In 2023, OSINT will continue to quickly evolve as investigators across a myriad of industries seek to disrupt crime, fraud, and threats. To help OSINT practitioners understand what to expect for 2023 and beyond, two respected leaders in the industry will share their predictions about what’s on the horizon for open-source intelligence.
In this webinar, originally held March 14, Rob Douglas, Co-Founder & CEO of Skopenow, and Mark Turnage, Co-Founder & CEO of DarkOwl, will share their insights on emerging threats and the latest OSINT tools and techniques to detect and prevent them.
Mark Turnage, CEO and Co-Founder of DarkOwl, and Anusha Iyer, CTO and Co-Founder of Corsha, discuss how API Security professionals can benefit from darknet data in forming a more comprehensive understanding of malicious threat actor (TA) tactics, techniques, and procedures (TTPs) and providing effective detailed security recommendations, remediations, and product solutions. API Security related topics, like “API hacking”, “stolen API tokens”, and “API MITM attacks” are regularly discussed in detail in darknet forums, tokens sold and traded in underground digital marketplaces, and API exploitation code shared amongst threat actors.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: Hi, everybody. Thank you for joining today’s webinar.
Before we begin, I want to take a moment and introduce our speakers. Anusha Iyer, President, CTO, and Co-Founder of Corsha, and Mark Turnage, CEO and Co-Founder of DarkOwl, both of whom have many years of experience working in the cybersecurity industry. Anusha is a Carnegie Mellon alum. She started in the Washington, DC area at the Naval Research Lab. At NRL her focus was on reverse engineering and tactical edge networking. She started Corsha with a friend a few years ago and is passionate about helping organizations get API security right, and making security accessible, easy to adopt, and even self-assuring. Mark is a graduate of Yale Law School, Oxford University, and the University of Colorado, Boulder. He serves on numerous corporate and nonprofit boards, and is a private investor in technology, software, and manufacturing startup companies. He is also a senior advisor to the Colorado Impact Fund and a technology advisor to the Blackstone Entrepreneurs Network. And now I’d like to turn it over to Anusha to begin our webinar.
Anusha: Thank you Kathy and thanks to everyone for joining. We have an exciting agenda today. We’re going to look at API security and specifically API credentials and what an API security related incident looks like. We’ll tell you a little bit about Corsha as well as DarkOwl. We’ll go into why API security is so critical, some mechanisms to combat some of the threats and the attacks that we’re seeing, how the darknet can provide insights on this problem. Then [I’ll] turn it over to Mark to talk about DarkOwl and what is the darknet, how DarkOwl can deliver darknet data and give you more insights and analytics into where information is showing up on the darknet. And particularly with respect to APIs, what are threat actors saying about APIs on the darknet? And then we look forward to your questions and final thoughts.
DarkOwl and Corsha actually met a few months ago at Black Hat and had an interesting conversation around the proliferation of API credentials and how they are increasingly being used to gain unauthorized access to systems and services.
Increasingly we are seeing these types of data showing up on the dark web and being leveraged to execute breaches against organizations, like Toyota. Recently Toyota was notified of a breach where they had an API access key for T connect system. That’s part of their connectivity app to give things like wireless access and so forth to vehicles, and apparently, they had inadvertently checked in a hard-coded API secret into a repo about five years ago. It’s been available for five years in a public repo. And then they just released that over 2,900 records were exposed since then, giving access to customer names, customer information, and so forth. This is one example of what the threat landscape looks like and what the implication can be of API credentials getting into the wrong hands.
Similarly, recently FTX and 3Commas revealed that an API exploit was used to actually make illegitimate transactions, to FTX transactions. And this was done using API keys that were obtained from essentially users and phishing attacks actually accessing other systems. Right, so 3Commas, the platform came out and said that the API keys were obtained from outside of the platform, but certainly still pose the risk of being able to then be used off-environment, unauthorized, to then make financial transactions. These trades were basically from keys that were gained from phishing and browser information stealers.
Kathy: We’ve had a questions come in on these first couple of slides. Someone would like to know, is the fact that APIs are being targeted – is that a relatively new phenomenon?
Anusha: That’s a great question. It is an increasingly leveraged phenomenon. I wouldn’t say that it is new necessarily, but it is increasingly leveraged. Because APIs tend to be an underserved element with respect to cybersecurity postures of most enterprises. Increasingly organizations are relying on APIs. As they look towards digitally transforming application ecosystems into microservices, APIs end up forming the backbone of communication and application ecosystems. And further, more and more organizations are moving towards cloud, moving towards ephemeral scale, and that just creates a proliferation of environments where these credentials are potentially obtainable.
Mark: And that’s echoed by what we’re seeing in the darknet where discussions around API exploits, API keys, stealing API keys, and selling them is a relatively new phenomenon in the darknet over the last couple of years. We’re seeing the same thing from the criminals’ perspective that Anusha is observing in real life.
Anusha: Absolutely. I would come at it from the perspective that we see the movement of organizations using more APIs, but you’re absolutely right from an exploit perspective. It is fairly new. And it makes a lot of sense, they tend to be large types of information. With the automation it’s easy to lose track of what’s legitimate and what’s not. Great question.
Another one, this one was actually a 2018 leak where it was the USPS API endpoint. And in this instance, it was more of an authorization vulnerability where if someone has a USPS account they could actually change search parameters and do a much more expansive search and essentially get records for an entire data set without being limited to exactly what they should be seeing. It’s both on the authentication side but also on the authorization side in terms of how these credentials are provisioned, leveraged, and so forth.
With that, let me hop into Corsha and tell you about our story and why we’re going after this problem space. Both myself and my co-founder come out of the DoD intelligence world. We’re focused on: how do we stop these breaches? How do we prevent unauthorized access to sensitive systems and services? And [we] decided to start course at the intersection of machine identity and API security. A lot of our early customers are out of the Department of Defense and we are working closely with Gartner to define this category and to define the space, if you will. What we’re finding increasingly is that API authentication, authorization, and security in general substantially lags behind all of the resources, effort, and human capital, put into human identity and access management. Now we need to think of these machines as entities, and as the same first-class type citizens as humans because they are accessing systems and services at a far greater rate and at a far greater impact even than just humans logging into accounts. So we started CORSHA and we’re very focused on how we can help with this API credential and API identity problem. I’m probably telling a lot of folks that are online something that they already know, which is that today API secrets are just glorified system passwords. They are largely static, often shared, rarely rotated, and don’t have a lot of good hygiene around them. They get leaked, sprayed, and sprawled across tons of environments. Mark, I’m sure you’re probably seeing this on the other end in terms of where they’re coming from, whether it’s CIC/D pipelines, whether it’s things like logs, deployment or cloud platforms, or even team collaboration sites. We already saw an instance with Toyota of GitHub. But I would venture to say that most organizations, just for the ease of sharing, probably inadvertently have leaked API keys, even internally, across systems. Because today the model of authentication is largely static, they’re ripe targets for adversaries.
Kathy: A question based off this slide: can’t secret managers like Vault or KeePass prevent these attacks from happening?
Anusha: It’s a great question. To some degree. They provide a secure mechanism to store the keys internally. But, oftentimes these APIs live in hybrid environments even in the control of hybrid parties. You may have an API that you expose to a partner, a vendor, or a customer. You would then have to rely on them properly leveraging a vault or a password manager or maintaining good hygiene around secrets to access your systems and services. So that’s part of the challenge here, is that vaults and password managers tend to be very environment or entity-controlled specific.
Because we’re using these static, essentially bearer model credentials, for authentication and even authorization, they are almost acting as proxies for machine identity. And the challenge is that they’re not very strong proxies because they are static and they’re difficult to maintain hygiene around. Whether it’s a key, or a token –like an O-auth token, a JSON web token, or even a PKI certificate –because they essentially prescribed that bearer model of authentication where “as long as I hold it, I can leverage it, it doesn’t matter where I’m coming from,” they turn into ripe targets for adversaries. I’ll stop here and say that when we talk about a machine, what are we really talking about? In our terminology we like to think of it from the zero-trust approach to it where it’s a non-person entity. Anything where you’re trying to access a system or service and there isn’t a human identity to back that access is where the API authentication approach breaks down a little bit. Whether that’s a Kubernetes pod, a docker container, VMs, even physical IoT devices –those tend to all be areas where static credentials end up getting leveraged in some way, shape, or form. Increasingly we’re seeing that these are the new attack sector vector that is increasingly in vogue.
To give you a very quick overview of what we are doing at Corsha, what we’ve done is we’ve come up with an API security platform where we can pull some lessons learned from the human identity and access management space. And we’ve come up with a way to not only do dynamic machine identity for API clients, but then leverage that to do fully automated MFA for machines. Think of a second dynamic factor where you can make sure that API calls are going with one time use MFA credentials. This gives you a lot of those nice benefits that we’ve seen on the human side with MFA where now you can pin access to only trusted machines. Even if a key inadvertently gets checked into a public GitHub repo, if MFA is enforced as a secondary factor, you’re okay there. That’s the idea: to elevate these API clients as first-class citizens, regardless of what their form factor in a way that is easy to adopt, easy to integrate, no code change, so that it doesn’t place burden on DevSecOps teams and make their day to day easier. So that they’re not having to worry about things like credential rotation as part of their workflows.
Just very high level, the essence of what we are trying to provide is security, visibility, control, even the ability on a fine-grained level to do things like start and stop access for a client. That’s a little bit of a difference with, say, this approach and say a vault. Because if you give an API key to a third party, you don’t necessarily have control over their vault. But with machine-driven or an identity-first approach to it, you can say, okay, from a control plane I’m going to dynamically start and stop API access for this collection of machines. And in that way have the expectation of access matching your threat surface. That’s a quick overview of CORSHA and the product and the problem space. I would love to turn it over to Mark and hear more about DarkOwl and what you’re seeing on the Darknet.
Mark: Thank you. The darknet is an interesting place and DarkOwl was set up specifically to allow organizations to monitor the darknet for threats to their core missions. As you can see in the lower right hand corner, our clients include many of the world’s largest cybersecurity companies who effectively use our platform and use our data to monitor on behalf of their clients. We also work, as does Corsha, with various agencies in the US Government. What we do is we go into the darknet at scale and we extract data at scale from tens of thousands of darknet sites on a daily basis. We index that data, we store that data, and we make that data available to our clients and make it searchable to our clients.
The question I get is what really is the darknet or the dark web? The two terms are conflated.
We all spend most of our time in the surface web. What you can search for off of your Google browser is effectively the search web. It represents a relatively small percentage of the data that is available by the internet, in spite of the fact that if I search for any term I’m going to find thousands, if not tens of thousands of results on my Google browser. It’s actually a relatively small percentage of the data that’s out there. Most of the data is fire-walled and it’s in what we call the deep web. My bank account information is available to me because it’s authenticated, I have the credentials, but it’s not available to Anusha and vice versa. By volume, most of the data that’s available via the internet is actually in the deep web. We specialize in the darknet, which is below the deep web. The darknet is dark for two reasons. It’s dark because you can’t get there from your Google browser. It usually requires a specialized browser or specialized access. What it does is it obfuscates user identity. Oftentimes the traffic is itself encrypted. And because of that, it is the perfect environment for criminals to operate in. Anusha and I can conduct a transaction, we can have a conversation, we can conduct a criminal transaction, buy or sell exploits with each other, drugs – there are any number of other things that we can do. A law enforcement agency could be sitting in the middle of that and see the transaction go through and see the discussion and never understand who I am and who Anusha is. And if you add in cryptocurrency on top of that, we could pay each other in an anonymous fashion. As a result, the darknet has become a haven for criminal elements.
At the bottom of that page, you’ll see Tor, I2P, Zeronet. Everything in red is data that we at DarkOwl collect from. We also collect from certain deep websites and some surface websites which enrich our darknet data. Increasingly, especially with the Ukraine-Russia war, these direct messaging platforms, such as Telegram and IRC are becoming destination points for criminals to operate in and we collect data from those as well.
Kathy: Mark, before you move on, an attendee would like to know, how big is the darknet?
Mark: I wish I had an answer to that question. We don’t know how big it is. We do know that Tor was the original darknet. It is now one of many darknets. The Tor project actually publishes data on users, number of users, numbers of connections to the Tor network, and number of sites.
Year on year, it continues to grow significantly. There are a number of sites like I2P, Zeronet, Freenet, and these other new sites that have grown. We don’t know how large it is. We have been told that DarkOwl has the largest commercially available archive of darknet data that’s available. I couldn’t prove that to you because I don’t know what the denominator is. But we know that the darknet is growing in terms of both customer usage and transactions that take place.
Very briefly, this is the kind of data that we collect. The data that most people are familiar with is at the bottom of this slide. We hold somewhere around 9 billion email addresses that we’ve collected over the years, 1.8 billion IP addresses. Those are oftentimes IP addresses or networks that are being targeted. A range of credit cards, crypto addresses, and so on. It’s a big database that we have, and it’s updated continuously and has been since we stood the company up five years ago. Then we make our data available by a number of APIs as well as a user interface for the analyst community as well. But to give you a sense, just in the last 24 hours we’ve indexed and put into our database 1.3 million documents. That gives you a sense of the scale of the type of documents that we’re dealing with.
More relevant to this conversation, though, is the next slide, which is, what are we seeing in the darknet that is relevant to the issue around API security? And the answer is a lot. We’re seeing that threat actors in the darknet are discussing stolen API secrets, keys, they’re trading the session tokens, and they’re openly discussed in these closed communities. This is a hot topic for the criminal elements in these communities. There are man in the middle attacks, there are injection methods being discussed and actually traded. Anusha and I would get into one of these forums, we’re both criminal actors, and we would discuss how I mounted a successful attack using this method. And she’ll say, can I buy that method from you or can I borrow it? Let me try it on a target that I’m thinking about. We see that ongoing. JWT authentication bypass methods are oftentimes discussed in detail. That’s been a real wake up call for me personally, seeing how creative criminals are being in these methods that they’re developing. Tools are shared.
Interestingly enough, and not particularly relevant, but the DDoS services are sold. API DDoS services are sold for cheap. One of the things we’re seeing broadly in the darknet across all sorts of threat actors is the migration of threat actors to actually selling out their services and renting them out on a monthly basis. This is just an example. We’ve seen Kubernetes targeted especially. It’s a distributed environment, so there are some vulnerabilities that the threat actors are using. Then hacking courses on and on and on.
These are some screenshots of some of the discussions that we have seen in the darknet. In the upper left you’ll see this discussion around leaking API keys. In the middle of the slide, you’ll see Russian threat actors describing API keys as well as the secret keys and making the secret keys available. I think those were stolen. In the lower right. I love this. You know, we figure out a way to withdraw funds using API keys without access to the account itself and on and on and on. If you get onto our platform and search for any of these terms, you’re going to find quite a lot of discussion among the threat actors and the criminal gangs around this. And you’ll see data brokers actually selling keys. Selling actual access to networks. The conclusion is that Darknet is rife with discussion around the very threats that Corsha is targeting and that was set up to respond to. Anytime you see this kind of activity, any time you kind of see this discussion going on in the darknet, you know you’re on to something. So your customers made some smart choices here in new shows.
Anusha: We appreciate that, Mark. I will say it is very interesting to see all of the discussion and the activity around Kubernetes. I think that might be even a fun double click into another session to do, because it is turning into a foundational layer of most organizations transforming their application ecosystems. It would be fantastic if we could get ahead of that.
Mark: I’d actually like to talk to the founders back at Google. It was right around 2014, if I’m correct, about Kubernetes, and ask them whether they ever had a conversation around security right at the outset. Because most people, most developers won’t. And it’s not a criticism. It’s that just most developers won’t do it. They’re thinking about how to build a scalable environment for whatever their mission is. They’re not thinking about how five or six or seven or eight years down the road, somebody’s going to be trying to attack that environment.
Kathy: We’ve actually had a few questions come in. One of our attendees would like to know: what specifically can be done from a security perspective to prevent an API attack?
Anusha: Some of it is obviously having good hygiene around primary credentials. Having policies in place for things like rotation. Certainly using a platform like Corsha as a layered defense so that you have a way to uniquely identify and control each API client. Is a very sound approach to a lot of this activity that we are seeing on the darknet. Other things like making sure that API access is least privileged, so having notions of authorization in there. Just like when you have a given user, you give them roles, and not all users have access to the same information and services on the system, APIs and API clients have to be dealt with the same way. And having ways to revoke secrets and revoke access are very important. It’s about drawing a lot of those parallels that we have with human identity and access management but into the world of APIs.
Kathy: Thank you. We also have a question of: how can security or engineering teams get better visibility into how their API secrets are being used?
Mark: One way to do that is to use a platform like DarkOwl’s platform to actually monitor the environment on an active basis. Oftentimes, you will see threat actors discussing targets by name or by IP range or by other things. Look in the upper left hand side of this slide, right there is a discussion around a very specific key from a very specific
My point is, any time you’re thinking about security more broadly, there are a number of hygiene elements that have to go into place. One of those hygiene elements is monitoring this environment where criminals are actually plotting attacks in a wide variety of different contexts, not only in the API environment. We see active threats, active exploits under way. We see targets being identified and threat actors saying, all right, that’s great, I’m going to hit them. You have to have some eyes on that environment.
Kathy: Thank you. We did have one more question come in, and that is, what should a team do today if an API secret is compromised?
Anusha: That is where having a good platform for observability in place is really important because you want to know where that API secret could have been leveraged right and have the ability to quickly revoke and rotate it. It’s both understanding impact of the leakage or the stolen credential and then mitigation strategy of how to revoke it, how to rotate it, with obviously a little downtime as possible. I think for observability using a platform like DarkOwl is really helpful because you can see the extent to which it may have been leaked or compromised as well.
Mark: Thank you, Anusha. It’s a pleasure doing this. Let’s do another one in the future once we find more threats.
Anusha: Absolutely. That would be fun. Thanks so much for the time. And thanks to everyone for listening in.
About Corsha: Corsha is on a mission to simplify API security and allow enterprises, developers, and DevSecOps teams to embrace modernization, complex deployments, and hybrid environments with confidence. Our core technology is dual use, designed for widespread adoption, and easy to configure and deploy to both commercial and government customers. Corsha has a strong engineering team with deep expertise in distributed ledgers, cryptography, security principles, orchestration technologies, and software design. Contact Corsha.
