Matthias Gruber

Did you accept your Dark Net friendship invite?

Attempts at mapping the Dark Net and appraising its current size will only offer a snapshot in time. As with organisational network analysis in business risk management, “law enforcement agencies and researchers in this field should focus more on monitoring and uncovering the mechanisms of criminal network dynamics, instead of aiming at static observations of criminal reality.”((Duijn, P. A. C. & Sloot, P. M. A. From data to disruption. Digit. Investig. 15, 39–45 (2015).))

Law enforcement agencies in the US and Europe monitor and analyse the Dark Net in at least six ways ((Koebler, J. Six Ways Law Enforcement Monitors the Dark Web. Motherboard (2015). Available at: https://motherboard.vice.com/en_us/article/jp5a9g/six-ways-law-enforcement-monitors- the-dark-web.)):

These activities are the cyber proxy for the more conventional ‘real- world’ crime-fighting tasks of surveillance, detection, attribution and intelligence. Few of these activities are appropriate – or legal – in a company setting.


The Deep Web and Dark Net (DDW)

In the subset of activities that are legal, e.g. legitimate CI enhanced by access to the DDW, the chance of finding useful, useable evidence must be weighed against the considerable risk – and cost – of setting up a DDW operation. Finding nothing is not a failure, because the results of all experiments are helpfulin understanding the terrain.

Sense-making algorithms and sentiment analysis for DDW((Al-Rowaily, K., Abulaish, M., Al-Hasan Haldar, N. & Al-Rubaian, M. BiSAL – A bilingual sentiment analysis lexicon to analyze Dark Web forums for cyber security. Digit. Investig. 14, 53–62 (2015).)) are known for at least five years. The US Defense Advanced Research Projects Agency is developing a search engine, ‘Memex’, that tracks patterns and relationships in online data((Finklea, K. Dark Web. US Congressional Research Service (2015).)). Automated Dark Net crawlers search for stolen Intellectual Property and credit card data((Cox, J. The Booming, and Opaque, Business of Dark Web Monitoring. Motherboard (2016). Available at: https://motherboard.vice.com/en_us/article/vv7b4m/the-booming-and-opaque-business- of-dark-web-monitoring. )): the ‘Matchlight’ solution from Terbium starts at $5,000 (€4,000) per month((Terbium Labs. Matchlight. (2018). Available at: https://terbiumlabs.com/.)). Similarly, AlienApp locates user credentials trafficked on the Dark Net((Alien Vault. AlienApp for Dark Web Monitoring | AlienVault. Available at: https://www.alienvault.com/app/dark-web-monitoring.)). With increasing investment in cyber defence, automated search using machine learning and AI is also an investment opportunity.

Outsourcing is an option

Commercial DARKINT companies such as Flashpoint use a combination of technology and HUMINT (Human Intelligence) to interpret findings and manage business risk for their clients. Law enforcement agencies use automated search and monitoring (e.g. in the Netherlands((van Beek, H. M. A. et al. Digital forensics as a service: Game on. Digit. Investig. 15, 20–38 (2015).)); these tools must be deployed by domain experts, as true professionals known how to evade these searches. In cases where the scale or complexity is not served by automated tools, there are still manual search methods, best done by insiders, mercenaries((Fought and Hackers Roam Free. The Hive (2016). Available https://www.vanityfair.com/news/2016/09/welcome-to-the-dark-net.)), gray hats or ex-government officials. Companies without the resources to hire a dedicated business risk intelligence firm or set up an in-house operation may choose this option.

Conclusions

The Deep Web and Dark Net (DDW) comprise at least 95% of services and data available via today’s internet: as a source for competitive intelligence and business risk management, these domains cannot be ignored and as a risk vector, should be included in cybersecurity strategy.

Automated search and detection has developed in the past five years, enabling the identification of stolen access credentials and corporate IP. While the total size of the Dark Net marketplace is difficult to estimate, at least 30,000 sources are known in the Tor network, of which at least half comprise activities that are considered illegal in most jurisdictions. Dark Net analysis thus occupies a legal grey area.

As an ecosystem for criminals, the Dark Net is risky terrain for the uninitiated. The tools and techniques to access, navigate and retrieve objects of value require specialist skills beyond technical proficiencies, using a blend of automated and human intelligence. DDW analysis is therefore generally not a task for the in-house information security team, while operationally, the objectives of a DDW operation may conflict with the company’s stated cybersecurity policies.

Yet for all its hazards, Dark Net analysis is currently an investment opportunity – for those who want to contribute to corporate social responsibility in the cyber realm. For any organisation that stores or transmits data and communications via the internet, cybersecurity is the cost of doing business in the digital age. Similarly – and particularly in the absence of enforceable international laws on data privacy and security – DDW intelligence is probably the cost of remaining competitive in the digital age.

Are you protected?

Me and my team protect you, your business and your data against cyber threats by analysing risks and developing early detection and protection concepts.