Darknet Done Right

Darknet Done Right

There has been a lot of buzz around the concepts of the criminal underground marketplace and “Darknet” over the past few years, but few individuals or organizations truly understand it nor how to apply research and response related to Darknet to actionably impact risk management.  High level, the more you dive into the true Darknet of the criminal underground, the more human hours it requires, lowering your ROI.  Finding the sweet spot of ROI for Darknet, done right, is the key to any future strategy of an organization dedicating staff to intelligence operations.


Components of the Darknet


To craft a strategy towards ROI related to Darknet research and response context and relevant value must be created for an organization.  You must understand the differences between the normal web, deep, and Darknet as discussed in a former blog.  Within these various layers of the Darknet exists the criminal marketplace, where buying and selling, advertising, and soliciting takes place.  Monitoring specific actors, activity related to vulnerabilities and exploitation, and tools or tactics that impact your organization provide value in ROI for Darknet collections, monitoring, and investigative work. 


Deep Darknet is Challenging and Expensive


Deep Darknet research and response involves heavy Human Intelligence (HUMINT) components that are expensive.  With more advanced marketplace venues illegal acts must be confirmed in order to gain invite-only access, meaning the majority of Darknet resources purchased as a service today are likely not this premium intelligence source.  Managing various identities, or monikers, and all that goes with each persona is not a trivial matter.  Checks and balances also exist in the criminal marketplace where a specific language, cultural customs, and affiliations may be used to challenge and validate any newcomer wishing to join the marketplace.  Darknet operations are a major time commitment! With a major shortage of talented and experienced security staff, most organizations will start to learn towards primary collections and monitoring through a third party service, with a part-time or full-time analyst within the company assigned to consume and act upon the intelligence.


Marketplace Monitoring


Marketplace interactions and meta-data exist at all levels of the Darknet and Deep web and can provide important telemetry towards predictive, real-time, and reactive monitoring for research and response.  For example, a “dump” of stolen emails can easily be automated for collections and sorted by domains associated with each email to then notify clients or entities impacted.  This may then lend itself to additional investigative research and response into the intel lead of the dump to understand peer-to-peer relationships, the veracity of the original disclosing source/moniker, and monitoring of any related malware or other nefarious activities related to the threat.  This type of monitoring, on all levels of the Darknet, does provide real value for an organization desiring visibility into possible breaches or unauthorized disclosures or information leaks but is time consuming and therefore expensive to conduct.


Infrastructure Monitoring


Focused, targeted infrastructure monitoring is another element of Darknet operations that has high ROI for an organization.  Attempting to perform infrastructure tracking and monitoring of ‘everything’ is not feasible.  However, if an organization has a strategy such as lowering the number of incidents, metrics towards top threats and mitigating those threats lends itself to this type of Darknet targeted research and response.  For example, an exploit kit of interest may be regularly resulting in compromise or risk exposure to an organization tied to phishing emails.  An organization may then target this specific campaign to map out the architecture of attacks and tools, tactics, and procedures (TTPs). This enables an organization to then identify common indicators of compromise for the entire campaign, instead of just those seen by the organization, and to target and monitor this information from Darknet resources and internal events and incidents, to provide telemetry and visibility as well as defensive components against the threat. 


In the example provided an organization may map out proxy servers, domain construction components, and malware loaders utilized within a campaign that impacts their organization to then monitor and respond to any activity updates found within the Darknet and Deep web related to the threat.  Information from this monitoring is then used to populate security tools and update security teams so that when a new wave of attacks is attempted against an organization, they have true predictive and proactive IOCs and defensive measures in place for the known activity of that threat. 


This approach is much more involved and expensive to perform compared to traditional IT and Security efforts but does offer high ROI IF there is a pain point on risk exposure and incidents from a notable threat.  Do you have solid metrics in place to identify risks, cost of exposure and incident, and so forth?  This is key to then building out an ROI to justify maturity and readiness for Darknet operations internally. For example, an organization that is large may experience risk exposure to 3,000 email threats with a link to an exploit kit on an annual basis, with 100 having an incident after clicking on the link.  Looking at the average risk exposure, the success of the attack, and more importantly the cost per incident annualized, an ROI is evident for dedicated staff to mitigate the threat with infrastructure and Darknet monitoring coupled with threat research and response.


Intel Collections of the Future


Let’s face it, do you want that superstar in your organization to have mature monikers and online personas performing Darknet research and response, only to leave to work for another company taking all his Darknet identities with him or her?  In the wild, wild west of Darknet, this is how the space emerged.  Today we have a migration and maturation of intelligence as a service through emergent companies that provide such research and response through automated systems, with their own global collections and human language translation components, all coupled into their service.  This means an organization that is focused on that higher-level intel research and response component to manage risk no longer needs to find an expert in say, malware, and also a specific language, such as Russian, to perform research and response – they can buy it as a service through emergent services.  This is far more efficient and also creates a cloud component of threat research and response that can be invaluable for an organization working with a provider when compared to doing it on their own. 


Another form of infrastructure monitoring is that of malware, where various monitoring with YARA signatures and honeypot type solutions are implemented to discover new codes in real-time as threats emerge in the wild.  This type of technical pursuit can be automated but requires deep reverse engineering and attribution work to avoid false positives and integration challenges that exist otherwise.  This is an expensive endeavor for any individual company, meaning any emergent intel solution provider providing high ROI for a company must have such services incorporated into their offering so that the expense of such specialty staff is concentrated in the third party provider instead of individual organizations.


Infrastructure, from an attack framework, can also be applied to vectors of attack such as common vulnerabilities and exposure (CVE’s) related to exploit kits and activity utilized by the adversary.  Having a Darknet view and visibility into all threats that utilize or leverage a specific CVE and/or impact a specific technology (e.g., Java) can be a game changer regarding the governance and priorities of an organization.  For example, if 75% of all exploit frameworks exploit a specific CVE or target a specific technology, and exploit kits are a proven event and incident issue for an organization, ROI can very quickly be identified to help mitigate this threat.  This type of infrastructure view combines the threat actor aggregate risk with that of an organization risk, to identify true risk and ROI towards mitigation of a threat.


In a buy versus build world, buying access to a Darknet intelligence as a service solution is far more cost effective than attempting to do it on your own.  That doesn’t mean your top dog on staff can’t be in online forums and nested in the marketplace – but it does mean your core Darknet research and response components of risk management rely upon the intelligence as a service instead of your talented individual on staff at that moment in time.


Closing Comments


Telemetry and visibility into services and infrastructure is an effective ROI for most organizations.  This is especially true when an organization is mature enough to provide metrics on their own personal threat landscape, identifying the highest risk vector, highest likelihood of threat attack or incident, and areas of opportunity in their defensive posture as an organization.  The marriage of a well-managed risk program and targeted Darknet operations towards mitigation of risk is an ROI most mature companies have actualized.  As the majority of other organizations mature towards readiness of this level of risk management over the coming years, intelligence as a service, focused upon marketplace and infrastructure, will likely become a greater focus of service support and integration.  When integrating a Darknet intelligence arm of a solution be sure to properly staff your own internal HUMINT resources to strategically and tactically act upon the intelligence that matters most to your organization.

Ken Dunham
Senior Director, Technical Cyber Threat Intelligence
Ken Dunham has spent 30 years in cybersecurity, consulting in adversarial counterintelligence, forensics, Darknet Special Ops, phishing and hacking schemes, AI/BI, machine learning and threat identification.