With more than three billion individuals interacting across social media, mobile and cloud services, digital footprints are increasing. The age of digital business has, for the most part, been a positive thing. It has increased the ease and speed of communication at the same time as reducing the cost. However, some of this information can be inadvertently exposed and may be used maliciously.
A ‘digital shadow’ is a subset of a digital footprint and consists of exposed personal, technical or organizational information that is often highly confidential, sensitive or proprietary. Adversaries can exploit these digital shadows to reveal weak points in an organization and launch targeted attacks.
This is not necessarily a bad thing, though. Some digital shadows can prove advantageous to your organization; the digital shadows of your attackers.
The adversary also casts a shadow similar to that of private and public corporations. These ‘shadows’ can be used to better understand the threat you face. This includes attacker patterns, motives, attempted threat vectors, and activities. Armed with this enhanced understanding, organizations are better able to assess and align their security postures.
The chief aim of cyber criminals is to make money. The anonymity offered by the ‘dark web’ creates a safe-haven for these actors. By observing what is being sold on online marketplaces, you can gain a better understanding of the latest tools being used and which vulnerabilities are being exploited. You can then use this information to better position your security defenses.
You need not penetrate the dark web in order to exploit the shadows of adversaries, however. Hacktivist activity, for example, more typically uses social media such as Twitter and Facebook, and sharing sites such as Pastebin.
Hacktivists tend to be more visible and easy to track because a primary motivation is to be heard and cause disruption and embarrassment. Their activity can be broken down into three main parts:
1. Indication and warning - Social media is a useful tool for monitoring for hacktivist operational announcements. The use of operational hashtags, which are prevalent, aids this process. Groups will invariably provide operation names and specify target lists. If a hacking group name you on a target list, you are going to want to know.
2. Evidence of attack - You can also monitor for claims of defacements, DDoS attacks and breaches. This may occur on social media, often Twitter, but also on code-sharing sites such as Pastebin. Getting there first can help to reduce the reputational impact on your organization. But it also helps from a historical view; understanding what tactics, techniques and procedures (TTPs) have used in the past help you to gauge how to best prioritize defense spending.
3. Significant activity - Organizations can monitor social media and news sources for significant activity. While more mature organizations may use Activity Based Intelligence (ABI) to draw this information out, this approach need not be that complex. This approach may simply include observing arrests, reference to new techniques, declaration of links to other groups or actors.
The dark web can be a useful place to find out about the latest TTPs of cyber criminals, but do not underestimate the power of social media and sharing sites. These can provide a valuable insight into the activities, motivations and TTPs of attackers. Simply put, those who possess an understanding of these will be in a stronger position to defend themselves.