Decrypting the Dark Web

Uploaded on 2016-10-31 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Data analysis to be presented at Black Hat Europe highlights trends in communication between bad actors who gather in underground forums across the Dark Web.

Data analysis can be used to expose patterns in cyber-criminal communication and to detect illicit behavior in the Dark Web, says Christopher Ahlberg, co-founder and CEO at threat intelligence firm Recorded Future.

Ahlberg in November at Black Hat Europe 2016 in London will discuss how security pros can discover these patterns in forum and hacker behavior using techniques like natural language processing, temporal pattern analysis, and social network analysis.

Most companies conducting threat intelligence employ experts who navigate the Dark Web and untangle threats, he explains. However, it's possible to perform data analysis without requiring workers to analyze individual messages and posts.

Recorded Future has 500-700 servers it uses to collect data from about 800 forums across the Dark Web. Forums are organized by geography, language, and sectors like carding, hacking, and reverse engineering.

'Pattern of Life'

Ahlberg describes the process of chasing bad actors as "pattern of life analysis." This involves tracking an individual, or class of individuals, to paint a picture of their activity and develop a profile on their behavior. 

Over the last six months, he has spearheaded research to analyse more than three years of forum posts from surface and deep web. Forums have originated in the US, Russia, Ukraine, China, Iran, and Palestine/Gaza, among other locations.

The research unveiled a series of Cyber-criminal behavioral patterns. These can be used to discover illicit behavior, create points for further branches of research, and figure out how hackers are focusing on different tech and vulnerabilities.

Recorded Future built a methodology for analysts to track user actors' handles as people jump across and within forums, he explains. Discovering patterns starts with attribution, or putting together a profile for one person.  The problem is, bad actors often switch between handles to conceal their activity.

"Nobody puts in their real name," he continues. "The issue is, you might track someone and find half of what they're doing is on one handle, and the other half is on a different handle."

He addresses this complication through a process called mathematical clustering. By observing handle activity over time, researchers can determine if two handles belong to the same person without running into many complications.

Temporal patterns exemplify one trend Ahlberg has taken from his observations of hacker activity. "Overall, hacker forums have lower activity on Saturday and Sunday, and peak on Tuesday and Thursday," he says. The times at which criminals are most active can shed some light on their lives and areas of focus. Some forums have a drop in activity around mid-day, a sign that participants could be full-time workers taking a lunch break. 

It's also interesting to watch how forum activity relates to industry news. "By looking at forums and how they react to outside events, we can learn more about what they're interested in," Ahlberg says, calling the process "smoking out rats with external events."

For example, a spike in Wednesday activity could be a sign the forum is reacting to patches and vulnerabilities published by Microsoft and Adobe a day prior. 

Patch Tuesday, he says, could be driving "Exploit Wednesday." 

Dark Reading:         Deep Web – CyberCrime, The Movie:
 

« Future Of Security: Connect Cyber With Physical Defence
ISIS Social Media Ops Are Declining »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Fasoo

Fasoo

Fasoo provides data-centric security to protect data within the organizational perimeter and beyond by limiting access to sensitive data according to policies that cover both users and activities.

European Organisation for Security (EOS)

European Organisation for Security (EOS)

EOS represents all domains of security solutions and services.providers including ICT information and communications technologies.

Netmarks Indonesia (NMID)

Netmarks Indonesia (NMID)

Netmarks Indonesia is an IT solutions provider offering services related to ICT infrastructure, digital transformation and cyber security.

Nova Leah

Nova Leah

Nova Leah helps connected medical device manufacturers meet cybersecurity compliance requirements throughout the entire product lifecycle.

IT Search

IT Search

IT Search is a specialist IT recruitment company focusing on Cyber Security, IT Infrastructure, Software, Data, Digital Transformation and C Suite leadership positions.

CNS Group

CNS Group

CNS Group provides industry leading cyber security though managed security services, penetration testing, consulting and compliance.

Ackcent Cybersecurity

Ackcent Cybersecurity

Ackcent's mission is to help our clients to protect their critical digital assets by providing them with a portfolio of specialised professional services.

Crosspoint Capital Partners

Crosspoint Capital Partners

Crosspoint Capital Partners is a private equity investment firm focused on the cybersecurity and privacy sectors.

Entara

Entara

Entara (formerly YJT Solutions) is an eXtended Service Provider (XSP) focused on providing cutting edge technology and cyber security solutions to companies in regulated industries.

Gridware

Gridware

Gridware is a specialised cybersecurity consultancy firm and an emerging global player in the cybersecurity intelligence and advisory field.

InfoSec4TC

InfoSec4TC

InfoSec4tc is an online Information Security Courses, Training, and Consultancy provider.

Kodem Security

Kodem Security

Our mission is to make AppSec simple. Meet the world’s first dynamic software composition analysis platform. Only Kodem uses runtime intelligence to determine application risk.

Solcon Capital

Solcon Capital

Solcon Capital is a forward-looking, technology-focused investment firm that is committed to identifying and investing in the most promising areas of innovation and development in the tech industry.

AUCloud

AUCloud

AUCloud is a leading Australian cyber security and secure cloud provider, specialising in supporting businesses and Governments with the latest cloud infrastructure.

Lenze

Lenze

Lenze are an experienced partner for automation systems, digitalization and cyber security.

Raven

Raven

Raven are on a mission to help companies protect their cloud native applications by focusing on runtime.