Clear Web vs. Deep Web vs. Dark Web

Threat intelligence professionals categorize the internet into three distinct components:

Clear Web – This encompasses web assets that are readily accessible and indexed by public search engines. It includes a vast array of media, blogs, and various websites that anyone can view without restrictions.

Deep Web – This segment consists of websites and forums that are not indexed by search engines, making them less visible to the general public. Examples include webmail services, online banking platforms, corporate intranets, and walled gardens. Additionally, some hacker forums operate within the Deep Web, requiring specific credentials for access.

Dark Web – Content that can only be reached with specific software, most commonly Tor. The Dark Web is characterized by anonymity and exclusivity: invite-only forums, hacker forums, P2P networks and criminal marketplaces, making it a hub for underground operations. Threat intelligence teams usually treat the Telegram groups and channels used by the same actors as part of this layer as well, even though Telegram itself does not require Tor.

Understanding the Shift in Criminal Communication: Insights from Etay Maor

According to Etay Maor, Chief Security Strategist at Cato Networks, “We’ve observed a significant shift in the way criminals communicate and conduct their operations, transitioning from the visible parts of the internet to the more secure lower layers. These lower layers offer enhanced security and anonymity.”

Featured: What is Tor?

Tor, short for “The Onion Router,” is a free, open-source overlay network designed for anonymous communication. The onion-routing design behind it originated at the United States Naval Research Laboratory; alongside its legitimate privacy uses, Tor has gained notoriety as the access layer for illegal activity because it protects the identity of the person using it.

Engaging in illicit activities on the Clear Web exposes individuals to law enforcement surveillance and the risk of being traced back to their identities. Tor avoids this by building a circuit through three relays (guard, middle, exit) and wrapping each message in three layers of encryption, one per relay. Each relay strips only its own layer and learns only the previous and next hop, so the guard knows the client’s IP address but not the destination, and the exit knows the destination but not the client. An investigator watching the destination, or the exit relay itself, sees only the exit node’s IP address, which significantly complicates efforts to trace the traffic back to the original criminal. Two caveats matter in practice: the exit relay sees the traffic in the clear unless it is end-to-end encrypted (for example with HTTPS), and an observer who can watch both ends of a circuit can still correlate traffic timing. Onion services (.onion addresses) keep both ends inside the network and so avoid the exit relay entirely.

Tor Communication Architecture: A Closer Look

  • Layered Encryption: The client wraps each cell in one layer per relay, innermost for the exit. A relay can strip only its own layer with the key it negotiated, so no single relay can read the layers beneath it or link the client to the destination.
  • Node Hops: Traffic is routed through three relays (guard, middle, exit). Each relay knows only its predecessor and successor, which is what hides the user’s original IP address from the destination.
  • Exit Nodes: The last relay, where traffic leaves the network. The destination and any outside observer see only the exit’s IP address, not the user’s, but the exit relay sees the traffic itself in the clear unless the application adds its own encryption (such as HTTPS).

By leveraging Tor’s architecture, users can navigate the internet with a higher degree of anonymity, making it a critical tool for those seeking to evade detection.
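To make the layered-encryption description concrete, here is an added toy model in Python (not code from the original article or from the Tor project): three per-hop keys, a cell wrapped exit-first, and each relay peeling only its own layer. The SHA-256 counter-mode keystream stands in for the AES-CTR Tor actually uses, the HMAC tag stands in for Tor’s relay-cell digest, and the per-hop keys are generated locally instead of through the ntor handshake; the client address, destination and request are constructed sample values.

```python
"""Toy onion routing: three layers of per-hop encryption, peeled one relay at a time."""
import hashlib
import hmac
import json
import os

HOPS = ("guard", "middle", "exit")
TAG_LEN = 16


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for Tor's AES-128-CTR.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one layer and prepend an HMAC tag so a relay can detect a wrong key
    or a tampered cell (Tor uses a running digest inside relay cells for this)."""
    ct = keystream_xor(key, plaintext)
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    return tag + ct


def unseal(key: bytes, cell: bytes) -> bytes:
    tag, ct = cell[:TAG_LEN], cell[TAG_LEN:]
    expected = hmac.new(key, ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered cell")
    return keystream_xor(key, ct)


def new_circuit_keys() -> dict:
    """One fresh symmetric key per hop. Real Tor derives these with the ntor
    handshake so that each relay learns only its own key (assumption: os.urandom here)."""
    return {hop: os.urandom(16) for hop in HOPS}


def wrap_onion(keys: dict, destination: str, message: bytes) -> bytes:
    """Client side: build the innermost (exit) layer first, then middle, then guard.
    Each layer carries only the next hop plus an opaque blob to forward."""
    cell = seal(keys["exit"], json.dumps({"next": destination, "payload": message.hex()}).encode())
    for hop, next_hop in (("middle", "exit"), ("guard", "middle")):
        cell = seal(keys[hop], json.dumps({"next": next_hop, "payload": cell.hex()}).encode())
    return cell


def relay_peel(key: bytes, cell: bytes) -> tuple:
    """What a single relay can do: remove its own layer, learn the next hop,
    and forward the rest. It cannot read the layers beneath."""
    header = json.loads(unseal(key, cell))
    return header["next"], bytes.fromhex(header["payload"])


def route(keys: dict, client_addr: str, cell: bytes) -> dict:
    """Walk the cell through the circuit and record what each relay got to see."""
    view = {}
    prev, current = client_addr, cell
    for hop in HOPS:
        next_hop, current = relay_peel(keys[hop], current)
        view[hop] = {"from": prev, "to": next_hop}
        prev = hop
    view["exit"]["plaintext"] = current  # only the exit holds the final payload
    return view


def demo() -> tuple:
    """Constructed scenario: client 203.0.113.7 fetches example.com:443 over a 3-hop circuit."""
    keys = new_circuit_keys()
    cell = wrap_onion(keys, "example.com:443", b"GET / HTTP/1.1")
    view = route(keys, "203.0.113.7", cell)
    # The middle relay holds only its own key, so it cannot open the guard's layer.
    try:
        relay_peel(keys["middle"], cell)
        middle_opened_guard_layer = True
    except ValueError:
        middle_opened_guard_layer = False
    return view, middle_opened_guard_layer


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the guard learning only the client address and the next relay, the middle relay learning only guard and exit, and the exit learning the destination and the plaintext request but not the client. The last point is the practical caveat: in this model the exit sees `b"GET / HTTP/1.1"` in the clear, which is exactly why an HTTPS layer inside the Tor payload, or an onion service, still matters.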

Etay Maor explains, “In the 2000s, a perfect storm of digital advancements led to a surge in criminal activity. First, the Dark Web came into existence, providing a hidden space for illicit activities. Next, secure services emerged through Tor, allowing users to communicate anonymously. Finally, the rise of cryptocurrency enabled safe and untraceable transactions.”

Criminal Services Available on the Dark Web

While many criminal services that once thrived on the Dark Web have since been shut down, criminals are increasingly turning to the messaging platform Telegram. Its appeal is the low barrier to entry, large groups and channels, and a reputation for privacy, although Telegram groups are not end-to-end encrypted and the platform does cooperate with takedown requests, so “secure” here mostly means harder for defenders to index than a public site.

Here are some examples of services that were previously available on the Dark Web:

  • Drug Sales: The Dark Web was known for facilitating the sale of various illegal drugs, allowing buyers and sellers to connect anonymously.

  • Fake Identity Services: Vendors sell counterfeit documents such as passports, driver’s licenses, and social security cards to buyers who want a new identity for purposes ranging from evading law enforcement to committing fraud. Listings are typically offered as packages whose personal details can be customized, and payment is made in cryptocurrency to reduce traceability.

How Criminal Forums Are Managed: Building Trust in an Untrusted Environment

Criminal forums operate much like legitimate online marketplaces: sellers offer stolen data, network access and hacking services, and buyers pay for them. To foster trust among members in an environment where every participant is, by definition, untrustworthy, these forums implement structured management systems.

Typically, such forums are organized as follows:

  • Admin: The administrator oversees the forum, ensuring that rules are followed and the community remains functional.
  • Escrow: This service facilitates secure payments between members, acting as a neutral party to protect both buyers and sellers.
  • Black-list: An arbitration system that resolves disputes related to payments and service quality, helping to maintain accountability.
  • Forum Support: Various support mechanisms are in place to assist members and encourage active participation within the community.
  • Moderators: These individuals lead discussions on specific topics, ensuring that conversations remain relevant and productive.
  • Verified Vendors: Trusted vendors who have been vouched for by other members, distinguishing them from potential scammers.
  • Regular Forum Members: Members who have undergone a verification process to filter out scammers, law enforcement, and other unwanted participants, ensuring a safer environment for legitimate discussions.

This structured approach helps maintain a semblance of trust and order within the chaotic landscape of criminal activities.

The Path from Malware Infection to Corporate Data Leakage on the Dark Web

Let’s explore how the different stages of a cyber attack are represented on the Dark Web, using an example of malware used to steal information for ransomware purposes:

Pre-Incident Phases:

  1. Data Collection – Threat actors execute global infostealer malware campaigns, stealing records of compromised credentials and device fingerprints.
  2. Data Vendors – These threat actors provide stolen data to Dark Web marketplaces that specialize in selling credentials and device fingerprints from malware-infected computers.
  3. New Supply – Compromised records become available for purchase on the Dark Web marketplace, with prices typically ranging from a few dollars to $20.

Active Incident Phases:

  1. Purchase – A threat actor specializing in initial network access purchases the records and uses them to get into the network and expand access. The information purchased often includes more than credentials; it may also contain session cookies, device fingerprints, and more. A valid session cookie represents an authentication that has already passed MFA (Multi-Factor Authentication), so replaying it lets the attacker skip the MFA prompt entirely, and presenting the victim’s device fingerprint keeps the activity looking like the legitimate user, making the intrusion harder to detect.
  2. Auction – Access is auctioned on a Dark Web forum and purchased by a skilled threat actor.

Etay Maor notes: “Auctions can be run as a competition or as a ‘Flash’, allowing a threat actor to buy immediately without competition. Serious threat actors, especially those backed by nation states or large criminal gangs, can leverage this option to invest in their operations.”

This path highlights the division of labor within the criminal ecosystem: infostealer operators, data vendors, initial access brokers and the final intrusion team are usually different actors. Consequently, a multi-layered approach that operationalizes threat data at each stage can alert on, and potentially prevent, incidents before the final actor acts.
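As an added example (not code from the original article or from any Cato product), here is Python detection logic that operationalizes the Purchase step described above: it binds each session to the device fingerprint and user-agent seen when MFA completed, then flags later requests on the same session that arrive from a different device, without any observed MFA step, or from a known Tor exit. The log lines, fingerprint values, IP addresses (TEST-NET ranges), scoring weights and the Tor exit set are all constructed for the example; in production the fingerprint would be whatever the application already binds to the session and the exit set would be loaded from the published Tor exit list.

```python
"""Session-replay detection over constructed web-app auth/request log lines."""
import json

# Constructed sample data: two browsers, one hashed device fingerprint per device.
CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux x86_64) Firefox/123"

# Constructed stand-in for the Tor exit list (assumption: loaded from the real list in production).
TOR_EXITS = {"192.0.2.77"}

# Assumed weights: any single strong signal alerts; a bare IP change (roaming) scores 0.
WEIGHTS = {
    "session used without an observed MFA login": 3,
    "device fingerprint changed since MFA": 3,
    "user-agent changed since MFA": 2,
    "source IP is a known Tor exit": 2,
}
ALERT_THRESHOLD = 3


def _line(ts, event, user, session, ip, ua, fp):
    """Build one JSON log line in the shape the detector expects (constructed format)."""
    return json.dumps({"ts": ts, "event": event, "user": user, "session": session,
                       "ip": ip, "ua": ua, "fp": fp})


SAMPLE_LOG = [
    _line("2024-03-01T08:00:00Z", "login_mfa_ok", "alice", "s1", "198.51.100.10", CHROME_WIN, "fp-a1"),
    _line("2024-03-01T08:05:00Z", "request", "alice", "s1", "198.51.100.10", CHROME_WIN, "fp-a1"),
    # benign: the same device roams to a new IP address
    _line("2024-03-01T09:10:00Z", "request", "alice", "s1", "198.51.100.44", CHROME_WIN, "fp-a1"),
    # replay: same cookie, new device and browser, via a Tor exit, no fresh MFA
    _line("2024-03-01T13:30:00Z", "request", "alice", "s1", "192.0.2.77", FIREFOX_LINUX, "fp-zz"),
    _line("2024-03-01T13:31:00Z", "request", "alice", "s1", "192.0.2.77", FIREFOX_LINUX, "fp-zz"),
    # a session that never completed MFA inside this log window
    _line("2024-03-01T14:00:00Z", "request", "bob", "s9", "203.0.113.5", CHROME_WIN, "fp-b1"),
]


def score_event(ev: dict, bound: dict, tor_exits: set) -> tuple:
    """Score one non-login event against the attributes bound to its session at MFA time.
    Returns (score, reasons); bound is None when no MFA login was seen for the session."""
    reasons = []
    if bound is None:
        reasons.append("session used without an observed MFA login")
    else:
        if ev["fp"] != bound["fp"]:
            reasons.append("device fingerprint changed since MFA")
        if ev["ua"] != bound["ua"]:
            reasons.append("user-agent changed since MFA")
    if ev["ip"] in tor_exits:
        reasons.append("source IP is a known Tor exit")
    return sum(WEIGHTS[r] for r in reasons), reasons


def detect_session_replay(lines, tor_exits=TOR_EXITS) -> list:
    """Stream the log once, keep a binding per session, alert at most once per session."""
    bindings = {}   # session id -> attributes captured when MFA completed
    alerted = set()
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev["event"] == "login_mfa_ok":
            bindings[ev["session"]] = {"ip": ev["ip"], "ua": ev["ua"], "fp": ev["fp"]}
            continue
        score, reasons = score_event(ev, bindings.get(ev["session"]), tor_exits)
        if score >= ALERT_THRESHOLD and ev["session"] not in alerted:
            alerted.add(ev["session"])
            alerts.append({"ts": ev["ts"], "user": ev["user"], "session": ev["session"],
                           "ip": ev["ip"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample log this produces two alerts: alice’s session at 13:30 (fingerprint and user-agent changed, source is a Tor exit) and bob’s session, which was never seen passing MFA. The 09:10 request, where only the IP changed, scores zero, which is the deliberate trade-off: an infostealer buyer who also replays the victim’s fingerprint and user-agent from a residential proxy will slip past these three signals, so in practice the score is combined with the pre-incident feed itself (the victim’s credentials appearing on a marketplace) rather than used alone.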

Automated Solutions and Human Intelligence

Automated solutions are indispensable in combating cybercrime, but fully understanding this field also requires human intelligence (HUMINT): cybercrime intelligence analysts and law-enforcement agents who gain access to forums and engage with the actors there as if they were buyers or sellers. Engagement is an art and must be ART – Actionable, Trustworthy, and Timely.

Let’s examine some examples of how analysts engage on monitored forums and how the criminal actors respond.

For instance, an analyst may engage a seller to learn which VPN or client software the offered access relies on. In another case, an attacker was selling Citrix access to an IT infrastructure solutions and services provider in the UK; an analyst posing as a potential buyer can contact the seller and request samples. Because sellers are often under financial pressure (many operate from former USSR countries), they may be willing to hand over samples to close the sale, and those samples give the defender early confirmation of who the victim is and how the access works, before the sale completes.

Network Attack Protection

The Dark Web operates as an economic ecosystem, with buyers, sellers, and the dynamics of supply and demand. Therefore, effective protection against network attacks requires a multi-layered approach to each stage of the attack, both before and during the incident. This strategy includes the use of automated tools as well as HUMINT — the art of interacting with cybercriminals online to gather information by mimicking their operational methods.