem with buyers, sellers, supply and demand. Therefore, effective defense against network attacks requires a multi-layered approach to each stage of the attack, both before and throughout the incident. This approach includes the use of automated tools as well as HUMINT, the art of interacting with cybercriminals online to gather intelligence by simulating how they operate.
To see more interesting examples and learn more about the HUMINT and Dark Web forums, see the entire master class here.