Commonly when surfing the web, Transport Layer Security (TLS) is the cryptographic protocol that provides confidentiality for your communication with the server. The green lock on your URL bar is an assurance, but not a guarantee, that you're communicating confidentially with the entity you think you are. While TLS is designed to provide confidentiality and identity, dark web protocols are designed to provide confidentiality and anonymity. There are many of these dark net protocols, but Tor is by far the most common, likely because of its use of exit nodes to allow a user to obtain anonymity on the public internet by routing traffic across the Tor network.
On Anonymous Networks, Reputation Is Everything
The quality of your collection strategy dictates how confident you can be in your analysis. Garbage in, garbage out. This is an often-ignored part of dark web marketing. Anonymous networks help segment your actual identity from the persona (or avatar) you develop on these dark nets. Because of this, the reputation of your developed persona is the only currency you truly have. Also remember that there's no guarantee the person behind the persona you are interacting with isn't a criminal, a threat intel company, or possibly even law enforcement! The story of the Besa Mafia is a great example of criminals scamming criminals, getting hacked themselves, and then law enforcement arresting people who were trying to hire these fake hitmen. It's also not uncommon when law enforcement takes control of a hidden site only for them to continue hosting it in hopes of deanonymizing the users of the site. Basically, trust nothing.
I Registered For Access, And All I Got Was This Low-Confidence Assessment
Developing personas to obtain and, more importantly, maintain access is time-consuming and most of the work involved with good tradecraft on the dark web. Be wary that some "dark web intelligence" offerings skip the hard part and are just using technical collection to scrape information from essentially public markets and forums. To say this is a commodity capability would be a major understatement, as the ability to automate the scraping of websites is as old as the internet, and as we've established, dark networks really just reflect a difference in protocol selection. The use of the iceberg metaphor is a clever bit of psychological warfare . . . ahem, marketing . . . to remind you that they have access to all this stuff under the surface that you don't. As someone who evaluates these vendors, many of them don't either.
Any Company Selling You On "Dark Web Intelligence" Is Only Talking About Its Collection Strategy . . . And There's Big Problems With That
After collection, the next challenge would be processing and exploitation. Processing is frequently discussed as stripping out things like HTML tags from the raw data that's been collected. If you think that is a big deal, I have a regular expression (regex) to sell you. Where things get interesting is trying to exploit this data to get something useful on an analyst's desk. Here's a few examples:
Very few, if any, public sector vendors have swaths of analysts translating everything on the dark web on a daily basis from languages such as Arabic, Farsi, Spanish, Russian, and Mandarin. How is this being done at the same scale as collection?
How does your translation software handle slang? Without specific knowledge of a particular group, you would have no idea they are using the code name "Iowa" when describing a target in Iran. Keep this in mind if someone mentions they are going to Iowa next month; it might be a lot more exciting than it sounds.
Then there's something I call "the Target problem." Target is a retail chain with stores in the United States, Canada, and India — many of you may be familiar with the brand. Now, imagine the data problem created in attempting to parse out relevant chatter about the Target brand from the rest of the noise on the internet. Incidentally, the string "target" appears five times in this blog post and only three times in the context of the retailer.
A vendor cannot have an appreciation of these problems and not talk about their solution to them. If they are just trying to sell you on their ability to collect data from the dark web and then show you their platform, you don't need to see the platform.
Finally, There's Some Really Bad Stuff On Dark Nets, But They Also Are A Critical Resource For The Oppressed
Must read: Revolutionize your security strategy by applying Zero Trust to your business.
This blog was written by Senior Analyst Josh Zelonis and originally appeared here.