About DarkOwl: DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near realtime, allowing darknet sites that frequently change location and availability, be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access their data.
David Alley of DarkOwl FZE and Ivan Kravstov of Social Links dive into the topic of harnessing OSINT to expose illegal trade on the darknet. They outline the black-market landscape of the darknet and showcase a range of methods for fighting illegal trade and approach the topic of darknet marketplaces from different angles. In this webinar, they cover:
The nature of the dark web and how it is accessed by users
The functional make-up of darknet marketplaces
User deanonymization methods
Advanced darknet data extraction and analysis techniques
Attendees learn how to break through the perceived anonymity of the dark web and crypto transactions to identify criminal actors and track illegal trade and illicit activity.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity
Ivan: Greetings everyone, today we will be hosting a joint webinar with David Alley of DarkOwl FZE and the topic will be countering illegal trade on darknet marketplaces or more broadly dark web research in general.
David could you tell us a bit about DarkOwl?
David Alley: Absolutely. It’s really great to be here and thank you to everyone for joining from all around the world. I know that we always fight the various time zones to get everyone here, so a special thanks to the Social Links team for hosting this webinar. They’ve been super helpful in getting this excellent presentation together for us.
A little bit about DarkOwl – we are American company, and our headquarters is in Denver, Colorado also known as the Mile High City. We originally started off as a cybersecurity company with a focus on penetration testing. And at that time we would do research on the darknet to see if we could find credentials to help with our pentesting work. We were really successful at that, we had a very high rate of penetrations for the pentests. We said, “why don’t we change this and actually go into being just a pure darknet company only?” That was really the birth of DarkOwl. Since then we’ve had a lot of great team members with us at DarkOwl and we’ve built a very good collection capability for us to go onto the darknet and pull out that data that is really difficult to get to.
We have a great collections team that does all of this hard work and makes it much easier for our partners like Social Links to do the next part. Which is, that once they’ve looked at that data, to make sense of it and decide what does is it mean? And how do we use it? And how do we fight crime that is emanating from the darknet?
We have a couple of claims to fame. The one we use the most is that we have the largest commercially available darknet data lake in the world. And that’s just because we have been doing it for longer than everyone else. We’ve had some very special team members over the years that have had a very unique access and understanding of the Tor Network. At one point we actually had the co-founder of Tor on our team and so it’s a really unique company. We are highly niche and highly skilled and that’s why great companies like Social Links and ours like to work together because we are complimentary. We work a lot with OSINT analysts as well, but we also provide APIs and Datafeeds for partners and that’s how we work with Social Links. I think you’re going to be pretty amazed at what the team has to show you today. I’m always impressed with what they’re able to come up with; they have a superior team. Leveraging great data from DarkOwl with great analysts from Social Links you’ll always be happy with the results. I’ll turn it back over to you Ivan.
Ivan: Thank you very much for the introduction David. A bit about us: the company was founded in 2015 we have 80 + employees at the moment with HQ in the US and EU offices in the Netherlands and the R&D office in Riga, Latvia. What we do is provide software for data-driven investigations. You can see that we have a good rating on Gartner Peer Insights and that we have received a number of industrial awards in the past years.
Here we have a very brief slide about the average pricing of various goods on the dark web. Ranging from stolen credit cards to out of the box ransomware Trojans.
A concept that I’m sure everybody is familiar with is that there is a division into what is known as the clear web or the surface web, something which is indexed by conventional search engines, then there is the deep web which can include many different things that are not [indexed by conventional search engines] and that it takes a bit more effort to find and then there is a space commonly known as the dark web which include the Tor Network but also additional ones such as I2P, Freenet, and Zeronet.
The general principal of Tor browser network is that the traffic goes from the user through several nodes and then reaches a specific server at the end. The current total Tor network bandwidth is 400 gigabytes per second.
One of the technologies that is also utilized quite often within the platforms of communication is PGP encryption. The basic concept being that the user sends an encrypted message that can only be accessed and read with the use of a private key held by the recipient.
Now here we can see the boost of darknet marketplaces revenue from 2011 with the first precedent being the Silk Road up to 2020 [revenue] which is quite substantial.
The products and services available on those marketplaces range from drugs to tutorials, forgery, various kinds of illicit services, malware hosting, and fraud. The majority of those being drugs.
The general principle of how a marketplace works is that a buyer exchanges currency for any kind of specific cryptocurrency accepted by the marketplace. Which is predominantly Bitcoin at this moment but there is a shift towards alternative ones such as Monero or Z cash. The buyer then transfers the Bitcoin into markets account and makes a purchase. The crypto is held in the market’s ESCROW account until the order is finalized with the market taking a commission. After the finalization of the deal the vendor is paid. Then the vendor may move the Bitcoin from the market account and potentially exchange it.
Here we see an infographic of types of entities receiving Bitcoin from dark web sources which can be KYC and for exchanges enforcing KYC or exchanges more liberal with their KYC processes. Those can also be mixing services and other entity types.
David, if you could tell us about DarkOwl’s differentiation?
David: Absolutely. As we’ve seen here we’re talking a lot about the crypto piece. And I want to talk about how DarkOwl differentiates itself and helps you with this. It is because we are able to go into these markets that we’re talking about today and were able to pull that data out for you. A lot of the Blockchain tools that you’ll be familiar with will allow you to see various wallets as they’re being tumbled and where they’ve been mixed or how they’re being exploited. But what they have difficulty doing is tying wallets to a very specific illegal activity. And that’s one of the main things that makes us different for these types of investigations. We are continuously out there crawling these darknet sites and these markets that we are in. Someone asked a question: how do we differ from our competitors? It’s just a real question of scale and scope. Many of them are in about 400 sites and we’re collecting from over 95,000 sites and about another 20,000 to 30,000 mirrors every day. It’s this massive amount of unmatched darknet content discovery that we’ve got and inside of that content is where all of these cryptocurrency wallets are which can be tied to illegal activity. You want to buy your MDMA in London? Here you go – use this bitcoin wallet or this Monero wallet.
I second the comments that we’re seeing a shift from Bitcoin into some of the other coins out there. We’ll even pick up coins in our collection that are not even on the chain yet. They’re brand-new wallets that are being used. We’re seeing that shift away from the traditional way of using the same wallet over and over to now criminals will create a new wallet put it up on the site for their drugs or their CSAM material or whatever it is they’re trying sell and have the payments into the air before the Blockchain tools can even detect them. You’ll see coins get recycled and because of our unique archival capability it goes back to almost 9 year’s worth of data. You can also do those deep investigations into darknet transactions that happened years ago. All of that together gives you the content that makes investigations very strong and that combined with the ability to do leak analysis as you can see from our Social Links partners is a very powerful tool. To give you an idea of what we actually have in the collection, it’s about the numbers.
It is a lot of Tor. Tor is the largest of the darknets. We also have a very large collection of from I2P and from ZeroNet. Those are the three major darknets that we collect on. And there’s some very technical reasons behind that. We also are having a lot of success picking up cryptocurrency transactions off of Telegram channels. As we know Telegram is very popular with a lot of different hacking groups and black hat hacking groups. It’s easier to use than a darknet channel. We see that a lot of hackers are also gamers, and they use Discord for communications. We see some in paste as well. What should really be focused on [in this slide] is the lower right-hand corner. That’s 347 million cryptocurrency wallets pulled out of our darknet collection. It’s a pretty big number, and every time I see a cryptocurrency wallet on a darknet site it’s always doing something bad. I’d say it’s a 99.9% probability that if you’re using Social Links and you pull out a cryptocurrency wallet from the darknet data, you’ve already done one of the hardest steps which is identifying some form of suspicious activity. I’ll turn it back over to our Social Links partners to take you through the rest of the demo.
Ivan: It may make sense to note that with Telegram and Discord channels there is indeed substantial overlap. Much more substantial obviously then with the traditional mainstream social media platforms. Telegram and Discord aren’t really called social media, but they have a significant social networking element. Telegram especially in the past few years. It is about cybercrime groups but also apart from that it could just be local, regional, or even macro-regional drug vendors. It could be people engaged with child grooming, especially on Discord, or extremist groups as we previously covered in one of our webinars with a German expert on extremism research. Now we will go into the actual examples that we have.
First we should dedicate a few minutes to talk about the method of dark web research. In this case that would mean focused on researching an individual. It makes sense to use all of this in conjunction.
From the username we can get the specific platform within this interface where the vendor or forum member is present. That can also give us insights into their stated or observed affiliations. Those are the payment methods, the posts and threads and the products. From the posts and threads you can examine the topics discussed in the details which can also tell you more about what exactly they are doing, what kind of merchandise they are dealing in, what kind of categories, and if they have a specific focus. As well as the speech patterns of the idioms and idiosyncrasies used by the individual and the shipping locations. And of course, the products also tell us more about the proper categories and sometimes product cards can contain contact details within them. Objects within this schema such as the speech patterns, the stated shipping locations of the products, the affiliations, and the specific platform can point us to assumptions about a certain region or macro-region.
For example, there is a higher probability of a vendor or a forum member on an Eastern European marketplace to be from somewhere in Eastern Europe. Payment methods can be different as well as various types of e-money, but here we’ll focus more on cryptocurrency addresses. A transaction derived from an address can tell us about the interactions it has with other addresses for groups of those. And it can tell us about the services that they are using such as mixers or exchanges. A mixing service may also have theoretically some kind of interactions in some kind of partnership program for a specific marketplace. They can also be mentioned in various reports or forums. All of those can possibly lead us to digital breadcrumbs, and that in conjunction with the assessment of the presence of the user in other forums and marketplaces and the way their personality may be reflected in their online behavior and the kinds of merchandise that they are dealing in and the kind of payment methods that they’re using is all part of an attempt to create a digital profile of an individual.
Now here we will start with the first example where we will go from an alias. We will run our first transform search for users under this alias. Here we can see some details in the properties, one of those being the side name Tochka Market. “Tochka” is a Russian word standing for point or place. We search for the products related to this vendor and we also extract their PGP open key which is quite often used by vendors. Next, we will use the products and extract the locations they are to be shipped to and from.
We can see here that those are mostly recreational drugs shipped to the United States. From a PGP open key it is sometimes possible for us to go to the email address. Not in a hundred percent of cases, which can also be said about some of the other methods that we will be applying here. Here we see a Gmail and from that we can further try to see if there are any social media profiles and any accounts connected to that email address. There is also the possibility to get reviews if it’s a Gmail account. We can see that there are accounts within Facebook, Firefox, Gravatar, Pinterest, Samsung, and Twitter connected to the email and we see several profiles within Gravatar, LinkedIn, and Skype from which we can extract additional details. In reviews we also see a cannabis dispensary seemingly located in the United States and a bar in Cameroon which matches with the location that we see here within the LinkedIn account [redacted account name] connected to the Gmail address. There is also a post promoting the sale of marijuana on a surface web source stated by the account holder to be safe and secure. Now here we can use some of the Maltego functionality to go into more data about that specific domain. The WHOIS data gives us the name of [redacted name] as a registrant and the company name [redacted company name]. [Redacted names] are both something that we have seen within the social media footprint derived from the email address. Now of course an analyst won’t be as lucky as in this instance in 100% of cases, but this is real data related to a real individual. It is possible because people do tend to make mistakes.
Now we will go through another alias. This [alias] gives us 4 accounts with the same username and it’s something that vendors to do to maintain a commercial reputation with the customer base. Now we can ask for specific platforms. We can see the Dread forum, the Hub forum, the Apollon market, and the Wall Street Market. Now we also see a single PGP key used by three out of four of those accounts and we will further ask for the posts and products. We can see that there is a certain focus on Europe. In this instance the goods are more likely shipped from Europe to locations worldwide. The principles of working with the posts are similar to the way a user of Social Links Pro or a SOC tool in general can work with social graphs. The graphs of social interactions within the digital space. From each of those we go into the thread. From the thread we can go to the other posts within it, and the other users that have been participating in those conversations.
This is just at stage of gathering data and an analyst working on a real case will of course face the necessity to analyze this communication in depth. That’s why there’s a capability here to download the content within those posts and save the text content as a text archive. Now here we see a Proton mail account- [redacted email address] so they seem to be more conscious about their digital footprint and security, but potentially we can try to search for this alias in the social media platforms available. Here we’ll try with an Eastern European platform because [redacted name] [the alias] is obviously a reference to the famous assault rifle. Here we got an account with just the cat as a picture under the name [redacted name] and while it’s not something that we will state and something that we will accuse this person of, it could be a coincidence or it could not be a coincidence. The account is not very informative, is closed, and has a profile picture of a cat. So here we are less lucky than in the first example. In some instances it’s even more obscure. Here we see an individual with the alias [redacted name] focusing on the European Union. They have two email addresses and a statement in the product description that there is a possibility to contact the vendor on Discord. We see that there is a Discord account connected to their Proton mail address, and also a Skype account which states the location as Germany. This is all on the level of analyzing people and individuals or small groups of people, because several individuals can be behind one username.
This can also be done on a macro level. We can take several capital cities or countries within a certain macro region such as Asia-pacific or Latin America and run a search into the full spectrum of dark web sources available to us to see which products are shipped to and from those locations. Here we see that some countries have more activity within the spectrum of available sources, some countries have less, and we can potentially look for vendors that are focused on two or three specific countries at once. We can also see which marketplaces are more active within a given region. Here and in Latin America Tochka market is quite active. Additionally the Apollon and Nightmare markets and then several other ones have much less activity.
Now of course it makes sense to talk a bit about the cryptocurrency aspect within dark web research. Several of those graphs are something that we’ve shared previously in some of our previous webinars. The methods can be split into two sets: passive intelligence and direct engagement. Passive intelligence may include open-source and social media intelligence, the traditional following the money approach, and the enrichment of the initial entered data that the analyst or potentially a victim of a crime may have. Direct engagement is something that implies using custom digital avatars for social engineering and also in the case of enterprises, or state organizations, offensive security procedures or threat intelligence. Some of those methods are more customary to certain kinds of professionals, analysts, and organizations than others but in the end as is the case with any kind of investigation it is all about connecting the dots, the seemingly not connected entities in a broad sense that word.
Here is a small reflection of the situation within the Bitcoin ecosystem. There are a number of addresses here, some of those belonging to militant extremist groups such as the Palestinian Al-Qassam Brigades or Hay’at Tahrir al-Sham the fellowship operating in Syria. Some of those belong to dark web vendors such as Ross Ulbricht of the founder of Silk Road. Alexandre Cazes founder of Alphabay, or the administration of the Wall Street Market that exit scammed in 2019. Some of those were because of law enforcement, some of those were ransomware groups, and some of those were to legitimate exchanges.
A way to perform this attribution to be 100% certain that a specific address belongs to a specific individual or a group is to run searches into the social media and dark web space and also into data that is provided by vendors such as DarkOwl And I must say that DarkOwl provides fascinating amounts of information of fascinating depth, and a number of these were done with the help of DarkOwl as well. Social Links is focused specifically on the Tor Network while DarkOwl, as David has mentioned, also pulls data from other sources such as I2P and Zeronet. Once you get this kind of entity you can further run the transform to get to the details and then examine the contents of those entities. The source of the networks and the date and time are also stated within the properties.
Here we have another simple example of building a timeline with the timestamps from within the transactions related to a specific address and the timestamps of the mentions of that address on a dark web forum.
All of this above is related to the situation around the exit scam performed by the Wall Street Market administration. You can see that all of the transactions and all of posts take place in the second half of April 2019.
If we talk about profiling, there been there are a number of quite famous cases that have been solved by law enforcement and by analysts within those types of organizations related to de-anonymizing an owner or a senior administrator of a dark web marketplace. There is the famous Ross Ulbricht who was using the alias Dread Pirate Roberts and a clear web alias Altoid which was the key thing that led the American law enforcement towards then. We can gather the different data from the full spectrum of sources or potentially we could very carefully try to profile the individual based on the way they interact with the customers, the way they interact with vendors, the way they behave online within the platform. Or we can try to profile those people in retrospect to see what is common between the individuals who have been involved in such activities that have been uncovered historically. We can see that the portrait of the criminal has changed over time to this day in 2022. All of those –Mr. Ross Ulbricht, Mr. Gal Vallerius and Mr. Alexandre Cazes are educated individuals in different fields. For instance, Mr. Cazes has a degree in computer science. They tend to share certain views such as being Libertarian. Libertarianism was something very much associated with the motives of the founder of Silk Road, but similar motives can be speculated about other members of that community. In the case of Mr. Alexandre Cazes, the key input was an email address that was a source of messages to newcomers within the Alphabay Marketplace which was 10 times the size of Silk Road at its peak. The support emails were to new vendors and new members.
Here we can try an example of enriching that identifier to build this graph from scratch. This can be done with the help of something called a machine within Maltego which can automate those queries under a specific logic.
Here at this moment it gives us an IP address from a leaked database, it gives us an account on Gravatar –[redacted account name] an account on Skype, and a number of email addresses with similar passwords. And also a number of additional database records that contain the email in the string. The IP address is further resolved into a Canadian netblock and that is resolved to an autonomous system number. Now we can try to do the same with the second email that we have here. This is giving us two Skype accounts and two additional IP addresses. Of course, we can run a search into the data lake of DarkOwl. From which we will try to extract additional details. Here this gives us the family name, it gives us the name of another individual, and a number of IP addresses and phone numbers. The IP address issue may be just a minor technical problem on the side of Social Links with integrating this, but you get the point. This gathering and structuring process is something that is done in retrospect, so this person has already been uncovered, already been arrested, and already committed suicide while in jail. But I think it’s obvious how beneficial industrial automated tools such as DarkOwl and Social Links can be in researching such individuals and investigating and doing criminal intelligence within those types of sources.
With Oxymonster, the alias that belonged to Mr. Gal Vallerius an Israeli-French individual, the initial input point that investigators had was this vanity Bitcoin address for which they traced output, a number of outgoing transactions to a number of addresses all leading to an account on a peer-to-peer platform [redacted address][.]com under the username Vallerius. That is exactly what we were talking about when we said speech patterns and idioms and idiosyncrasies. The investigators further compared the speech of Mr. Gal Vallerius on Instagram and Twitter accounts that are no longer in existence but we do have a Foursquare profile here with that of the user Oxymonster and there was a certain match in the patterns. Now here we can extract additional things from the DarkOwl entities that we have as well.
