Hacker forums are a rich source of threat intelligence.
The Dark Web/Darknet continues to be an environment for bad actors to share stolen credentials and discuss successful attacks. In fact, in recent weeks, personal information from places ranging from education organizations to voter databases in the U.S. have been found exposed. Although there have been big takedowns of cybercrime groups online, cybercriminals evolve to avoid detection.
But just as there’s a lot of bad on the Dark Web, there is also good – mostly in the form of intel that can be used to help protect organizations from attacks.
Because they are so focused on doing what’s right, researchers often overlook additional rich sources of cyber-threat intelligence that attackers essentially hand out as they interact online. In other words: To defend as a good guy, you have to think like a bad guy. Getting into an attacker’s head provides clues as to how and why they operate.
Understanding the Darknet/Dark Web
For general purposes, the terms “Dark Web” and “Darknet” are more or less interchangeable, but there are some nuanced differences. When people refer to the Dark Web, they’re usually talking about hacker sites on the internet that you can access from a regular web browser. When people talk about Darknet, it means you need special software. The most common one is the Tor browser, but there are others as well.
Diving into the Darkness
To gain insight into how hackers operate, it helps to explore their stomping grounds. A common data source for threat intelligence are attacker-run and torrent/onion forums, usually on the Darknet, where hackers often discuss, purchase and sell malware, ransomware and denial-of-service offerings.
For obvious reasons, many of these forums require researchers to jump through a significant number of hoops to access them. Some forums require payment of some kind; others require people to vouch for you as a real hacker. And sometimes, you have to prove your worthiness by demonstrating your ability to code around a security problem or create malicious software.
Most attackers on these forums aren’t just motivated by monetary gain. They’re also looking for some glory. They want to post and advertise their knowledge in forums that will have the most views, and many want to show off their skills. What they typically show off are frequent attacks targeting mass numbers of individuals and organizations rather than narrow, specific, targeted attacks. So, the techniques shared in these forums help defenders understand attacker culture and how to defend against frequent attacks.
Attack forums enable researchers to understand what attackers find interesting. Getting inside the mind of an attacker not only enables threat researchers to anticipate risks and the steps within an attack, but it also helps us to begin to profile certain cybercriminals. Threat behaviors are a lot like fingerprints and can be very useful in uncovering and defending against certain threats.
One trend in these attack forums that has been popular and churned up a lot of discussion over the past few months is security on various web meeting platforms. Most these discussions have no malicious intent and are probably people just wanting to understand or discuss a specific topic. In some rare cases, however, it is clear that when an application is getting enough chatter, it is because attackers are starting to research vulnerabilities or test code.
Threat researchers also make use of text dumps that contain usernames, names, passwords and other information. This is often what happens to data when cybercriminals, or even people in your organization, have intentionally or inadvertently leaked passwords or other personally identifiable information (PII). This data, of course, can put your entire organization at risk. At the very least, organizations should be checking to see if they’ve been caught up in these types of credential packages and data leaks.
Re-Stacking the Odds
Cyberattackers are notoriously opportunistic, and they also like to brag about their conquests. As threat researchers work hard to stay ahead of their adversaries, they often overlook key information within the Dark Web and Darknet that could help them. Examining hacker forums and text dumps are just two of the ways that researchers can glean valuable information that will help them protect the networks they are responsible for. For this reason, cybersecurity training for researchers needs to include methods of accessing the dark online world so the good guys can better understand how the bad guys operate and beat them at their own game.
Another key part of this ecosystem is the role of law enforcement. Threat researchers can and should work with law-enforcement agencies to share threat information in a way that’s easy and accessible. This has to be a two-way street. Tackling cybercrime can’t be resolved unilaterally by law enforcement alone; it’s a joint responsibility that requires trusted relationships to be fostered between the public and private sector.
Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting past contributions.