A WILD WALK ON THE DARK WEB – FROM BLACK MARKETS TO UNDERGROUND FORUMS AND THREAT ACTORS
@ the IERP® Global Conference, October 2022
Raoul Chiesa, Ethical Hacker, Independent Advisor of UNICRI and Co-Founder of Swascan, presented this session on the Dark Web – that part of the Internet which is not indexed by search engines. On the Dark Web, malicious actors can buy credit card numbers, drugs, weapons, counterfeit money, stolen identities, and software that allows hackers to break into other people’s computers; hackers can also be hired to attack computers for you; and you can buy user names and passwords. The possibilities on the Dark Web are endless, so much so that hackers are no longer the ‘lone wolf’ types who are operating out of their own home basements. Even governments are getting in on the game.
Urging the audience to set aside the outdated image of the 15-year-old hacker, Chiesa pointed out that hacking today was worth billions, and had come under the purview of organised crime. Research has shown that many hacking incidents tend to happen during holidays, leading the authorities to believe that hackers were now working in groups, some of which were sanctioned by governments. Young hackers, he said, did not have the requisite skills, nor were hackers exclusively to be found in certain countries. They come from around the world, and are able to operate across borders with ease. In the course of these dangerous, illegal activities, they have learned to camouflage themselves.
Thus, a Russian hacker can appear as if he is operating out of Thailand. This also makes it easier for organised crime to run illegal businesses. Threats to digital assets and the commission of cross-border fraud are escalating by the day; it is imperative to be aware of, and up to date with, developments in both the legitimate and illegal virtual spaces. But how do organisations even start, when everything about the Dark Web is virtually hidden? You have to know what you are looking for, advised Chiesa. “Understand how the bad guys can win,” he said, adding that mindsets needed to be changed when it came to tackling cybercrime. “People have no clue what is happening.”
He advocated applying appropriate analysis, to determine where the data was originating, and if it represented an active or inactive threat. What was important, he said, was to acquire data. “No matter if you are there to defend, to attack as offence, or just to run intelligence – you have to acquire the data,” he stressed. “This is the new currency.” Both attackers and analysts need data for the monitoring of digital assets, as this information gives insights into how digital assets are being monetised, and thus can pinpoint what exactly hackers or other malicious actors are targeting. “You need to monitor your digital assets and try to understand who the actors are,” he said.
Understanding the attackers means also understanding who their contacts probably are, and the motive behind the attacks. Protecting an organisation’s digital assets lowers its operational risk and possible loss of revenue. It also protects its reputation. “You don’t want to learn from another party like a journalist, or a customer who calls to tell you, that you have a security breach,” Chiesa cautioned. Noting that there were essentially four kinds of intelligence – tactical, technical, operational and strategic – he said that the key challenge was quantity vs quality. Quality data was needed for effectiveness. “You may have data all the time,” he said. “There is quantity but no quality.”
Timeliness of receipt of the data was also critical. Data may be delivered too late in the wake of an incident, which can affect a business badly, exposing its vulnerabilities and damaging its reputation. The data received must be analysed from different perspectives so that it can be meaningful, correlated and enriched. In instances where hacking is done by botnets, an organisation may end up becoming collateral damage although it may not be the actual target of the attack. It is important, therefore, to know why the organisation has appeared on the attacker’s radar, and what the context of the hacking is, because hacking can be attempted from anywhere in the world.
Hackers may also be from different professions. Citing the example of a hacker who was able to steal code that controlled high-speed trains, Chiesa said that putting something like that up on the Dark Web could be very profitable. His presentation included a demonstration of real-time hacking where he emphasised the need to filter data carefully to make it useful. Explaining the power of botnets, he said that these are capable of stealing detailed information about computer systems, even down to the size of the user’s screen, and the types of software installed. He also demonstrated how systems could be hacked using details of his own bank account.
With a vehicle identification number (VIN) provided by a member of the audience, he unearthed the complete history of the vehicle, including a list of previous owners and their details. Cautioning again that the Dark Web has the potential to immeasurably and irretrievably harm businesses, he suggested that organisations which suspect their systems are being breached should try to obtain the IP addresses of attackers and correlated data, to determine where the attacks are originating. He also red-flagged the fact that the number of Dark Web listings had risen by at least 20% in the past five years; the most effective means of mitigating this risk is to learn as much about it as possible.