In another example with an email of Mr. Ross Ulbricht which was found from one of the posts on the Bitcointalk forum which was initially found a by matching the username Altoid with the first-ever mention of the Silk Road marketplace on [redacted address].org. We can also try to use those transforms to see what is connected to those identifiers.
Here we go to what is more commonly associated with Social Links. Social Media intelligence is our strongest side so far even though we’ve diversified the sources that we have and the methods available for them in the standard procedure of mapping out the digital footprint of an individual. If we return to the initial logical schema of those processes it is a necessity not just to focus on the user account or on the group or on the marketplace within the Tor Network or any of the other darknets. The process of investigation and analysis will take the analyst, if they’re lucky of course, into other kinds of domains which may include conventional social media.
There is another instance for a potential use of OSINT tools in a similar scenario, but it would make sense to use in the case of the Berlusconi Market and their administrator John Kohler Racino . The way that they were uncovered was something far more in line with the traditional work of law enforcement. They were eventually closed down as a result of the operation by the Italian Guardia de Finanza, but it was the result of operatives having ordered number of goods from the marketplace as part of an experiment and having noted that they all came from the same post station from within a small town in Italy. Here we see an example of what can potentially be found from the usernames and the accounts under the usernames that were operated by Mr. Lucino. There are two of them: one that had presence in the Dread forum and was involved in discussions around the Berlusconi Marketplace and another one on several marketplaces including Berlusconi, two of those sharing a single PGP open key with the pattern of the goods being shipped from Italy worldwide. There is some output from the Social Links identity search engine that also gives us a number of email addresses and IP addresses. Operations such as this can be advanced with the use of DarkOwl.
That is all of my part so far with the functional demonstration of the capabilities.
Another topic which we haven’t really focused on today but which is quite relevant here is the usage of those kinds of tools and the exploration and the research by professionals in the field of corporate security. The cases that we’ve shown now –they’re somewhat more in the domain of law enforcement work and criminal intelligence analysts, but the monitoring of sources, aggregating leaked databases, data breaches, are also a topic relevant to the practice within the corporate sector.
How we use those tools to detect human trafficking is a very good question and there is an organization that we have done a webinar with previously called the Anti-Human Trafficking Intelligence Initiative with very brilliant people working in that area. They have a solution of their own that works by a slightly different principal than Social Links and DarkOwl, but yes such solutions do exist and such practices do exist and they have been successful uncovering numerous instances of human trafficking and the distribution of CSAM.
David: Absolutely. Ivan, I just want to jump in and congratulate you on a really excellent presentation. As far as the human trafficking pieces, we are seeing a growth in the kind of communications and coordination that happens on the darknet for human trafficking and even more broadly for the CSAM types of materials. I would like to talk about one of the other questions that has been brought up, and it talks about the companies that have been involved in ransomware incident response. The amount of chatter that we see happening on the darknet for the different ransomware gangs has increased exponentially over the last two years, and we’ve tried to focus on it for quite some time. We’ve really seen how well they have taken their software to market. You can see that ransomware as a service programs have been proliferating widely through markets on the darknet. As far as identifying specific ransomware families, I think we have about 30 or 40 of them that we’ve already curated. Including what cipher they are using, when we first saw them appear on the darknet, and you can use it to gather some of the pricing data that you need.
Ivan: Thank you for that David. One thing that is easy to see even from this simple graph which is just a reflection of the current state of affairs in the cryptocurrency industry and specifically in the Bitcoin ecosystem is that it is very Wild West-esque at the moment. [There is] the obvious pattern of large a number of interactions with people involved in terrorism and ransomware and the trades in illicit goods in the dark web space and human trafficking and CSAM as well, although those two categories are not reflected here. The people at the Anti-human Trafficking Intelligence Initiative know much more about that topic. Interacting with legitimate exchanges such as Binance, Gemini, and Coinbase.
David: There’s a question from Andrew and it says: do DarkOwl and Social Links have the tech to crawl the deep and dark web? Almost all of our collection is technical-automated. There is a combination of techniques that you use to gain access, but then you cannot collect at scale just using human beings so it’s a combination of both. We use both for this kind of collection. Then there was one question about risk management targeted profiling and Customs control. Absolutely, specifically for the for the drugs portion…most of drug shipments that we see happening on the darknet are international transactions. The largest shipper of drugs worldwide is the United States Postal Service because it takes a federal warrant to get into a box being shipped. We see some law enforcement agencies do controlled buys. They use these tools to identify who the vendors are, how do you enter and interact with them, and it’s about the speed – how do you get ahead of this and then do controlled buys. When it comes into your country you will figure out which one of your Customs agents is taking bribes from people to let those packages in. It’s both useful for looking at criminal activity and also from an internal counter-intelligence perspective.
Ivan: Thank you David and thank you for visiting we are always glad to see you here.
David: Andrew we don’t leave you hanging out there I see your question, you’ve asked how they might go seize the ransomware payments. I don’t have any direct knowledge of how that happened, but most of these payments have to go through some form of exchange to move the money around and they likely had access to one of those exchanges that could tell them. Because remember there are some exchanges that are working with and cooperating with law enforcement and international law enforcement agencies and if they get a valid warrant from a law enforcement agency to block the transaction, they can do that. Just like it would work in the international Swift system for blocking bank transactions through the Federal Reserve Bank of New York. I would imagine that probably something like that is how it was done.
Ivan: Yes, I actually think there was an Eastern European mixing service there.
This is it on our part for today thank you everybody very much for participating and we hope that you will contact us to talk with us further about how our solutions can be implemented into your business processes. We will be very glad to see you and will be expecting you on our further webinars that are to come. David thank you for co-hosting.
About Social Links
Corsha is on a mission to simplify API security and allow enterprises, developers, and DevSecOps teams to embrace modernization, complex deployments, and hybrid environments with confidence. Our core technology is dual use, designed for widespread adoption, and easy to configure and deploy to both commercial and government customers. Corsha has a strong engineering team with deep expertise in distributed ledgers, cryptography, security principles, orchestration technologies, and software design.
DarkOwl uses machine learning to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability, be queried in a safe and secure manner without having to access the darknet itself. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. Our passion, our focus, and our expertise is the darknet.
Interested in how darknet data applies to your use case? Contact us.
DarkOwl’s Chief Business Officer, Alison Halland, the Director of Strategic Alliances at Cowbell, Jessica Newman, and Cowbell’s Director of Risk Engineering, Manu Singh, sit down and discuss the building blocks of the darknet and organizational risk, what darknet data exposure means for small to medium sized businesses, how Cowbell uses DarkOwl’s darknet data to generate a dark intelligence scores for each of their policyholders. They also dive into the value-add of a Cowbell policy to their policyholders provided by Cowbell’s free reports from their risk engineering team utilizing DarkOwl’s darknet data to assess and mitigate cyber risk to businesses.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity
Jessica: I want to welcome you all. We are really excited to have you on behalf of Cowbell and DarkOwl. We are here today to talk about the dark web, which is hopefully an interesting and fun topic of conversation. From what we hear, everyone typically perks up when the dark web is mentioned. It’s a topic that gets a lot of questions and a lot of interest. Our intention today is to arm you with enough information about the dark web and about how Cowbell uses the dark web to feel comfortable talking about the dark web with your customers.
Quickly I will introduce myself, my name is Jessica. It’s great meeting you and being with you today. I run point on our cybersecurity partnerships here at Cowbell… I’m going to let our panelists introduce themselves. We’re really excited to offer their expertise to you all today. Alison do you want to start by introducing yourself?
Alison: Absolutely. I’m Alison Halland with DarkOwl, and we’re based in Denver Colorado. I’ve been with the company for over 6 years and we are Cowbell’s darknet partner. We provide our darknet data to Cowbell and it’s been a great partnership. I’m excited to be here talking to all of you and hopefully you can walk away with a little more information about what the darknet is and how it can be helpful as you talk to your clients looking at getting policies.
Manu: Thanks Alison, thanks Jessica. Glad to be here today. I’m Manu Singh, and I’m the Director of Risk Engineering here at Cowbell. My team assists our policy holders through our continuous risk assessment process. That includes understanding our Cowbell cyber platform, our Cowbell factors, understanding how our AI and machine learning scans are used to develop insights and recommendations, as well as some of the data that we add off the dark web thanks to the assistance of DarkOwl. My team— ultimately our goal is to reduce the frequency and severity of data breaches and cyber incidents for our policy holders. We certainly do that by generating our dark web data reports, and again that is with the assistance of the data that DarkOwl is providing for us.
Jessica: Awesome. I want to kick things off. We’re going to have this be as interactive as possible so please feel free to ask questions, utilize that chat, if questions come up we want to make sure that we’re answering them. I want to kick things off with a question for those of you who are joining us today: I want to understand if the dark web is a topic is of interest to your customers today. Is this something that comes up a lot or do you see [the dark web] as an angle that you can use when you’re selling cyber insurance? There’s a question up there now: How confident are you at discussing the dark web with customers? Do you feel very confident, neutral, or that this is totally new to me? I’ll give you a second to place your vote…. there are some results showing that people are pretty neutral. This is actually really good news. My hope was that you don’t feel very confident in discussing dark web and that you’ll leave today feeling much more so. That gives us a really good place to start from.
Alison I’m going to kick it over to you if you can give our audience a quick overview of what is the dark web. I think having that basic understanding of what it is and what happens there will help us understand how we can then talk to customers about it.
Alison: Excellent. So as Jessica said let’s step back and define the darknet so that you all are all operating under the same kind of information. At this point in time it’s a buzz word that we’ve all heard, especially if you’re paying attention to media or newspapers. It usually comes along with an image of someone in a black hooded sweatshirt with all sorts of code in the background. I want to unravel that a little bit and talk through exactly what the darknet is.
We at DarkOwl consider the surface web to be anything that’s indexed by a search engine. Think about when you open up Google, you put in a search term, you hit enter. All of those results are by definition the surface web. They are indexed and you can click on them. And interestingly despite hundreds of thousands of results coming up on Google that only represents about 5% of the internet. Hence the iceberg analogy this is the tiny piece that is above the surface of the water.
The deep web makes up essentially the other 95%. The deep web is nothing scary or dangerous. In fact, I guarantee that everyone on this call was on the deep web today or yesterday. The deep web is content that sits behind a username and a password –or content that is not indexed by a search engine. What I mean by that is if I go into Google, I might not be able to pull up the deeds on all the houses in Denver within the search engine. But if I go to denver.gov I can find that information. Or, for instance, I logged into my bank website this morning and I paid my water bill. That is deep web content – I can get there with a username and password but all of you can’t access my bank account. That is where the majority of the internet resides. There’s so much that sits behind usernames and passwords.
The darknet, where DarkOwl specializes, sits below both of those. It is an undefined and hard to quantify space, but, in comparison to the deep web and the surface web it is much, much smaller in volume. The reason it’s important and significant is that by definition the darknet allows you to remain anonymous. That is the darknets defining feature. If you want to nerd out over it, the darknet was actually developed by the US Naval Research Laboratory in the 90s to allow folks serving to remain anonymous. As we all know, what does anonymity bring? It brings an opportunity to do things without being found. Hence the illegal activity that happens on the darknet. But I want to be very clear that the darknet in itself is not a bad thing. It is not illegal to go onto the darknet. You do need to download special software. Some of you may have been on Tor.
The key takeaways here are: for the darknet you have to download special software, its kind of a pain get onto it, however, it is not illegal, and anyone is able to access it, and the defining feature is that you are able to remain anonymous when interacting on the darknet. And the best way to visualize this –and you all will know what generation I was born in by my analogy- when you used to watch the Price is Right you’d have that show with the little ship that would go down through all the slots. That’s essentially what’s happening on the darknet with your IP address. The ability to track someone back to an IP address is almost impossible on the darknet whereas if I go to Cowbell.com, Cowbell has an awesome marketing team, they most likely know where I came from, what my IP address was, what pages I looked at, and how long I stayed there. Those same tracking metrics do not exist on the darknet.
Why do we care about the darknet? Why is it something that we are all on the phone to talk about? The takeaways here are usage on the dark web. I go interchangeably between dark web and darknet – we use them interchangeably at DarkOwl. But there was an 80% increase in usage over the last 3 years. Millions of users are connecting through the Tor browser, which is the best-known darknet out there. This is a very lively and active community of folks. It may not be as big in quantity compared to the deep web or the surface web, but there’s a lot of activity going on there. That’s why we are all focused on it, and that’s why we DarkOwl are in business.
Obviously all of you are in the insurance space –so why is it important to understand what DarkOwl does and what darknets exist out there? The kind of stuff you are going to see on the darknet is exposed credentials, you are going to see IP addresses, you are going to see people buying and selling social security numbers, people trading gift cards, people posting ransomware, and people selling services to conduct malicious activity against organizations. You name it and it is being transacted on the darknet.
As a company, whether you are tiny or humongous, you need to understand what that looks like for your own organization. Jessica and Manu and I think a lot about: how can this data be helpful for our respective clients? And the best way to think of it is as an exposure vector. Most people on the darknet are there because they are doing something illegal and taking advantage of the ability to remain anonymous. If you as an organization have content on the darknet, whether it is emails or trade secrets or anything – that is a concern. That is why we’re all on this call today. We’re going to get into how Cowbell uses that information and what you can all leverage to help inform your clients why it is important for them to understand their darknet presence.
Jessica: You can see here the quantity of data that DarkOwl has, DarkOwl being Cowbells partner for dark web intelligence. What we want to impress upon our customers is that with Cowbell, it’s not just a cyber insurance policy that you are getting. You’re getting all the intelligence that Cowbell has from our partners as well. And DarkOwl is the crème de la crème of dark web intelligence. This is a value-add that’s above and beyond what other cyber insurance carriers might offer. And that’s a huge piece of information to keep in mind when talking to customers. The dark web is not just one place, it’s several different places. Many of you may have heard of platforms like Telegram or Discord. These are encrypted chat spaces that DarkOwl collects information from as well.
Alison, quick question for you: most people think to themselves, I am a small business, my information is probably not on there, and if it is on there what can someone really do with it? Can you speak to the amount of exposure you see for small businesses? Let’s say a bad actor has access to an email address, what could they even do with it?
Alison: Right. We get that question quite a lot. The answer is contrary to what most folks think. The vast majority of attacks, whether it’s ransomware attacks or cyber incidents, are targeted at small and medium businesses. Part of that is because that’s an easier feeding ground. A lot of those small to medium businesses don’t have the tech staff or the budget to have cybersecurity tools in place. Yes, you read in the front of the Wall Street Journal that a Fortune 500 company experienced a huge breach. But the ones you don’t necessarily hear about are all the small and medium businesses that are getting targeted day-in and day-out. The risks can be higher for those small and medium businesses… An IBM is going to be able to weather that storm whereas a small or medium business – they could not in a position to deal with a huge ransomware attack. The first question you ask Jessica – it absolutely is important for anyone whether you are a business of two people or two billion.
And the second question is what can they do with an email address? Quite frankly they can do a lot. They can find their way into that organization. A lot of content we see on the darknet will have passwords associated with it. Think about a hacker that has stolen information. And a small to medium business’ employee uses that same password for their Spotify account that they do internally for work. Because of password re-usage, that hacker can access the internal systems of the small to medium business and take down information. The business could be vulnerable to social engineering. We see a lot of executives targeted at small to medium-sized businesses. There are many vectors present on the darknet that threat actors could use to get into the organization from a technological standpoint or to social engineer their way in.
Jessica: That’s the perfect segway over to Manu which is the “so what?” What does Cowbell do with this data? How do we understand at what level of risk a company faces when it comes to dark web exposure? Manu, if you wouldn’t mind, give us an understanding of how Cowbell uses this data and what is available to customers above and beyond what they see in their dashboard? In their Cowbell portal on the platform.
Manu: Absolutely. The way we look at it, DarkOwl’s data is directly aggravated from forums off the dark web. This is valuable data to Cowbell since we’ve created a dark intelligence score for each one of our policyholders in the form of a Cowbell factor. This score helps us determine what the level of risk is associated with the organization’s exposure on the dark web. If we determine that there is organizational data exposed on the dark web, we’re able to quickly identify the number of documents exposed, and then we notify those Cowbell policyholders to potentially take action through our own platform. Now how does that really affect Cowbell factors, and what we can do for our insurers?
Our dark intelligence telefactor is impacted directly by the number of exposed data points that have surfaced on the dark web. The more exposed documents we identify and the more credentials or passwords that are leaked are associated as a high-risk. The severity of those exposed data points is categorized by low, medium, high, or very high. For example, if we identify that there’s 50 documents exposed on the darkweb for a particular insurer and 25 of those documents were considered hack-worthy data, then we may categorize that as a medium-sized risk. If we go down to 20 exposed documents with only 5 that were considered hack-worthy data than that may be considered a low risk. Versus something where we might find 5,000 documents on a particular insurer and they have 250 documents that are considered hack-worthy data. That would be in either the high or very high category as well. At that point we identify that risk for our insurer on our Cowbell cyber platform. From there they can go ahead and request additional details, such as what’s behind those documents and what’s actually been exposed. That’s what tends to happen with policy holders. They reach out to the risk engineering team and then from there we create a report for them.
Jessica: So if I want to understand what’s behind the score, you’re saying that I can reach out to the risk engineering team and receive a report. What does that report have in it? Can you show us an example?
Manu: Absolutely, I have one right here… this is a sample report. For full disclosure this is not any actual data on a policy holder or any actual dark web information on a policy holder. This is all make-believe. With DarkOwl’s data, we organize that data into a report that is consumable by IT professionals, by security professionals, and a report that makes sense for management teams and the C-suite as well. We want everyone to be able to look at this report and say: I get it, I see what the risks are, I see what the exposure is.
Our risk manager has done a great job of aggregating that data into a report that’s consumable by all. On the top you’ll see that summary of findings found through the help of DarkOwl’s platform. It will quickly summarize where this data was exposed. This report says the data was exposed in the MGM 2022 breach as well as the leading data source where all types of information was exposed. In this one it highlights the PII that may have been exposed such as date of birth, email addresses, names, actual physical addresses. This was happening for over 142 million records from the MGM breach in 2022. From there the report goes into some of the categories that we have found. The total number of exposed documents that have surfaced on the dark web for this particular insurer will be listed.
