
Gathering Cyber Threat Intelligence on the Dark Web: Guidance for the Private Sector

For cyber investigators, obtaining the complete picture for analysis is increasingly important. Openly available information, commercial data sets, and cyber intelligence feeds may form important components of an investigation, but an additional source is often omitted: the Dark Web.

The Dark Web can be a valuable place to look when investigating cyber threats. Illicit forums, or Dark Markets, are a haven for criminals to discuss targets, share tactics, and sell exploits, malware, and data taken in breaches. Companies may also find their own customer data or internal login credentials on offer to the highest bidder.

The Dark Web is a general term for websites and content that require special software and protocols to access, including sites reachable via Tor, Freenet, I2P, and other overlay networks. Analysts may face impediments to access, including additional IT security burdens, whether they connect from the organization's primary network (which exposes that network to hostile content) or from a dedicated standalone network that must be built and maintained for research.

For many organizations, visibility into cyber threats exchanged on Dark Web forums provides a critical advantage to information security practitioners who need to stay ahead of malicious actors and understand the threat landscape.

While the value of Dark Web intelligence to infosec practitioners is clear, their employer may see it as a risky and potentially costly endeavor. Understandably so: the Dark Web is unfamiliar territory, and there are reasonable legal and cybersecurity concerns about employees accessing criminal marketplaces to gather intelligence and defend company networks.

Last year (February 2020), the Department of Justice's Cybersecurity Unit issued a memo addressing concerns from private sector organizations about the legality of gathering cyber threat intelligence on Dark Web forums. The memo discusses common threat intelligence gathering scenarios and the legal implications practitioners and their employers should take into account before engaging in such activities.

“As the [Cybersecurity Unit] has learned during its outreach about active defense to industry, many cybersecurity organizations consider gathering cyber threat intelligence to be among the most fruitful of cybersecurity activities.”

Below are some highlights from the DOJ guidance that information security practitioners should keep in mind to help their organizations safely access the Dark Web and gather critical cyber threat intelligence.

The memo and the following discussion do not constitute legal advice. Authentic8 is prohibited from offering you legal advice. Please consult your attorney or your organization's attorney for legal advice before undertaking the activities considered here.

“Practice Good Cybersecurity”

“Practice Good Cybersecurity: In the situations discussed in this document, information is exchanged with cyber criminals. There is no such thing as being ‘too suspicious’ in those circumstances. Practice good cybersecurity at all times and use systems that are not connected to your company network and are properly secured when communicating with cyber criminals.”

With Silo for Research Dark Web Add-On, all of your activity takes place in a secure, isolated browser environment. There’s no need to set up a separate network to conduct your intelligence gathering. You can efficiently hunt for online threats without ever compromising your company’s network infrastructure.

Maintain Records of Your Activity

“… a practitioner and his or her employer should maintain records that document the practitioner’s actions on the forums and the legitimate business purpose for the practitioner’s activities so they can establish a legitimate motive and the steps taken to avoid furthering illegal activities.”

Using a tool like Authentic8's Silo for Research Dark Web makes record keeping easier. All web activity is logged, so information security teams can be sure that the tools are being used appropriately, that an accurate record of web activity is kept, and that the data collected is stored securely.
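Whatever tooling is used, the memo's point is that the record of a practitioner's actions and stated business purpose must hold up later. The following is an added example, not Authentic8's product code and not something the DOJ memo prescribes: a small research journal that writes each session action as a hash-chained JSON line, so that an entry edited or removed after the fact is detectable when the journal is verified. The analyst name, ticket number, field names and the `.onion` hostname are constructed for illustration; the tamper-evidence design goes beyond what the memo asks for and is this example's own choice.

```python
"""Tamper-evident research journal for Dark Web collection sessions.

Added example (not Authentic8 or DOJ code). Every entry carries the SHA-256
of the previous entry's hash plus its own canonical payload, so modifying or
deleting any line breaks the chain from that point on. Field names, analyst
IDs, ticket numbers and hostnames below are illustrative assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash value for the first entry in a journal


def _entry_hash(prev_hash: str, payload: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible
    # when the line is later re-parsed during verification.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ResearchJournal:
    """Append-only log of one analyst's session and its business purpose."""

    def __init__(self, analyst: str, purpose: str, ticket: str, now=None):
        # `now` is injectable so tests can use fixed timestamps.
        self._now = now or (lambda: datetime.now(timezone.utc).isoformat())
        self.entries = []
        # The first entry records who is doing the research and why; the DOJ
        # memo's emphasis is on being able to show a legitimate purpose later.
        self.record("session_start", analyst=analyst, purpose=purpose, ticket=ticket)

    def record(self, action: str, **fields) -> str:
        payload = {"ts": self._now(), "action": action, **fields}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"prev": prev, "payload": payload, "hash": _entry_hash(prev, payload)}
        self.entries.append(entry)
        return entry["hash"]

    def dump(self) -> str:
        """Serialize as JSON Lines, one entry per line."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries) + "\n"


def verify_chain(text: str):
    """Return (ok, index_of_first_bad_entry_or_None) for a dumped journal."""
    prev = GENESIS
    lines = [line for line in text.splitlines() if line.strip()]
    for i, line in enumerate(lines):
        e = json.loads(line)
        if e["prev"] != prev or _entry_hash(prev, e["payload"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


if __name__ == "__main__":
    # Constructed sample session; hostnames and identifiers are made up.
    journal = ResearchJournal("analyst01", "Check for leaked corporate credentials", "IR-1234")
    journal.record("visit", site="exampleforum.onion", note="viewed forum index only")
    journal.record("observe", site="exampleforum.onion",
                   note="thread advertising credential dump; nothing purchased or downloaded")
    text = journal.dump()
    print(text, end="")
    print("chain valid:", verify_chain(text))
```

Store the dumped journal somewhere the analyst cannot silently rewrite (for example, shipped to a central log store as each line is written); the chain only proves that a copy is unaltered relative to its own hashes, not that the copy you hold is the one originally written.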

Seeking out cyber threat data and security vulnerabilities is certainly not without risk, but it shouldn't be dismissed out of hand by C-suite executives. With the proper technical means and training, the ability to access Dark Markets can be a valuable asset for any information security team.

Dark Web Trainings

To learn more about using the Dark Web for online investigations, join Authentic8’s Matt Ashburn for What’s Hiding in the Dark?, where he will address why you need to use the Dark Web for your online investigations.

Sign up for our full Dark Web series and see other upcoming webinars at https://silo.authentic8.com/2021-webinars.html.

  • Dark and Dirty: Real-life Stories of Dark Web Online Investigations (Part 2) — Thursday, June 3
  • Tradecraft Training: Deeper into the Dark Web — Thursday, June 17

*** This is a Security Bloggers Network syndicated blog from Authentic8 Blog authored by Abel Vandegrift. Read the original post at: https://blog.authentic8.com/dark_web_collection_guidance/