The Dark Web Boundaries Are Not Always Clear, and Many Sites Fall in a Gray Area
Cyber security always had a thing with terminology. Back in the day, its very name was the subject of many articles that tried to explain how “Cyber” is different than traditional infosec. The term “Advanced Persistent Threats” was also under scrutiny when it became popularized, with many experts claiming that certain nation-state attacks were not really APTs, as their attacks had nothing “advanced” about them on a technical standpoint. As I have mentioned in my previous column, “Threat Intelligence” is also a term that encompasses a wide variety of offerings, causing confusion in the market.
Despite being around in its current form for almost 15 years, and a household name with references in television shows and even Disney cartoons, the Dark Web as a term is no different. Speak with security professionals who are involved in monitoring the Dark Web and you will probably end up getting varied responses as to what it is and what it is comprised of. Some claim that the Dark Web is another definition of the anonymizing network TOR, while others claim that the Dark Web is mainly comprised of dissident sites, with illegal activity only being a small part of it. Such claims are contested by others, meaning that there is no consensus of what this term exactly refers to.
Since the Dark Web is more than just popular culture, but its monitoring is a major offering in the security industry, it is important to have an accurate definition for it. Lack of clarity leads to misconceptions which consequentially cause gaps between customer expectations and vendor offerings. As a community, we have quite a few discussions on the topic, yet different members seem to have varied and even conflicting opinions as to what it is. This difference of opinions is not for a lack of reason – the Dark Web boundaries are not always clear, and many sites fall in a gray area. Despite this, I thought it may be worthwhile to try and define, once and for all, what the Dark Web IS. Please note that the following are solely my personal opinions.
Considering the fact that in the security industry, the Dark Web is mainly referenced in the context of intelligence work, to best define the scope of the Dark Web we need to look at it from that perspective – with the eyes of an intelligence operation. This can help us understand what the Dark Web is, but also, just as importantly – what it isn’t.
The Dark Web is not a synonym for TOR. If an intelligence operation identifies an automated site selling stolen credit cards, should it consider the site relevant only if it has a dot-onion address? (domains of TOR sites have an “onion” TLD) If a site is hosted on the clearweb, with a regular dot-com domain, does it automatically stop being relevant? What about the many sites on the Dark Web that offer both clearweb and TOR domains? Is only the TOR version relevant? That answer to all of these questions is, of course, no.
TOR is a technology designed to provide anonymity on the internet. Many Dark Web sites are not on TOR simply because they do not need this anonymity or use other technologies. Sites hosted on “bulletproof hosting” services, hosting services operated by criminals for criminals, who ignore takedown requests from law enforcement, do not need anonymity. As they can’t be taken down, it doesn’t matter if their location is known. Other sites obfuscate their location through other means, such as legitimate anti-DDoS services that conceal the server’s IP address as they route all traffic through their servers first. Just because one technology is being used and not another does not define whether it is or isn’t relevant in the eyes of a Dark Web intelligence operation.
Another often-used way to define the Dark Web is through categorizing the different “webs” that exist – the visible web, the deep web and the dark. According to this classification, the visible web is all the sites that have been indexed by search engines and therefore can be found. The invisible web, which is many times larger than the visible web, are all the resources that cannot be found – internal companies’ intranet, pages that have specified for search engines crawlers not to index them, as well as pages that are not linked to anything. The Dark Web, according to this classification, is the part of the invisible web that is does not want to be found due to illegitimate activity.
While this definition is closer to what the Dark Web really is, it’s still inaccurate. There are plenty of carding forums and automated credit card vendors that can be found on Google and other search engines if you know what to search for. Even more so, not only can you the login page of certain Dark Web forums, but search engines were also able to index their content. By this classification, they should be part of the visible web, but their content is clearly dark. Does such a site become irrelevant to an intelligence operation just because it was indexed by a search engine?
The reality is that the Dark Web is comprised of many individuals with varying technical capabilities. This is also true to the members of these circles who operate sites. Some may not have the technical prowess to properly prevent search engines from indexing their sites. Some may not even care. Taking this a step further – there’s plenty of carding, hacking and other nefarious activities on legitimate sites, such as social media. For an intelligence operation, does the relevance of the content change just based on where it was posted? again the answer is no, and by process of elimination – we can understand what the Dark Web is.
From an intelligence point of view, the only thing that is relevant in determining whether a source is relevant is the content. If the content is illegal, or problematic, and is the type of data that the Dark Web intelligence operation cares about – then it can be classified as “Dark Web”. The “Dark Web” isn’t necessarily a place, it’s an activity.
This activity is varied – there’s carding, pedophilia, Jihadism, hacking and other types of illegal content that can all be classified as Dark Web. In a sense, there are many “Dark Webs” – with their own resources, code of conduct, threat actors, terminology and characteristics. If you must view the “Dark Web” as a place, then it is the sites that are dedicated to those activities, as well as the “enclaves” in legitimate sites such as Facebook and Telegram where such activity takes place in specific groups. It doesn’t matter where the site or enclave are hosted, which methods or tools are applied to ensure that this content remains online, or how the hosting was technically set up. It’s the content.