We have 555 exposed documents. From there it goes into how many of those are actually exposed credentials with passwords listed whether is plain text passwords, so that would be the actual password, versus something that’s hashed which would be more of a coded password and more difficult for a bad actor to take advantage of. It has listed 5 there. And then 5 is the total number of exposed passwords. This is passwords without a credential associated with it. This will also list out the most recent data that was listed, so you may find data that was listed in 2021, 2020, 2019. This data is as of this year so that makes it even more crucial for an organization to understand that this is a direct exposure, this is a recent breach, and this could be a recent password that an employee is using.
Down here we have a couple of charts. It will tell you the amount of passwords and some of the other data that is exposed such as email, names, phones, and physical address which is conveyed here for a policy holder.
Scrolling down we get into the recommendations that we want some of our policy holders to follow if they do have data exposure, such as what you can do next and how you can mitigate some of the exposure. We have listed some of the best practices and security controls policyholders can apply.
Everything from applying multi-factor authentication to those email accounts that may be exposed, to changing those passwords, creating robust password policies, requiring employees to have alphanumeric passwords, and passwords of at least 10 to 12 characters. That’s the standard right now. With special characters included. Training your employees to identify phishing attempts, having good email hygiene, and not clicking on links if you don’t know who the sender is are what we recommend to our policy holders to apply if they do have any exposure.
Jessica: I want to note that somebody in the chat asked: Is it hard to remove your information if it is on the dark web? Alison thanks for answering it [in the chat function]. In fact, it is impossible to erase information once it is on the dark web. There are two things to keep in mind here. Number one is this set of recommendations. If a customer is highly exposed, however, they are acting on some of these recommendations the exposure will go down with time. The more time that passes the lesser the importance of the exposure, such as if they are old passwords or passwords that are no longer in use or if there’s multi-factor authentication enabled. That’s going to disable a bad actor from using this information to do anything bad.
Manu: And the answer is yes. It is hard to remove that data. We can’t simply call the bad guys and say “hey look can you please delete my data off the dark web?,” they just won’t do it. Once it’s on the dark web it’s most likely on there for good. It’s going to be bought and sold. It’s going to be reposted on other forums for bad actors to buy, for actors to attempt to deploy phishing attempts against, to employ brute force attempts against, so it will always be on there. What the organization should do at that point is mitigate. Be proactive in your approach. Apply best practices. These are some of the recommendations that we initially want the insurer to take advantage of and quickly apply within their environment.
Going onto the next page this will be the actual raw data that we notice from DarkOwl’s aggregation. We’ll list out the email that was leaked and posted on the dark web. It will be the company email most likely. From there we’ll also post whether any password was leaked. In this case the password was leaked. The answer could be yes, no, or could be a hashed password. From there we want to give the policyholders the date that it was published on the dark web. We think that’s important because the more relevant data for the bad actor to take advantage of and to use to compromise your organization will be the most recent data that was posted. We tend to see that with credentials that they get from the current year – those passwords may still be current. Employees may still be using those passwords to login to those accounts. Threat actors take quick advantage of that. Then we’ll list out the data source as well just so the policy holder can understand: was I compromised, or was this from a third party where my data might have been sitting somewhere and the bad actors had access to it that way? If there are any of other types of information included –so email addresses and passwords for this one –you can see some of these emails have a lot more PII associated with them, such as email addresses, names, titles, their LinkedIn IDs, and where they’re living.
Alison: That context that Manu just went over is extremely valuable and I don’t want that to be lost in the details. There are other darknet providers who might be able to say yes, that company has exposure on the darknet. But then it’s end of sentence. And you don’t get the context. Being able to share with that client that these exact email addresses with these exact passwords were a part of this breach is so much more powerful. Think about the mitigation if you are a small-medium sized business and this report comes back and there’s three email addresses on it and three of those employees are no longer with the company and left 4 years ago. You’re not concerned. Or, you come back and this report has 5 email addresses listed on it and every one of those employees was attending a conference last week together – that’s going to be a very different mitigation strategy for that business than the former. The context and the fact that Cowbell can pass that on to you to pass onto the policy holder… is extremely important because it allows them to act on it versus “well there’s information out there, good luck.”
Jessica: Alison when you say valuable, I want to press upon that. A lot of DarkOwl’s customers are cybersecurity companies. They might charge thousands of dollars to a customer per year to provide this in-depth information. Manu, do our customers have to pay for this report?
Manu: No, this is a value-add for being a Cowbell policy holder. It’s one of the many value-adds that we bring to our policy holders, and it’s one of the most frequently requested value-adds that we provide. If you notice that you had an exposure on the dark web, within the same day or within 24 hours we can turn around a report and get it over to your risk managers and your security folks. There’s no added cost associated with utilizing this service.
Alison: I would leverage that highly. When we were prepping for the webinar, Jessica was asking me how I would position it if I was in all of your shoes. I think about comparing different car insurances. If you make that analogy over to cyber insurance, this is the equivalent of getting free oil changes and engine checks. This is a huge value-add especially for small-medium businesses that may not have an IT staff who can be looking on the darknet. I think it’s a freebee that they can take advantage of.
Jessica: Absolutely. Manu, can you answer for us: what are some of the most common questions or trends that you get from customers about the dark web? Is there a common misconception, myth, or concern that your team fields most often?
Manu: The number one question we get after an organization realizes that their data was on the dark web is: “have we suffered a data breach or a cyberattack?” In most cases that we’ve seen the answer is no, it’s just the circumstances – it tends to be that the compromise happened at a third party, and they were storing your data in some capacity and threat actors gained access to it and they posted it on the dark web. Sometimes a bad actor will even mention the data source that they aggregated the data from. There are some cases where it could be direct exposure to your organization, and this indicates a breach. But what we tend to see is that it’s most likely a third-party breach and your data has been posted on the darknet. I would say the next question that we receive often is: “how can I reduce my risk?” and “this data is out there, what do I do?” and “how do I make sure that I don’t get hacked, how do I make sure that I don’t become a target?” It goes back to being proactive to applying those recommendations that we spoke about. Between MFA, email security, training your employees, and having strong passwords –all of that is very important. Those are probably the top two questions we get from policy holders once they notice that they have had some exposure.
Jessica: Manu this question (from the chat) is going to come to you. Do we also use this data as we underwrite and determine premium rates for prospective customers, and if so, is there a way to get a sample of some exposure for clients in advance as we help them consider the value of a Cowbell policy?
Manu: It is factored into the underwriting process if there is exposure on the dark web, however, we do give policyholders a chance to let us know what they are doing to be proactive to reduce their risk. Once underwriting understands [what they are doing to reduce risk] we get comfortable enough with the risk to move forward in the underwriting process.
Alison: Can they share it with their prospective clients?
Manu: Yes. We can certainly provide that data to prospective clients as well.
Jessica: So a broker could reach out in advance and understand what the exposure is so that they can guide that client potentially into a Cowbell policy or elsewhere?
Manu: Yes. As far as sending the actual data over we wouldn’t do that. We would just let them know if there is exposure and the amount of documents we’ve noticed as hack worthy data on the dark web. Then the actual data that is exposed would be shared with the policyholder or the potential client.
Jessica: So the dark web report that you shared is a post-buying experience for the policy holder. Any final comments? Alison and Manu thank you so much for being here. Do you have any closing thoughts for the audience?
Alison: We’re here and as you can tell we are doing a ton of work in the background and by “we” I mean Cowbell and DarkOwl to try and make this a much more robust policy than some other folks out there so don’t be afraid to come to us, ask questions, and if you have any personal interest in learning more about the darknet, there’s a lot on our website at DarkOwl. We’re just here to help.
Manu: Thanks Alison and I would say that if there’s exposure on the dark web and if you don’t know what to do –come to us, ask, go on the platform and see if there is any indication. And if there is exposure as us to generate a report for you. Again, it’s a value-add for our policy holders so certainly take advantage of it. This helps in several ways. It will help reduce the organization’s chance of suffering a cyber incident related to that exposed data. It also helps underwriters better understand your security posture, and then they can more accurately rate your organization as a safer risk, and that includes during the renewal process as well.
The organization can show Cowbell that they have been proactive, that they have reached out, that they have mitigated against some of these exposures, and they can show us that they are in a strong place for a renewal. Take advantage of the value-add from DarkOwl and Cowbell; it only helps reduce your risk and make your organization a stronger cybersecurity organization.
Jessica: Thank you. Hopefully we’ve given you some things to think about today that you can turn around today, tomorrow, the next, and directly relay to your customers as to why Cowbell… is different in the market than other carriers. We’re using data sources that are absolutely the best in class to help define risk and rate risk. Beyond that we have Manu and his team who are here to help you, guide you, and provide extra information and context throughout the entire lifecycle of a policy.
Cowbell is the leading provider of cyber insurance for small and medium-sized enterprises (SMEs) and the pioneer of Adaptive Cyber Insurance. Cowbell delivers standalone cyber coverage tailored to the unique needs of each business. Our innovative approach relies on AI for continuous risk assessment and continuous underwriting while delivering policyholders a closed-loop approach to risk management with risk prevention, risk mitigation, incident preparedness and response services. To learn more, visit: https://cowbell.insure/
DarkOwl uses machine learning to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability, be queried in a safe and secure manner without having to access the darknet itself. DarkOwl is unique not only in the depth and breadth of its darknet data, but also in the relevance and searchability of its data, its investigation tools, and its passionate customer service. Our passion, our focus, and our expertise is the darknet.
Interested in how darknet data applies to your use case? Contact us.
Industrial control systems (ICS) and their adjacent operational technologies (OT) govern most everything societies rely on in the modern age. Manufacturing facilities, water treatment plants, mass transportation, electrical grids, gas, and oil refineries… all include some degree of ICS/OT incorporated in their industrial processes. Cyberattacks against these are on the rise and the challenge to protect industrial control systems persists. Recent research from DarkOwl analysts specifically identifies an alarming number of threats on the darknet and deep web that could effectively target and compromise critical infrastructure.
DarkOwl is not the only one taking note of these trends and associated challenges. Hybrid CoE, the European Centre of Excellence for Countering Hybrid Threats, has published a Working Paper entitled Defending critical infrastructure: The challenge of securing industrial control systems, diving into the topic of cyber threats affecting industrial control systems, the downstream affects and what can be done from a policy perspective.
Last week, DarkOwl CEO Mark Turnage participated in a webinar, “Defending Critical Infrastructure: The Challenge of Securing Industrial Control Systems” hosted by Hybrid CoE, with speakers from The United States Army College, the Internal Society of Automation (ISA), and the National Institute for Strategic Studies, Ukraine.
The panelists discussed DarkOwl’s recent research in detail, covering topics such as cyber incidents affecting the vulnerabilities of industrial operations, recent examples from Russia’s war against Ukraine, specific OCS/OT threats on the darknet, and potential ways to develop more effective policies.
The slides that Mark Turnage shared during the webinar can be found here:
Curious to learn more about how darknet data can tailor your threat intelligence or provide insight into the threats your face? Contact us.
DarkOwl CEO Mark Turnage and Symbol Security Co-Founder and President Craig Sandman discuss the darknet, key elements of cyber surveillance utilizing darknet intelligence, their partnership, and why darknet data is an essential part of Cybersecurity programs in the SMB market.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Mark: Let me talk a little bit about DarkOwl. We’re a company that’s about five years old based in Denver, Colorado. We specialize in collecting, aggregating, indexing, and supplying data from the darknet. And we’re very specialized and focused just on the darknet. There are other companies, there are other threat intelligence companies that provide other types of data. But our specific expertise is simply in the darknet. We’re very proud of the fact that we have more female employees in the business than most tech companies do, I think we’re just under 30% right now. In the past, we’ve been as high as 40%, and we’re very proud of that fact.
But to the point of darknet we have built over the 4 or 5 years of the company’s existence, we built what we believe is the largest darknet database in the world. And let’s just talk a bit about what I call definitional ambiguities. What is the darknet? What is the deep web? The surface web is what everybody sees as the top of that iceberg on the right. That’s where we spend all our time. It’s accessible by Google. You can get information and that’s where the vast majority of the world spends most of its time on the web. The deep web are authenticated websites. So, for example, your bank account information – Mark Turnage cannot get to your bank account information from my browser. I might be able to get to your bank’s sign in page, but I can’t get to your information because I lack the authentication and the credentials to get there. Ironically, that’s where the bulk of all the data that is held on the internet is actually stored.
Where we specialize is in the darknet. These are anonymized networks that reside below the level of the surface sites, surface web and the deep web. And they generally require specialized browsers to get access to. And it generally requires some type of specialized knowledge, although not in all cases. If you look at this slide, what we’re talking about is at the bottom of that slide, Tor i2p, Zeronet, other new darknets that have been created, these are darknets where DarkOwl is on a daily basis collecting data and supplying that data to our partners and now including Symbol. And that data is full of information that is relevant to measuring the risk of organizations and understanding the risk and addressing that risk.
We also do collect data and supply it from certain high risk surface websites, pay sites, and some discussion boards, as well as some deep websites, some underground criminal forums and so on. All of that we describe as the darknet database. And again, we’re collecting it so that organizations can understand what data of theirs is in the darknet, what exposure they have in the darknet.
Kathy: Mark, real quick – a couple of questions have come in on that last slide that you just shared. The first one is “How big is the darknet?”
Mark: That is a really good question and nobody particularly knows the answer. When we started collecting data from the darknet, the darknet was Tor, the Tor network. There are now probably half a dozen darknets that exist and we collect data, as this slide shows from it, and Zeronet. We’re moving into other darknets as well. But there is no easy way to measure the darknet. And the simple reason for that is that the darknet is generally distributed around the world. The Tor network is a network of between 15,000 and 20,000 servers around the world that serve that. There’s no easy way to measure it. But to give you a sense, DarkOwl collects data from somewhere between 25,000 and 30,000 darknet sites a day. That’s before you get to the high-risk surface websites and the deep websites. So that’s a lot of data. These darknets are growing and usage on these darknets is growing great.
Kathy: And there’s also a question as to “How do you know when a company is being targeted on the dark web?”
Mark: Well, generally indicators of the fact that a company is being targeted in the darknet show up. Either the company is mentioned by name or their IP range, it shows up in a targeting website, let’s say a hacker forum where somebody says, here are some IP ranges where I’ve discovered certain vulnerabilities, or I’m selling access to this company’s server network. Or you will see things like credentials and passwords for sale for individual companies that allow hackers or ransomware actors or other actors to drive straight into the network and be inside the network. So there are lots of indicators of risk of companies that show up in the darknet. Using our database and using Symbols database, you can search for those indicators of risk that may exist with respect to your individual organization.
Mark: I’m going to finish on this slide I mentioned earlier. We’ve built what we think is the world’s largest database of darknet content. This gives you a sense of some of the locations that we collect from Telegram, ITP, Tour, zero net, pay sites, and so on. And it will give you a sense of just what we’ve indexed in the last 24 hours. The slide shows 8.4 million documents have been indexed into our database in the last 24 hours. If you look along the bottom, it will give you a sense of what we have collected over the years of our existence. We have somewhere north of 8 billion email addresses in our database. We have somewhere north of a billion IP addresses, 9 million credit cards, 236,000,000 crypto addresses. That gives you a scale and sense of the scale of what exists in the darknet and exists by virtue of having access to our platform.
We provide that data a number of different ways and are delighted to partner with Symbol and now I’m going to turn it over to Craig.
Craig: Great. Thanks, Mark. Appreciate it. Great job. Mark did a great overview of darknet, deep web and the surface web. Certainly it’s a squirrel space and a big space. So let me tell you a little bit about Symbol Security and we’ll kind of pull into this how we managed to get together with DarkOwl and deliver some of these darknet cyber surveillance services to the SMB market.
Symbol Security is a provider of predominantly security awareness training services. As you probably know, security awareness training is something that’s been hot in terms of a way to address and mitigate the attacks of cybercrime and it’s also in regulated environments. And we’re talking now close to 800-850 regulations, laws and other statutes that require businesses show evidence of security awareness training. So it’s becoming a nonstarter for businesses, even if you didn’t feel like it was a good use of your time or argued the fact that it made your company safer or not. Independent of that, it’s a requirement in so many regulations, it’s becoming a nonstarter.
One of the things we do a little bit differently than most companies is we deliver a managed program. So a lot of the security training services and the implementation falls down in just that, in the implementation of it. So they may buy the software, but do they actually properly implement or even get to implement the service? We know how things go in the small to mid-size business. Everybody’s 150% subscribed in terms of their time and it’s difficult to execute on everything you have to do. So things fall to the bottom of the list. One of the things that typically will fall to the bottom of the list is security awareness training. We look at security awareness training and security awareness as targeting human risk. So how do we identify human risk and how do we mitigate human risk? Through education. We do more than just training videos and phishing stimulations. We look at email and domain threats. So email threats would be breach alerts and things like that. Is your email address compromised in any way? Domain threats look at the potential of doppleganger and lookalike domains being manipulated and used potentially against you, just helping give access and visibility to your thread envelope.
From a training perspective, we have really great trainings, very good simulations, and we make things quite easy because we’re typically focusing on the SMB market and through SMB distribution points like managed service providers and managed security service providers. And we’ve added cyber threat surveillance now to this platform into the bundle. And I’ll talk about why in a moment, but it plays into the extension of threat awareness for the individual and for the small business that’s how and why we’ve tied it in.
And we’ll talk now about what cyber threat surveillance is to us and to the SMB market space. So essentially, as Mark indicated, there’s a lot of different things that you can pick up on the darknet and on the deep web that are very valuable in terms of being proactive in your cyber awareness strategy. So reactive would be we’ve seen a breach alert for a particular email address. Now we go in and change username and password so it can’t be further manipulated, but the breach has already happened. We’re reacting in that case and there’s other instances where we’re simply reacting to things that have already happened.
