The underground marketplaces behind cybercrime [Q&A]
In the last few decades, we've seen cybercrime transform from an activity perpetrated by independent lone actors into an increasingly professional business endeavor in pursuit of profit.
Cybercriminals communicate and collaborate, working together and exchanging information on the deep and dark web. But what exactly is up for sale on these underground markets and what does this tell us about threat actor behavior and motivation?
We spoke to Dov Lerner, the lead security researcher at Cybersixgill to find out.
BN: What sort of information and tools are available on the dark web?
DL: The deep and dark web is a community of communities, in which conversations and commerce take place. In this environment, actors sell and share tools that can be used to carry out various types of attacks. These include malware and hacking tools, some of which are for general use, while others target specific services.
You can also find data, both sold at a price and shared for free, procured as a result of previous cyberattacks. This data includes information such as compromised credit cards, credentials, and sensitive personal information. Finally, actors can forge professional partnerships and access peer-created cybercrime tutorials, allowing them to continuously advance their level of sophistication.
BN: What's behind the increasing professionalization of cybercrime?
DL: Crime follows the money. In the past, criminals with advanced capabilities and aspirations might have been pirates raiding trading ships or robbers on horseback boarding trains. Nowadays, with the digitization of global commerce and finance, there are countless opportunities for criminals with proficient cyber know-how to make a fortune. But siphoning millions in cybercrime isn’t simple. If a criminal group wants to maximize its winnings, it must develop advanced skills and a solid infrastructure. Unfortunately, the best criminals are rising to the challenge.
Professionalization doesn't mean just good hacking skills. Groups need to build robust technical infrastructure in order to avoid takedowns. They also need capabilities to launder funds around the world and connections with local authorities to allow them to act with impunity.
BN: Is there a trend towards an as-a-service model of malware?
DL: Malware-as-a-service, and more broadly, cybercrime-as-a-service, have both been increasingly popular on the deep and dark web for some time. As with any developed economy, on the underground, there's a specialization of labor. Different actors develop specific expertise for the various stages of the attack chain and sell their skillset as a service. So, for example, while one actor focuses on gaining access to networks, another specializes in writing ransomware, another excels in ransomware deployment, and another in receiving and laundering the payments. Everyone plays a part, and everyone takes a cut from the crime.
We see a lot of actors that invest efforts into branding and marketing the services that they provide. They advertise on various forums, employ designs and logos, and offer deals for higher-value customers. Some of the larger ransomware groups even offer customer support (including office hours), so affiliates can contact them in real time with troubleshooting issues.
In practice, this service model greatly reduces the cost of entry for any aspiring criminal. Instead of needing to learn how to master each component of an attack chain, you can simply pay for services to cover each stage, allowing you to easily string together a fairly sophisticated attack.
BN: There are legitimate uses of the dark web -- in avoiding censorship for example -- how do we balance that against criminal use?
DL: Anonymous interaction and commercial transactions are neither inherently malicious nor illegal. In fact, there are many legitimate users on these underground forums, including dissidents, gamers, crypto enthusiasts, and even white-hat hackers. Shutting down sites will negatively impact these users, but it won’t do much against cybercrime -- threat actors will find a way to set up shop somewhere else.
The better way to handle cybercrime is to understand what's being targeted, how it's being targeted, and who’s doing the targeting. This way, defenders can protect themselves and disrupt the attack chain. Law enforcement can focus on identifying and neutralizing key actors.
BN: How can companies leverage the dark web as a source of intelligence?
DL: Intelligence from the deep and dark web can advise an organization's strategic, operational, and tactical decision-making. On a strategic level, it enables risk identification and enhances risk assessment. By comprehensively reviewing the threat landscape, you can understand broadly what actors are targeting, and more specifically, how they are uniquely targeting your industry and your peers.
On an operational level, this intelligence enables prioritization and the fine-tuning of mitigating controls. By understanding the tactics, techniques, and procedures employed by threat actors, you can adapt your cyber defense strategy accordingly, ensuring your organization is prepared to counter the threats relevant to your particular organization.
On a tactical level, this intelligence is both a protective control -- by blocking malicious indicators of compromise found in the underground -- and a detective control -- discovering compromised data belonging to your organization.