SoS Musings - Dark Web Threat Intelligence

By grigby1 

Threat intelligence gathered from the dark web can help organizations identify, understand, prepare for, and mitigate cyber threats. The dark web could serve as a valuable source of threat intelligence for organizations looking to take a comprehensive approach to risk management. It is a section of the Internet that is not indexed by traditional search engines and must be accessed using special software. It is home to some of the most dangerous aspects of the online world, such as cybercrime. The dark web partly serves as a meeting place for cybercriminals who engage in identity theft, credit card fraud, malware distribution, and other illegal activities. It is known for its anonymity and secrecy. On it, cybercriminals sell massive amounts of stolen data, including login credentials, proprietary code, and intellectual property. For example, according to a report from the Digital Shadows Photon Research team, titled "Account Takeover in 2022," about 24.6 billion sets of usernames and passwords were circulating on the dark web. The dark web can provide greater insight into emerging cyber threats, offering rich intelligence sources relevant to a wide range of potential targets.   

According to Searchlight Cyber, 93 percent of Chief Information Security Officers (CISOs) are concerned about dark web threats, and around 72 percent say that intelligence on cybercriminals is "critical" to defending their company and enhancing cybersecurity. Seventy-nine percent are currently collecting data from the dark web. Yet, research indicates that even among those already gathering dark web data, more work needs to be done to overcome some of the most significant cybersecurity challenges. For example, although 71 percent of CISOs wanted to determine whether their suppliers are being targeted on the dark web, just 32 percent of those who collect dark web data use it to monitor supply chain attacks. Searchlight Cyber researchers also found that 27 percent of CISOs at oil and gas companies believe that dark web activity has no impact on their business, even though it is common for threat actors to hold auctions on the dark web to sell access to compromised Virtual Private Networks (VPNs) at energy companies. Seventy-two percent of oil and gas companies are already gathering dark web intelligence to defend their organizations from cyberattacks. Energy companies may not have viewed themselves as the primary target of financially-motivated attacks from the dark web in the past, but the cybersecurity landscape has changed dramatically. According to the researchers, these trends make dark web intelligence more important than ever.  
   
The Verizon 2023 Data Breach Investigations Report found that malicious employees contribute to 20 percent of security incidents. According to the report, attacks executed by insiders are, on average, ten times larger than those carried out by external actors. Verizon urges organizations to monitor marketplaces, forums, and social media channels for conversations about their company to reduce insider threats. This monitoring must also include the dark web, a gold mine for cybercriminals doing reconnaissance on companies. Monitoring this section of the Internet enables organizations to detect early signs of an impending attack, such as cybercriminals seeking insider information or disgruntled employees making derogatory remarks. Companies that use a threat model for malicious insiders must understand where their infrastructure is the most vulnerable, what assets they have that are the most valuable, and which techniques threat actors commonly use. Insight into the dark web can help organizations determine how criminals conduct reconnaissance and use malicious insiders, which can help bolster their defense strategies.  
   
Language models specific to the dark web can provide valuable insights to researchers. As time passes, Large Language Models (LLMs) similar to ChatGPT will only increase, with each one specializing in its own domain and trained on carefully curated data for a particular purpose. DarkBERT, as named by its South Korean creators, is one such application trained on data from the dark web itself, that provides an introduction to this dark side of the Internet. DarkBERT is based on the RoBERTa architecture, which was created in 2019. Researchers discovered it had more performance to offer than could be extracted in 2019. To train the model, the researchers crawled the dark web through the Tor network's anonymizing firewall and then filtered the raw data to create a database of the dark web. DarkBERT stems from this database being used to feed the RoBERTa LLM, a model that can analyze and extract useful information from new dark web content. Researchers demonstrated that DarkBERT outperformed other LLMs, which should enable security researchers and law enforcement to delve deeper into the web's darkest corners.  
   
A team of researchers from the Universities of Arizona, Georgia, and South Florida developed a Machine Learning (ML)-based CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) solver capable of overcoming over 90 percent of real challenges on dark web platforms. The goal of this study was to develop a system that can streamline cyber threat intelligence, which currently requires humans to manually solve dark web CAPTCHA challenges. Large-scale dark web data collection is often hindered by anti-crawling measures, such as text-based CAPTCHA. This measure in the dark web identifies and blocks automated crawlers by forcing the user to enter a combination of hard-to-recognize alphanumeric characters, thus decreasing the transparency of the dark web for security researchers looking to prevent cyberattacks and data breaches.  
   
Other technological advances can result in a nearly impenetrable version of the dark web, which calls for further efforts. In the coming years, as the metaverse takes shape, many security issues plaguing cyberspace will also begin to affect virtual space. One of the threats will be the emergence of a new "darkverse," where criminals will be able to operate with greater impunity and danger than they can on the dark web today, according to Trend Micro researchers. The metaverse is a term used to describe a virtual space where individuals and organizations can interact in a computer-generated version of the physical world. A full-fledged metaverse will enable users to shop, work, socialize, and engage in other activities in a virtual replica of the physical world, similar to how multiplayer online games allow users to create digital avatars of themselves and interact with other gamers in fantasy worlds. According to the researchers, the same phenomenon will occur in the cybercriminal underworld. They noted that, just as the dark web exists on an unindexed deep web, the darkverse will operate within an unindexed "deepverse" that will be difficult for law enforcement to penetrate.  
   
Dark web threat intelligence could assist organizations in identifying, understanding, and mitigating cyber threats from the far reaches of the Internet. This type of threat intelligence can serve as an important tool in reducing the likelihood of cyber threats succeeding. As the dark web grows, especially in regards to emerging versions, it is also important for the security community to further explore novel intelligence collection techniques. 

To see previous articles, please visit the Science of Security Musings Archive.