We’re flipping a script here and allowing for darknet visibility and deep web visibility to provide proactive awareness. So when might things begin to look strange or suspicious that we need to act on, rather than we already know there’s a problem? We’ve probably already been hacked or attempted to have been hacked, and now we’re going to mitigate post that event. The concept of brand protection falls in there if there’s potential issues in and around your brand or people are slandering your brand or lining up your brand for an attack or any kind of negative event. VIP email monitoring we talk about a lot as well. So if you have individuals that are perhaps tightly associated with your brand, obviously any kind of reputational damage, there could be a cyber issue or a damaging issue for your organization. And then monitoring chat rooms. And just as part of the entirety of the deep and dark web chat room, visibility is included in there, as well as looking over products and domains. So those are also places where organizations want to protect their assets. What we’ve done here is taken a service and a feed that is typically consumed by government entities, large agencies and Fortune 100 companies, and we boiled it down to a simplified package so that the SMB can consume it.
That’s what was missing before. Right. We have incredible service provider in DarkOwl and some really great layers around that the entities in the market use in order to consume this data. But when it gets to the SMB, it’s too complicated and or too expensive for most budgets. So that’s really what we need when we say SMB packaged. And as part of that, we’ve broken it down into really keyword and email monitoring and we’ve integrated it into our cyber awareness reporting for the small to medium business.
Kathy: “Don’t threat actors only come after large companies? And what is the top cybercrime for small businesses of under 50 employees?”
Craig: First question, definitely a misnomer in that cybercrime happens most often with large businesses. It’s equally prevalent in small businesses. Obviously, big businesses might offer a bigger return from a cybercrime business perspective. But at the same time, the small businesses are generally less able to defend themselves and so they become quick hits. And if cybercriminals can get a 10,000, 20,000, 50,000 dollar return on investment for a crime, they’ll do it. And so there’s case after case after case of small businesses getting swindled out of 10,000, 50,000, $100,000 at a time through direct targeted cybercriminal attempts.
The second question was what is the top cybercrime that small businesses under 50 employees face. Cybercrime can be broken into many different buckets, probably not too surprising. The execution is typically ransomware that finds its way into all business sizes. How it gets in there is sometimes varied. So we focus a lot on fishing training and sort of mimicking phishing attacks. We can teach users to at least recognize and for that entry point for ransomware. But obviously ransomware can be delivered a number of different ways. That is the most prevalent situation. We do see wire fraud work its way into small businesses as well. That might be some kind of action sometimes from a phishing email that says something along the lines of, hey, please wire funds from this account to that account, where the secondary account isn’t something that’s owned by the small business. But certainly locking up files and then extortion from a ransomware perspective is, I’d say, the most common across probably most business segments.
Mark: Let me add something to Craig’s good answer to your first question of our SMBs targeted. To the same degree that large companies are targeted, we have found that oftentimes SMBs are targeted in favor instead of larger companies. Larger companies have a lot of money they can spend on hardening their defenses. SMBs oftentimes are softer targets for hackers and for malicious actors. So we have found that in some cases they go deliberately after SMBs versus going after larger actors. But that’s exactly right, Craig. I mean, I think the types of attacks that you’re seeing amongst your client base, it mirrors exactly what we see as well.
Craig: Absolutely.
Craig: And so from a cyber threat surveillance perspective, we’re not going to get into a demo today, just kind of short on time, but I wanted to give you at least a screenshot so I can talk through how this operationalizes itself into our platform.
Essentially, we provide we provide daily updates on darknet findings that are pertinent to your organization. And we’ve really structured the input so that it’s simple. We’re looking for keywords and potentially VIP emails we can also as mark alluded to. We can enter things like credit card information or IP addresses as well. From an advertise level, we really focus on keywords, which would be a business name, a product name, a brand name, an affiliate name, and then we are also looking at what we call VIP email protection as well. But again, we can pivot to incorporate some of those other items as well. We integrate the results directly into reporting and a dashboard. So as you saw on the last screen, briefly we’ll intake the findings. If your keyword or your VIP email is found, we’re going to give you plenty of surrounding context. It may be thousands of characters of additional data around the keyword that we found. You’ll get full context of not only the fact that this VIP email or keyword, maybe your brand name, your company name was found on the darknet, but you’ll see the entirety of the discussion around it in addition to the location that it occurred on. You’ll also get email alerts when these things happen. So administrators are going to get notified.
There’s a nice portal to allow you to track and categorize these incidents. You can categorize them as urgent, you can categorize them as resolved or just leave them in a pending state. Also of interest too is we provide some sentiment tracking as well. So based on what we see, we’re going to give an analysis of sentiment or negativity around a particular finding. So if it may be benign, there’s plenty of benign information on the dark web that’s really not pertinent, not meaningful, certainly not hurtful. You’ll see those results, but we’ll prioritize and we’ll flag as urgent results that hit a high negativity level. So we kind of take care of some of the analysis for you, although response remediation planning around what to do if you do find something is really up to you as an organization or perhaps a security provider that you’re partnered with.
Average price – so we will talk about price here for our service falls 4,000 to 15,000 dollars per year. It’s obviously a large range, but it really just depends on how much you want us to monitor for you. So I wanted to give that too because the average price point, entry level price point for the service is generally three to four times the high end that I’ve referenced there. And so in those cases, the access to this data typically outstretches an SMB budget. We fit it squarely in a range where SMBs can afford this service and most times we’re addressing clients that also have other needs around security awareness, training, password management services. We’re able to bundle those elements together and give them a nice SMB cybersecurity suite. As I mentioned, we will sell these services through managed security service providers as well. So we have a portfolio of managed service providers that will deliver many more services bundled together. Additionally, we can deliver these as a single suite and more of a point solution to organizations as well. All right, any other questions that we want to get to before we close it out here?
Kathy: Yes, we have had a couple more come in. “Can you please give an example for a small business where information from the dark web could help protect the brand reputation?”
Craig: Yeah, I can. Mark, I’m sure you probably can as well. But one of the things that comes to mind is a couple of things really I address this earlier in the conversation when I start talking about executives that are really tied to the brand of the company. And in some cases, if either those executives are being targeted or perhaps they are involved in some nefarious activity and that gets picked up, it’s not going to be a good ending. But at least an organization has time to prepare and plan and take action before an event has occurred. And that might be public relations type planning or perhaps getting out in front of any potential negative activity. Additionally, if there is some really slanderous and hateful discussions about a particular organization, that would be a cause of concern and you can use your imagination on what those things might be, these will get picked up if they’re happening on the dark web and on the darknet. So those are two situations that are certainly ones that the surveillance will help identify, which if you had typical reactive cybersecurity services, you’re not going to see those things until an event is inbound or incoming. Mark, I don’t know if you have anything to add to that.
Mark: That’s an exceptionally good answer. I would just add that in addition to VIP information slanderous activity, I would start by saying there is almost no mention of your organization in the darknet that couldn’t potentially affect your brand. So if you’re breached in a ransomware attack, if you’re being targeted in addition to the slanderous statements that are being made, ultimately that’s going to affect your brand negatively. Everybody knows about what happened to large companies that have been breached and their brand being tarnished as a result. The same is true for SMBs. And so all of the categories that Symbol monitors on behalf of its clients, all of them have some capacity or some capability to damage the brand.
Kathy: “So Symbol covers what is on the darknet, but what about other cyber risks?”
Craig: Yeah, that’s a great question. I mentioned some of our partner organizations. Obviously, the landscape of cyber risk is significant. These services that we provide, provide great coverage across the things that we’re specialists in, which should be training and some visibility around potential cyber threats that cross the dark web and potentially into domain names and breached email addresses and things like that. Of course there’s many more things to cover and we highly recommend, especially in the SMB space, security consultants, virtual CISOs. If you don’t have a CISO on board or maybe can’t afford one, those kind of fractional consultants are great and we have a number of really good managed security service providers that can provide a large breadth of cybersecurity type services from a single organization. Best of breed. Best practices and things of that nature. So we can certainly sit as a point of reference for helping you find those things and for the pieces that we cover today, we’re happy to deliver those directly as well. But yeah, there’s a lot more to it for sure.
Thank you so much for joining us today.
About Symbol Security: Symbol Security’s SaaS platform helps customers reduce their cyber risk, and adhere to industry compliance requirements. Through authentic simulated phishing exercises, interactive training content, and awareness of risk data across domain registries, and the dark web, Symbol helps companies identify and act on potential points of cyber risk. Symbol can be operated by company administrators with ease or leveraged by Managed Security Service Providers as part of their security offerings. Visit their website: https://symbolsecurity.com/
About DarkOwl DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near realtime, allowing darknet sites that frequently change location and availability, be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access their data.
On the 24th of February, after months of failed diplomacy, war broke out between Ukraine and Russia. While the war was being fought in the physical realm, Ukraine’s Ministry of Digital Transformation turned to the digital realm for assistance. Within days of the invasion, a call across underground forums and chatrooms was placed and hundreds of thousands of hacktivist volunteers answered.
Ukraine’s call for help sparked off the first ever global cyberwar which for the first time in history has been waged between two countries simultaneously with a land war. This webinar looks at what we have learned from the cyberwar to date.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: Hi, everyone. Thank you for joining today’s webinar, “What a Real Cyberwar Looks Like.” My name is Kathy. Dustin and I will be your hosts for today’s webinar…. and now I’d like to turn it over to our speaker for today, Mark Turnage, our CEO here at DarkOwl, to introduce himself and begin.
Mark: Thank you very much… it’s a lot more fun for me as a presenter to answer questions as we go along, and so I would very much love it if you have questions, put them in the chat and Kathy or Dustin will interrupt me and we can have a conversation instead of a one way webinar.
We at DarkOwl have covered the Ukraine-Russia conflict extensively since it began in February, and even a little bit before that. Many of you may have seen our posts and our blog covering the war. We thought it would be useful to circle back and give an update and some of our observations on the impact of the war on cyberwarfare theory and practice.
There are just four areas of this webinar that I want to cover today. One is I want to talk a little bit about what the competing theories of cyberwarfare are, because those competing theories inform some of our observations on how the actual war, which is the first war between two nation-states, first extended cyberwar between two nation-states, has unfolded. And then I want to talk about some of the impacts on the internet and on the concept of modern warfare. And then we’ll make some concluding remarks. So, roughly, the slides that I’m going to walk through and hopefully the conversation we’re going to have follows this agenda.
One of the problems with cyberwarfare in general is that it suffers from pretty significant definitional ambiguity, by which I mean, if you talk to people, people have very different views on what cyberwarfare actually is, and if you look at these three overlapping circles, the top being physical disruption, the lower left being misinformation and disinformation, and the lower right being sort of communications disruption and espionage, cyberwarfare actually touches on all three of those.
And so somewhere in the overlap between those three circles are the various definitions of cyberwarfare. And perhaps the best definition that I personally like is the one on the lower left in a cyber school called the Revolutionist: actions by a nation-state to penetrate another nation’s computer or networks for the person’s purpose of causing damage or disruption. Pretty straightforward. It speaks to a variety of degrees. It speaks to each of those three circles. But again, the point here is that there is no one definition of cyberwarfare. We can’t talk about cyberwarfare without understanding some of the complexities and some of the significant differences between cyberwarfare and physical warfare. And so, I want to spend a little bit of time on this slide because I think it’s fairly important as we talk about how the cyberwar between Russia and the Ukraine has unfolded.
One of the key differences between cyber and physical warfare is that geographical proximity is not necessarily launch and maintain an attack. Hypothetically, two countries on opposite sides of the globe could fight a cyberwar between the two of them and it could be quite a fierce war with significant collateral damage, and they wouldn’t be anywhere near each other. Another key difference is that the weapons that are used in cyberwarfare are largely one and done. Once you mount an attack on an electrical grid and it’s understood by the opponent how you’ve mounted that attack, they can patch that vulnerability or they can close that door that you walked through and you will not be able to walk through it again.
And so, one of the key differences here is that you can only use those weapons one time and that actually has an impact on how this particular war has been waged. One of the benefits of a cyberwar is that you can more precisely target cyber weapons. Anyone who’s followed the news can see that when either the party shell the other side and oftentimes civilians are killed because they’re in the neighborhood or they’re in the physical proximity of military weapons and there has been significant loss of life in this warfare. Cyber weapons have the ability to be more precisely targeted. It does not mean that there won’t be a civilian loss of life.
We’re going to talk about some explosions that have occurred in Russian oil and gas facilities that have in fact caused civilian loss of life. But the theory here, and it would appear to be born out by reality, is that civilian loss of life is nowhere near as much as in a physical war. A fourth key difference is that attribution of who did it is a major problem and it has really severe implications for escalation. If you don’t know who it is that has attacked your electrical grid or taken your internet offline and you can’t actually be certain of it, a potential retaliation against your enemy or against the enemy you’re fighting at the time might have an escalatory implication that isn’t deserved. So attribution in non-cyberwar times is difficult… in cyberwar that is even more complex because it has this escalatory component to it.
Private actors can cloud the attribution question. And the question is if a private actor jumps on board, for example, on behalf of the Ukraine and attacks Russia or tax targets in Russia, are they acting on the behalf of the Ukrainian government or are they acting as private actors who may be just hostile to Russia, and vice versa? Same thing for the Russian side. And that really clouds the question of who’s in control of this particular part of the war. So those first five bullet points, I think, are critical components to be considered in any evaluation of what cyberwar looks like and how it could be waged in the future.
There are a couple of other points I want to make which are quite interesting in the context of thinking about a cyberwar between two countries. Several years back we estimated that a nation-state could attain superpower status for less than the cost of an F16 jet on an annual basis, considerably less than the cost of an F16. So, the cost of entry to become a cyber superpower in today’s world are orders of magnitude lower than other types of military expenditures. And we’ll come onto a slide here that talks about who are the superpowers, but there are countries that punch well above their weight because they’ve made that investment in becoming either a superpower or near superpower.
One odd inversion of the international order, the more technologically advanced a country is, the more susceptible it is to a cyberattack. It goes without saying that North Korea, which is not heavily industrialized, not heavily complex from a technological perspective, oddly, is aspiring to cyber superpower status, is probably one of the least susceptible countries in the world to a cyberattack because it’s not connected. The grids are not connected. The level of complexity through the society is very low. On the other hand, both Russia and the United States and the Ukraine are heavily connected societies and are very susceptible to cyberattacks. The point I want to make is that there are some very significant differences between how cyberwar is waged and can be waged and what the implications of that are to how it’s waged, how physical warfare is waged.
I started off by talking about how there are many definitional ambiguities in cyberwar. This is how the popular press thinks about cyberwarfare. If you listen to CNN or Fox News or any of the cable TV stations, this largely captures how people think about a cyberwar; “With a nation in the dark, shivering in the cold, unable to get food at the market or cash at the ATM, with parts of our military suddenly impotent and the original flashpoint that started it all going badly, what will the Commander in Chief do?” (Clarke and Knake, 2012). That is the popular theory of cyberwar that once a cyberwar is launched, people will go back to the Stone Age. And that theory still permeates popular culture.
I want to just talk briefly about some of the competing academic theories of cyberwarfare.
Both of these boxes, the top and the bottom basically parallel each other, and they move from left to right. So on the left of each of the two boxes, the top is sort of a state of the art in 2013, the bottom is state of the art in 2021, and they basically parallel each other on the left. The revolutionists or the alarmists believe that cyberwarfare can change how we fight wars in general. They think it is a fundamental step change in how wars will be fought today and in the future. In the middle are the skeptics or the traditionalists who think it could be significant, but don’t think it will change how international order operates. And on the right, the environmentalists or the realists don’t really believe that it’s going to have a significant effect.
The problem with the competing academic theories of cyberwarfare is that none of these theories, at the time that they were formulated and articles were written about them, could reference a real, sustained cyberwar between two nation-states. These were theories, and they were based on the few historical antecedents prior to 2022. And in each of these historical antecedents… Estonia suffered a sustained multi-month attack by Russia in 2007, during a quick two month war in 2008 between Georgia and Russia, there was a cyberwar rage primarily from Russia to Georgia. China from 2009 onwards had a very significant global espionage effort underway. Iran, 2010, where the United States and Israel attacked the nuclear centrifuge facility in Frodos with the Stuxnet virus. In 2014, the North Koreans attacked Sony. In 2012, Saudi Arabia was attacked by Aramco, was attacked by Iran.
I would define all of these as largely skirmishes. Now, they were relatively limited. In effect, they were not sustained over a long period of time. But there was clear attribution to nation-state actors in each of the cases. The parties involved or the aggressor involved was a nation-state, and attribution was very clear. And in the Ukraine, from 2014 through through 2021, there was simultaneous with the armed conflict in the eastern side of the Ukraine, there were what I would call cyber skirmishes between Russia and the Ukraine. But in none of these cases did we see a sustained cyber hostility between two nation-states for longer than a couple of months. So the theories that I referenced on the prior slide had only these as the antecedents leading up to the current conflict between Russia and the Ukraine.
Dustin: I’m going to interrupt you there. We’ve had a couple of questions come in. The first one is: “Were all of these state to state attacks?”
Mark: Not all of these were state to state. In the case of the North Korean attack on Sony, that was a state on a private entity in the United States, it’s on the slide because we were able to make attribution to the aggressor, in this case North Korea being a nation-state. There are other examples. For example, it’s widely believed that the Russians hacked the International Anti-Doping Association and doxed a number of athletes in retaliation for Russian athletes. This is in the lead up to the Rio de Janeiro Olympic Games. That’s in response to Russian athletes being barred from representing Russia as a state in the Olympic Games. So that was another example of an attack on a private entity. But in all these other cases, these were state to state conflicts.
Dustin: “What impact did the CIA and NSA leaks of tools have on this?”
Mark: We at DarkOwl have written extensively about this. As recently as of three or four years ago, we published a paper on nation-state warfare in the darknet. Just by way of background, both the CIA and the NSA in the last four or five years have suffered significant leaks of their offensive weapons into the darknet and into the public. And our theory in looking at those leaks was that the widespread availability of the tools that were among the best tools that the NSA and the CIA had leveled the field in many respects between nation-states because a relatively small nation-state could go pick up those weapons and start to wage warfare against other countries and it didn’t necessarily elevate them to cyber superpower status. But it did have an effect. We don’t know whether any of these particular cyber skirmishes or cyberwars that took place or battles that took place used those weapons. Most of those I think both the CIA and the NSA leak took place after 2015. So only really the Russia-Ukraine war will probably have seen the use of any of those weapons, if at all.
