Introduction: It seems a day doesn’t go by where we are not reading about data breaches, payment fraud, and organized retail crime. Access to the technology and know-how to conduct malicious activity has become more prevalent, and the result has been an exponential increase in the volume of cyber threat incidents. It is estimated that the average annual loss to companies worldwide exceeds $7.7M, and that in the U.S., average losses typically approach $15M annually. (Ponemon 2015 Cyber Crime Report)
Recently, we had an opportunity to discuss cybercrime and threat intelligence with an organization that specializes in monitoring, detecting, and mitigating significant cyber threats. What struck us as interesting was the fact that they were applying strategies and tactics normally reserved for defense and military operations to the private sector. The results were disturbing and eye-opening, so we asked them to provide a primer on this topic.
Darknet Basics: Stolen data, hacked accounts, and counterfeit merchandise – this activity and the actors who conduct it are not using the “Internet” that we use when we’re online. This data is not going to be discovered on popular auction sites, and it’s not going to be broadcast over social media. This nefarious activity, and the commerce that ensues, occurs on the Darknet – a deep, anonymous layer of the internet. So, what exactly is the Darknet, and how is it different from the Internet?
First, it helps to change your perspective of what is commonly referred to as “the Internet”. More appropriately, think of the Internet as being comprised of three layers: the Clearnet, the Deep Web, and the Darknet. (Picture an iceberg: the part above water level is the Clearnet; the part just below water level is the Deep Web; and the bottom of the iceberg is the Darknet.)
The top layer, sometimes called the Clearnet, is what most of us commonly refer to as “the Internet”. This layer is accessible with standard browsers and is made up of the popular news, social, and eCommerce sites we use daily: Google, Facebook, and eBay all reside here.
The middle layer is referred to as the Deep Web. In this layer, sites are not typically indexed by search engines, and therefore reaching them requires prior knowledge of the sites and content that exist. Although these sites can be viewed in popular browsers (IE, Chrome, Firefox), you must learn the destination URL from some source other than Google, Bing, etc. Streaming sites are popular in the Deep Web.
Lastly, and hidden well below the surface, is the Darknet. This layer is not reachable with a standard desktop browser, and the sites that comprise this network are unknown to search engines. These sites require an anonymizing browser, such as Tor, in order to view them. Included in this layer are the marketplaces, forums, and chat rooms used to carry out significant cyber threats.
Darknet Marketplaces: Armed with the perspective that the Internet is composed of layers, we can now begin to understand why the Darknet has become an expansive landscape for conducting malicious activity. Given the high degree of anonymity provided by the Tor browser, Darknet marketplaces serve as exchanges for illicit/illegal goods and services without compromising identities. Anything can now be sold (and we do mean anything): corporate data, online accounts, intellectual property, counterfeits, and the know-how to conduct this activity are all available.
As an example, assume a malicious actor found a vulnerability in your online site and was able to acquire the credentials of your customers as they shop online. This actor may decide not to compromise the accounts directly, but to offload them to others. The actor, in effect, becomes a distributor of your organization’s digital assets.
This data is listed and made available for sale on Darknet marketplaces, typically at a price per customer account, attracting numerous buyers. Losses from these stolen, resold accounts could now be originating from hundreds of actors. Trying to piece this back together for investigative purposes is practically futile, due to the breadth of malicious parties involved. The practical alternative is to detect these assets, through technical means, at the moment they first come up for sale.
Use of Crypto-Currencies: But what about the fact that, in order to profit from the activity, the malicious actor needs to settle with buyers? Doesn’t that expose the actor in some way? In short, not at all. Darknet marketplaces use crypto-currencies such as Bitcoin to preserve the anonymity of the parties. In effect, neither party knows anything about the other beyond an amount and an “address” to which funds will be sent. Crypto-currency use guarantees that the buyer and seller never need to know more than this to complete a transaction.
Conclusion: The proliferation of Darknet marketplaces, and the threats that are continuously emerging from them, requires a significant change in the way online activity is monitored. No longer is it enough to simply monitor online auction and classified sites for fenced items, or to take a reactive approach – not when your digital assets represent such a rich target for fraud.
Organizations need to make threat intelligence the highest priority in their online Loss Prevention efforts and take a proactive approach by employing Situational Cyber Awareness technology that alerts them to threats as soon as they are detected. Knowing what threats exist, and mitigating them swiftly, is the only way organizations will maintain their financial and organizational health – especially as the targets continue to get richer.
(Note: This article was produced with the assistance of Zero Hour Intel, a threat intelligence company, after previewing their technology. If you’d like to learn more about how organizations are adopting threat intelligence in Loss Prevention, please visit their website at www.ZeroHourIntel.com.)