InfoSec Insider

Digging into the Dark Web: How Security Researchers Learn to Think Like the Bad Guys

Hacker forums are a rich source of threat intelligence.

The Dark Web/Darknet continues to be an environment for bad actors to share stolen credentials and discuss successful attacks. In fact, in recent weeks, personal information from places ranging from education organizations to voter databases in the U.S. has been found exposed. Although there have been big takedowns of cybercrime groups online, cybercriminals evolve to avoid detection.

But just as there’s a lot of bad on the Dark Web, there is also good – mostly in the form of intel that can be used to help protect organizations from attacks.

Because they are so focused on doing what’s right, researchers often overlook additional rich sources of cyber-threat intelligence that attackers essentially hand out as they interact online. In other words: To defend as a good guy, you have to think like a bad guy. Getting into an attacker’s head provides clues as to how and why they operate.

Understanding the Darknet/Dark Web

For general purposes, the terms “Dark Web” and “Darknet” are more or less interchangeable, but there are some nuanced differences. When people refer to the Dark Web, they’re usually talking about hacker sites on the internet that you can access from a regular web browser. When people talk about the Darknet, they mean sites that require special software to reach. The most common one is the Tor browser, but there are others as well.

Diving into the Darkness

To gain insight into how hackers operate, it helps to explore their stomping grounds. A common data source for threat intelligence is attacker-run and torrent/onion forums, usually on the Darknet, where hackers often discuss, purchase and sell malware, ransomware and denial-of-service offerings.

For obvious reasons, many of these forums require researchers to jump through a significant number of hoops to access them. Some forums require payment of some kind; others require people to vouch for you as a real hacker. And sometimes, you have to prove your worthiness by demonstrating your ability to code around a security problem or create malicious software.

Most attackers on these forums aren’t just motivated by monetary gain. They’re also looking for some glory. They want to post and advertise their knowledge in forums that will have the most views, and many want to show off their skills. What they typically show off are frequent attacks targeting mass numbers of individuals and organizations rather than narrow, specific, targeted attacks. So, the techniques shared in these forums help defenders understand attacker culture and how to defend against frequent attacks.

Current Trends

Attack forums enable researchers to understand what attackers find interesting. Getting inside the mind of an attacker not only enables threat researchers to anticipate risks and the steps within an attack, but it also helps us to begin to profile certain cybercriminals. Threat behaviors are a lot like fingerprints and can be very useful in uncovering and defending against certain threats.

One trend in these attack forums that has been popular and churned up a lot of discussion over the past few months is security on various web meeting platforms. Most of these discussions have no malicious intent and are probably people just wanting to understand or discuss a specific topic. In some rare cases, however, it is clear that when an application is getting enough chatter, it is because attackers are starting to research vulnerabilities or test code.

Threat researchers also make use of text dumps that contain usernames, names, passwords and other information. This is often what happens to data when cybercriminals, or even people in your organization, have intentionally or inadvertently leaked passwords or other personally identifiable information (PII). This data, of course, can put your entire organization at risk. At the very least, organizations should be checking to see if they’ve been caught up in these types of credential packages and data leaks.
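One way to run the check described above, as an added example that is not part of the original article: scan a text dump for addresses under the domains you monitor and report which accounts appear, keeping only hashes of the leaked secrets. The function names, the `example.com` domain and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample dump lines (not real data); separators vary, as in real dumps.
SAMPLE_DUMP = """\
alice@example.com:Summer2020!
bob@mail.example.com;hunter2
ALICE@EXAMPLE.COM:Summer2020!
carol@other.test:letmein
dave@notexample.com:qwerty
alice@example.com\tWinter2021?
garbage line with no credentials
erin@example.com:
"""

EMAIL_RE = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")

def in_scope(domain, monitored):
    """True if domain is a monitored domain or a subdomain of one (not a look-alike suffix)."""
    domain = domain.lower().rstrip(".")
    return any(domain == m or domain.endswith("." + m) for m in monitored)

def find_exposed_accounts(dump_text, monitored_domains):
    """Map each in-scope account to the number of distinct secrets leaked for it."""
    monitored = {d.lower() for d in monitored_domains}
    exposed = defaultdict(set)
    for line in dump_text.splitlines():
        m = EMAIL_RE.search(line)
        if not m or not in_scope(m.group(2), monitored):
            continue
        account = f"{m.group(1)}@{m.group(2)}".lower()
        # Text after the address, minus common separators, is treated as the secret.
        secret = line[m.end():].lstrip(":;,| \t").rstrip()
        fingerprints = exposed[account]  # registers the account even with no secret
        if secret:
            # Keep only a hash so the report never carries plaintext passwords.
            fingerprints.add(hashlib.sha256(secret.encode("utf-8")).hexdigest())
    return {acct: len(fps) for acct, fps in sorted(exposed.items())}
```

Accounts with a non-zero count are candidates for a forced password reset; a count of zero means the address was listed without a recoverable secret.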

Re-Stacking the Odds

Cyberattackers are notoriously opportunistic, and they also like to brag about their conquests. As threat researchers work hard to stay ahead of their adversaries, they often overlook key information within the Dark Web and Darknet that could help them. Examining hacker forums and text dumps are just two of the ways that researchers can glean valuable information that will help them protect the networks they are responsible for. For this reason, cybersecurity training for researchers needs to include methods of accessing the dark online world so the good guys can better understand how the bad guys operate and beat them at their own game.

Another key part of this ecosystem is the role of law enforcement. Threat researchers can and should work with law-enforcement agencies to share threat information in a way that’s easy and accessible. This has to be a two-way street. Tackling cybercrime can’t be resolved unilaterally by law enforcement alone; it’s a joint responsibility that requires trusted relationships to be fostered between the public and private sector.

Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs.

Discussion

  • Chris Ingram on

    Nice feel good article, but... I would like to know how the "Researchers" are dealing with the mountains of disgusting filth... I can't even say it, they must traverse to obtain this "data". Once even a single image appears, that researcher is in violation of hundreds of laws, laws that say he must go to prison. How are they handling that?
  • David Abgehort on

    There's a lot of filth on the internet without having to go to dark sites. Monetization by ads or cryptocurrency and data mining. As far as going to prison for viewing or being present... That's improbable.
  • Anonymous on

    Chris, you don't really know much of anything personally about the dark web, do you?