I wanted to throw this up because I talked about it just in lead up to our discussion, but the Belfast Center at the Harvard Kennedy School came up with a CyberPower index algorithm which is at the bottom of the page there and they rank the top five global cyberpowers as the US, China, UK, Russia and the Netherlands.
And perhaps there’s no surprise in that listing. The Netherlands are relatively small but a highly sophisticated country and they have made cybersecurity a significant part of their defense structure. I note here honorable mentions and I’ve talked about them before. North Korea, perhaps one of the lesser developed countries in Asia, is certainly a near cyber superpower, Israel, there’s a lot been written about Iran. None of them are particularly large countries. I think Iran’s population is verging on 60 million and is probably the largest, but the fact that they are able to achieve near superpower status is an indication that this is an area that they have significantly focused on.
So let’s talk about the Ukraine-Russia war and some of the observations that we have seen in the lead up to the Ukraine invasion in February, and by invasion I mean the invasion of the Russian troops, physical troops into Ukraine. We saw a significant amount of cyberattacks actually going back into the fall, but in mid-January there were significant cyberattacks against Ukrainian government services, government web-based services, there were a number of false flag operations attempting to implicate Poland in those attacks, which was interesting and we started to see wiper malware deployed in a variety of these attacks there were widespread leaks of Ukrainian citizen data there were a number of DDoS attacks that were mounted across Ukraine – there were a number of attacks on the Ukrainian financial sector.
Perhaps the most interesting thing in the lead up to the actual invasion was that there were six strains of wiper malware that were deployed and what we saw was a transition from traditional sources of attacks to wiper malware in the final weeks before the campaign and again many of these tried to implicate Poland as the source of the attacks but in reality Microsoft has done a pretty good robust study and identified six unique strains of wiper malware that were used and again.
Wiper malware goes onto a computer and wipes it – you don’t have any retrieval capability of the data that is kept on that. There was clearly a significant amount of cyberattacks that were waged in the months leading up to the actual war. We saw on the 24th of February the physical war started, Russia entered from the north, the south and the east into Ukraine and launched missiles at targets in the first 36 hours.
We’re now roughly six months out from the launch of that war so we’re now at a point where we can make some observations about what we have seen and start to make some hypotheses about how this war has been waged. A lot has been written about this but one of the most interesting and unanticipated things that we’ve seen in this war is that literally on day one the Ukrainian government requested help from the activists, the international activist community.
They formed the IT Army of the Ukraine on Telegram and put out a call for activists around the world to join them in attacking Russia from a cyber perspective. And the last time I checked, there were 300,000 or 400,000 followers on the IT Army of the Ukraine. By the way, that channel on Telegram is still very active on a daily and weekly basis. It provides targeting information to the activist community. As recently as yesterday, we saw new targeting information go up, targeting, I believe, Russian Financial targets in Russia. So what the Ukrainians were able to do, which I don’t think anyone anticipated, was suddenly galvanize an army of probably tens of thousands of activists around the world to start to attack Russian targets. And against the backdrop of a Ukrainian cyber armed, uniformed cyber force of probably hundreds or low single digit thousands, suddenly there were tens of thousands of people fighting on behalf of the Ukraine.
Day three of the war, Anonymous launched a campaign to attack Russia and the Belarus. And actually, Anonymous has since been joined by a number of other private actors who have stood up efforts to join the attacks in Russia. And by day five, we started to see a significant amount of data leak into the darknet from Russian targets, both civilian and military targets. In this case, we saw a leak of 60,000 government email addresses. There were immediately attacks on critical infrastructure suppliers: Gasprom, Foreigner, Gas, Mash Oil. A lot of them were hacked. In the first days of the war, it was very difficult as a Russian to get access to any government website and to get access to your bank. We saw tax of Russian state TV military communication leaks. We then started to see leaks of private information of Russian soldiers who were fighting in the Ukrainian battlefield, and they were doxed. And as I mentioned earlier, financial institutions were targeted. We continue to see daily DDoS campaigns. We’ve spoken to a couple of commercial entities in eastern Europe who are effectively offline from a commercial perspective because they’ve turned over their entire network to DDoSing Russian targets. So, you get a sense that overnight this was unanticipated. The Ukrainians were successful at galvanizing the international activist community to fight on their behalf, their offensive cyber capabilities increased by orders of magnitude.
Anonymous messages to Russia
Quickly talking about some of the creative attack methods that were used, GhostSec carried out a printer hack. It turns out that Russian government printers are networked, and within a few weeks at the beginning of the war, GhostSec hacked that printer network and started spewing out inside Russian government facilities propaganda on behalf of the Ukrainians streetlight control systems were hacked. There were a variety of hacks of messaging systems used widely in Russia. We saw electrical vehicle charging stations hacked. We saw, both at the military and the civilian level, short band radio interception and direct trolling. And it turned out that the Russian military was using short band radio in the early stages of the war, and it didn’t take very long for that to be hacked as well. As I mentioned earlier, ATMs were hacked, radio and television channels were hacked. Flights were disrupted, food deliveries were dusted. So these were disruptions that occurred at the civilian level and at the military level in Russia in the early days of the war, but they were they were largely addressed by the Russians within hours.
And by the way, on the other opposite side, the same thing happened in the Ukraine. There were Russian attacks on Ukrainian ISPs, banks, government websites as well. But these don’t rise to the level of that definition that I gave you earlier in the webinar, which is Russia didn’t go dark and cold and stay that way.
Dustin: “Is the IT Army of Ukraine still active?”
Mark: Yes, it is. And I think I mentioned we actually monitor on a daily basis – it’s found in the darknet database yesterday. When I looked at it, I believe they were putting out targeting information for Russian financial targets. They’re still very active.
Dustin: “What are the long term implications of the IT Army for future cyberwarfare?”
Mark: Oh, that’s a great question. So the Director of the FBI has testified in front of Congress that the implications of something like the IT Army for future cyberwarfare are unknown, but they’re not positive. I think the words he used in his testimony were that if you green light 50,000 civilians around the world to attack another nation-state, it’s well within possibility that they could also attack the United States at some future date. And I think that in a lot of the cyberwarfare, that must have occurred at the federal government, at the military level in the United States, we may have anticipated five or ten or 20,000 Chinese or Russian soldiers cyber warriors attacking us. Once you start to increase that number by orders of magnitude, it changes the equation. So the long term implications are probably alarming and are poorly understood. But clearly, it’s a major issue for any country, by the way, not just the United States, any country that could face the wrath of people who have successfully attacked a nation-state in the past and know that they have the tools to do that.
Dustin: “Obviously, Russia must be monitoring these channels. Are some of these meant as deception or distraction efforts, while more specialized secret targets are addressed by specialized, more capable actors to take advantage of the chaos?”
Mark: Yes and yes. Clearly, Russia’s monitoring these channels, and my guess is, as soon as they see a bank and an IP range targeted, they’re trying to take whatever precautions they can. I don’t think it could be a deception effort by the Ukrainians to distract them from targets that are elsewhere. The reality, though, is that, especially in the context of a DDoS attack, the number of people participating matters. So even if they are deception efforts, they’re working. The actual attacks are working from what we can see. But that’s a great question as well. And I have no doubt, by the way, that the Ukrainians are not publicizing all of the attacks or all of the targets that they’re targeting.
These are some screenshots of some of the hacks of the electrical systems.
On the left is the EV electrical vehicle charging station, where the actual screen read obscenities about Putin. On the right are hacked ATMs. You’ll see the Ukrainian flag coming across the ATM on the right. One of the really concerning things, obviously, about cyberwarfare in general is the potential to attack critical infrastructure. And we have seen that in this war. We’ve seen a number of vulnerabilities. Exploited water and electricity facilities have been targeted. We haven’t seen a large scale shutdown of water and electrical facilities. They’ve been fairly narrowly time delimited. We have seen attacks on oil and gas refinement distribution centers, particularly near the Russia Ukraine border, and there have been a number of explosions. We don’t have direct attribution that those are caused by cyberattacks. We suspect they are. And in some of those cases, there were civilian casualties. Those have been perhaps the highest profile critical infrastructure attacks that we suspect were carried out by cyber warriors. We’ve seen satellites targeted. By the way, not only have the Russian satellites been targeted, but the Russians also targeted European satellites in the early stages of the war. We saw the Joint Institute for Nuclear Research was shut down for a number of days as a result of a DDoS attack. And then we’ve seen ISPs and other telecommunications providers. So again, we’ve seen these attacks occur.
We have seen some consequences, we suspect, from these attacks. What we have not seen is a sustained shutdown of any of these facilities as a result of these attacks. One of the real surprises for us was the ability of the Ukrainians to galvanize the international activist community and with unknown implications for the future of cyberwarfare. Another interesting and unanticipated consequence of this war has been that the criminals have fallen out with eachother.
Now, in the lead up to the war, we long suspected that many of the ransomware gangs and some of the other bad actors on the darknet were a combination of Russian and Ukrainians working together. And what we have seen since the beginning of the war is a very clear fallout between the Russians and the Ukrainians in the darknet, some of these gangs have split apart. Some of these gangs have clashed with each other. Where gangs had both Ukrainians and Russians in the gang and they split apart. Each side is leaking secrets into the darknet about the other side. And we’ve seen an unprecedented amount of data leaked into the darknet about the ransomware gangs, about their tactics, about the tools that they were using and how they were actually going about what they were doing. I mean, it’s been a treasure trove of information for us and for the industry to give people a sense of how much data has been leaked into the darknet. Both this type of data as well as just leaks as a result of a tax.
DarkOwl has been in existence just under five years. We’ve been collecting data continuously during that time. Since February of this year, the net size of our database and we archive all that data the net size of our database has increased by 20% in six months because so much data has been spilled out into the darknet. Some of these names may not mean anything to you, but these are among the major ransomware gangs leading up to the onset of the war. And what we have seen is that they have stayed split. They are still battling with each other. They’re still spilling eachother’s secrets into the darknet.
Dustin: “Have any of these attacks resulted in any significant physical damage?”
Mark: The only one that we’re aware of is, and we suspect because we can’t make direct attribution to a specific attack, are some of the explosions that have occurred in oil and gas distribution and refining facilities near the Ukraine Russia border. There doesn’t appear to be a physical reason for those explosions, which leaves cyber. And the Ukrainians, I think, in one or two cases, have taken credit for those explosions and credited their cyberattacks on that as well.
Dustin: “What is your assessment around why we have not seen sustained attacks against critical infrastructure?”
Mark: I’ll come on to that in the next couple of slides. Many of you will know that Belarus was used as a staging ground for the invasion of Ukraine from the north. In other words, Russian troops were in Belarus and moved from Belarus into the Ukraine, which then caused Belarus to become a target for the Ukrainians. And there were a number of attacks as well into the Ukraine. It was difficult, if not impossible, to buy a train ticket, and it severely disrupted the train system in Belarus in the early weeks of the war because such a successful cyberattack occurred. There were a number of attacks against banks, transportation, legal, military contractors. We saw a massive leak of data coming from the largest defense contractor in Belarus. There have been and again in the world, of criminal gangs fighting criminal gangs. GhostSec attacked a group called ghost rider who were aligned with the Russians. And GhostRider has remarkably retaliated with a really sophisticated phishing campaign. And their phishing campaign has targeted civilians in combat zones in the Ukraine with emails that come from Ukrainian government email addresses asking them to leave the area they’re in and congregate because of the war that’s being waged around them, and congregate in areas that have been subsequently been hit by shelling. That’s about as sophisticated phishing campaign as you can imagine. You’re geolocating the recipients, you’re sending them very official looking Ukrainian government emails. You’re sending them those emails at a time when they are hearing shelling or experiencing shelling in their neighborhood, and you’re moving them to areas that are more vulnerable. So that’s where the overlap occurs, between relatively harmless, between warfare that may or may not affect civilians to very directly affecting civilians. And it’s incredibly sophisticated what we’re seeing in terms of that unfolding.
And I’m going to come on to the question of why we’re not seeing more Russian attacks on critical infrastructure impact the US and western countries and companies in the region. So obviously Russia, the Ukraine, and Belarus are pretty well offline for any normal commercial activity and pretty well likely to be so for the indefinite future. We’ve seen that subsidiary and vendor risk in those countries and in the region, more broadly in the eastern European, risk has become extraordinarily high. And we have seen this among our own client base. We have seen vendors and contractors and subsidiaries for our own clients and their clients directly attacked, directly targeted, and in some cases compromised as a result of this cyberwar. So from an American or a western commercial perspective, you absolutely need to pay attention to any exposure that your organization may have in the region.
And let’s be clear, both Ukraine, Belarus, and Russia were all sources of relatively low cost and relatively sophisticated coding and computer science capabilities. And Ukraine in particular had tens of thousands of employees in Silicon Valley and western companies coding and working for them. Some of you may remember that in the early stages of the war, there was a terrible incident where a woman was taking her children and her husband to safety and was killed in a shelling in the street. She was the Marketing Director for a Silicon Valley company living in eastern Ukraine. That’s how close to the vein it is, particularly for the American tech sector. We did see critical infrastructure, as I’ve discussed, severely impaired. And our advice to companies that have any exposure in this region is to make an assessment and be extraordinarily cautious about how you move forward in the region.
This is the part of the answer to the question about attacks on critical systems. So, we have seen Russian attacks on western and Ukrainian critical infrastructure. The Russian attacks on Ukrainian critical infrastructure have largely received less publicity than the actual physical damage done by the war, which is occurring right there. So there hasn’t been a lot of publicity. I think there was some publicity about the fact that the main Ukrainian ISP was taken offline for a number of days by a Russian attack. It was subsequently restored. None of the power grids have gone off for more than a day. So I think those attacks have occurred. We have actually seen attacks on Western targets. The German wind turbine systems were knocked offline, there was a European satellite network that was targeted, we believe, by the Russians, Romanian gas stations were knocked offline. We’ve seen a fair level of increase in Chinese activity supporting Russia in this effort, which was a little bit of a surprise for us. And the FBI has already released indictments against Russian sponsored attacks on nuclear water facilities. We think in many respects, this is not the fullness of what Russia could do.
The retaliation by Russia against US and NATO or US and Western targets has been surprisingly ineffective. And our hypothesis is that there are a number of reasons for that. One is after Estonia and after the battles that we saw in the lead up to this war over the last decade, there has been billions of dollars invested in defensive cyber operations, and that is paid off well in this war. We also think the Russians are largely distracted by the attacks that are taking place against the targets in Russia and they’re preoccupying the cyber warriors. If you’re a Russian cyber warrior today, whether you’re a public or a private actor acting on behalf of the Russian state, right now, your predominant activity on a daily basis is going to be defensive in nature. We also have detected indication that in Russia there is a digital underground that opposes the Russian invasion of the Ukraine. And we’ve seen some targeting from inside Russia of attacks. And then there is a question of whether there is some lack of support in the Russian public. The public polls that we’ve seen indicate large spread support for the war by the Russian public. We don’t have any reason to doubt that. But as the war grinds on, and this is the same in any country, as the war grinds on and casualties mount, support tends to diminish. So I think that’s the answer. We’ve been surprised that the attacks from Russia have not been more sustained, more significant, and more serious, and that’s the best answer that we can come up with.
However, in the context of the first point that I made, which is our defensive posture, CISA early in the war, put out very specific guidance. Shields up. And here are things that you can do as a Western and American organization to better defend yourself against the prospect of a Russian attack, or any cyberattack for that matter. And these are obviously obvious to everybody who’s on this webinar. MFA, antivirus, anti-malware. Put up your spam filters, patch your software – how many times do we have to say that? And filter network traffic and monitor your logs, and knock on wood, that has had a significant effect today.
Dustin: “According to international law and the Geneva Convention rules, these private citizens attacking other nation-states organized under the Ukrainian government are legitimate military targets. What do you think will be the fallout or implications from this? If Russia has been able to successfully identify any of the members of the Ukrainian IG Army, do you think Russia or Russian aligned countries will try to arrest or conduct strikes on these people while they’re traveling?”
Mark: There’s a lot of good questions in there, and thank you for asking it. I’m not an expert on international law and the Geneva Convention, so I can’t actually address the first question about whether these are legitimate military targets. And my guess is that if Mark Turnage, sitting in Denver, Colorado, were to join the IT Army of the Ukraine and start to participate in attacks on Western on Russian targets somewhere in there, that would be a violation of US law, irrespective of the Geneva Convention or the rules of war. I may be violating US law, not that I don’t think the US is going to necessarily prosecute Mark Turnage for doing so. Certainly possible that they could do that. My guess is Interpol would not honor any international arrest warrant requests. Certainly, again, to use the example of me, if I were to travel to Russia, they could certainly arrest me and charge me with whatever they wanted. I think that one of the unknown implications of this war is the fact that we don’t know how this hacktivist army shapes up in future wars. But my guess is, to the extent that they are individual citizens and not uniform soldiers, they put themselves at some risk by participating in this. And, yes, they could be potentially arrested.
Dustin: “How does a commercial threat intel feed help me protect my organization from rogue IT armies?”
Mark: A lot of different ways. If I’m running a large Fortune 500 companies security and network and I have a robust threat intel feed I’m able to see whether my organization and its IP range is being actively discussed in targeting forums and in hacker networks that are adversarial to either my country or to my organization or these are just commercial ones so I can get a sort of pre warning on the fact that they are targeting my organization. I can get threat intel feeds on the nature of the vulnerabilities that are being used to exploit networks such as mine. So, I can draw a direct link between the software we use to protect our network and any known vulnerabilities of that particular software that are out in the darknet or out elsewhere for sale or being actively used. And for the most sophisticated of those organizations, they’re able to take some proactive steps to avoid attacking. So I would see that a dedicated, robust threat intel feed that encompasses both the darknet and social media is critical to any security posture for a large organization and if nothing else, this war has proven that very robustly.
Let’s talk about some of the observations so far in this war. As I mentioned, this war is largely not being fought by cyber soldiers but by criminals, mercenaries and activists and non-state actors who are acting at the behest of the warring parties. It’s an unknown, crazy world we’re walking into, to be honest. This was not anticipated by anybody and my guess is that in the war games that we conducted leading up to the Russia Ukraine war, this fact did not feature highly, if at all. As I’ve said, cities aren’t losing their power and water for longer than a few hours. Plenty of companies and government ministries are being taken offline, but again for days, not even weeks and there’s little evidence of sustained serious impact in Russia or the Ukraine. Again, the bulk of the focus in the Ukraine is on the physical damage that’s being done that’s being rotten on the country.
