It’s no secret the dark web is where bad guys go to conduct business.
But beyond being the place where cybercriminals share information and buy/sell illicit goods (stolen information, counterfeits, drugs, weapons, etc.), the dark web can also serve as a key resource for the above ground business to understand what is of value to others – and how to quantify the value an organisation places on its data.
When people discuss dark web markets, they tend to focus on payment cards; however, criminals are able to monetise a variety of different types of personal information, account credentials, and other stolen data.
Over just the past week SurfWatch Labs has observed the following items for sale on the dark web:
- Gift cards for a variety of ecommerce sites, retailers, and other services selling for around half price or less, including $1000 gift cards for major airlines available for $600.
- Logins details for video streaming services including Netflix for $1, Hulu for $2.50 and HBO Now for $4.
- Paypal and bank accounts selling for around 10 per cent of their balance; PayPal accounts with a $200 balance were priced at $20 and bank accounts with a $11,000 balance cost around $1000.
- Personal information such as scanned bank account statements, which were selling for $60.
- Hacked reward accounts from a variety of providers, including an airline's reward account with a million points selling for $300.
Stolen payment card data is also readily available on the dark web. This seller is selling compromised card information for $11.95, although buyers can get a better deal if they buy the cards in bulk.
Other cybercrime-related items for sale include pirated media, hacking services and software exploits. For example, our threat intelligence analysts recently came across a seller offering what he claimed was a new Microsoft Office zero day exploit for 40 bitcoins – or around $23,000.
Internal vs. External Threat Intelligence
Awareness of what is being sold on the dark web provides crucial insight into what cybercriminals are currently targeting – and what they’re likely to target in the future. Understanding the types of information for sale on the dark web related to your customers, your infrastructure, your supply chain and your competitors can help cut through the overwhelming amount of cybersecurity noise in order to focus resources on the threats that really matter – to see the forest from the trees, as the saying goes.
This is the crucial difference between external and internal threat intelligence. Internal threat intelligence is necessary for tactical defense. It’s necessary for detecting and preventing threats, for responding to incidents, and for understanding what is happening inside your own network.
External threat intelligence looks outside the organisation’s walls for relevant cyber activity trends facing similar types of organisations to better plan and prepare for impending threats to the business. This intelligence can provide the strategic insight necessary to direct resources and help guide internal tools and processes towards reducing an organisation’s cyber risk. For example, if dark web intelligence reveals that gift card fraud is heavily impacting your organisation or others in your sector, resources can be directed towards discovering the cause of that fraud and implementing tactics to plug those weaknesses. Is the fraud due to skimmers making counterfeit cards, an insider stealing and selling cards, a third-party data leak, or something else?
Relevant, timely and accurate external threat intelligence can help to provide the context necessary to better act on your organisation’s internal data. It can help to answer questions such as:
- What potential threats exist and which of them are currently occurring in my industry?
- How often do those threats occur?
- Are the threats changing over time?
- What threats affect my partners, supply chain and competitors?
- Who is likely to attack us and why?
- Do our controls mitigate that vulnerability? Are we applying the right resources to the right controls?
- How would control failures impact the business?
- Are there different threats to different lines of business?
In essence, this external intelligence can provide the high-level strategic insight necessary to better direct limited cyber resources and more effectively reduce the cyber risk facing your organisation.
Taking Action on Threat Intelligence
As a real-world example of this threat intelligence process in action, SurfWatch Labs recently observed an actor going by the name of AlphaLeon discussing his cybercrime operations on a dark web forum. Additional research helped to confirm that web hosting provider Invision Power Services was compromised by AlphaLeon, and that once AlphaLeon executed his code, web forum users on some professional sports leagues as well as major media and entertainment companies would be breached. In summary, the intelligence led to the threat being eradicated before it could be executed.
This is an example of external threat intelligence being used to directly drive changes to an organisation’s internal security and infrastructure by identifying a cyber threat before it spreads either further into the organisation or on to others in the supply chain. Identifying active threats such as compromised employee email accounts, stolen payment cards tied to a particular organisation and other indicators can help to limit the potential damage of a cyber incident.
As many studies have noted, a significant percentage of breaches go undetected by the affected organisation and are instead discovered by various third parties. Threat intelligence can help to identify a threat before a breach occurs or shorten the window between breach and discovery.
Adam Meyer, chief security strategist, SurfWatch Labs
Image source: Shutterstock/BeeBright