By Olivia Rowley, Flashpoint Analyst.
Beyond the accessible surface of the open web, anonymous users exchange illegal goods and plan criminal activities away from prying eyes. Known as the Deep & Dark Web, these covert regions of the Internet are unindexed by search engines and far greater in volume than the open web.
Here, among the forum chatter of cybercriminals and other adversaries, emerging threats and business risks frequently take shape. Shedding light on these secretive communities and the topics discussed within them offers a significant advantage to corporations seeking to combat threats and get one step ahead of adversaries.
An undiscovered country
Before we delve into the murky world of cybercrime, it's worth distinguishing between the Deep Web and the Dark Web. The Deep Web simply refers to areas of the Internet that are not indexed by search engines. This includes perfectly legal sites protected by passwords, firewalls, and/or paywalls. Online banking systems and private social media profiles are example of sites where user privacy is protected for entirely legitimate reasons. For authorized users, accessing these sections of the Deep Web requires nothing more than a standard Internet browser and the ability to enter the requisite login credentials.
In contrast, the Dark Web refers to a subcomponent of the Deep Web. Accessing it requires the use of specific encrypted browsers -- such as Tor or I2P -- that conceal the identity and location of the user. While the Dark Web is often tied to illegal activity, legitimate uses do exist under certain circumstances. For example, individuals located in regions governed by oppressive regimes where Internet usage and freedom of speech are restricted may have few options, if any, for accessing the Internet aside from the Dark Web.
However, wherever anonymity is possible, those to whom it is useful for illegitimate purposes are quick to take advantage. Collectively, the Deep & Dark Web has long served as a safe haven for cybercriminals, state-sponsored actors, and other adversaries with varying motivations for engaging in illegal activities. Most of these adversaries are motivated by monetary gain, which they seek to accomplish in a variety of ways.
Typical uses of the Deep & Dark Web include buying and selling illegal goods such as drugs, stolen information, weapons, and malware, among others. These online communities also facilitate collaboration and information sharing, providing adversaries with access to a wealth of expertise in a broad range of illicit subject matters ranging from physical and online theft to advanced hacking skills. By serving as a platform for recruiting, training, and advising new members, the Deep & Dark Web helps adversaries grow their sphere of influence and increase their potential for success.
In fact, community members are expected to actively contribute to the collective wealth of information and ideas that enable other members to advance their skills and develop new schemes. For example, one cybercriminal involved in various gift card fraud schemes was known to solicit old or empty gift card codes from their fellow cybercriminal peers so they could use them to improve their tactics and help their schemes become more lucrative. Understandably, Deep & Dark Web communities and their members are insular, secretive, and wary of scrutiny, making said communities difficult for outsiders to penetrate.
Danger, lies and empty threats
Aside from monetary gain, many adversaries are also motivated by the pursuit of power and validation. While the Deep & Dark Web is home to many unlawful activities that can give rise to tangible dangers, it is also fraught with exaggerations, lies, and empty threats. Specifically, attention-seeking individuals may try to appear more sophisticated and capable than they actually are in order to build up their reputations and earn the respect of accomplished criminals. Some may even wish to gain invitations to more exclusive, invite-only communities.
For defenders seeking to glean actionable insights from the Deep & Dark Web, distinguishing the genuine threats from the background noise is an ongoing endeavour. Indeed, this is one of the main reasons why Deep & Dark Web intelligence is best gleaned by analysts with the right tools, expertise, and experience. Such analysts have honed their tradecraft over years spent observing Deep & Dark Web forums to track emerging threats, become familiar with adversaries' capabilities, and develop ever-evolving profiles of key individuals.
As you might expect, Deep & Dark Web forums are international communities, so linguistic skills are very valuable. Adversaries understandably go to sophisticated lengths to conceal their identities, meaning that in-depth knowledge and fluency in multiple languages can help analysts identify when a threat purports to come from one community but actually originates in another. And as with any community, adversaries on the Deep & Dark Web communicate with one another using their own slang and a wide variety of social and cultural nuances. Naturally, the most effective analysts possess a comprehensive understanding of and ability to effectively communicate using these linguistic complexities.
From intelligence to action
Gaining proactive visibility into the Deep & Dark Web can indeed enhance an organisation's security and risk posture. A recent example of this occurred prior to the implementation of Europay MasterCard Visa (EMV) in the U.S., when intelligence from the Deep & Dark Web enabled Flashpoint's team of analysts to uncover a plot to exploit the EMV rollout. While monitoring certain underground communities, analysts discovered that a group of threat actors had developed an EMV-chip recording software, as well as the manufacturing techniques needed to fabricate chip-enabled credit cards that were allegedly capable of bypassing even the most robust anti-fraud controls. Upon being made aware of these findings, financial services institutions were able to adjust their EMV implementation strategy and security measures to prevent the threat becoming reality.
It's important to recognize, however, that accessing and collecting data from the Deep & Dark Web is not only difficult, it presents significant security risks. As such, organizations are encouraged to partner with analysts who have the proper tools, experience, and expertise to safely glean insights from these regions of the Internet. While organisations across all sectors will always be of interest to adversaries seeking monetary and/or personal gain, obtaining proactive visibility into where these adversaries interact and their malicious schemes are developed can enable defenders to bolster security, inform critical decisions, and ultimately mitigate a broad spectrum of cyber and physical risks.