And then in answer to the question that came in earlier, the implications of war being fought by private citizens beyond the control of governments is really poorly understood. And I throw down here a couple of hypothetical questions of what happens is if a ceasefire or a peace treaty is reached between the Ukraine and Russia and the private warriors just carry on, what are the implications of that?
They’re profound, actually and this echoes the FBI director – should nation-states be worried that somewhere we don’t know if it’s 250,000 plus hackers, 50,000 hackers, but tens of thousands of hackers have successfully attacked Russia? At the bottom I put one of my early observations in the actual physical war that has been fought between Russia and the Ukraine there have been a number of deficiencies in the Russian armed forces that have been identified and they’ve been surprising, to be honest. Some of them have to do with supply chain and how the Russian armed forces support its troops in the field. Some of them have to do with the maintenance of Russian military equipment and so on. I’m wondering if there’s a similar deficiency that we’ve seen in the Russian cyber capabilities. Are they simply not the superpower we thought they are? The alternative, the flip side of that coin is they could be holding back. They could have an arsenal of cyber weapons that they’ve not deployed and not used. But it could very well be that to the extent that the Emperor has no clothes on their physical military capabilities, that the same is true in the cybersphere.
Observations on the privatization of warfare – this is another surprise and it doesn’t really address the cyberwarfare capability, the cyber implications. But this is a war where private actors on both sides are playing a significant, major role in the attacks in the war, and I mean both the cyberwar and the physical warfare. So as we’ve talked about, private hackers are waging a war on behalf of Ukraine, Russia. That’s been a real surprise. If not 100% of the military communication by the Ukrainians is done by Starlink. Early in the war the Russians were successfully took offline the Ukrainian military communication system. Within days, Elon Musk and SpaceX had launched satellites over Ukraine. And today the bulk of the communications that the Ukrainian military uses is provided by a private American enterprise. Now let that sink in. That’s a commercial enterprise that is doing that. Some of the best reporting on the war has been by OS analysts, not by US government analysts who have been using commercial satellite imagery that has been widely available since the beginning of the war. The coverage, particularly many of them have posted their analyses on Twitter have been very good.
The Western sanctions that have been imposed on Russia and its allies in connection with this war are being privately enforced by banks and companies. Those are private enforcement capabilities efforts. I would point all of you to bellingcat as a great OSINT source using open source tools that are available on the Russian side. The Wagner Group is heavily involved. It’s a private mercenary enterprise. It’s heavily involved in the war in Eastern Ukraine up to and including flying fighter jets for the Russians. And obviously there’s a fair amount of pressure on companies continuing to do business with Russia.
We have made the observation that private hackers are engaged in this war. It’s not just private hackers. Right through the war on both sides, private actors are playing a very significant role in the waging of this war. What are the implications for the post war darknet? DarkOwl is a darknet intelligence company. We gather data continuously from the darknet and we provide that to our clients around the world as a threat intel feed or as a source of information so we see a lot of this unfolding, particularly in the darknet and what I call a chaotic and often unruly environment in the darknet, just became even more chaotic and risky. When you start to see major criminal gangs in the darknet start to fight each other and leak each other’s information into the darknet. But it’s a golden source of information for us and for our clients. But it’s also just an indication of just how anarchic that capability has become. These criminals will continue to turn on each other, but that’s not going to last forever, and we don’t know how this is ultimately going to shake out. Ransomware has been a big focus of criminal activity in the darknet. We expect that there will be a shift that that will continue to be the case. But we’ll see more wiper malware deployed.
So the consequences, again, for a US Hospital that’s subject to a ransomware attack of not paying a ransom, may be even worse by not paying the ransom if they don’t have a backup and they don’t have other capabilities to restore their network. If the criminals on the other side of that effort choose to deploy wiper malware, you may lose those, particularly if you don’t have backup. You may lose those medical records forever. Again, very sophisticated malware targeting for industrial control systems that we’ve seen.
We’ve seen an increase in awareness about what the darknet is and how it can be used. Propaganda and disinformation – I’ve spent relatively little time in this presentation talking about propaganda and disinformation, primarily because most of those efforts are in social media, not so much in the darknet, although we do see it occurring in the darknet. And as I said earlier, the hacktivist movement has been unleashed.
Here are some unanswered questions and I think some of the questions that we’ve had during the course of this webinar are addressing some of these:
How do the laws of war apply to cyberwarfare both in the decision to go to war and in the decision to wage the war and how you wage that war? The implications of it are very poorly understood. The attribution error issues, frankly, scared me to death.
How does one deescalate against cyberattacks that are coming in that you think but don’t know for sure are coming from an adversary? Where’s the safety valve in all of this? In physical warfare? I can see that your planes are coming to attack my targets. I can see that you’re shelling me from behind your lines in cyberwarfare. It’s a far messier calculation and the implications of that are frankly, frightening.
What are the implications with the appearance of non-state actors on the stage? We don’t know. Will cyber become strategically decisive in a war? It has not been strategically decisive in the Ukraine Russia war, although it’s been a significant factor, but it’s not been strategically decisive. And where is the line between cyber terrorism, cyber criminal activity and cyber hacktivism on the battlefield to be determined going forward.
Thank you very much for joining us today.
Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.
Of the numerous quantitative models that attempt to define and quantify the cybersecurity risk to organizations, very few consider risk indicators from the deep and dark web. Using ransomware as a case study, this presentation reviewed the content that exists on these hidden networks, and explored how data from the dark web can serve as an important data point for more comprehensive risk models. Further, Ramesh Elaiyavalli, CTO of DarkOwl, discussed the unique challenges and considerations that must be made when examining dark web data.
For those that would rather read the presentation, we have transcribed it below.
NOTE: Some content has been edited for length and clarity.
Kathy: Thank you, everybody, for joining us today for our webinar: Deep and Dark Web Data and Its Impact on Modeling Cybersecurity Risk. My name is Kathy, and I will be the host for today…And now I’d like to turn it over to our speaker today, Ramesh Elaiyavalli, our Chief Technology Officer here at DarkOwl, to introduce himself and to begin.
Ramesh: Alright! Thank you, Kathy. Appreciate the intro. Hi. Hello. My name is Ramesh. I go by Ramesh Elaiyavalli. I’m the Chief Technology Officer and am responsible for product and technology groups to set the strategic technical vision of DarkOwl, as well as kind of the day to day workings and implementation of our platform, our processes and our people.
So with that, today’s webinar, as Kathy mentioned, is to go over at a high level: what is the darknet and the deep web and how risk modeling is relevant to the current web dates. I will talk a little bit about ransomware as a darknet data multiplier. We’ll also review the security risk frameworks, and some of the stakeholders that need to be engaged as you look at risk modeling and the application of darknet and deep web as it relates to modeling and any future quantification efforts of darknet data.
We believe that the deep web and the darknet data have a significant impact in any type of cybersecurity risk modeling.
If you look at the dark web in general, think of it as an iceberg where the tip of the iceberg is the surface web, that we all know and use every day. It was originated back in the nineties. It was basically browser based and we all know that a ton of content which is publicly available is available via the surface web, and there are many content or many types of content ranging from discussion boards to pay sites and so on.
The deep web is anything that is not indexed like Google, simply put, and that is typically behind some type of the authentication of the websites that you require authentication or any type of human intervention. So this is where things like IRCs, telegrams, criminal forums, marketplaces, they all reside in the deep web. And that kind of emerged in the mid-nineties.
[This takes us] all the way to darknet, which was founded as part of the Tor Project in 2006. So this is the intentional anonymizing of networks accessible only by a proxy or a specific peer to peer protocol. So the best example is Tor or called the Onion. And then we have I2p, ZeroNet, Freenet, Oxen, Yggdrasil, so the list goes on and on with a ton of such networks and protocols that only exist in the darknet. And they have become kind of a very important infrastructure for advanced threat intelligence and long defined risk.
When we talk about darknet data, the data is both diverse as well as dispersed all over the internet, The surface web as well as the dark web. So when you look at the diversity of data, data is available as email addresses or email breaches with passwords, which is really the authentication data. There is domain data, subdomains, the IP addresses that are tokens that are common vulnerabilities, exploits and so on. There are source code available. There is content and text available about a company, which is the chatter across the threat actors. There is critical corporate data, contract and financial information, intellectual property, executive insights, as well as employee activity, phone numbers, PII data, banking data and so on and so forth.
So, as you could see, the data is very diverse. Also, the data is spread and dispersed across various sites that could be transient in nature, there are darknet data places, there are forums that criminals use for discussions, there are image boards or chans, there are blogs on ransomware, there are marketplaces where data is being sold in classifieds, and last but not least, is Telegram and some of the IRC chatrooms.
Given the diversity and the dispersion of data, we also know that the data is really valuable when the data is at scale. And scale matters more so now than ever before. Why is this? Number one, there is a rapid digitization in our society overall. Everything that is paper and tribal knowledge is becoming a digital asset.
And, with COVID-19, the pandemic has changed the fundamental way in which we work. A lot of the hybrid and work from home exposes organizations to networks that are only as good as the weakest link. So, there is quite a lot of attacks surface that has been exposed with the work from home networks and the garden variety wifi protocols that are out there.
The third one is [that] the Ukrainian-Russian conflict has significantly shifted the threat landscape. If you think the Ukraine Russia war is far off from you, think again, because a ton of supply chain risk exists today from vendors that you work with and you partner with. And they are directly impacted because of the war or because of the supply chain issues.
And, number four, there is an unprecedented number of never before seen malware and critical zero-day issues in the wild. There is a significant increase in ransomware, ransomware attacks and all of this kind of has fundamentally changed the landscape in which we look at darknet. So it is taken in from a corner of the Internet to now center stage. So the dark web usage has really jumped over 80% in the last three years. 2 million active users, if not more in the Tor browser and the ransomware cost, just the sheer cost is over 20 billion in 2021.
Now, ransomware-as-a-service is a term [increasingly] in vogue. And the threat actors have become very sophisticated in not only attacking and penetrating your organization, but they have the maturity to go after these ransomware-as-a-service providers to make the transaction more professional. You can transact on the internet, on the darknet, and the deep web, where you leverage these initial acts as brokers and third parties wherever they are possible. And the consultants would help in the victim negotiations as well as target the qualification, meaning they would know how big your company is, how much can you pay, and what’s your propensity [to do so]? How badly do you want to be covering your exposures here? So based on that, they offer a service which is the ransomware-as-a-service, and these are paid insider threat partners that criminals and threat actors work with.
[Lastly], with the Ukraine conflict, like I mentioned, there’s a fluctuation between Ukraine conflict and the various international law enforcement operations. We’ve heard about Conti and Cooming and Stormous data which are available immediately after the invasion. The Happy Blog, for example, returned despite the arrests by the FSB. LockBit, AlphV, Snatch – they all have increased activity. Victim data leaks continue at a very high volume CONTI pretty much disbanded and dispersed into not just one group, but various splinter groups. And such threat actors are directly contacting our stakeholders for pressuring the victims.
The bottom line is this ransomware as a darknet ecosystem is extremely well-structured. It is operationally very efficient. And the biggest fear is they are running this at scale with ransomware as a service. So this kind of changes the entire threat posture of a lot of companies out there.
And, if you were to be a victim of a ransomware attack… from a customer standpoint, you are completely shut off from your access points. There are messages that prevent you from getting in unless you’re willing to talk to and pay the ransomware and the threat actors.
Ransomware Shame Site on Tor
Now, [let’s talk about] ransomware as a threat signal and overall as a dataflow lifecycle. You start with a pre-cyber incident, and then there is an initial access where that campaign has been launched. There are then incident responses and negotiations as part of the public announcement over to the post cyber incident management and then the whole attack cycle restarts. So, that’s kind of a quick [overview of the] lifecycle of the entire ransomware threat signal and data flow.
And, 46% of the ransomware victims, unfortunately, have not been compromised once, but multiple times. Over 90% of the data leaks we observed in the last year were attributed in some way or the other to these ransomware actors.
Darknet Ransomware Threat Signal and Data Flow
Now in talking about ransomware, here’s another great example that we tell our customers about: Volvo.
As we all know, Volvo is a very large auto manufacturer. But interestingly, their ransomware attacks did not come from their own compromises, but it came from their supply chain. It started with November 2021, where snatch one of the Chinese Volvo corporations that had a breach. And then it went on to Denso and then it went on to the Volvo Corp update will work to back defense over to StrongCo and so on.
So, various subsidiaries of Volvo, such as the Mack, the Mack defense, the Mack trucks and so on, were exposed as part of this attack. And these impacts we are observing pretty much up and down the entire supply chain. And there are multiple, not just one threat actor, but there are multiple threat actors that are finding ways, finding vectors, finding threat surfaces to expose and bring down some of the largest companies that are out there, either directly or as part of their supply chain and their vendor relationships.
Now, when you look at the darknet and you look at security risks overall, we talked a little bit about ransomware, but there are other type of threats that you should be worried about. We all know about the phishing attacks and the malspam campaigns, the cyberattacks, all the way from the overt or covert malware, DNS hijacking, data exfiltration, cyber espionage, denial of service attacks, insider threats, and basically any type of information based reputation attacks. So the types of threats have multiple dimensions, and ransomware has kind of bubbled up to the top. However, there are other threats that you need to equally pay attention.
And, what are the consequences of these threats? It is data corruption, it is operational downtime, a huge and a tremendous amount of financial and revenue loss, regulatory issues and fines, damage to your virtual or physical infrastructure issues with your shareholders and society as a whole, and the loss of customer confidence and a significant dent in your brand reputation. The consequences of ignoring these threats are significant and threats continue to evolve and [be a] cost concern for various organizations.
Having said that, how do you do threat modeling is not [the exact same as] how you look at risk modeling. Threat modeling is a subset of what you have to think from an overall risk modeling standpoint. Now, are there standards? [What are] the best practices for risk modeling? The good news is that there are some, but the bad news is there are plenty of them. There is no one single overarching standard for risk modeling. So, depending on your use case, depending on your company, your business, your operations, and your exposure to various security and methodologies, you can adopt one or more of these frameworks for your risk modeling.
The stakeholders for such risk modeling would pretty much be everybody in the organization and beyond. It starts with your SOC, your incident response teams, executives, data protection officers, the governance folks, CISOs, IT leadership.
If you are in Insurtech space, it very much applies if you are a broker, you’re an engineer, you’re an underwriter, you’re a reinsurer. All aspects of insurance underwriting and cyber security assessments need to be worried about risk modeling. It also applies to investors, private equity, and venture capital firms who are looking to fund that startups or to do mergers and acquisitions type activity. So all of those decision makers need to be aware of this, including policy makers, security agencies, military decision makers and so on and so forth.
When it comes to risk modeling stakeholders, it is everybody who has some form of decision making capability and they are doing an assessment, they are underwriting the risk in a way. So the NIST really defines the cyber risk assessments as the ones that are used to identify and estimate and prioritize risk across your organization, your operations, your assets and the people that you have within the organization.
One of the things that we are interested in talking about, [and] is a question we get a lot, is how do you quantify risks? At DarkOwl, we spend a lot of time thinking about it, and we have come up with ways, strategies, and products and score models that would help us objectify and quantify risk at scale. It’s not an absolute risk metric, but we see a very strong correlation and influencers for their risk calculations and your business decisions based on the exposure of data about you and the company that you represent as it relates to the darknet. So we call these “entities” which are basically email credentials, it could be domain names, it could be IP addresses, the set of entities that are easy to take, tokenized, and quantified.
Like I mentioned, this model is not basically the threat modeling aspect, but much more. And, you know, you need to give a lot of considerations for all the external and influential factors, which is the who and the where and the when as it relates to getting your data exposed.
So here’s an example of Microsoft whose overall risk profile, or we call it the darknet score, their score has been trending upwards (pictured below). A lower score is better. So, when your score is going up, that is not a good thing. So it could be either as a result of the amount of leaks that they have or the documents that are being exposed, how much hackishness is in those documents. So risk quantification with scores is a very important way to measure and assess risk.
Microsoft darknet exposure score (DarkOwl Vision)
The next one I want to briefly touch on is an experimental basis. We have Scores 2.0 that we are actively building. We are very excited about these scores to point out where we have used our own data, which is data from our entities, from our e-mail breaches, credentials and so on, and we believe it has predicted 73% of the breaches overall and 100% of all the four ransomware cases that we analyzed in the past. So here’s an example of a company such as Okta, which is the largest security authentication company out there. And interestingly, their exposure on the darknet was partly due to their leaks and some of their breaches. But more importantly, their biggest supply chain vendor is Sitel, which is a call center company which had access to Okta data. And when Sitel got compromised, that bubbled up to Okta. So we we always advise our clients to say, look carefully with your company within your data set, but also make sure that you are monitoring your supply chain vendors. So this is a perfect example.
How do we see the future of quantifying darknet data? It is very important that a very critical time is right now where we need to see a dialog among multiple organizations on what are the best methods and the best practices for quantifying darknet data and how do you do the risk modeling. We would love to see folks getting rid of questionnaires and checklists and, you know, making decisions based on data that is available in the open net or OSINT data.
We advocate for education on darknet and darknet data and how important it is for overall cybersecurity. There is a clear need we see in establishing a common language and a common set of mathematical models, be it the darknet score, or it could be something else. But, we want to see more such quantified risk models that are available in the industry.
There is a need for better understanding on the relationships between not just the threat actors, but between the personal and corporate risks that every companies go through. And [as we showed earlier] – you got to take a closer look at the type of data that is being leaked by some of the ransomware groups and the threat actors. Some of it is because they may want money, but a lot of it is also, they’re trying to build reputation by leaking data.
[We advise that] you take a close look at what data types are being leaked and what the cohorts and the verticals in the industry are talking about. Also, the key question here is this: how do you measure the goodness or the effectiveness of your current cybersecurity risk model? Ask that question often, ask that question early, and ask that question constantly. Which is, is your risk model effective enough and is it good enough?
With that, if you want to know more about DarkOwl, please talk to us. Get in touch with us at [email protected]. Or you can follow us on various social media and you can also check out, check us on our blog or on our website. And if there are any other questions, I’m happy to address them. That’s the end of the presentation.
