Beware the Monsters Lurking in the Dark Web

The dark web is not dark anymore.

In the past, the dark web and darknets piqued the interest of law enforcement agencies, specialist researchers, and cybercriminals looking for fame. Laypeople and companies gave them only cursory notice.

Not anymore. Today, the dark web is changing the way hackers are attacking firms. CDOs and security leaders who disregard its increasing influence stand to lose their entire business.

What the Dark Web Really Is

The first lesson is that the “dark web” is a misnomer. There is no other web.

In reality, it is a collection of websites that do not show up on search engines—hence "dark." They are a subset of the Deep Web, a term for those websites that search engines have not indexed.

You cannot use a standard browser to access dark web sites. You need the Tor (The Onion Routing project) network to access them anonymously. Tor sites, which often have a “.onion” suffix and cater for freedom of speech, are by far the most popular. But there are alternatives, such as I2P (the Invisible Internet Project).

The anonymity made the dark web a “black marketplace” for cybercriminals, said Chester Wisniewski, Principal Research Scientist, Office of the CTO, Sophos.

Here, anything of value is traded, from weapons and drugs to stolen goods. Not all of it is illegal. Legitimate projects like the Blackbook (also called the Facebook of Tor) highlight the lighter side of the dark web.

Criminals have always populated the dark web. It offers an ideal platform to share secrets, swap "war stories," discuss new hacking techniques and even form hacking teams anonymously. Law enforcement and research scientists like Wisniewski monitor these sites to understand the latest trends and technologies, and to learn about future web security.

In some cases, security vendors and law enforcement agencies work together to monitor the dark web.

"Verizon works with its DBIR contributors (some of which are law enforcement groups) by exchanging information in line with the ‘Traffic Light Protocol’," Ashish Thapar, Managing Principal, APJ, Verizon Enterprise Solutions, said.

Rise of the Dark Web

Ransomware changed the landscape. It offered cybercriminals another means to make money by stealing credentials and demanding ransom. Activity exploded.   

“Now you have ransomware building kits where you do not have to know about programming or technical knowledge. You just need to give the parameters, and it builds you a malware. This has created tons of unskilled [hackers],” Wisniewski said. 

The dark web is also creating a marketplace for trading stolen data and procuring hacking as a service, allowing criminals to turn data into fiat currency quickly.  

“There’s no doubt that the modern hacker’s toolkit is expanding and becoming increasingly sophisticated, and the dark web offers a blanket of anonymity enabling criminals to act with relative impunity,” Sanjay Aurora, Managing Director, Asia Pacific, Darktrace, added.

Prices are constantly plummeting. Hackers steal others’ kits and sell them at lower prices.

“It means that you end up with reasonably sophisticated kits at very low prices. Basically, they are pirating other criminals’ tools, because there is no honor among thieves,” Wisniewski said.

Cheap access to kits, skills, and knowledge, together with an active market for trading stolen credentials, is lighting up the dark web. Wisniewski noted that sophisticated criminals are less active on dark web sites, preferring to develop and sell hacking kits and take a cut of the ransom.

“The skilled people are now creating malware and have a backend where they take the payment. Sometimes they have tech support, return policies, and acceptable user policies for 'education' purposes,” he added.

Organized crime and state-sponsored hacking groups have taken notice. They are now exploiting the dark web for their own nefarious ends, increasing the sophistication of attacks.

“Businesses need to respond to this evolving threat landscape and understand that we cannot build our defenses around yesterday's attacks. Threat codes only have to be tweaked slightly for them to bypass firewalls, whilst new forms of malware, like ‘polymorphic malware,’ can actually change its code mid-attack to silently slip into networks. No amount of historical data can prepare us against such novel attacks,” Aurora said.

Protecting Against the Dark

So how can CISOs and digital leaders, especially from resource-strapped firms, defend themselves?

“Dark web research is a complex and time-consuming affair. SME companies can lean on service providers like Verizon by utilizing global and specialized analysts along with best-in-class technology platforms and research capabilities,” Thapar said.

Regulatory initiatives like Hong Kong’s drive to create a threat intelligence sharing platform for banks help. Wisniewski noted that such sharing could help companies prepare for new forms of attack and learn from them.

AI is also helping to take the fight back to the cybercriminals. “Darktrace’s AI learns what is normal and ‘abnormal’ inside a network on an evolving basis, without the need for prior knowledge of threats,” Aurora said. 

His company’s Enterprise Immune System correlates “subtle deviations in behavior in real-time” to detect and respond to attacks.

Verizon is also taking the AI route.

“Recent acquisition of Niddel strengthens Verizon’s resolve to unlock the value of machine learning and AI for delivering timely and comprehensive visibility into known and unknown threats within our customer’s infrastructure. It is only when you know what you are up against is when you can put up a strong defense,” Thapar said.

Insurance firms are joining the fight, offering a layer of protection as firms respond to increased attacks. Insurance firms like QBE Insurance are going beyond third-party coverage by providing comprehensive first-party protection, including paying for the right expertise. 

Ronak Shah, Head of Financial and Professional Lines, Asia Pacific at QBE Insurance, said that they would "pay all reasonable costs" for a forensic consultant to carry out the investigation, for a security specialist to assess the security measures, for the firm to make recommended security improvements, and for temporary storage of data at a third-party location.

Time to Change the Mindset

While these measures can help firms mitigate risks, they cannot help those who believe that they may be immune to new attacks or that being attacked is a matter of fate.

“Instead, organizations must accept that they will be compromised and adopt technologies allowing them to detect threats within their walls as early as possible. Sharing what we know about threats is still useful but has limited benefit when we consider the unpredictable nature of today’s threats,” Aurora said.

It will matter even more as we embrace smart cities, smart grids and smart homes.

“Infrastructure hacking is scary. You do not even have to hack the infrastructure directly. For example, I only need to hack a popular thermostat brand, and then turn on all of them to a high setting at once. It can destroy the transformer, which will take months to replace. So, the smart grid must not only cater to it being hacked, but you being hacked as well. This is where redundancy and planning are going to become very important,” Wisniewski said.