Indexing the Dark Web One Hacking Forum At A Time

Staffan Truvé spoke Monday at the Kaspersky Analyst Summit about the efforts his company Recorded Future is taking to index the dark web, or what he called the underbelly.

CANCUN–There are only so many ways to tiptoe around some of the Internet’s darker, seedier corners. Sites offering illegal drugs, DDoS-for-hire and other questionable merchandise are often laden with malware, hazardous to visit and, in turn, hard to fully get a grip on.

But according to Staffan Truvé, the CTO and co-founder of Recorded Future, a firm based in both Cambridge, Mass., and Sweden, after you’ve gathered enough information on the sites, you can see just how it’s all connected.

Truvé spoke Monday at the Kaspersky Lab Security Analyst Summit about the efforts his company is taking to index the dark web, or what he called the underbelly. As opposed to the ‘classic web,’ which is easily read, fully indexed and served by established toolsets, the underbelly is extremely volatile and only partially indexed, making it a prime candidate for research.

Recorded Future’s analytics are temporal and gathered in real time, meaning there are vast swaths of information that it has to go through to formulate trend maps. The company indexes content in seven different languages, from more than 600,000 sources, parsing five million documents, seven million facts and 100 million entities a day.

Naturally there are some of what Truvé referred to as “golden nuggets” in there, including credentials, credit card information and specific attack plans. Truvé and his team are able to observe trending methods and anomalies they spot to conduct predictive modeling in specific domains.

The bulk of the sites Truvé says Recorded Future mines are Russian paste sites, which contain “surprisingly little” information, and Russian forums, which he insists are a veritable treasure trove, partly because the sites peddling CCVs are indexed by the company much as an RSS reader would index webpages.

But that information doesn’t hang around for long. Truvé said that because so many of the pastes contain improper data, 10 percent of them are gone within the first 48 hours, 25 percent of them within a month.

By searching through its databanks, Recorded Future can home in on how popular certain types of malware are. Truvé used Dark Comet, the remote administration tool (RAT) often seen targeting Syrian activists, as an example, pointing out that it enjoyed a very successful month in January.

Truvé claims the spike was mostly because of the #JeSuisCharlie movement as attackers were found attaching links to the malware onto tweets with the hashtag. After searching for any mentions of “DarkComet,” along with a link, in its system Truvé found about half of the malware’s mentions were on social media. Cybercriminals were redirecting unsuspecting users to the malware via storage sites like Mediafire and Dropbox.

Truvé also mentioned how the company is easily able to determine who is offering DDoS-for-hire services, and how many such services there are, including Lizard Squad, which boasted of taking down both PlayStation Network and Xbox Live shortly after Christmas.

“The underbelly can be scratched,” Truvé said, “by harvesting relevant regions of the web and organizing it for analysis, you can see everything is connected, from pastes to forums.”