Kathy: Thank you, Ramesh. We have had a couple of questions come in. So let’s see if we can get to some of them. The first one we have is” Why do I need DarkOwl? Most of the darknet can be accessed by individuals.
Ramesh: It’s a it’s a great question. Darknet data can be accessed by any individual or any company for that matter, but I would not recommend doing this at home. The reason being that you’re dealing with data that is extremely sensitive in nature and you are potentially interfacing with criminals and threat actors and it is a very dangerous place. So there is very likely challenges that you would run into is you may get attacked yourself when you expose yourself and your network, if you tried to do it without much expertise.
At DarkOwl, we take great lengths to make sure that our access to the darknet and our ways of ethically gathering data is serving you as a customer so that you can access data through our platform and the safety and security that comes with our platform, as opposed to interfacing directly with the threat actors and the criminals. So I would always recommend go through a provider and sort of avoiding direct.
Kathy: Great. Thank you. Another question that came in is: I want to access your data. What is the best way for me to do so?
Ramesh: Okay. The best way to access our data. The short answer is it depends. If the use case is you are a cyber security analyst or you’re looking for a very specific thing. You want to search on the dark web on a limited basis. The best bet would be to leverage our Vision platform. The next step is if you’re a developer and let’s say you want to build an API because you have a platform already built out, or you’re thinking of building a platform or you’re in cybersecurity and insurance business and you want to leverage darknet data for those type of use cases. We would recommend to our API. And by the way, our API, we offer a Search API, we offer Entity API for lookups on email credentials or crypto and so on. We also offer source via API and we offer entities and searches also via API.
So, there’s a variety of APIs that you can leverage, assuming that you want to be building code and develop and integrate dark data into your platform. And then all the way, if you’re a data science person, you are looking at large amounts of data and big data, right? And you have a data science team that is available. We would do what we call DataFeeds, which is snapshots in time that you can have either our entire dataset or filter based on criteria that you provide as well as we can do these historic data dumps and we can take snapshots in time and send it over in a in a secure transmission over to you and your data science team. So it really depends on the use case. The bottom line is you can leverage our Vision UI, platform or you can leverage our API platform or you can consume our big data, be our data feeds.
Kathy: Great. Thank you so much…Ramesh, thank you so much for this insightful presentation to our attendees. If you’re interested in learning more about how darknet data applies to your use case, please feel free to request time with us using the link in the chat. We look forward to seeing you at another one of our webinars in the future. Thank you.
Ramesh: Thank you.
Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case.
Learn how DarkOwl’s darknet intelligence platform plays a critical role in how Blackpanda supports customers bounce back from an attack, providing robust darknet data to fully understand customers’ risk profile and asses threats. Plus, dive into a case study and see the platform in action.
For those that would rather read the conversation between CEO of DarkOwl, Mark Turnage, and Director of Strategic Development at Blackpanda, Mika D., we have transcribed the presentation below.
NOTE: Some content has been edited for clarity.
Mika (Blackpanda): Thank you, everyone, for coming to this Blackpanda, DarkOwl information session. Very excited to be partnered with DarkOwl, Blackpanda being an incident response firm. We’re going to get into more of that. Today we really wanted to present the value to end users, customers, large companies, and organizations of this partnership that we’ve developed. So with that, we’ll jump into some introductions. Mark is the CEO and founder of DarkOwl with a very, very long list of credentials and much experience, I will hand it over to him to do a bit of introduction.
Mark (DarkOwl): Great, thank you for having us, Mika, and delighted to be here. My background is as an entrepreneur in the security space. All the companies that I’ve run have been security related companies, most recently DarkOwl, which we founded five years ago. My co-founder and I and are very pleased to be here and looking forward to this conversation.
Mika: Great, thank you, Mark. I’m representing Blackpanda, Director of Strategic Development. I was also the founding incident response member of the Blackpanda Group that’s based out of Singapore and Hong Kong. We address special risks from incident response malware, business email compromise, different kinds of cyber attacks all the way down the cycle to cyber insurance. So, risk transfer and mitigation ahead of time to try to prepare the environment in the event that something happens. My background is primarily in national security and a full range of cybersecurity services, products, and a little bit of time in the intelligence community. So excited to jump into this webinar and give you a better idea of how our incident response services and deep web threat intel work together a bit on the cyber incident response side of the house. We hyper focus on digital forensics, the investigation, and cyber crimes, and we are stationed in different cities across Southeast Asia so that we have a local presence in all of these markets if and when an incident occurs.
A bit about the incident response lifecycle because it’s confusing what happens exactly when an organization is hacked and how does that move forward? How do we work with our partners, especially when something happens?
Essentially, incident response starts with a call, an alert or an automated indicator that comes from one of our intelligence platforms, be it DarkOwl or an endpoint detection and response tool or our own proprietary software. Once we receive that alert or notification, we will then determine the validity and extent of the attack. So it’s kind of like scoping out what happened and what resources do we need to deploy in order to address it? We prepare the team and we proceed to a triage process where we’re gathering evidence. We’re looking for indicators of compromise, we’re collecting a plan of action, and we work with the client in order to basically stop the infection from spreading any further. Then we move into the containment phase. Within the first 48 hours, we’ve figured out roughly what’s going on, who is the threat actor, and question what assets could be at risk and what data is at risk.
The customer always wants to know, has data been leaked? What kinds of emails or passwords or proprietary files might be out and be in the dark web? And at that point, we will then turn to some of our partners, such as DarkOwl, in order to enhance that information. So, as we’re containing the malware, we’re also providing the suite of the environment to look for extended attacks. This could be second stage payloads, which would be if the attacker first gets in and spreads more malware, or they’re looking to steal credentials or steal certain files. So, we’re really examining both inside the organization as well as from outside what might have left the organization.
And then, finally, once everything’s been contained, we feel comfortable that the organization can get back online, we prepare a report and present lessons learned. We also try to assemble any and all information that could have been leaked because that’s where regulation and compliance comes into play. So that’s essentially the incident response lifecycle and is one of Blackpanda’s areas of expertise.
Now onto DarkOwl.
Mark: Thank you, Mika. And as Mika mentioned, we are involved in both the frontend and the backend of the incident response cycle with Blackpanda. Just a bit about DarkOwl and what we do. Darkowl has built a platform that actively and continuously monitors the darknets, many darknets, and makes that data searchable by our clients. Among the darknets that we monitor are ToR, I2P, Zeronet, a range of other darknets. And I should say, that we call it the darknet, because in most of these forums and most of these darknets, user identity is obfuscated and traffic is encrypted. So, it’s a very difficult environment to monitor, and we have built a platform that does that across 25 to 30,000 darknet sites a day and it archives that data so that not only will you look and see what was happening today and on a continuous go forward basis, but you also have an archive to see what has happened in the past.You’ll see some of the some of the numbers of records that we have available in our database today.
Records available in DarkOwl database as of April, 2022
Just to talk a little bit about what is in the darknet, why is it important for both an incident response team and then more broadly. Among the types of data that are found in the darknet are very large quantities of personally identifiable information credentials, compromised accounts, malware, ransomware. There’s a lot of chatter among a variety of different forums between threat actors. There are lots of vendor and supply risk indicators as well. Most recently, in the context of the Ukraine Russia war, we are finding significant indicators of risk among vendors, supply chain vendors and supply chains that have presence in Ukraine, Belarus, and Russia. A lot of that chatter, a lot of those indicators show up in the darknet and in our platform. A lot of our platform is very intuitive to use. We can deliver data a number of ways what you’re looking at here is our vision platform search UI.
Screenshot of DarkOwl Vision UI platform
And actually, later in this webinar, I’ll do a quick tour. But you can see from looking at the top of this, it’s a very simple search bar. We can look for whatever you’re looking for in the darknet, at any given time. You can see there’s a search loaded on this slide for Conti, one of the threat actors out of Russia, and there are 52,000 results. We see 52,000 pages in the darknet at the time this search was run talking about Conti or mentioning Conti, or where Conti is participating in it in a forum. So, it’s a comprehensive platform to monitor the darknet and in the context of an incident response team, it can both alert you to a breach or to an incident and then it can provide you with the intelligence, as Mika said, to assess that breach and then really remediate it.
Mika: And I was just going to jump in exactly on that point. We’ve dealt with several Conti breaches, and once we see indicators that that might be the malware in use the threat actor in use, not only are we on the hard drive examining the forensic artifacts of the system to pull out what time they got in, what they’ve taken and basically any signs of lateral movement or their actions on objectives, we’re also coming over here and plugging in the exact threat actors names. They have handles, they have email addresses, they have IP addresses, so whatever we find in the environment, this search platform is kind of where we go to see what’s happening on the outside as opposed to just on the inside of the organization across the systems.
Mark: And connecting those dots is critical. If you don’t connect those dots, you’re only looking at one particular piece of relevant information. And we are delighted to be able to offer that level of intelligence to teams like your own.
Mika: Absolutely, and sometimes the crawl date will show a date that much precedes the actual incident. So, the event might have happened even before, and that also helps our forensics because it gives us pivot points in time so we might go back further to the first sign of chatter on a certain target.
Well, I guess this comes back around to how we work together. The reconnaissance phase is what we just mentioned, where a threat actor is mentioning a potential target, the threat actor has scoped out where they’re looking to go and what they’re looking to do, actions on objectives. During that reconnaissance phase, we might see chatter in the dark web. The cyber kill chain is a Lockheed Martin concept that helps explain the chronology of an attack. So, they’re scoping out the target, they’re preparing an exploit that could be used against a vulnerability at the organization, and then delivery exploitation installation is typically where the customer would pick up on the fact that something is happening. Command and Control is quite noisy and usually limited to just forensics and network analysis. But that’s where they are continuing to operate within the environment, using remote access to the organization. And, like we said, actions on objectives. This is where data is leaked or sold on the dark web. This is where they’re actually putting ransomware across systems and trying to extort the organization. All of this can either be incident response based, so in the event of an attack or a proactive service called compromise assessments, which is where we would continuously perform these darknet searches with DarkOwl and we would have software on the endpoints that allow us to perform advanced threat hunting. So, anything we’re seeing, like Mark said, there’s chatter and there’s also indicators across the internet of potential events that could be happening. We can sweep the environment and look for signs of that before something actually happens. So even though antivirus and anti-malware were just some percent of the time, there are advanced threats that don’t yet have signatures that nobody’s tracking yet across the board and these allow us this advanced threat hunting skills and darknet searches allow us to find signs of that much earlier.
We can jump into a case study a little bit before Mark demos. But essentially, Blackpanda had a great success tracing down data leaks following a case in Southeast Asia. We were tasked to discover, analyze, and report stolen or misappropriated data related to client domains or keywords. This essentially means they thought they might have been breached. They hadn’t yet signed on for a compromise assessment, which is basically like a sanity check. Is there something going on? My antivirus didn’t check, and they came to us with the suspicion that something had happened. Over the course of this project, partnering with DarkOwl, and performing very targeted searches for their keywords we then pivoted to compare how this attack was similar to another found threat actor groups and different sites in the deep web that held their records. After about two months, we had 13,500,000 records related to this one company. That allowed them to report and take precautions, and follow on measures to contain the attack and also try to remediate the damage of that data leak. It was very important for them to know the extent and just how much data was actually released. And then we walked them through how to actually patch and repair the systems that led to that attack. So, what happens? How do we find 13,000,000 sum records, Mark?
Mark: Well, that’s a that’s a very good question, and we’ll show you a couple of searches to show you how we do that. It is not unusual for sizable companies to have that level of exposure in the darknet. They are usually the result of multiple leaks, multiple breaches that have occurred over the years. The risk, by the way, to this company and to other companies is that a substantial portion or even a small portion of those records are still alive. So many people will remember the Colonial Pipeline breach that occurred last summer here in the United States, shut down a saline supply to a large portion of the east coast for about a week. It has been publicly reported that the way the hackers got into the Colonial Pipeline network was in fact, via a credential that had been formerly used by an intern that was available widely in the darknet. In other words, there was no phishing that occurred. They just went into the darknet, pulled down a credential, discovered that it was live and walked right into the network into the Colonial Pipeline network. That is one of the risks that occurs. That’s exactly where Blackpanda can add significant value to any client.
Mika: Excellent. So we’ve already been through this kind of wave as to how we could either proactively identify those leaked credentials after a compromised assessment and prevent a lot of these from happening. There’s also the incident response where we get indicators and intelligence that we need to enrich and also check externally whether there’s any additional signs. So these are just more kind of snapshots of how this could work proactively. But, you know, in our reporting, we’re very thorough, this is sort of inside the organization. We’ve deployed a certain endpoint detection and response tool where we’re looking for signs of malware, signs of threats. These are all technical threats that would only be available given a view into the organization. These are all the kinds the strains of malware and hash values that might be in a report. And again, signs of these things can also be thrown into DarkOwl, or a platform that helps us enrich that intelligence. So what else do we know about a file with this hash values of the hash that is the unique signature of a single piece of digital information? Whether it’s a single document or a giant binary file, everything can be hashed to a unique value. So these are great ways to leverage DarkOwl as well. Has anyone else been talking about or posting about malware by this name or with this hash value? Are these websites places that this backdoor Trojan might be still sitting? Has anyone else talked about these particular indicators of compromise? IOCs across the deep web. So these are just a few of the ways that we would really get into DarkOwl and use it not only during an investigation, but proactively as well.
Mark: One of the strengths of the DarkOwl platform is that any of these terms can be inserted in and searched for on the platform. It’s a search tool. It has a fundamental search capability. And as Mika said, we can then identify the threat actors who are discussing it, whether there are future targets, whether there was there were discussions in the past about targeting this particular client’s environment. It’s a wealth of information that opens up once you have the ability to search across the entire dark web for any of these terms or any of these hash values.
Mika: Absolutely, and that’s exactly how we enrich our intelligence and report on what really happened and what could be happening even outside the organization. With that again, DarkOwl traces and brings into their intelligence ecosystem a number of different breaches. So although this was particular to a certain client, you know, these breaches hold passwords of thousands and millions of users. They could be huge. They could be massive databases that are even sometimes an amalgamation of different breaches over time. So DarkOwl keeps us current on what else is happening. And with that, again, we’ve kind of been over the flow in a sense, but we extract indicators of compromise from the evidence we received by going through the forensic intake and triage process. Then we enrich across dark web intelligence sources and perform forensic analysis on the actual system itself. So getting timestamps, trying to bring it back to the root cause. So when did this happen? Why did this happen? And then our reporting can be very robust as a result of us having this level of intelligence. So I guess it’s time to see it in action.
Mark: Well, thank you. If you could let me share my screen, I will switch over. What you see in front of you is the landing page for DarkOwl Vision, our user interface. It’s quite intuitive. There’s a search bar and you can search for any term. As mentioned, they can be hash terms, they can be nicknames, they can be user handles, they can be combinations of all of the above. I’m going to do a quick search and I’m going to pick on AT&T for no good reason. I apologize if anyone from AT&T is going to see this. I’m going to do a search for AT&T .com, and I am going to search for any mentions of AT&T .com in the darknet, meaning any page that has a credential or mention of AT&T .com domain on it. And as you can see, there are almost half a million pages in our database in the darknet mentioning AT&T .com. The results are presented here. If you scroll down, you’ll notice that M.J. Matthews of AT&T .com has, as mentioned, a range of email addresses that are mentioned here, and the results are can be sorted and presented in a number of different ways. If I search, if I sought these results, these half million results by crawl date, for example, and there are a lot of results, so this will take a second. You’ll see that the most recent of these results was extracted from the darknet about an hour and a half ago. So this is a very recent result, and I can then sort them by relevance and hackishness, is a term we use to date to determine how dangerous those results are. So, for example, I won’t click on it, but down here, my guess is this is 100 percent hackishness because there’s a password associated with that particular domain. So it’s very intuitive, it’s very easy to use. As Mika mentioned, a team that is looking for a specific term or an actor in the darknet can very easily and very intuitively jump onto this platform and see what’s happening and then say, what were they doing most recently? And you can sort by crawl date. I want to show one other feature that is relevant to what Mika has been talking about, which is our dark and exposure scores. I can create a score for any domain, any domain in the world, and I’ve just randomly selected. You can see even there’s a dark score here if I click on this AT&T score. This is a score of how exposed AT&T, since I just did the search, is in the darknet and you’ll see the score changes and you’ll see as I move my cursor, the score changes in proportion to how much data is available in the darknet at any given point in time around AT&T. And I’ll take the example of BlackBerry here. BlackBerry on the 5th on the 14th of May of last year had a score just above 10, and overnight their score jumped to just under 14. That’s a massive jump in our scoring metric and in our scoring algorithm. And the reason is somebody released a bunch of data around BlackBerry. In fact, a terrific amount of data around BlackBerry. If you’re a user of the platform or a partner like Blackpanda, this is an indicator that something’s gone wrong. There has been a major compromise. We need to investigate this very quickly. So this provides a very quick back of the envelope way to monitor clients, to monitor your own environment, to see what’s going on and to compare how you are doing relative to, say, your competitors or other peoples, other people who are in your sector. The platform comes with a range of other ways that you could pass data, search data, and make use of data, including an alerting platform, so that if, for example, AT&T is a client or you are AT&T and you’re monitoring your own environment, you can be alerted by email to any critical elements that show up in the darknet at any given time. So that a very quick demo, Mika, and thank you for allowing me to do that. But you can see it’s a very intuitive platform. It has direct usage in the incident response phase, and we’re delighted, as I said earlier, to partner with Blackpanda.
Mika: I think that’s our last topic, just on that again, it’s been very powerful for us to be able to show again every, every organization that’s been hacked. It’s the worst day. It’s a terrible event. But in the event that we get those early indicators and we’re able to stop something before something even worse happens, you know, at the sign of chatter or proactively by finding initial indicators of an intrusion and correlate that with deep web intelligence and then stop this thing before it happens. It’s just a very powerful solution. So we’ve been thrilled to partner with DarkOwl. And if there are any questions after the webinar by all means, we’ll provide contact details in posting this this recording.
Curious about something you read? Interested in learning more? Contact us to find out how darknet data applies to your use case. You can also reach out to Blackpanda here.
In this webinar, our CEO will deliver a briefing on the top incidents businesses and organizations need to know about in order to optimize their security posture as events develop as a result of the Ukrainian Invasion by Russia.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.
