Author: DarkOwl Content Team

Ransomware Threat Signal & Data Flow

July 21, 2022

Many ransomware attacks consist of key stages that, when viewed at a larger scale, form a picture of a cyclical ransomware ecosystem that feeds various industries in the darknet. DarkOwl analysts outline the key stages of a ransomware attack.



Deep and Dark Web Data and Its Impact on Modeling Cybersecurity Risk


Of the numerous quantitative models that attempt to define and quantify the cybersecurity risk to organizations, very few consider risk indicators from the deep and dark web. Using ransomware as a case study, this presentation reviewed the content that exists on these hidden networks, and explored how data from the dark web can serve as an important data point for more comprehensive risk models. Further, Ramesh Elaiyavalli, CTO of DarkOwl, discussed the unique challenges and considerations that must be made when examining dark web data.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Kathy: Thank you, everybody, for joining us today for our webinar: Deep and Dark Web Data and Its Impact on Modeling Cybersecurity Risk. My name is Kathy, and I will be the host for today. And now I’d like to turn it over to our speaker today, Ramesh Elaiyavalli, our Chief Technology Officer here at DarkOwl, to introduce himself and to begin.

Ramesh: Alright! Thank you, Kathy. Appreciate the intro. Hi. Hello. My name is Ramesh. I go by Ramesh Elaiyavalli. I’m the Chief Technology Officer and am responsible for product and technology groups to set the strategic technical vision of DarkOwl, as well as kind of the day to day workings and implementation of our platform, our processes and our people. 

So with that, today’s webinar, as Kathy mentioned, is to go over at a high level: what is the darknet and the deep web and how risk modeling is relevant to the current web dates. I will talk a little bit about ransomware as a darknet data multiplier. We’ll also review the security risk frameworks, and some of the stakeholders that need to be engaged as you look at risk modeling and the application of darknet and deep web as it relates to modeling and any future quantification efforts of darknet data.

We believe that the deep web and the darknet data have a significant impact in any type of cybersecurity risk modeling.


If you look at the dark web in general, think of it as an iceberg where the tip of the iceberg is the surface web, that we all know and use every day. It originated back in the nineties. It was basically browser based and we all know that a ton of content which is publicly available is available via the surface web, and there are many types of content ranging from discussion boards to pay sites and so on.

The deep web is anything that is not indexed by Google, simply put, and that is typically behind some type of authentication, websites that require authentication or any type of human intervention. So this is where things like IRC, Telegram, criminal forums, marketplaces, they all reside in the deep web. And that kind of emerged in the mid-nineties.

[This takes us] all the way to the darknet, which was founded as part of the Tor Project in 2006. So this is the intentional anonymizing of networks accessible only by a proxy or a specific peer to peer protocol. So the best example is Tor, or called the Onion. And then we have I2P, ZeroNet, Freenet, Oxen, Yggdrasil, so the list goes on and on with a ton of such networks and protocols that only exist in the darknet. And they have become kind of a very important infrastructure for advanced threat intelligence and long defined risk.

When we talk about darknet data, the data is both diverse as well as dispersed all over the internet: the surface web as well as the dark web. So when you look at the diversity of data, data is available as email addresses or email breaches with passwords, which is really the authentication data. There is domain data, subdomains, the IP addresses, tokens, common vulnerabilities, exploits and so on. There is source code available. There is content and text available about a company, which is the chatter across the threat actors. There is critical corporate data, contract and financial information, intellectual property, executive insights, as well as employee activity, phone numbers, PII data, banking data and so on and so forth.

So, as you could see, the data is very diverse. Also, the data is spread and dispersed across various sites that could be transient in nature, there are darknet data places, there are forums that criminals use for discussions, there are image boards or chans, there are blogs on ransomware, there are marketplaces where data is being sold in classifieds, and last but not least, is Telegram and some of the IRC chatrooms.

Given the diversity and the dispersion of data, we also know that the data is really valuable when the data is at scale. And scale matters more so now than ever before. Why is this? Number one, there is a rapid digitization in our society overall. Everything that is paper and tribal knowledge is becoming a digital asset. 

And, with COVID-19, the pandemic has changed the fundamental way in which we work. A lot of the hybrid and work from home exposes organizations to networks that are only as good as the weakest link. So, there is quite a lot of attack surface that has been exposed with the work from home networks and the garden variety wifi protocols that are out there.

The third one is [that] the Ukrainian-Russian conflict has significantly shifted the threat landscape. If you think the Ukraine Russia war is far off from you, think again, because a ton of supply chain risk exists today from vendors that you work with and you partner with. And they are directly impacted because of the war or because of the supply chain issues.

And, number four, there is an unprecedented number of never before seen malware and critical zero-day issues in the wild. There is a significant increase in ransomware, ransomware attacks and all of this kind of has fundamentally changed the landscape in which we look at darknet. So it is taken in from a corner of the Internet to now center stage. So the dark web usage has really jumped over 80% in the last three years. 2 million active users, if not more in the Tor browser and the ransomware cost, just the sheer cost is over 20 billion in 2021.

Now, ransomware-as-a-service is a term [increasingly] in vogue. And the threat actors have become very sophisticated in not only attacking and penetrating your organization, but they have the maturity to go after these ransomware-as-a-service providers to make the transaction more professional. You can transact on the internet, on the darknet, and the deep web, where you leverage these initial access brokers and third parties wherever they are possible. And the consultants would help in the victim negotiations as well as target qualification, meaning they would know how big your company is, how much can you pay, and what’s your propensity [to do so]? How badly do you want to be covering your exposures here? So based on that, they offer a service which is the ransomware-as-a-service, and these are paid insider threat partners that criminals and threat actors work with.

[Lastly], with the Ukraine conflict, like I mentioned, there’s a fluctuation between the Ukraine conflict and the various international law enforcement operations. We’ve heard about Conti and Cooming and Stormous data which are available immediately after the invasion. The Happy Blog, for example, returned despite the arrests by the FSB. LockBit, AlphV, Snatch – they all have increased activity. Victim data leaks continue at a very high volume. Conti pretty much disbanded and dispersed into not just one group, but various splinter groups. And such threat actors are directly contacting our stakeholders for pressuring the victims.

The bottom line is this ransomware as a darknet ecosystem is extremely well-structured. It is operationally very efficient. And the biggest fear is they are running this at scale with ransomware as a service. So this kind of changes the entire threat posture of a lot of companies out there.

And, if you were to be a victim of a ransomware attack… from a customer standpoint, you are completely shut off from your access points. There are messages that prevent you from getting in unless you’re willing to talk to and pay the ransomware and the threat actors.

Ransomware Shame Site on Tor

Now, [let’s talk about] ransomware as a threat signal and overall as a dataflow lifecycle. You start with a pre-cyber incident, and then there is an initial access where that campaign has been launched. There are then incident responses and negotiations as part of the public announcement over to the post cyber incident management and then the whole attack cycle restarts. So, that’s kind of a quick [overview of the] lifecycle of the entire ransomware threat signal and data flow. 

And, 46% of the ransomware victims, unfortunately, have not been compromised once, but multiple times. Over 90% of the data leaks we observed in the last year were attributed in some way or the other to these ransomware actors.

Darknet Ransomware Threat Signal and Data Flow

Now in talking about ransomware, here’s another great example that we tell our customers about: Volvo.

As we all know, Volvo is a very large auto manufacturer. But interestingly, their ransomware attacks did not come from their own compromises, but they came from their supply chain. It started in November 2021, where Snatch hit one of the Chinese Volvo corporations that had a breach. And then it went on to Denso and then it went on to the Volvo Corp update will work to back defense over to StrongCo and so on.

So, various subsidiaries of Volvo, such as the Mack, the Mack defense, the Mack trucks and so on, were exposed as part of this attack. And these impacts we are observing pretty much up and down the entire supply chain. And there are multiple, not just one threat actor, but there are multiple threat actors that are finding ways, finding vectors, finding threat surfaces to expose and bring down some of the largest companies that are out there, either directly or as part of their supply chain and their vendor relationships.


Now, when you look at the darknet and you look at security risks overall, we talked a little bit about ransomware, but there are other types of threats that you should be worried about. We all know about the phishing attacks and the malspam campaigns, the cyberattacks, all the way from the overt or covert malware, DNS hijacking, data exfiltration, cyber espionage, denial of service attacks, insider threats, and basically any type of information based reputation attacks. So the types of threats have multiple dimensions, and ransomware has kind of bubbled up to the top. However, there are other threats that you need to pay attention to equally.

And, what are the consequences of these threats? It is data corruption, it is operational downtime, a huge and a tremendous amount of financial and revenue loss, regulatory issues and fines, damage to your virtual or physical infrastructure, issues with your shareholders and society as a whole, and the loss of customer confidence and a significant dent in your brand reputation. The consequences of ignoring these threats are significant and threats continue to evolve and [be a] cost concern for various organizations.

Having said that, how do you do threat modeling is not [the exact same as] how you look at risk modeling. Threat modeling is a subset of what you have to think from an overall risk modeling standpoint. Now, are there standards? [What are] the best practices for risk modeling? The good news is that there are some, but the bad news is there are plenty of them. There is no one single overarching standard for risk modeling. So, depending on your use case, depending on your company, your business, your operations, and your exposure to various security and methodologies, you can adopt one or more of these frameworks for your risk modeling.

The stakeholders for such risk modeling would pretty much be everybody in the organization and beyond. It starts with your SOC, your incident response teams, executives, data protection officers, the governance folks, CISOs, IT leadership.

If you are in the Insurtech space, it very much applies if you are a broker, you’re an engineer, you’re an underwriter, you’re a reinsurer. All aspects of insurance underwriting and cyber security assessments need to be worried about risk modeling. It also applies to investors, private equity, and venture capital firms who are looking to fund startups or to do mergers and acquisitions type activity. So all of those decision makers need to be aware of this, including policy makers, security agencies, military decision makers and so on and so forth.

When it comes to risk modeling stakeholders, it is everybody who has some form of decision making capability and they are doing an assessment, they are underwriting the risk in a way. So the NIST really defines the cyber risk assessments as the ones that are used to identify and estimate and prioritize risk across your organization, your operations, your assets and the people that you have within the organization.

One of the things that we are interested in talking about, [and] is a question we get a lot, is how do you quantify risks? At DarkOwl, we spend a lot of time thinking about it, and we have come up with ways, strategies, and products and score models that would help us objectify and quantify risk at scale. It’s not an absolute risk metric, but we see a very strong correlation and influencers for their risk calculations and your business decisions based on the exposure of data about you and the company that you represent as it relates to the darknet. So we call these “entities” which are basically email credentials, it could be domain names, it could be IP addresses, the set of entities that are easy to take, tokenized, and quantified.

Like I mentioned, this model is not basically the threat modeling aspect, but much more. And, you know, you need to give a lot of considerations for all the external and influential factors, which is the who and the where and the when as it relates to getting your data exposed.

So here’s an example of Microsoft whose overall risk profile, or we call it the darknet score, their score has been trending upwards (pictured below). A lower score is better. So, when your score is going up, that is not a good thing. So it could be either as a result of the amount of leaks that they have or the documents that are being exposed, how much hackishness is in those documents. So risk quantification with scores is a very important way to measure and assess risk.

Microsoft darknet exposure score (DarkOwl Vision)

The next one I want to briefly touch on is on an experimental basis. We have Scores 2.0 that we are actively building. We are very excited about these scores to point out where we have used our own data, which is data from our entities, from our e-mail breaches, credentials and so on, and we believe it has predicted 73% of the breaches overall and 100% of all the four ransomware cases that we analyzed in the past. So here’s an example of a company such as Okta, which is the largest security authentication company out there. And interestingly, their exposure on the darknet was partly due to their leaks and some of their breaches. But more importantly, their biggest supply chain vendor is Sitel, which is a call center company which had access to Okta data. And when Sitel got compromised, that bubbled up to Okta. So we always advise our clients to say, look carefully within your company, within your data set, but also make sure that you are monitoring your supply chain vendors. So this is a perfect example.


How do we see the future of quantifying darknet data? It is very important that a very critical time is right now where we need to see a dialog among multiple organizations on what are the best methods and the best practices for quantifying darknet data and how do you do the risk modeling. We would love to see folks getting rid of questionnaires and checklists and, you know, making decisions based on data that is available in the open net or OSINT data.

We advocate for education on darknet and darknet data and how important it is for overall cybersecurity. There is a clear need we see in establishing a common language and a common set of mathematical models, be it the darknet score, or it could be something else. But, we want to see more such quantified risk models that are available in the industry.

There is a need for better understanding of the relationships between not just the threat actors, but between the personal and corporate risks that every company goes through. And [as we showed earlier] – you’ve got to take a closer look at the type of data that is being leaked by some of the ransomware groups and the threat actors. Some of it is because they may want money, but a lot of it is also, they’re trying to build reputation by leaking data.

[We advise that] you take a close look at what data types are being leaked and what the cohorts and the verticals in the industry are talking about. Also, the key question here is this: how do you measure the goodness or the effectiveness of your current cybersecurity risk model? Ask that question often, ask that question early, and ask that question constantly. Which is, is your risk model effective enough and is it good enough?

With that, if you want to know more about DarkOwl, please talk to us. Get in touch with us at [email protected]. Or you can follow us on various social media and you can also check us out on our blog or on our website. And if there are any other questions, I’m happy to address them. That’s the end of the presentation.

Kathy: Thank you, Ramesh. We have had a couple of questions come in. So let’s see if we can get to some of them. The first one we have is: Why do I need DarkOwl? Most of the darknet can be accessed by individuals.

Ramesh: It’s a great question. Darknet data can be accessed by any individual or any company for that matter, but I would not recommend doing this at home. The reason being that you’re dealing with data that is extremely sensitive in nature and you are potentially interfacing with criminals and threat actors and it is a very dangerous place. So there are very likely challenges that you would run into: you may get attacked yourself when you expose yourself and your network, if you tried to do it without much expertise.

At DarkOwl, we take great lengths to make sure that our access to the darknet and our ways of ethically gathering data is serving you as a customer so that you can access data through our platform and the safety and security that comes with our platform, as opposed to interfacing directly with the threat actors and the criminals. So I would always recommend go through a provider and sort of avoiding direct.

Kathy: Great. Thank you. Another question that came in is: I want to access your data. What is the best way for me to do so?

Ramesh: Okay. The best way to access our data. The short answer is it depends. If the use case is you are a cyber security analyst or you’re looking for a very specific thing, you want to search on the dark web on a limited basis, the best bet would be to leverage our Vision platform. The next step is if you’re a developer and let’s say you want to build an API because you have a platform already built out, or you’re thinking of building a platform or you’re in the cybersecurity and insurance business and you want to leverage darknet data for those types of use cases. We would recommend our API. And by the way, for our API, we offer a Search API, we offer an Entity API for lookups on email credentials or crypto and so on. We also offer sources via API and we offer entities and searches also via API.

So, there’s a variety of APIs that you can leverage, assuming that you want to be building code and develop and integrate dark data into your platform. And then all the way, if you’re a data science person, you are looking at large amounts of data and big data, right? And you have a data science team that is available. We would do what we call DataFeeds, which is snapshots in time that you can have either of our entire dataset or filtered based on criteria that you provide, as well as we can do these historic data dumps and we can take snapshots in time and send it over in a secure transmission over to you and your data science team. So it really depends on the use case. The bottom line is you can leverage our Vision UI platform or you can leverage our API platform or you can consume our big data via our data feeds.

Kathy: Great. Thank you so much. Ramesh, thank you so much for this insightful presentation to our attendees. If you’re interested in learning more about how darknet data applies to your use case, please feel free to request time with us using the link in the chat. We look forward to seeing you at another one of our webinars in the future. Thank you.

Ramesh: Thank you.



DarkOwl CTO, Ramesh Elaiyavalli, on Cybersecurity within Insurance

2022 OnRamp Insurance Conference Recap

June 24, 2022

OnRamp Insurance is a yearly conference that brings leaders in the insurance, tech, and insurtech space together to accelerate innovation across the insurance industry. This year’s conference was held in Minneapolis at the Allianz Stadium, which was an incredible venue. The event was well represented by various insurers – ranging from large corporations to startups to investors and industry experts.

As a first time attendee, I was pleased with the turnout and quality of lasting connections made. Since one of the primary aims of the event is to provide a platform for integrations and partnerships showcasing various technology and data providers, I was invited to speak on the panel “Cybersecurity within Insurance.” I was so pleased to be able to attend and represent DarkOwl, introducing why darknet data is an essential part of any sort of risk modeling in the cyber insurance or underwriting space.

State of the Union: Cybersecurity Landscape is Shifting

The insurance industry is going through a tremendous shift. Insurers are subject to increased risk, given a variety of geo-political factors. COVID-19 has exposed an increased attack surface for many companies, due to employees working remotely and exposing sensitive corporate data on unsecured home networks.

In addition to this we have seen a tremendous growth in cyberattacks, data breaches and ransomware compromises. The Ukraine conflict has significantly increased supply chain risk to various markets, and the insurance space is especially at the receiving end of this heightened risk. All these factors lead to a perfect storm.

Panel: Cybersecurity within Insurance

It was great to see that cybersecurity is starting to become a repeated theme amongst the insurance industry. I was glad to represent DarkOwl and participate in the panel “Cybersecurity within Insurance,” alongside representatives from Trust Stamp and Paladin Cyber.

In our discussion, I defined DarkOwl’s approach to risk modeling and loss mitigation specifically for Insurtech. Every entity in the value chain of the insurance space is being disrupted – from brokers to underwriters to carriers – all the way to reinsurers. Each of these is finding ways to apply technology and data sciences to mitigate risk and improve outcomes. Automated underwriting and straight-through processing is taking center stage as companies innovate in the insurtech space.

Insurance carriers, underwriters and reinsurers are forced to find new ways to write policies, factoring in such risks, and to update policy-writers. There is a clear and present need to move from checklist-based underwriting to automated and risk-based underwriting. We see a need for darknet data and quantitative, risk-based underwriting at scale for insurers to thrive in this new world order. Similar to how the FICO score transformed the mortgage industry to underwrite loans, the insurtech space needs a comprehensive risk score to underwrite. And, such a risk score needs to assess darknet exposure to measure risk at scale – not just as a snapshot-in-time score but a score that is constantly and continuously updated based on the dynamic nature of exposure and threat actors.

“Just like the FICO score set the industry standard on [the insurance market] and underwriting, we believe that the exposure score on the darknet is going to be a simple numeric number that quantifies a company’s exposure and therefore, risk.”
Ramesh Elaiyavalli on “Cybersecurity within Insurance” Panel

Final Takeaways

Risk profiles for organizations have changed significantly. Assessing and modeling risk in 2022 is very different compared to 2019. Be aware of the changes in threat and attack surfaces.

Underwriting screams for automation. There is a clear need for automation, straight through processing and machine learning.

Specialty insurance space is evolving. Nontraditional insurance such as Medical Malpractice, Travel Insurance, embedded (eCommerce) insurance are in high demand. 

Darknet data can contribute to risk modeling and assessment at every phase. This data is a unique, differentiating, and external insight for various insurers to improve outcomes and mitigate risk.

OnRamp and gener8tor have seen significant growth. Attendees and interest for this insurance-focused event continue to rise. In person events provide the opportunity for significant connections and partnerships.

Overall, DarkOwl received very positive feedback on its business model, products, and platforms. Adding to the conversation around insurance and cybersecurity led to an increased awareness of our role as a leader in the darknet data market, as well as our position as thought leaders in the information security space.




Understanding Darknet Intelligence (DarkInt)

The darknet (or “dark web”) is a thriving ecosystem within the global internet infrastructure that many organizations struggle to incorporate into their security posture, but it is becoming an increasingly vital component. In certain cases, that is because taking raw data and turning it into actionable security intelligence requires leveraging DARKINT – data points sourced from the darknet and other OSINT sources that together form a risk and/or investigative portfolio.



World Password Day

May 05, 2022

In honor of World Password Day, our analysts have compiled some interesting statistics based on the email and password entities available in the DarkOwl Entity API. 



The Growth of the Darknet

April 29, 2022

The darknet is fundamentally changing the landscape on who, where and how cyber crimes are perpetrated. This infographic outlines stats around just how much the darknet is growing.



Blackpanda x DarkOwl: Leveraging Dark Web Expertise to Respond to Cyber Incidents

April 20, 2022

Learn how DarkOwl’s darknet intelligence platform plays a critical role in how Blackpanda helps customers bounce back from an attack, providing robust darknet data to fully understand customers’ risk profiles and assess threats. Plus, dive into a case study and see the platform in action.

For those that would rather read the conversation between CEO of DarkOwl, Mark Turnage, and Director of Strategic Development at Blackpanda, Mika D., we have transcribed the presentation below.

NOTE: Some content has been edited for clarity.

Mika (Blackpanda): Thank you, everyone, for coming to this Blackpanda, DarkOwl information session. Very excited to be partnered with DarkOwl, Blackpanda being an incident response firm. We’re going to get into more of that. Today we really wanted to present the value to end users, customers, large companies, and organizations of this partnership that we’ve developed. So with that, we’ll jump into some introductions. Mark is the CEO and founder of DarkOwl with a very, very long list of credentials and much experience, I will hand it over to him to do a bit of introduction.

Mark (DarkOwl): Great, thank you for having us, Mika, and delighted to be here. My background is as an entrepreneur in the security space. All the companies that I’ve run have been security related companies, most recently DarkOwl, which we founded five years ago. My co-founder and I are very pleased to be here and looking forward to this conversation.

Mika: Great, thank you, Mark. I’m representing Blackpanda, Director of Strategic Development. I was also the founding incident response member of the Blackpanda Group that’s based out of Singapore and Hong Kong. We address special risks from incident response malware, business email compromise, different kinds of cyber attacks all the way down the cycle to cyber insurance. So, risk transfer and mitigation ahead of time to try to prepare the environment in the event that something happens. My background is primarily in national security and a full range of cybersecurity services, products, and a little bit of time in the intelligence community. So excited to jump into this webinar and give you a better idea of how our incident response services and deep web threat intel work together a bit on the cyber incident response side of the house. We hyper focus on digital forensics, the investigation, and cyber crimes, and we are stationed in different cities across Southeast Asia so that we have a local presence in all of these markets if and when an incident occurs.

A bit about the incident response lifecycle because it’s confusing what happens exactly when an organization is hacked and how does that move forward? How do we work with our partners, especially when something happens?

Essentially, incident response starts with a call, an alert or an automated indicator that comes from one of our intelligence platforms, be it DarkOwl or an endpoint detection and response tool or our own proprietary software. Once we receive that alert or notification, we will then determine the validity and extent of the attack. So it’s kind of like scoping out what happened and what resources do we need to deploy in order to address it? We prepare the team and we proceed to a triage process where we’re gathering evidence. We’re looking for indicators of compromise, we’re collecting a plan of action, and we work with the client in order to basically stop the infection from spreading any further. Then we move into the containment phase. Within the first 48 hours, we’ve figured out roughly what’s going on, who is the threat actor, and question what assets could be at risk and what data is at risk.

The customer always wants to know, has data been leaked? What kinds of emails or passwords or proprietary files might be out and be in the dark web? And at that point, we will then turn to some of our partners, such as DarkOwl, in order to enhance that information. So, as we’re containing the malware, we’re also providing the suite of the environment to look for extended attacks. This could be second stage payloads, which would be if the attacker first gets in and spreads more malware, or they’re looking to steal credentials or steal certain files. So, we’re really examining both inside the organization as well as from outside what might have left the organization.

And then, finally, once everything’s been contained and we feel comfortable that the organization can get back online, we prepare a report and present lessons learned. We also try to assemble any and all information that could have been leaked, because that’s where regulation and compliance come into play. So that’s essentially the incident response lifecycle, and it is one of Blackpanda’s areas of expertise.

Now onto DarkOwl.

Mark: Thank you, Mika. And as Mika mentioned, we are involved in both the frontend and the backend of the incident response cycle with Blackpanda. Just a bit about DarkOwl and what we do. DarkOwl has built a platform that actively and continuously monitors the darknets, many darknets, and makes that data searchable by our clients. Among the darknets that we monitor are Tor, I2P, ZeroNet, and a range of other darknets. And I should say that we call it the darknet because in most of these forums and most of these darknets, user identity is obfuscated and traffic is encrypted. So, it’s a very difficult environment to monitor, and we have built a platform that does that across 25,000 to 30,000 darknet sites a day and archives that data, so that not only will you look and see what is happening today and on a continuous go-forward basis, but you also have an archive to see what has happened in the past. You’ll see some of the numbers of records that we have available in our database today.

Records available in DarkOwl database as of April, 2022

Just to talk a little bit about what is in the darknet and why it is important, both for an incident response team and then more broadly. Among the types of data that are found in the darknet are very large quantities of personally identifiable information, credentials, compromised accounts, malware, and ransomware. There’s a lot of chatter among a variety of different forums between threat actors. There are lots of vendor and supply risk indicators as well. Most recently, in the context of the Ukraine-Russia war, we are finding significant indicators of risk among vendors, supply chain vendors, and supply chains that have a presence in Ukraine, Belarus, and Russia. A lot of that chatter and a lot of those indicators show up in the darknet and in our platform. Our platform is very intuitive to use. We can deliver data in a number of ways; what you’re looking at here is our Vision platform search UI.

Screenshot of DarkOwl Vision UI platform

And actually, later in this webinar, I’ll do a quick tour. But you can see from looking at the top of this, it’s a very simple search bar. We can look for whatever you’re looking for in the darknet, at any given time. You can see there’s a search loaded on this slide for Conti, one of the threat actors out of Russia, and there are 52,000 results. We see 52,000 pages in the darknet at the time this search was run talking about Conti or mentioning Conti, or where Conti is participating in a forum. So, it’s a comprehensive platform to monitor the darknet, and in the context of an incident response team, it can both alert you to a breach or to an incident and then provide you with the intelligence, as Mika said, to assess that breach and then really remediate it.

Mika: And I was just going to jump in exactly on that point. We’ve dealt with several Conti breaches, and once we see indicators that that might be the malware in use, the threat actor in use, not only are we on the hard drive examining the forensic artifacts of the system to pull out what time they got in, what they’ve taken, and basically any signs of lateral movement or their actions on objectives, we’re also coming over here and plugging in the exact threat actors’ names. They have handles, they have email addresses, they have IP addresses, so whatever we find in the environment, this search platform is kind of where we go to see what’s happening on the outside, as opposed to just on the inside of the organization across the systems.

Mark: And connecting those dots is critical. If you don’t connect those dots, you’re only looking at one particular piece of relevant information. And we are delighted to be able to offer that level of intelligence to teams like your own.

Mika: Absolutely, and sometimes the crawl date will show a date that much precedes the actual incident. So, the event might have happened even before, and that also helps our forensics because it gives us pivot points in time so we might go back further to the first sign of chatter on a certain target.

Well, I guess this comes back around to how we work together. The reconnaissance phase is what we just mentioned, where a threat actor is mentioning a potential target; the threat actor has scoped out where they’re looking to go and what they’re looking to do, their actions on objectives. During that reconnaissance phase, we might see chatter in the dark web.

The cyber kill chain is a Lockheed Martin concept that helps explain the chronology of an attack. So, they’re scoping out the target, they’re preparing an exploit that could be used against a vulnerability at the organization, and then delivery, exploitation, and installation are typically where the customer would pick up on the fact that something is happening. Command and control is quite noisy and usually limited to just forensics and network analysis, but that’s where they are continuing to operate within the environment, using remote access to the organization. And, like we said, actions on objectives: this is where data is leaked or sold on the dark web, and this is where they’re actually putting ransomware across systems and trying to extort the organization.

All of this can either be incident response based, so in the event of an attack, or a proactive service called a compromise assessment, which is where we would continuously perform these darknet searches with DarkOwl and we would have software on the endpoints that allows us to perform advanced threat hunting. So, anything we’re seeing, like Mark said, there’s chatter and there are also indicators across the internet of potential events that could be happening. We can sweep the environment and look for signs of that before something actually happens. So even though antivirus and anti-malware work just some percent of the time, there are advanced threats that don’t yet have signatures, that nobody’s tracking yet across the board, and these advanced threat hunting skills and darknet searches allow us to find signs of that much earlier.

We can jump into a case study a little bit before Mark demos. But essentially, Blackpanda had a great success tracing down data leaks following a case in Southeast Asia. We were tasked to discover, analyze, and report stolen or misappropriated data related to client domains or keywords. This essentially means they thought they might have been breached. They hadn’t yet signed on for a compromise assessment, which is basically like a sanity check: is there something going on? My antivirus didn’t check, and they came to us with the suspicion that something had happened. Over the course of this project, partnering with DarkOwl and performing very targeted searches for their keywords, we then pivoted to compare how this attack was similar to other threat actor groups and different sites in the deep web that held their records. After about two months, we had 13,500,000 records related to this one company. That allowed them to report and take precautions and follow-on measures to contain the attack and also try to remediate the damage of that data leak. It was very important for them to know the extent and just how much data was actually released. And then we walked them through how to actually patch and repair the systems that led to that attack. So, what happens? How do we find 13,000,000-some records, Mark?

Mark: Well, that’s a very good question, and we’ll show you a couple of searches to show you how we do that. It is not unusual for sizable companies to have that level of exposure in the darknet. They are usually the result of multiple leaks, multiple breaches that have occurred over the years. The risk, by the way, to this company and to other companies is that a substantial portion or even a small portion of those records are still alive. Many people will remember the Colonial Pipeline breach that occurred last summer here in the United States, which shut down gasoline supply to a large portion of the east coast for about a week. It has been publicly reported that the way the hackers got into the Colonial Pipeline network was in fact via a credential that had been formerly used by an intern and that was available widely in the darknet. In other words, there was no phishing that occurred. They just went into the darknet, pulled down a credential, discovered that it was live, and walked right into the Colonial Pipeline network. That is one of the risks that occurs. That’s exactly where Blackpanda can add significant value to any client.

Mika: Excellent. So we’ve already been through this kind of wave as to how we could either proactively identify those leaked credentials after a compromise assessment and prevent a lot of these from happening. There’s also the incident response, where we get indicators and intelligence that we need to enrich and also check externally for any additional signs. So these are just more kinds of snapshots of how this could work proactively. But, you know, in our reporting, we’re very thorough. This is sort of inside the organization: we’ve deployed a certain endpoint detection and response tool where we’re looking for signs of malware, signs of threats. These are all technical threats that would only be visible given a view into the organization. These are all the kinds of strains of malware and hash values that might be in a report. And again, signs of these things can also be thrown into DarkOwl, or a platform that helps us enrich that intelligence. So what else do we know about a file with this hash value? The hash is the unique signature of a single piece of digital information. Whether it’s a single document or a giant binary file, everything can be hashed to a unique value. So these are great ways to leverage DarkOwl as well. Has anyone else been talking about or posting about malware by this name or with this hash value? Are these websites places where this backdoor Trojan might still be sitting? Has anyone else talked about these particular indicators of compromise, IOCs, across the deep web? So these are just a few of the ways that we would really get into DarkOwl and use it, not only during an investigation but proactively as well.

Mark: One of the strengths of the DarkOwl platform is that any of these terms can be inserted and searched for on the platform. It’s a search tool. It has a fundamental search capability. And as Mika said, we can then identify the threat actors who are discussing it, whether there are future targets, and whether there were discussions in the past about targeting this particular client’s environment. It’s a wealth of information that opens up once you have the ability to search across the entire dark web for any of these terms or any of these hash values.

Mika: Absolutely, and that’s exactly how we enrich our intelligence and report on what really happened and what could be happening even outside the organization. With that again, DarkOwl traces and brings into their intelligence ecosystem a number of different breaches. So although this was particular to a certain client, you know, these breaches hold passwords of thousands and millions of users. They could be huge. They could be massive databases that are sometimes even an amalgamation of different breaches over time. So DarkOwl keeps us current on what else is happening. And with that, again, we’ve kind of been over the flow in a sense, but we extract indicators of compromise from the evidence we receive by going through the forensic intake and triage process. Then we enrich across dark web intelligence sources and perform forensic analysis on the actual system itself, getting timestamps and trying to bring it back to the root cause. So when did this happen? Why did this happen? And then our reporting can be very robust as a result of us having this level of intelligence. So I guess it’s time to see it in action.

Mark: Well, thank you. If you could let me share my screen, I will switch over. What you see in front of you is the landing page for DarkOwl Vision, our user interface. It’s quite intuitive. There’s a search bar and you can search for any term. As mentioned, they can be hash terms, they can be nicknames, they can be user handles, they can be combinations of all of the above. I’m going to do a quick search and I’m going to pick on AT&T for no good reason. I apologize if anyone from AT&T is going to see this. I’m going to do a search for att.com, and I am going to search for any mentions of att.com in the darknet, meaning any page that has a credential or mention of the att.com domain on it. And as you can see, there are almost half a million pages in our database in the darknet mentioning att.com. The results are presented here. If you scroll down, you’ll notice that M.J. Matthews of att.com has, as mentioned, a range of email addresses that are mentioned here, and the results can be sorted and presented in a number of different ways. If I sort these half million results by crawl date, for example, and there are a lot of results, so this will take a second, you’ll see that the most recent of these results was extracted from the darknet about an hour and a half ago. So this is a very recent result, and I can then sort them by relevance and hackishness. Hackishness is a term we use to determine how dangerous those results are. So, for example, I won’t click on it, but down here, my guess is this is 100 percent hackishness because there’s a password associated with that particular domain.

So it’s very intuitive, it’s very easy to use. As Mika mentioned, a team that is looking for a specific term or an actor in the darknet can very easily and very intuitively jump onto this platform and see what’s happening and then say, what were they doing most recently? And you can sort by crawl date.

I want to show one other feature that is relevant to what Mika has been talking about, which is our darknet exposure scores. I can create a score for any domain, any domain in the world, and I’ve just randomly selected one. You can see there’s even a dark score here if I click on this AT&T score. This is a score of how exposed AT&T, since I just did the search, is in the darknet, and you’ll see the score changes. As I move my cursor, the score changes in proportion to how much data is available in the darknet at any given point in time around AT&T. And I’ll take the example of BlackBerry here. BlackBerry, on the 14th of May of last year, had a score just above 10, and overnight their score jumped to just under 14. That’s a massive jump in our scoring metric and in our scoring algorithm, and the reason is somebody released a bunch of data around BlackBerry, in fact a terrific amount of data around BlackBerry. If you’re a user of the platform or a partner like Blackpanda, this is an indicator that something’s gone wrong. There has been a major compromise. We need to investigate this very quickly. So this provides a very quick back-of-the-envelope way to monitor clients, to monitor your own environment, to see what’s going on, and to compare how you are doing relative to, say, your competitors or other people who are in your sector. The platform comes with a range of other ways that you can parse data, search data, and make use of data, including an alerting platform, so that if, for example, AT&T is a client, or you are AT&T and you’re monitoring your own environment, you can be alerted by email to any critical elements that show up in the darknet at any given time. So that’s a very quick demo, Mika, and thank you for allowing me to do that. But you can see it’s a very intuitive platform. It has direct usage in the incident response phase, and we’re delighted, as I said earlier, to partner with Blackpanda.

Mika: I think that’s our last topic. Just on that again, it’s been very powerful for us to be able to show, again, that for every organization that’s been hacked, it’s the worst day. It’s a terrible event. But in the event that we get those early indicators and we’re able to stop something before something even worse happens, you know, at the sign of chatter, or proactively by finding initial indicators of an intrusion and correlating that with deep web intelligence, and then stop this thing before it happens, it’s just a very powerful solution. So we’ve been thrilled to partner with DarkOwl. And if there are any questions after the webinar, by all means, we’ll provide contact details in posting this recording.
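The enrichment workflow Mika and Mark describe above, as an added example that is not Blackpanda’s or DarkOwl’s code: IOCs from forensic triage (a domain, an actor handle, an email address, a file hash) are matched against a set of darknet hits that carry crawl dates, and any hit crawled before the client’s detection date becomes a pivot point that the forensic timeline should be extended back to. Everything in it is constructed: the hits, the acme-example.com domain, the r3dfox handle, the hash value, and the dates. The matching is a plain substring lookup over local data, not a query against DarkOwl Vision.

```python
"""Correlate host-side IOCs with darknet hits and find pre-incident pivot points.

Added illustration only. The hit records, IOCs and dates below are constructed;
the lookup is a case-insensitive substring match over local data, not a call to
DarkOwl Vision or any other vendor API.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DarknetHit:
    crawl_date: date  # when the crawler captured the page
    source: str       # label for the forum / paste site (constructed)
    text: str         # page excerpt


# Hypothetical hash value for a loader binary (constructed, not a real sample).
LOADER_SHA256 = "4a1f" * 16

# Constructed sample hits; none of these refer to a real forum or victim.
SAMPLE_HITS: List[DarknetHit] = [
    DarknetHit(date(2022, 1, 9), "forum-a",
               "selling vpn access to acme-example.com, pm r3dfox"),
    DarknetHit(date(2022, 2, 2), "paste-b",
               "acme-example.com users: jdoe@acme-example.com:Winter2021!"),
    DarknetHit(date(2022, 2, 20), "forum-a",
               f"loader sha256 {LOADER_SHA256} still undetected, r3dfox"),
]

# IOCs pulled from forensic triage of the affected host (constructed).
TRIAGE_IOCS: Dict[str, Set[str]] = {
    "domain": {"acme-example.com"},
    "handle": {"r3dfox"},
    "email": {"jdoe@acme-example.com"},
    "sha256": {LOADER_SHA256},
}

# Date the client first noticed the intrusion (constructed).
INCIDENT_DATE = date(2022, 2, 15)


def enrich(iocs: Dict[str, Set[str]],
           hits: Iterable[DarknetHit]) -> Dict[str, List[DarknetHit]]:
    """Map each IOC to the hits that mention it, oldest crawl first.

    IOCs with no hits are left out so the report lists only what was corroborated.
    """
    hits = list(hits)
    matches: Dict[str, List[DarknetHit]] = {}
    for values in iocs.values():
        for ioc in values:
            needle = ioc.lower()
            found = [h for h in hits if needle in h.text.lower()]
            if found:
                matches[ioc] = sorted(found, key=lambda h: h.crawl_date)
    return matches


def pivot_points(matches: Dict[str, List[DarknetHit]],
                 incident_date: date) -> Dict[str, date]:
    """Earliest crawl date strictly before the incident, per IOC.

    A hit crawled before the detection date is the pivot point described in the
    webinar: the forensic timeline should be extended back at least that far.
    """
    pivots: Dict[str, date] = {}
    for ioc, ioc_hits in matches.items():
        earlier = [h.crawl_date for h in ioc_hits if h.crawl_date < incident_date]
        if earlier:
            pivots[ioc] = min(earlier)
    return pivots


def lead_time_days(pivots: Dict[str, date], incident_date: date) -> Optional[int]:
    """Days between the first darknet signal and detection; None if nothing predates it."""
    if not pivots:
        return None
    return (incident_date - min(pivots.values())).days


def timeline(matches: Dict[str, List[DarknetHit]]) -> List[Tuple[date, str, str]]:
    """Chronological (crawl_date, source, ioc) events for the incident report."""
    events = {(h.crawl_date, h.source, ioc)
              for ioc, ioc_hits in matches.items() for h in ioc_hits}
    return sorted(events)


if __name__ == "__main__":
    m = enrich(TRIAGE_IOCS, SAMPLE_HITS)
    p = pivot_points(m, INCIDENT_DATE)
    print(f"first darknet signal {lead_time_days(p, INCIDENT_DATE)} days before detection")
    for when, src, ioc in timeline(m):
        flag = "PRE-INCIDENT" if when < INCIDENT_DATE else "post-incident"
        print(f"{when} {src:8} {ioc} [{flag}]")
```

With the constructed data, the domain and the actor handle both surface 37 days before the client noticed anything, the leaked credential appears 13 days before, and the loader hash only shows up after detection, which is the kind of split between "chatter that predates the incident" and "post-incident leak" that the timeline in a report needs to make explicit.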


Version Control Systems & Supply Chain Risk

April 14, 2022

In recent months, DarkOwl has observed a significant increase in instances of malware developers mentioning or discussing direct attacks on the international software supply chain. In many cases, this chatter was centered around plans that involved targeting popular open-source software developer repositories like GitHub and Bitbucket, as well as associated software digital support infrastructure.

Research from DarkOwl analysts continues to indicate that software development and engineering tools are a viable exploitation vector.

