In today's threat landscape an organization can use all the help it can get in detecting threats against its assets. Monitoring for threats inside the company's own network has been, and will continue to be, the first place to look, but many teams are also exploring places to watch for threats outside their direct control. With these additional options available, many organizations are turning to services that monitor the dark web to expand their threat monitoring capabilities. This lets an organization watch for attacks being planned on the dark web, or be notified when stolen corporate data is posted to criminal forums. Sometimes you need to be in the lion's den to detect an attack.
Jul 25, 2017 (PRWEB): Leaked exploits and hacking tools dumped online for every cybercriminal's easy access fueled significant illegal activity in the first half of this year, according to key findings in a new mid-year report by cyber threat intelligence provider SurfWatch Labs. In the analysis of cyber events, the problem of stolen cybercrime tools was exacerbated by widespread data dumps.
The dark web has long been a place of mystery, offering anything from drugs, books, weapons and music to stolen data, and even refuge for political dissidents. It's the internet within the internet, giving people the freedom, for good or bad, to research, view or sell data under a guise of anonymity. Because stolen data, malware and hacking campaigns are sold there, it's a natural place for cybercriminals to congregate. There are plenty of legitimate uses for the dark web, but most attention goes to the criminal ones, since that is what the media mostly reports. It's for this reason that cybersecurity threat intelligence companies like OWL Cybersecurity and SurfWatch Labs monitor the dark web and other commonly used hacker sites, and bring the correlated intelligence to your fingertips.
Having insight into what's happening on the dark web is extremely useful when an organization wants to spot potential risks before they materialize. These services take advantage of the fact that much of this material is posted openly, if in places that are hard to find, and turn that to your benefit. The dark web is unlike the internet we all know, mainly because it isn't indexed by common search engines and it's hard to determine where a given activity is taking place. That makes information on the dark web much harder to find unless you know where to look.
Some threat intelligence companies piggyback on the data posted to the dark web and use it to their advantage, creating alerts when something of interest to your organization has been found. There have been many examples of attacks, or malware discovered, that, had they been detected and alerted on earlier, would have given the victims a better chance to prepare before the attack occurred. Alerts like these let threat intelligence companies shine a light on the dark web and act as an early warning system for organizations that want to monitor threats outside their direct control.
There have also been instances where compromised data from an organization was posted to the dark web, either for sale or to dox another entity. Being able to use the data these companies provide, or to run custom queries against the data the threat intelligence companies hold, lets you be notified proactively when there has been a breach. This has been seen many times with insider threats who take data or ideas and post them on the dark web, for sale or to damage the company's reputation. Without knowing where to look on the dark web, this data would slip past any internal threat intelligence function a business might have deployed. If an organization knows the data was posted to the dark web by an insider, it can narrow the scope of its investigation, or at least understand the attacker's motives sooner.
Threat monitoring on the dark web adds a layer of intelligence that many companies are reaching for in order to get a leg up on attackers. As with anything else, these technologies aren't meant to be used on their own. They supplement your threat monitoring architecture by searching outside your normal domain, in the places where attackers do business. It's becoming extremely difficult to monitor every place an attacker might post information, but having a service review the dark web and the other sharing platforms on which attackers normally communicate is critical to today's threat monitoring and reputation protection. Being able to observe attackers on the dark web discussing campaigns with other actors could yield vital information a company would want to know urgently.
Monitoring potential attackers as close as possible to where many groups operate and communicate brings you a step closer to disrupting their efforts to organize an attack. It also helps with monitoring for data that might be used to harm your business, and serves as an early warning that something isn't right. Technologies like this may not find threats every day, but when they do, you'll be glad to know about it beforehand.
The most feared hacker groups are what cybersecurity professionals refer to as 'advanced persistent threat' actors.
Unlike your average hacker breaching a server for curiosity or activism, or criminal gangs armed with ransomware and interested only in money, APTs backed by nation-states usually are among the very best.
And most of the time, they are interested in just one thing: Stealing secrets.
Well, that and not getting caught.
'Advanced persistent threat' actors are a frequent topic of discussion among cybersecurity experts, political leaders, and white hat hackers.
It's the best way to describe the hackers who burrow into networks and maintain 'persistence': access that survives software updates and reboots rather than disappearing when a machine is patched or restarted.
APTs vary in their methods of gaining access. Some use targeted email-phishing campaigns that install malicious software onto a victim's machine, while other, more advanced groups will use 'zero-day' exploits.
The exploits are called 'zero day' because the flaw they target is unknown to the software's vendor until it is first seen in use. The bug had never been reported, so the vendor has had zero days to develop a fix, and the victim has had nothing to patch.
