One of the more curious aspects of the dark web is that it didn’t start out as such a dark place. Its lineage runs through the bulletin board systems of the 80s and 90s, the trading posts of their day, and continues into 2000, when Freenet launched as a peer-to-peer network for sharing content anonymously. The anonymity technology itself is older and has official origins: in the mid-1990s the United States Naval Research Laboratory developed onion routing to shield US intelligence communications online, and that work became the Tor project (The Onion Router) in the early 2000s.
In fact, “dark” simply refers to the need for specific software (such as the Tor Browser) to reach this part of the web, which ordinary search engines do not index. Gaining access to the more closed dark web markets and forums typically means getting “cleared” by an insider, who vets you by checking references and your online footprint; other markets are open to anyone who registers.
Yes, the whole thing comes across as something of a cyber speakeasy. But, in its earlier days, it was a relatively benign speakeasy, a place where users gathered to trade tech tools and techniques. Once it caught on, however, child pornographers, drug dealers and other crooks flocked to the dark web to conduct their illicit business transactions.
And, of course, it’s a haven for hackers, who have turned the dark web into the Internet equivalent of a bazaar for cyber thugs. There’s lots of money to be made there, to the point where the dark web is now more about commerce than about information exchange. Federal authorities may succeed from time to time in shutting down a particular black market, but once they do, multiple players are eager, and able, to quickly set up another that sells the same products. Therefore, CISOs have to stay ahead of what’s likely to come. With this in mind, here are three things you need to know about the dark web.
It’s becoming a prime source for exploit kit “parts”
There has always been healthy demand for exploit kits and malware builders on the dark web. But complete kits are expensive, selling for thousands of dollars, so they don’t move fast enough. To boost sales, “exploit entrepreneurs” are breaking the products down into parts and selling them à la carte. They take a remote access trojan (RAT) builder, for example, and sell off its webcam capture, microphone recorder, keylogger and other modules at comparatively affordable prices, which energizes the market. (Strictly, a RAT is a payload rather than an exploit kit, but the same unbundling applies to both.)
That’s bad news for cybersecurity teams, because it makes their job harder. Instead of acquiring the tools and techniques to recognize and thwart a handful of well-known, monolithic kits, they will have to watch for a much larger onslaught of new and highly varied assemblies of parts. Worse, potentially thousands of individual attackers will customize their assemblies to suit their specific purposes, so a signature written for one known kit (a file hash, a fixed command-and-control URL pattern) will not match the next variant, and matching network activity to possible threats becomes a far more complex task.
To ensure their systems are sufficiently defended, CISOs should obtain the components being sold off and reverse engineer them, through legal channels: threat intelligence vendors and sharing communities that already collect such samples, or direct acquisition only after legal counsel has signed off, since buying from criminal markets carries legal and ethical risk of its own. Defenders can no longer focus solely on kits; they must get to the process level (the “how” behind the “what”) and learn to recognize indicators of functionality: the API calls, persistence mechanisms and traffic patterns a keylogger or camera module needs regardless of who assembled it. It’s a finely detailed approach, and it will require more time, expense and effort. But this is where the dark web is going, and understanding the parts being deployed is the first step in building an effective monitoring and mitigation strategy.
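As an added example (not from the original article), here is a minimal Python scanner that tags a sample by capability indicators, the Win32 API and library names a keylogger or webcam module needs, rather than by a signature for one known kit. The indicator table, the two-hit threshold and the sample bytes are constructed for illustration; a production version would take its indicators from the reverse-engineered modules themselves.

```python
"""Tag a sample by indicators of functionality instead of by kit signature.

Added illustration, not code from the article. The indicator table below is a
constructed, hypothetical mapping of Win32 API / library names to the capability
a RAT module would need them for; it is not an authoritative list.
"""

# capability -> byte strings whose presence suggests that capability
CAPABILITY_INDICATORS = {
    "keylogger": [
        b"SetWindowsHookExA", b"SetWindowsHookExW",
        b"GetAsyncKeyState", b"GetKeyboardState",
    ],
    "webcam_capture": [
        b"avicap32.dll", b"capCreateCaptureWindowA", b"capCreateCaptureWindowW",
    ],
    "microphone_record": [
        b"winmm.dll", b"waveInOpen", b"waveInStart",
    ],
    "screen_capture": [
        b"BitBlt", b"GetDC", b"CreateCompatibleBitmap",
    ],
    "persistence_registry": [
        b"RegSetValueExA", b"RegSetValueExW", b"CurrentVersion\\Run",
    ],
}


def tag_capabilities(data: bytes, min_hits: int = 2) -> dict:
    """Return {capability: sorted matched indicators} for every capability with
    at least min_hits distinct indicators present in the raw bytes.

    Requiring two hits keeps common benign imports (GetDC, winmm.dll) from
    tagging ordinary software on their own.
    """
    tags = {}
    for capability, indicators in CAPABILITY_INDICATORS.items():
        hits = sorted(ind.decode() for ind in indicators if ind in data)
        if len(hits) >= min_hits:
            tags[capability] = hits
    return tags


# Constructed stand-in for a dumped module: an import table fragment with
# keylogger and webcam indicators, and only one (ambiguous) microphone indicator.
SAMPLE_MODULE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00USER32.dll\x00"
    + b"SetWindowsHookExW\x00GetAsyncKeyState\x00"
    + b"avicap32.dll\x00capCreateCaptureWindowW\x00"
    + b"winmm.dll\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for capability, hits in tag_capabilities(SAMPLE_MODULE).items():
        print(f"{capability}: {', '.join(hits)}")
```

Run against the constructed sample, the scanner reports keylogger and webcam capability and stays silent on the single microphone indicator; lowering min_hits to 1 trades that restraint for recall, which is the tuning decision a team faces once the same module shows up in dozens of different assemblies.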
The NSA leaks have made a great place for crooked collaboration even better
It’s safe to say that, for many years, the dark web has served as one of the best information-sharing spots in the world, especially for cyber criminals who go there to exchange intelligence about pending plots and new tools and resources. But the leak of NSA exploitation tools has made it an even more productive, collaborative space. The publication of those tools by a group calling itself the Shadow Brokers led to the notorious WannaCry ransomware attack earlier this year, which spread using the leaked EternalBlue exploit for a flaw in Microsoft’s SMBv1 implementation. Brutal Kangaroo, a toolset for reaching Windows machines on air-gapped networks via infected USB drives, came to light around the same time but from a different source: it was part of the CIA material published by WikiLeaks as Vault 7, not the Shadow Brokers’ NSA leak.
What’s next? Who knows? The leaked tools are the equivalent of a big bundle of birthday presents that landed in the collective lap of the hacking community. They can “open up” each gift one by one, examine it, share observations and then devise their next line of havoc-wreaking attacks. To counter these moves, cybersecurity teams should immerse themselves in the leaked tools. Find out what your potential adversaries may want to use against you, and patch and prepare accordingly: the SMBv1 flaws WannaCry exploited had been fixed in Microsoft’s MS17-010 bulletin two months before the outbreak, so its victims were largely organizations that had not applied an available patch or were still running unsupported Windows versions.
Bad guys love Tor
The Onion Routing Project started out with good intentions as a government project. But, like everything else on the dark web, cyber adversaries take advantage of Tor to launch attacks with less risk of being traced. To summarize the technology: a Tor client picks a circuit of three relays (a guard, a middle relay and an exit) from the network’s published directory of several thousand relays, and negotiates a separate encryption key with each. Outgoing data is wrapped in three layers of encryption, one per relay. Each relay strips its own layer, which reveals only the next hop, and forwards the rest. The guard knows the user’s IP address but not the destination, the exit knows the destination but not the user’s IP address, and the middle relay knows neither. The traffic leaves the exit relay toward its final destination carrying the exit’s IP address, not the user’s.
Given those layers, Tor presents obvious appeal to attackers, who increasingly deliver exploits through it. This creates headaches for IT security teams, especially those without an understanding of Tor and its .onion addresses, which name hidden services that have no resolvable public IP address to block or investigate the way a clear web host has. Attackers coming out of Tor arrive from exit relay IP addresses, and the set of exit relays changes constantly, making it difficult to block a specific attacker by address.
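To make the layering concrete, the following is an added toy model of the circuit described above, not the Tor Project’s code or protocol. It uses a throwaway XOR keystream derived from SHA-256 in place of Tor’s AES-CTR, pre-shared keys in place of Tor’s per-hop handshake, JSON in place of fixed-size cells, and relay names in place of addresses; only the structure is the point: one layer per relay, and each relay learning just its next hop.

```python
"""Toy model of a three-hop Tor-style circuit: one encryption layer per relay.

Added illustration, not the Tor Project's code or protocol. The cipher is a
throwaway SHA-256 keystream XOR, keys are pre-shared instead of negotiated,
and layers are JSON instead of fixed-size cells.
"""
import hashlib
import json


def _keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (NOT for real use)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (an XOR stream cipher is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# The client picks a circuit (guard, middle, exit) and holds one key per hop.
CIRCUIT = ["guard", "middle", "exit"]
RELAY_KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest()
              for name in CIRCUIT}


def build_onion(circuit, keys, destination: str, payload: str) -> bytes:
    """Wrap payload innermost-first so relay i can strip exactly one layer."""
    # Innermost layer: only the exit learns the real destination and payload.
    blob = toy_xor(keys[circuit[-1]],
                   json.dumps({"next": destination, "data": payload}).encode())
    # Each earlier hop's layer names only the following relay and carries the
    # still-encrypted inner blob.
    for i in range(len(circuit) - 2, -1, -1):
        layer = json.dumps({"next": circuit[i + 1], "data": blob.hex()}).encode()
        blob = toy_xor(keys[circuit[i]], layer)
    return blob


def relay_strip(name: str, keys, blob: bytes):
    """Everything a relay can see: its next hop and an opaque inner blob."""
    layer = json.loads(toy_xor(keys[name], blob))
    return layer["next"], layer["data"]


def traverse(circuit, keys, onion: bytes):
    """Walk the onion hop by hop; return each relay's view plus final delivery."""
    views = []
    blob = onion
    for name in circuit[:-1]:
        next_hop, inner_hex = relay_strip(name, keys, blob)
        views.append((name, next_hop))
        blob = bytes.fromhex(inner_hex)
    destination, data = relay_strip(circuit[-1], keys, blob)
    views.append((circuit[-1], destination))
    return views, destination, data


def middle_can_read(circuit, keys, onion: bytes) -> bool:
    """Applying the middle relay's key to the outer blob yields no valid layer."""
    try:
        json.loads(toy_xor(keys[circuit[1]], onion))
        return True
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False


if __name__ == "__main__":
    onion = build_onion(CIRCUIT, RELAY_KEYS, "example.com:443", "GET / HTTP/1.1")
    views, dest, data = traverse(CIRCUIT, RELAY_KEYS, onion)
    for relay, sees in views:
        print(f"{relay:6} learns next hop: {sees}")
    print("delivered to", dest, "->", data)
```

Nothing in the onion carries the client’s own address; each relay learns it only from the connection that delivered the blob, which is why the exit, three connections away, cannot name the source. Real Tor adds what this toy leaves out: link encryption between relays, integrity checks on each layer, and constant-size cells so the layer count is not visible from the blob length.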
While a concrete solution remains elusive, private organizations can start by working with the FBI and other law enforcement agencies investigating these matters. Where insights and observations are readily exchanged between industry and government, valuable information emerges about, say, what the threat community is posting in public and underground forums. Another option is to retrieve the list of current Tor exit relays (the Tor Project publishes one at check.torproject.org) and block or flag their access to your resources. This covers the bulk of Tor traffic reaching you, but exit relays join and leave daily, so the list must be refreshed on a schedule. A block will also turn away legitimate privacy-conscious users, so for public-facing services flagging Tor traffic for extra scrutiny or step-up authentication is often the better choice.
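An added example (not from the original article) of the exit-list approach in Python: it parses the one-address-per-line format that https://check.torproject.org/torbulkexitlist returns, checks the client addresses in access-log lines against it, and renders ipset commands that build a fresh set and swap it in atomically, so a daily refresh never leaves a window with an empty set. The addresses and log lines are constructed, and the set name tor_exits and the swap design are assumptions of this example, not a Tor Project recommendation.

```python
"""Refresh a Tor exit-relay list and use it to flag or block traffic.

Added illustration, not the Tor Project's code. Input format matches the
one-address-per-line list served at https://check.torproject.org/torbulkexitlist;
the addresses, log lines and the ipset name 'tor_exits' are constructed here.
"""
import ipaddress

# Constructed sample in the bulk exit list format (documentation-range addresses).
SAMPLE_EXIT_LIST = """\
198.51.100.7
203.0.113.44

2001:db8::1
not-an-ip
"""

# Constructed access-log lines; the client address is the first field.
SAMPLE_LOG = [
    '203.0.113.44 - - [01/Jun/2017:10:00:01 +0000] "POST /login HTTP/1.1" 401 12',
    '192.0.2.10 - - [01/Jun/2017:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2017:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 0',
]


def parse_exit_list(text: str) -> set:
    """Parse the bulk exit list into a set of ip_address objects.

    Blank, commented or malformed lines are skipped rather than aborting the
    refresh, so one bad line cannot silently leave yesterday's set in place.
    """
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return exits


def is_tor_exit(ip: str, exits: set) -> bool:
    """True if ip is a currently listed exit relay; unparsable input is not."""
    try:
        return ipaddress.ip_address(ip) in exits
    except ValueError:
        return False


def flag_log(lines, exits: set):
    """Return (client_ip, is_tor) per log line, for alerting or step-up auth."""
    result = []
    for line in lines:
        client = line.split(" ", 1)[0]
        result.append((client, is_tor_exit(client, exits)))
    return result


def ipset_commands(exits: set, set_name: str = "tor_exits"):
    """Render ipset commands that fill a scratch set and swap it in atomically.

    Assumes the live set was created once with `ipset create tor_exits hash:ip`
    and is matched by a rule such as
    `iptables -A INPUT -m set --match-set tor_exits src -j DROP`.
    """
    tmp = f"{set_name}_new"
    cmds = [f"ipset create {tmp} hash:ip family inet -exist"]
    for ip in sorted(e for e in exits if e.version == 4):
        cmds.append(f"ipset add {tmp} {ip} -exist")
    cmds += [f"ipset swap {tmp} {set_name}", f"ipset destroy {tmp}"]
    return cmds


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    for client, tor in flag_log(SAMPLE_LOG, exits):
        print(f"{client:15} tor_exit={tor}")
    print("\n".join(ipset_commands(exits)))
```

Whether the rendered commands feed a DROP rule or merely a log-and-alert rule is the policy choice discussed above; the parsing and atomic swap are the same either way. The IPv6 entries are parsed but skipped by the inet-family ipset here; a second `family inet6` set would be needed to cover them.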
As the saying goes, it’s better to light a candle than curse the darkness. By examining the dark web in depth to learn which attack methods and resources represent the biggest threats, you can develop preemptive defenses against what’s ahead. By working with authorities to monitor and report underground activity, you build the vigilance and awareness that protect everyone, not just your own organization.