Dark Web Threat Intelligence: The Need for Access and Action
Anthony Meholic, CSO at Bancorp Bank, Adam Darrah, Director of Operative Intelligence Services at ZeroFox, and Jess Kydd, Senior Security Solutions Consultant at ZeroFox, led an insightful discussion on the challenges and solutions when it comes to dark web threat intelligence. In this post, we will recap highlights and key takeaways, be sure to watch the full discussion on-demand as well!
Redefining Our Understanding of the Dark Web
Cybercriminals leverage the dark web to conduct malicious activity including data leakage, credential theft, credit card fraud and phishing threats. According to our recent report “Fact vs. Fear: Dark Web Trends Security Teams Need to Focus On,” security risks are rapidly evolving within the underground economy. This economy includes forums, marketplaces, data leak sites, encrypted chat platforms, discussion boards and more. Security leaders that understand today’s threats on the dark web are better equipped to minimize their organization's vulnerability to an attack and increase their advantage over the adversary. However, there are many misconceptions about the dark web and how to manage security within it. Anthony described his journey into dark web threat intelligence and how it has evolved in three phases.
Phase 1: Awareness
When the dark web was first discussed amongst security professionals in earnest, it was thought about as a nebulous place where all sorts of information, data and hacks could be obtained. There was a rather nefarious undertone associated with it at that time - one that has remained to this day even among cybersecurity professionals.
Phase 2: Acknowledgment
This led to the next phase, the acknowledgment phase. At this time, there was a realization that the dark web was an active space that provided data, collaboration, technical code and skills to perform a wide variety of tasks. Some of these tasks were legitimate, others not so much. Regardless, it became apparent that some of your company data could possibly be discovered on these sites, forums and networks. In turn, this forced security professionals to determine the likelihood of associated risks. It elevated the dark web from being this ephemeral “bad place” to an actual location that could pose a threat and risk to corporate and customer information.
Phase 3: Integration
The final phase was integration. Once the threat and risk had been identified as genuine, the next logical step was integrating the dark web into an overall information security strategy. Having insight into the information, references and threats being promulgated on the dark web, security professionals could take proactive action to prevent data exposure. At the very least, this afforded an understanding of the scope of any potential actions resulting from the exposure of content on the dark web. This integration should play a central role as organizations develop an information security program to combat current threats. Over time, the dark web has evolved from something very vague into something very well defined, providing actionable information to leverage in securing your environment.
Access and Context: Two Critical Components for Effective Dark Web Intelligence
Coming from an intelligence analyst background with the CIA, Adam highlighted that when it comes to dark web threat intelligence, context is everything. The dark web is a place for everyone. It’s a gigantic ecosystem full of curious dilettantes and amateur hackers. However, it is also a safe haven for others, including minority or politically repressed groups. In a lot of instances, it is simply a place where those with privacy ethics or concerns go to use the internet.
You Don’t Know What You Can’t See
Against that backdrop, the criminal aspect within the underground community of the dark web ecosystem is relatively small. Even smaller is the actionable intelligence section of the dark web where there's a meaningful place to go to extract useful information. What tends to happen in our society is that we get worked up over a post: “A bad guy who lies a lot said something mean” or “a bad guy that we’ve never heard of before has made this claim, and it has to be true.” Context is everything! The access you have to the dark web, who you know and your reputation there all matter immensely.
Context is Key
Understanding context enables you to sift through the nonsense and noise. And even then, some of it sounds like meaningful noise, but it can be deceiving. Jess seconded the notion that context is everything. Working with customers to understand their threat profile on the dark web, the main thing she has seen across the board with both small and large companies is a lack of understanding or misconceptions about what the dark web is, why it exists and ways it can be useful for intelligence teams. Her efforts have been focused on educating people about the dark web, what it is and isn’t, from a security perspective. Once you build that foundational understanding, it's much easier to develop a strategy and path forward to manage risks associated with your company or your industry.
Where Security Teams Should Focus Dark Web Threat Intelligence Efforts
Mitigating threats on the deep and dark web requires a highly specialized skill set, but security teams can’t always allocate or obtain the resources they need to manage these threats effectively. So, where should they focus efforts and investments to gain intelligence in these underground spaces? What are the priorities when getting started?
Evaluate Your Resources and Budget
Anthony shared his experiences working within both small and large organizations. Regardless of size, it's best to start small and grow as resources, budget and risk exposure increase. For instance, a small manufacturing company with no international exposure does not have the same risk profile as a large multinational financial company. The small firm may not need to go to the same lengths and costs in order to gain a sufficient level of protection and security. The first step should be identifying available resources and budgets. Most small to midsize companies do not have the staffing to spin up a threat intelligence program. If this is the case, the use of a Managed Service Provider (MSP) should be considered. Bringing in companies like ZeroFox reduce internal resource allocation while also extending visibility and reach.
Leverage No-Cost Threat Feeds
If resources are minimal, subscribing to no-cost threat feeds or joining an Information Sharing and Analysis Organization (ISAOS) is another alternative. There are also feeds from various federal agencies and industry entities, such as FS-ISAC for financial sectors, that can be used to initiate a threat intelligence program that include dark web content analysis. Bear in mind, while this will provide global or industry-specific threat data, it will not be as targeted or as focused as a specific program would be. However, at the very least this will provide initial insight into general dark web chatter and trends.
Understand Your Risk Profile
Lastly, make sure you have a firm scope on the minimum functions that you want to implement. It's very easy to have “scope creep” as more items are discovered. As you start obtaining more content from the dark web, it's very easy to get distracted. Focus on what you want and what is most important for you, and stick with that until you have the capabilities to start chasing additional leads.
As part of this process, you must begin to understand your own risk profile. With Anthony’s experience in the financial sector, he referenced annual risk assessments for the corporate environment as an initial step. In doing these assessments, be sure to take a look at external exposure. To what degree are you externally exposed to risk? The other piece to consider is infrastructure exposure. What type of infrastructure are you working from? Is it an entirely Windows-based environment, or is it a heterogeneous environment with a mix of iOS, Windows and Linux? Each answer to these questions helps to define your risk profile. Anthony found working within a more heterogeneous environment to be rife with vulnerabilities and areas for exploitation. This was largely due to different pieces that “don’t always talk to each other nicely,” creating bridges or stopgaps for processes to flow. Depending on the risk assessment you've done and the level of exposure, this will play a large part in determining your risk profile.
Different organizations may be targeted with different types of attacks on different vectors. You have to put all of these pieces into context as well as what you offer as a target for malicious attacks. Always start within your resources and budget, then work up from there.
Best Practices and Next Steps
The discussion didn’t end there, and the panelists also took a deeper dive into dark web threat intelligence best practices as well as the evolving landscape of the dark web. Be sure to watch the full discussion on-demand. Understanding where to focus efforts is critical to finding and addressing threats at scale on the dark web and across the public attack surface.
Listen On-Demand: "Keep Your Enemies Close: Playing Offense on the Dark Web" Webinar.