The reputation of the Dark Web perhaps exceeds its reality. Many think of it as a place where criminals operate. If used by security teams, however, the Dark Web can be ripe with threat intelligence just set for the picking.
Just a note: In this article, Dark Web refers to any collection of computers that create an internet which requires specific software, configuration, or authorization to access. For example Tor, Riffle, FreeNet, anoNet, and ZeroNet.
The Dark Web has many purposes, but it is indeed a place where criminals buy, sell, and trade goods and services. This is what makes it valuable to security researchers. By exploring the Dark Web, security teams have the potential to collect actionable intelligence. This includes malware capabilities, new tactics, compromised technology, and the direction of future attacks.
Recently, The Security Stronghold's team of researchers ventured into the Dark Web for over four months to survey ransomware capabilities for our clients. This allowed us to look at how ransomware is targeting different verticals and with what tactics. Much of what we found is already known, but some intelligence collected helped us to clearly see current capabilities and gave insight into the future direction of ransomware aimed at certain clients.
When looking at threat intelligence from a hunting perspective there are a few specific items to look for. Here we are going to look at the features of malware and underlying tactics. Keep in mind that scouring the Dark Web will give you insight to much more than mere malware.
Ransomware Intelligence Gathering
For this survey, we visited a variety of marketplaces and forums ranging from public to private. By interacting with developers we were able to gain insight into what the underground economy is demanding as well as capabilities of malware.
The first phase was investigating marketplaces. Our team wanted to see if there were any obvious disparities between what was being sold and what the security industry was planning to defend against. Activities in this phase of the survey included identifying marketplaces unknown to the public, creating accounts or procuring access, and interacting with sellers. Communicating with ransomware developers and sellers was essential because our team needed to ensure that the capabilities and features were legitimate.
The second phase was interacting with developers in forums. Here our team was able to interact with a developing-centered community and discover the direction of future work. Many of the developers had experience with all types of malware but it is clear that ransomware is providing the largest return on investment for these criminals at this time.
The final phase was breaking down all of the information we had gathered. We tested proof of concept, ease of use, availability, looked at how certain variations and families of ransomware would affect different industries, and much more. With this survey, we were able to advise multiple clients about threats that would not have been realized had we not taken the time to threat hunt on the Dark Web.
Keep This In Mind
First of all, keep in mind that spending time and money by sending your security team to gather threat intelligence from the Dark Web is not smart if your organization does not have the resources, risk, or need to deal with complex threats.