An insider’s look into the dark web

A principal research scientist at Sophos offers a glimpse into the abysses of the dark web in a bid to uncover what cyber crooks are up to

Chester Wisniewski’s job at Sophos is unlike that of his colleagues in the cyber security company’s product teams. Instead of spending extended periods of time researching on the latest threats, he gets to dive deep into the abysses of the dark web to uncover what cyber crooks are up to.

That most cyber security attacks and malware begin and end somewhere on the dark web makes this labyrinth of dark underground networks fascinating to researchers such as Wisniewski and his peers at other cyber security firms.

Much of the dark web’s activity is focused on open marketplaces peddling drugs, pornography and guns, as well as malware that has been commoditised from leaked exploits built by nation-state actors. Getting access to those marketplaces is easy, says Wisniewski, a principal research scientist at Sophos.

“Anyone can sign up and gain access once you get a referral and start buying illegal drugs or malware toolkits,” he adds.

The closed forums, mostly in Russian, on the dark web are much harder to access. According to Wisniewski, references are needed to get an account, and depending on the forum, there are usually more barriers to entry, such as proving that one has committed a crime, in a bid to keep the authorities out.

“Most of the time, we spend six to 12 months getting an account approved, and even then, it’s hard to maintain access because there’s so much Russian slang going on in those forums,” Wisniewski says.

Although Sophos employs Russian speakers, Wisniewski admits it’s hard to fathom terms such as “potato” in Russian, which underground criminals use to refer to stolen credit cards. “Native speakers won’t know the slang used by these criminals. To fit in, you need to know what they’re communicating,” he says.

Being underground, the dark web could potentially be used by cyber criminals to coordinate and plan targeted attacks against specific businesses. But Wisniewski does not see that in the forums he has access to, noting that most targeted attacks are opportunistic attempts arising out of stolen digital loot being peddled by someone who happened to find unsecured information belonging to an organisation.

“In most cases, it doesn’t look like they went after a target – it’s more like they’re casting a wide net to look for a company with a low bar on security, broke into it, and stole data such as passwords and personal information to a crook who knows what to do with it,” he says.

Wisniewski says businesses can guard against these attacks by observing good cyber hygiene such as patching, given that opportunistic attackers – as opposed to nation-state actors with a clear mission to compromise specific targets – are often too lazy to try hard enough to break into a system. “They’re just going to go after the next vulnerable target and you just got to hope it’s not you,” he adds.

So far, the modus operandi of cyber crooks on the dark web uncovered by Wisniewski’s team has helped to shape the product strategy at Sophos. For example, when cyber criminals realised that their botnet traffic was being blocked on network security products around two years ago, they started using transport layer security (TLS) to encrypt their communications.

Wisniewski says that led Sophos to build TLS decryption capabilities into its endpoint products, instead of relying on the much harder task of configuring network firewalls to block encrypted botnet traffic. “In many ways, research on the dark web has given us a heads-up on how things are changing,” he says.

This was last published in July 2018
