The age of digital business has, for the most part, been positive. It has increased the ease and speed of communication while at the same time as reducing the cost.
But with more than 3 billion individuals interacting across social media, mobile and cloud services every day it means that digital footprints are increasing. With this comes the increased risk that some of this information can be inadvertently exposed and may be used maliciously.
The information at risk we refer to as a ‘digital shadow’. This is a subset of a digital footprint but consists of exposed personal, technical or organisational information that is often highly confidential, sensitive or proprietary. Adversaries can exploit these digital shadows to reveal weak points in an organisation and launch targeted attacks.
Adversaries cast a digital shadow too
A digital shadow is not necessarily a bad thing. Adversaries also cast a shadow similar to that of private and public corporations. These ‘shadows’ can be used to better understand the threat businesses face. This includes attacker patterns, motives, attempted threat vectors, and activities. Armed with this enhanced understanding, organisations are better able to assess and align their security postures.
The chief aim of cyber criminals is to make money. Tracking a digital shadow begins with this understanding. The anonymity offered by the ‘dark web’ is often (but my no means exclusively) used as a safe-haven by these criminals. By observing activity on the dark web it is possible to gain a better understanding of how cyber criminals behave.
For instance, it’s possible to monitor what is being sold on online marketplaces and gain a view of the latest tools, such as attack kits which are being used and which vulnerabilities criminals are looking to exploit. This provides an attacker’s eye view of how these criminals might look at our own organisation and means we can be better positioned when it comes to our own security defences.
Learning from hacktivist groups
As stated, the so-called ‘dark web’ is not the only place where it’s possible to exploit the shadows of adversaries. With ‘hacktivist’ activity, for example, more typically use social media such as Twitter and Facebook and sharing sites such as Pastebin.
Hacktivists tend to be more visible and easy to track because a primary motivation is to be heard and cause disruption and embarrassment. Their activity can be broken down into three main parts:
- Indication and warning – social media is a useful tool for monitoring hacktivist operational announcements. The use of operational hashtags, which are prevalent, aids this process. Groups will invariably provide operation names and specify target lists. If a hacking group name you on a target list, you are going to want to know.
- Evidence of attack – organisations should monitor for claims of defacements, DDoS attacks and breaches. This may occur on social media, often Twitter, but also on code-sharing sites such as Pastebin. Getting there first can help to reduce the reputational impact on your organisation. But it also helps from a historical view; understanding what tactics, techniques and procedures (TTPs) have used in the past help you to gauge how to best prioritise defence spending.
- Significant activity – Organisations can monitor social media and news sources for significant activity. While more mature organisations may use Activity Based Intelligence (ABI) to draw this information out, this approach need not be that complex. This approach may simply include observing arrests, reference to new techniques, declaration of links to other groups or actors.
Defence through understanding
The dark web can be a useful place to find out about the latest TTPs of cyber criminals, but firms should not underestimate the power of social media and sharing sites. These can provide a valuable insight into the activities, motivations and TTPs of attackers. Simply put, those who possess an understanding of these will be in a stronger position to defend themselves.
Image source: Shutterstock/Stefano Tinti