DARK WEB THREAT INTELLIGENCE

The dark web (also called the darknet) is often associated with images of midnight hackers and secretive villains working in solitude. In reality, the deep web and darknet are hives of communal activity spanning all hours. These areas of the internet are used by people seeking anonymity for a variety of reasons, both illicit and lawful in nature.

Security professionals and public safety officials have a vested interest in discovering threat intelligence on the deep web and darknet. This intelligence allows organizations to detect and prevent threats of all kinds—But first, what exactly are the deep web and dark web?

DARK WEB SEARCH: DOWNLOAD THE PLATFORM OVERVIEW

The deep web, sometimes called the invisible web, includes websites and data sources that are unindexed and non-discoverable by search engines, such as Google, within the surface web. The deep web is estimated to be at least 400-500 times the size of the surface web.

The deep web includes online pages that are restricted by passwords and paywalls (such as personal social media accounts and online banking dashboards), or dynamic and encrypted networks. The term “deep web” is not interchangeable with the darknet/dark web—it includes the darknet/dark web.

The darknet/dark web is a more hidden subsection of the deep web and requires special software, such as a Tor browser, to access. The dark web offers users total anonymity. This is why a great deal of nefarious activity, including illegal goods sales, human exploitation, and discussion around illegal topics, happens there. 

Accessing the dark web is not illegal in itself, even though dark web activities are often illegal. User anonymity means that the dark web is also sometimes used for less destructive activities, such as circumventing government censorship and protecting whistleblowers.

Contrary to popular belief, darknet data is not difficult to access—but it is very difficult to navigate, since pages are not indexed or regulated. Inexpert darknet browsing can be dangerous, and discovering anything specific or useful is extremely time-consuming.

How Does The Darknet Achieve User Anonymity?

Darknet users achieve anonymity with onion routing. A user’s data is sent through multiple layers of encryption before reaching its destination, making its origin anonymous. These encryption layers are analogous to the layers of an onion. 

Tor (acronym for “The Onion Router”), the most popular dark web browser, uses this encryption method. Tor is a free software browser that conceals the user’s IP address, which then inhibits any personal or metadata collection. 

What Do Deep Web And Darknet Sites Look Like?

Most sites and published information on the deep and dark web take the shape of either a marketplace, discussion forum, or breached data dump:

• Marketplaces allow users to anonymously buy and sell illegal goods on the dark web.
• Discussion forums allow users to anonymously discuss illegal topics, such as how to conduct cyberattacks, or how to manufacture illicit substances.
• Breached data dumps, including breached personal or company information, are common on deep web sites like Pastebin.

Read more: 
Eliminate Threats and Mitigate Risk: Dark Web Search for Your OSINT Strategy
What is Tor and the Deep Web

Below is an overview of the types of websites that are active in the deep and dark web. This list is not exhaustive—sites are constantly changing as they are removed or added.

Deep Web Networks

Marketplaces

Deep web marketplaces often aim to remove “the middleman” involved in surface web commerce. Buyers and sellers on deep web marketplaces use cryptocurrencies and engage directly to avoid fees associated with typical payment methods like Paypal. Many dark web marketplaces don’t cater specifically to illicit exchanges, however illegal activity is often difficult to track or manage.

Messaging Apps

Many cloud-based messaging services are considered to be within the deep web. These services are used widely for discussing or creating games, exchanging payments between users, and discussing shared interests with varying degrees of security. Some deep web messaging apps are fully encrypted, whereas others allow users to create their own servers and host private, password protected, or public channels within those servers.

While messaging apps in and of themselves are not necessarily designed to host illegal activity, there have been many reports of phishing scammers using these types of apps as a method of contact with victims. Others have been linked to adult, narcotic, or otherwise NSFW (Not Safe For Work) content. Discord, for example, is linked to discussions about illegal activity as well as the alt-right movement. In August 2017, it was discovered as a planning tool for organizing the “Unite the Right” rally in Charlottesville, VA.

Open Web
The Open Web can be defined as an open network that is decentralized (control is shared by many parties), accessible (anyone can participate without requesting permission) and open-source (anyone can modify or improve it).

