InfoSec Insider

Digging into the Dark Web: How Security Researchers Learn to Think Like the Bad Guys

Fortinet’s Aamir Lakhani discusses hacker forums as a rich source of threat intelligence.

The Dark Web/Darknet continues to be an environment for bad actors to share stolen credentials and discuss successful attacks. In fact, in recent weeks, personal information from places ranging from education organizations to voter databases in the U.S. have been found exposed. Although there have been big takedowns of cybercrime groups online, cybercriminals evolve to avoid detection.

But just as there’s a lot of bad on the Dark Web, there is also good – mostly in the form of intel that can be used to help protect organizations from attacks.

Because they are so focused on doing what’s right, researchers often overlook additional rich sources of cyber-threat intelligence that attackers essentially hand out as they interact online. In other words: To defend as a good guy, you have to think like a bad guy. Getting into an attacker’s head provides clues as to how and why they operate.

Understanding the Darknet/Dark Web

For general purposes, the terms “Dark Web” and “Darknet” are more or less interchangeable, but there are some nuanced differences. When people refer to the Dark Web, they’re usually talking about hacker sites on the internet that you can access from a regular web browser. When people talk about Darknet, it means you need special software. The most common one is the Tor browser, but there are others as well.

Diving into the Darkness

 To gain insight into how hackers operate, it helps to explore their stomping grounds. A common data source for threat intelligence are attacker-run and torrent/onion forums, usually on the Darknet, where hackers often discuss, purchase and sell malware, ransomware and denial-of-service offerings.

For obvious reasons, many of these forums require researchers to jump through a significant number of hoops to access  them. Some forums require payment of some kind; others require people to vouch for you as a real hacker. And sometimes, you have to prove your worthiness by demonstrating your ability to code around a security problem or create malicious software.

Most attackers on these forums aren’t just motivated by monetary gain. They’re also looking for some glory. They want to post and advertise their knowledge in forums that will have the most views, and many want to show off their skills. What they typically show off are frequent attacks targeting mass numbers of individuals and organizations rather than narrow, specific, targeted attacks. So, the techniques shared in these forums help defenders understand attacker culture and how to defend against frequent attacks.

Current Trends

Attack forums enable researchers to understand what attackers find interesting. Getting inside the mind of an attacker not only enables threat researchers to anticipate risks and the steps within an attack, but it also helps us to begin to profile certain cybercriminals. Threat behaviors are a lot like fingerprints and can be very useful in uncovering and defending against certain threats.

One trend in these attack forums that has been popular and churned up a lot of discussion over the past few months is security on various web meeting platforms. Most these discussions have no malicious intent and are probably people just wanting to understand or discuss a specific topic. In some rare cases, however, it is clear that when an application is getting enough chatter, it is because attackers are starting to research vulnerabilities or test code.

Threat researchers also make use of text dumps that contain usernames, names, passwords and other information. This is often what happens to data when cybercriminals, or even people in your organization, have intentionally or inadvertently leaked passwords or other personally identifiable information (PII). This data, of course, can put your entire organization at risk. At the very least, organizations should be checking to see if they’ve been caught up in these types of credential packages and data leaks.

Re-Stacking the Odds

Cyberattackers are notoriously opportunistic, and they also like to brag about their conquests. As threat researchers work hard to stay ahead of their adversaries, they often overlook key information within the Dark Web and Darknet that could help them. Examining hacker forums and text dumps are just two of the ways that researchers can glean valuable information that will help them protect the networks they are responsible for. For this reason, cybersecurity training for researchers needs to include methods of accessing the dark online world so the good guys can better understand how the bad guys operate and beat them at their own game.

Another key part of this ecosystem is the role of law enforcement. Threat researchers can and should work with law-enforcement agencies to share threat information in a way that’s easy and accessible. This has to be a two-way street. Tackling cybercrime can’t be resolved unilaterally by law enforcement alone; it’s a joint responsibility that requires trusted relationships to be fostered between the public and private sector.

Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs.

Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.

Suggested articles

Cyberattackers Put the Pedal to the Medal: Podcast

Fortinet’s Derek Manky discusses the exponential increase in the speed that attackers weaponize fresh vulnerabilities, where botnets and offensive automation fit in, and the ramifications for security teams.