One such nation-state APT used four such zero-days in an attack against Iranian nuclear sites. One is usually enough to get the job done, so four is pretty much unheard of.
And zero days are also a big business in themselves. These software exploits can be bought and sold for hundreds of thousands, and sometimes millions of dollars.
Though sometimes it can be very hard to determine who an APT is, where they came from, or if they even have the backing of their nation's government.
That's due to the problem of attribution, since hackers can hide behind multiple proxies and bounce their traffic around different computers around the world. A North Korean army hacker could be attacking South Korea with a computer it hacked previously that was located in Japan, for example.
Still, their tactics, techniques, and procedures usually offer at least some insight. And cybersecurity companies like Mandiant, CrowdStrike, Kaspersky Lab, Symantec, and others often give them names and detail who they *think* they are.
One thing that's very clear when researching known APTs: China seems well ahead of everyone else. There are more than 50 groups with ties to the country, far more than Russia — which has roughly a dozen.
Perhaps the most notorious among China's APT groups is known as 'Comment Crew.' The cybersecurity firm Mandiant released a 60-page report in 2013 linking it to attacks on Coca-Cola, RSA, and US critical infrastructure.
Source: The New York Times
The report offered up plenty of evidence that 'Comment Crew' (Mandiant's own designation is 'APT1'; CrowdStrike calls the same group 'Comment Panda') was actually a Chinese military unit known as PLA Unit 61398.
Not surprisingly, China denied any involvement.
![Surfwatch](/uploads/1/2/5/3/125318647/517729159.png)
There are a number of Chinese groups operating in cyberspace. They've been given names like Naikon, Shell Crew, or Toxic Panda, and they've hacked everything from US government agencies to financial-services and energy firms around the world.
Though China seems to have the most hacking units, other countries are doing their own attacks in cyberspace while trying hard to cover up their digital tracks.
One of them is the US. As the disclosures from the Edward Snowden leaks have shown, the NSA's offensive hacking abilities are among the best in the world.
One of its unique methods was exposed in the leaks: NSA's top hackers intercept network hardware and computers while they are in transit and install 'beacons' that give them a backdoor inside. Then they box the equipment back up and send it on to the intended recipient.
Most cybersecurity experts believe it was NSA (along with Israel's Unit 8200) that built the Stuxnet worm, a sophisticated cyber weapon that physically destroyed Iranian centrifuges.
And a recent film called 'Zero Days' also exposed how NSA could have totally wiped out Iran's infrastructure, from its power grid to financial sector, with nothing more than computer code. No small feat, for sure.
Iran was taken by surprise by Stuxnet, and it invested in its own offensive cyber army as a result. With $20 million in funding and a few years of experience, it now has the fourth largest cyber army.
Source: TI
Besides hackers launching cyberattacks on US financial institutions a few years ago, Iranian-linked attackers used wiper malware known as 'Shamoon' in a major hack of Saudi Aramco, wiping or destroying around 35,000 computers used by the state-owned Saudi Arabian oil firm.
Source: TI
'They’ve grown up very fast and very significant over the past few years,' David Kennedy, the CEO of cybersecurity firm TrustedSec, told Tech Insider. 'They realize they can’t have any type of superiority around air, or anything like that, especially when it comes to the United States. So they’re investing a lot of it into the cyber piece.'
Another key player is Russia, which has about a dozen APT groups with names like 'Sandworm,' 'Cozy Bear,' and 'Turla Group.' The most notorious among them is called 'Sofacy.'
Also referred to as 'Fancy Bear' by cybersecurity firm CrowdStrike, it was most recently found inside the servers of the Democratic National Committee. The firm found 'Cozy Bear' there as well, writing that both groups' 'tradecraft is superb, operational security second to none and the extensive usage of ‘living-off-the-land’ techniques enables them to easily bypass many security solutions they encounter.'
Source: Crowdstrike
Just last month, Palo Alto Networks observed Sofacy hackers as they sent phishing emails targeting the US government. The group — believed to be linked to the Russian intelligence service — mostly targets Russian neighbors, governments in Europe, and NATO.
Source: Palo Alto Networks/ FireEye
Another Russia-linked group, called 'Sandworm,' has even the NSA director worried about potential critical infrastructure hacks. Those seem to be the team's specialty: late last year it used malware against a Ukrainian power company and turned off power for about seven hours.
Source: iSight Partners
If there's one thing to take away from the big hacks and APTs that are pulling them off, it's that war and espionage in cyberspace continues in the shadows, with little in the way of rules of engagement.
![Surfwatch Labs Hacker Groups](/uploads/1/2/5/3/125318647/839420814.jpg)