Navigating Dark Web Cybersecurity: A Hitchhiker's Guide
Is the dark web scary?
Short answer: It depends, but generally, maybe.
Long answer? It can be scarier than the popular parts of the surface (indexed) web. (By common estimate, the indexed surface web accounts for only around 10 percent of what is online; the rest is deep web content that search engines do not index, of which the dark web is a small subset.)
But not everything on the dark web is dangerous or even illegal. Scary people do operate there, but it also provides a safe harbor to privacy advocates, curious dilettantes, and political, ethnic, or sexual minorities.
“Generally, I wouldn’t recommend your average individual participate in unfamiliar dark web criminal forums,” says Adam Darrah, Director of Threat Intelligence Services at ZeroFox, “but the majority of activity that impacts enterprises takes place in the underground economy ecosystem of the deep and dark web—and in many ways, this ecosystem mirrors what we see in the aboveground economy.”
So what makes the deep and dark web different? And how can organizations navigate underground forums and prepare for potential attacks?
Here—and in more detail, in our Hitchhiker’s Guide to the Dark Web ebook—we shed light on the environments most likely to target enterprises, organizations, and their people.
You’ll learn:
- How the dark web economy functions
- Underground economy ecosystems and how they differ
- Why relationships matter for dark web cybersecurity
- How underground economy covert operations function
- True(ish) tales from dark web cybersecurity covert operatives
How the dark web economy functions
First you have to understand the basics. How does the dark web function? How does it work, and who does it serve?
Operational functions of the dark web
The dark web is a collection of sites, forums, and communities hosted on overlay networks that an ordinary browser cannot reach. The most common of these networks is Tor (The Onion Router), reached through the Tor Browser, which routes traffic through several volunteer relays so that a site cannot see the visitor's real IP address and the visitor's own network cannot see which site is being visited. One caveat: Tor hides who is talking to whom, not necessarily what is being said. Traffic bound for a regular website leaves the Tor network in the clear at an exit relay unless the site uses HTTPS; only connections to .onion services are encrypted end to end inside the network.
Think of the underground economy as a robust marketplace, selling information, tools, services, and more. The same volatile economic constraints we experience in the aboveground economy are also present in the underground. It also has its own language and identity, its own geographies, and within each, very distinct cultures.
Economic functions of the dark web
There are two currencies used in underground deals: reputation and cryptocurrency.
Reputation is currency on the dark web
Reputation matters because that’s how you distinguish yourself from the overwhelming noise. Not only are threat actors vying for attention—some are also intentionally adding to the noise as a distraction, to force the uninitiated down a different path. To cut through that noise, you have to take the time to establish yourself as someone reputable.
Cryptocurrency on the dark web
The benefit of cryptocurrency is that it is decentralized: no bank or government can freeze or reverse a payment. The problem is that same property: if a counterparty or market operator takes the money, there is no one to appeal to. Bitcoin's ledger is also public, so payments can be traced with blockchain analysis, and underground communities are moving to cryptocurrencies that are harder to trace (Monero is the usual choice) but that still hold enough value to be cashed out for fiat currency. In addition, market instability is leading threat actors to engage in riskier transactions with less reputable exchanges.
KEY TERM: Fiat currency
Fiat currency is any type of currency that is declared legal tender by a government but that has no intrinsic value and is not backed by tangible assets.
Marketing and misdirection
The environments are also intentionally noisy. You have to stand out with your quality of goods and the way you interact with people. You’ll find contemporary marketing tactics and advertising campaigns. Satisfaction guarantees and customer service support are all part of the business models. But to maintain operations, dark web vendors and brokers don’t want to attract the attention of security researchers or law enforcement. So while running and promoting their businesses, they use misdirection and distraction to feed the chaotic nature of the ecosystem.
Enforcement functions of the dark web
There are enforcement mechanisms, but they differ from the aboveground economy in that no court or judicial body penalizes you. Enforcement is reputational: scammers are called out, banned, and sometimes doxxed by the community. It’s effectively mob rule.
How dark web forums get shut down
Forums regularly appear and disappear, which contributes to the dark web’s transient nature. When a forum shuts down, it typically happens in one of two ways. The first is law enforcement: if agencies trace illegal activity to the underground source, they may seize the infrastructure and take the forum offline.
The second is an exit scam. Many markets hold a buyer's cryptocurrency in escrow, an account controlled by the forum admin, until the seller delivers. An exit scam is when the admin looks at all the money sitting in escrow, shuts down the forum, and leaves with it. Admins are most likely to run one when there are signs law enforcement has discovered the forum, or when the forum is populated with inexperienced users who are unlikely to spot the warning signs.