It can also be defined by what it isn’t: the internet’s “walled gardens” where content is centrally controlled and monetized (Facebook and Google, for example). These walled gardens provide an easier and more curated user experience, but at the cost of certain freedoms—algorithms control what content is published, and publishers are restricted to services that are built by the sites.

Content on the open web is publicly accessible but not necessarily indexed by common search engines like Google. Pastebin and Craigslist are both examples of open websites.

Read more:
Open Source Threat Intelligence 
Social Media Monitoring

Dark Web Networks

Dark Web Networks and Tor

Tor was created by the U.S. Naval Research Laboratory in the 1990’s aiming to enable secure government communications. It’s now the most commonly used network for navigating the dark web. Tor sites have .onion as their top-level domain.

Tor contains a number of discussion forums which tend to serve a somewhat ill-intentioned user base. Online hate-groups use these forums to hold anonymous discussions including planning criminal and violent acts. The now-defunct 8chan, for example, is associated with the 2019 Christchurch mosque and San Diego synagogue shootings. The latter’s perpetrator posted links to his manifesto and Facebook page before committing the attack. The site has 35,000 daily users.

What exactly are criminals doing on the dark web? Most corporate security professionals and public safety officials are seeking crimes and evidence of crimes related to stolen and illegal goods, conducting drugs and human trafficking, planning attacks, selling and leaking data and information, money laundering, and fraud. 

The following are some specific examples of darknet activity:

• Discussing and selling “How-To” guides. Guides can cover everything from how to produce an illicit substance, to how to conduct fraud against an organization.
• Releasing or selling personal data. Personal data breaches are commonly used to gain access to financial accounts, or can be used to target individuals for harassment (known as “doxxing”).
• Buying and selling fraudulent tax documents. Cybercriminals will often purchase and submit fraudulent tax documents before the real taxpayer is able to.
• Exposing national security data, such as defense strategies, weapon plans or building blueprints pertinent to national security.
• Leaking or stealing source code. This makes it easier for hackers to determine if there are any vulnerabilities in your organizations’ operating systems or security software.
• Selling “spoofing” templates. Spoofing templates allow scammers to create fake websites or forms on behalf of an organization as a means to collect personal data.
• Exposing company databases. This leaks sensitive information about employee accounts, as well as a company’s overall footprint, including partnerships and private contracts.
• Hiring for illegal activities, such as hitman services or human trafficking.
• Buying and selling illegal goods or substances.
• Viewing and exchanging child pornography.

Read more: 
Darknet Market Shutdowns and the Future of Threat Intelligence 
10 Ways Cybercriminals Put Your Data Security at Risk

The following are specific industries that actively pay attention to deep web and dark web sites to find and mitigate common threats:

Public Safety Professionals (police agencies and federal defense):

• Discover drug, weapon, and human trafficking cases
• Find discussions and marketplace listings related to cybercrime
• Monitor communications between threat actors (planning attacks or other crime)
• Find fraudulent passports and other documents

Corporate Security Agencies:

• Protect brand reputation
• Discover insider threats
• Discover data breaches
• Protect executives and enforce personal information security 
• Detect and avoid DDoS attacks

Financial Institutions:

• Discover and protect against:
• Money laundering
• Counterfeit currency
• Credit card fraud
• Internal attacks
• Data breaches
• Employee-directed phishing attacks
• Ransomware, malware, and cryptojacking
• Unsecure third-party vendors and cloud-based service providers 
• Spoofing and DDoS attacks
• ATM attacks

DOWNLOAD BANKING CASE STUDY

Retail Security:

• Discover stolen goods and counterfeit sales
• Find fraudulent gift cards
• Conduct post-burglary investigations
• Discover company-branded credit card fraud

Read more:
4 Reasons Why Your Retail Security Team Needs to Be on the Dark Web

Whether or not you search for them, security threats are prevalent on the deep and dark web. Although much of the activity on these sites is benign, deep and dark web threat intelligence is crucial for organizational security and public safety.

Deep and dark web sites are extensive and constantly changing. OSINT training and tools that gather deep and dark web data can support organizations with the discovery and mitigation of threats related to data breaches, illicit goods exchange, and exploitation.