Behind the Buzz - What Intel Can You Gather from Dark Web Markets?

Searching Dark Web for Threat Intelligence

The terms “Dark Web” and “Black Markets” are attention-getters, but what is all the buzz about? Is there anything of real interest or value for cybersecurity and risk professionals?

Black markets are good indicators of current cybercrime trends. Cyber criminals would not be selling stolen identities, credit card numbers, how-to hacker manuals, and vulnerability exploits if there were no demand. The technologies they are compromising, the methods they use, and the outcomes they achieve are all sources of valuable information that can be transformed into intelligence.

By having visibility into the latest technology-based exploits and threat vectors, you can proactively adjust operational procedures such as security patching or inventory replacement. This operational intelligence is one step above the reactionary, alert-driven approach that has been the norm for the last decade.

Identifying your organization’s information out on the Dark Web can serve as a first-line indicator of a new breach that might otherwise go undetected for a long period of time. This information can also expose weaknesses in existing security controls and serve as a catalyst for corrective measures.

Dark web intelligence is just one of many sources of information that a mature enterprise must use in order to effectively realign tactical defenses and reduce organizational risk.

As organizations mature in their cyber threat intelligence capabilities, black markets can provide us with a unique data source where we can leverage data science and perform analytics to gain new insights into the emerging threat landscape.

In a sense, the Dark Web gives us a pulse on the intentions of cyber criminals and confirms which attack vectors are currently working. Intelligence is about reducing uncertainty, and by gaining new insights we can make proactive, informed, risk-based decisions.

Analysis of Black Market Activity Over the Last 90 Days

Where is most cybercriminal activity occurring?

The three most active black markets over the last 90 days were AlphaBay, Nucleus, and HANSA respectively. Intelligence collection at SurfWatch Labs revealed that AlphaBay had nearly twice the number of confirmed transactions as Nucleus and three times more than HANSA. 

This information alone could serve as a focal point for cyber threat intelligence teams to explore and quantify activity on the AlphaBay Market that is specific to their organization. The value extracted from this type of exercise scales linearly with the effort and time invested by trained analysts. This is important to point out because many business-focused conversations aim to improve efficiency and scale through automation. The hard truth is that valuable cyber threat intelligence is a human-driven process that technology can enhance; the ability to scale depends on the number of trained analysts and the time they are given to focus on specific priorities.

What information is most targeted?

Payment card data was the top target, by a 3-to-1 margin over harvested employee email accounts; PayPal accounts came in third, at 13% of the payment card volume. The resulting effects of the compromised payment cards, employee emails and PayPal accounts were primarily fraudulent charges and loss of revenue.

We will continue to see payment card data be a top product on black markets in spite of EMV or any future fraud countermeasures, because there is a proven market for the information and it is very easy for cyber criminals to acquire. An aspiring cyber criminal can rent the tools and malware to harvest this information at incredibly low prices, or simply go to one of the black markets and buy it on demand.

The caliber of customer service and guarantees in black markets rivals most traditional markets. For example, if you buy some stolen credit cards and they don’t work because fraud prevention has already shored up the breach, don’t worry: the seller will simply give you new ones free of charge. Like mainstream retailers, black market sellers are pushed out of markets for poor customer service or for not providing a quality product or service.

The Future – Shift from Deterministic to Probability-Driven Model

A common definition of insanity is doing the same thing and expecting different results. That definition rests on a deterministic view of the world, which is flawed for cyber security and risk professionals. Outcomes are usually not deterministic; they are probabilistic. Humans are not inherently wired to think this way, and the deterministic view is how we have collectively approached cyber security to date. For example, using linear thinking and a deterministic approach, we are inclined to believe that once we apply a security patch for a vulnerability, the asset is “safe or secure” for some period of time. This is flawed thinking, and results prove it is not true.

We must constantly strive to broaden our views by thinking in probabilities. In a probabilistic model, it is acceptable to repeat the same thing and expect different results. This is more in alignment with how cyber threats/events occur in real life.

Cyber security can and must evolve and mature to a point in the near future where we can truly use intelligence as a foundational pillar of our programs to help make proactive, risk-based decisions. There is reason for hope: the financial and medical communities have matured, adapted to their threat landscapes, and made positive strides in managing risk and predicting outcomes with a reasonable degree of accuracy.

Dark web and black market data, brought together with internal network telemetry, give us a more complete picture of the current threat landscape. Any single view, such as internal network telemetry or external strategic intelligence, is only part of the larger body of information needed to transform raw data into intelligence that can be operationalized. Operationalizing this intel will enable you to shift from a defensive mindset to a proactive, adversary-centric approach.
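The two ideas above, that your organization’s identifiers appearing in a black market listing is a breach indicator, and that such external data only becomes actionable when joined with internal telemetry, can be shown concretely. The following is an added example written for this article; it is not code from the author or from SurfWatch Labs. The listing feed format, the watchlist (an email domain and two card BIN prefixes), and the syslog-style authentication lines are all constructed for the illustration, and the “10.” prefix used to separate internal from external source addresses is an assumed convention, not a standard.

```python
"""Match constructed dark-web listings against an organization's watchlist and
correlate hits with internal authentication telemetry (added illustration)."""
import re
from datetime import datetime, timezone

# Assumed organization identifiers to watch for (constructed, not from the article).
WATCHLIST = {
    "email_domains": {"example-corp.com"},
    "card_bins": {"411111", "550000"},   # first six digits of cards the org issues
}

# Constructed listing records, in the shape an intelligence feed might deliver.
LISTINGS = [
    {"market": "AlphaBay", "seen": "2016-03-02", "type": "email_account",
     "sample": "j.doe@example-corp.com:Passw0rd"},
    {"market": "Nucleus", "seen": "2016-03-05", "type": "payment_card",
     "sample": "4111 1122 3344 5566|12/18|123"},
    {"market": "HANSA", "seen": "2016-03-07", "type": "paypal_account",
     "sample": "someone@otherdomain.net"},
    {"market": "AlphaBay", "seen": "2016-03-08", "type": "payment_card",
     "sample": "6011000990139424|01/19|456"},
]

# Constructed internal authentication telemetry (syslog-like lines).
AUTH_LOG = """\
2016-03-01T07:55:00Z auth vpn: Accepted login for j.doe from 10.0.0.21
2016-03-03T08:12:01Z auth sshd: Accepted password for j.doe from 203.0.113.5
2016-03-03T08:40:17Z auth vpn: Failed login for j.doe from 198.51.100.7
2016-03-04T09:00:00Z auth vpn: Accepted login for a.smith from 10.0.0.12
"""

AUTH_RE = re.compile(
    r"^(\S+) auth (\S+): (Accepted|Failed) \S+ for (\S+) from (\S+)$")


def parse_auth_log(text):
    """Turn the constructed log lines into event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, service, outcome, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "service": service, "outcome": outcome,
                       "user": user, "src": src})
    return events


def match_listing(listing, watchlist):
    """Return the matched organization identifier, or None if the listing is not ours."""
    sample = listing["sample"]
    if listing["type"] == "email_account":
        address = sample.split(":", 1)[0].strip().lower()
        domain = address.rsplit("@", 1)[-1] if "@" in address else ""
        if domain in watchlist["email_domains"]:
            return {"kind": "email", "value": address,
                    "user": address.split("@", 1)[0]}
    elif listing["type"] == "payment_card":
        digits = re.sub(r"\D", "", sample.split("|", 1)[0])
        if digits[:6] in watchlist["card_bins"]:
            # Carry only BIN and last four into findings, never the full PAN.
            return {"kind": "card",
                    "value": f"{digits[:6]}******{digits[-4:]}", "user": None}
    return None


def correlate(listings, watchlist, auth_log_text):
    """Join watchlist hits with internal events dated on or after the listing."""
    events = parse_auth_log(auth_log_text)
    findings = []
    for listing in listings:
        hit = match_listing(listing, watchlist)
        if hit is None:
            continue
        seen = datetime.fromisoformat(listing["seen"]).replace(tzinfo=timezone.utc)
        related = [e for e in events
                   if hit["user"] and e["user"] == hit["user"] and e["ts"] >= seen]
        findings.append({
            "market": listing["market"], "seen": listing["seen"],
            "kind": hit["kind"], "indicator": hit["value"],
            "post_listing_events": len(related),
            # Assumed convention: 10.x addresses are internal, anything else external.
            "external_sources": sorted({e["src"] for e in related
                                        if not e["src"].startswith("10.")}),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(LISTINGS, WATCHLIST, AUTH_LOG):
        print(f)
```

Run as-is, the script reports two findings: the listed employee account, with two post-listing logins from external addresses that an analyst would want to review, and a card whose BIN belongs to the organization, with no corresponding internal events because card use does not show up in authentication logs. The PayPal listing and the card with a foreign BIN are correctly ignored, which is the point of keeping a watchlist rather than alerting on every listing in the feed.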

Tim Layton is Chief Intelligence Officer at SurfWatch Labs. Before joining the company, he held senior leadership roles with Cisco, EMC, and Wells Fargo. At Cisco, he was a Principal for Cisco’s Global Enterprise Cybersecurity Theatre. Mr. Layton was a Principal for EMC’s Security & Risk Management practice and before that served as Vice President for Wells Fargo where he specialized in enterprise cyber risk across all business units and third-party risk management. He received an MBA and BA from Lindenwold University, and has earned several security-related certifications including CISSP, SANS GSEC, GCIH, GCFW, GREM, ECNE, CCNA, SCO ACE, MCSE.