KEY TERM: Exit scam
When a forum admin shuts down the forum and steals any funds currently in the escrow account.
Exit scams aren’t common, since once one is executed the admin loses all credibility in the underground economy. Still, they do happen, so it’s important to have a dark web cybersecurity expert who knows how to spot one. Classic warning signs include escrow withdrawals that begin to fail or stall while deposits still work, admins and moderators going quiet, and sudden "maintenance" announcements that conveniently arrive while the escrow balance is high.
True Tale from the Dark Web: How ZeroFox dark web cybersecurity experts helped a customer avoid an exit scam
Our team is often asked to procure an item in a deep and dark web (DDW) forum or marketplace on behalf of a client—intellectual property, compromised data, or tools that could be used to attack the client or the client’s users. DDW forums and marketplaces have a shelf life and are regularly taken offline without notice, leaving their users confused and robbed of their money. There have been several occasions where our team identified signals that an exit scam was coming. We advised our clients to hold off on procuring an item so as not to get scammed, and sure enough, within a week, our suspicions were confirmed. We were able to save our clients money and, perhaps more importantly, provide peace of mind.
*Some details may be changed to protect identities
Why relationships matter on the dark web
To succeed in the dark web—whether it’s to remove your organization’s stolen assets or to acquire a tool that could be leveraged against your business—you must have solid, established relationships within these unique ecosystems.
ZeroFox operatives are embedded in dark web environments and have been building relationships for a decade. We know the adversaries—not just the actions they take. We know about their lives, their likes and dislikes, their families. Significant time on target makes it faster to identify the situational nuances that determine whether an engagement succeeds.
Questions to ask when evaluating dark web intelligence:
- How well can your researchers distinguish between legitimate threats and trolls?
- Do you know how to avoid traps adversaries set to root out researchers?
- How do you confirm whether or not a threat is legitimate?
- Do you know enough about the threat actors to recognize when an innocuous brand mention is cause for concern?
- How well does your dark web research team work together?
- Can your dark web researchers assist with asset recovery?
True Tale from the Dark Web: Contextualizing the adversary beyond the actions
While presenting to a client, our team noted that one of the most prolific and well-known English-speaking adversaries was advertising his interest in several IP addresses, one of which was connected to the client. They informed us that the IP address had been decommissioned so they believed no action was needed.
If we didn’t know this hacker—really know him—we wouldn’t have been able to add important context. We said, “We hear you, and we’re glad the IP address is locked down. The reason we highlighted this in our findings is because the most well regarded, scary, English-speaking hacker on the planet is thinking about your company. He has your company’s name on his lips.”
Because of the circumstances our team recognized, and because we focus on building strong, trust-based relationships with our customers, who know we never cry wolf, we were able to advise with a high degree of confidence that this customer’s security team should reexamine their dark web cybersecurity and tighten things up around their networks.
*Some details may be changed to protect identities
Covert operations on the dark web: how and when to act
Returning to our task at hand—there are advertisements on the dark web that claim to be selling your intellectual property. What do you do now?
What are your goals?
Before beginning an engagement, define the insights and advantages you hope to gain, such as:
- Understanding how your brand is discussed
- Acquiring potential attack tools
- Gathering intelligence on specific underground communities
The dark web is not a homogeneous collection of underground criminals. It’s a diverse group of ecosystems, each with its own culture, language, rules, and activities. It requires specialized expertise to develop the right plan for the right situation.
Is the threat legitimate?
DDW intelligence is just one piece of the dark web cybersecurity and decision-making puzzle, and its job is to fill intelligence gaps. To that end, context around the threat matters, including the reputation of the actor and the accompanying chatter. For example: who is advertising that data set or tool aimed at your brand? Is it an established dealer or broker, or a new account with no history? On what forums are the ads posted? How are communities reacting to the claims? Where possible, verify the claim itself: ask for a sample of the data and check it against your own records, because many "breach" listings turn out to be recycled older dumps or scraped public data repackaged under a fresh name.
Dark web cybersecurity researchers should be able to activate operatives using established personas to determine the legitimacy of the threat and advise on what actions would be most advantageous to protect your business.
How do you engage with cybercriminals?
Engage the experts. Dark web cybersecurity covert operations require experienced professionals. Acting without the necessary access, context, and reputation can lead to additional and unnecessary risks to your organization.
Engagements across the dark web economy are more successful with an experienced team that can not only navigate conditions as they are today but also, because of its background, anticipate how the ecosystem will adapt tomorrow.
Ready to learn more?
Get the full ebook to take a tour of the dark web, guided by facts—not fear—with ZeroFox’s Sr. Director of Dark Ops, Adam Darrah.