Threat Intelligence In The Dark Web

Ever wondered what really happens in the dark web? While most of us will want to avoid the dark web, there is still that curiosity in most of us to go in, look around and find out why is the dark web really that dangerous. But accessing the dark web is no easy task. One would require specific browsers to access the content on the dark web. And normally, once you go in, you’re basically leaving the door open and exposing yourself to everyone and everything in there.

From stolen data, guns for hire to pornography, the dark web is often considered as the marketplace for illegal activity. At the same time, there are also other uses for the dark web. Whistleblowers for example, use the dark web when exposing information to media or agencies to protect their privacy. In fact, most activities in the dark web are often hard to track.

It was in this notion, CyberSecurity Asean and CyberInt together with Ingram Micro hosted a roundtable breakfast with C-level executives from various industries in Kuala Lumpur to explain to them the dangers of the dark web and how they can not only protect their organisations, but also be aware if their companies have had their data breached on the dark web.

Andrew Martin, Group Publisher of AOPG started the session by explaining the dark web and how many organisations are still not very aware of how they can protect themselves from it. Referring to a recent survey conducted by AOPG Insights, 64% of the organisations said a dark web security strategy is something they think about. Interestingly though, almost two-thirds of them have not checked if their data is available on the dark web or aware their data has been leaked there.

“Most of the ransomware that hit us start from something that was pulled out of the dark web. If you’re going on to the dark web for legitimate reasons, to check if your data is there, you’ve got to be aware that you may end up going down a rat hole that shows you things you’re not comfortable with. So, it doesn’t make sense to go into the dark web as a strategy to check if your data is there. There are much better ways to do it.”

While the survey revealed that more than half of the respondents have never accessed the dark web, Andrew pointed out that a majority of the respondents did not know what threat intelligence was. For those that thought they did, they got the definitions wrong. This is worrying because without leveraging threat intelligence, it would be much harder for organisations to identify and mitigate modern threats coming from both the surface and the deep web as that requires a move from traditional detection techniques.

From the survey, Andrew concluded that while the respondents possessed some knowledge of the dark web, their organisations, however, are not prepared enough to deal with threats – not unless they have a dark web strategy in place. At the same time, Malaysian organisations also have to take a more serious look at employing the right threat intelligence to keep out cyber threats and prevent data breaches more effectively.

Lester Leong, Senior Division Manager, Ingram Micro explained why organisations need to seriously consider their cybersecurity options. Highlighting that Malaysia is top for security breaches in the Asia Pacific region, Ingram Micro partners various cybersecurity solution providers like 

CyberInt to ensure organisations get the best protection and security available to them.
Is my data exposed?

The second part of the session saw Andrew Ong, VP Sales for CyberInt, explain how organisations can check if their data has been exposed, from where the threats originate to the type of threats to how long has the threat been in the organisation by using targeted threat intelligence.

Highlighting data breaches in Malaysia, Ong pointed out that the attack surface is expanding especially with organisations becoming more digitalized. Cyber threats originate from almost anywhere these days with attacker gaining ground on the methods they use. While there has been increased regulation on data and cybersecurity almost everywhere, the human factor is still a big problem when dealing with cyber threats.

Having worked with various organisations around the region, Ong said that problems faced are pretty much the same. Organisations still have limitations and shortages when it comes to the time, people and skills required. The lack of knowledge and experience in dealing with threats are still a major issue for most organisations. While technology has allowed some of these operations to be automated, the final outcome is still not good enough.

Addressing the attendees, Ong said that while there is trust on employees to execute certain tasks, there will be human carelessness at times. So how do organisations proactively check and be alert of this.
This is where CyberInt comes in. They help their customers understand and notify them if there is any lapse in their tasks. CyberInt provides a threat-centric detection and response suite based on a modular automated platform. It prioritises integrated insights across organizational and digital environments.

“We provide a threat-centric detection and response suite: based on a modular automated platform, it prioritizes integrated insights across organizational and digital environments.”
With that said, CyberInt moved to a demonstration of how their solution works. CyberInt Technical Consultant, Henry demonstrated what CyberInt’s Argos platform does. The Argos platform discovers vulnerabilities and threats to enable mitigation before they turn into incidents or breaches via targeted threat intelligence. It is able to detect phishing attempts and provide take downs per customer engagement as well as detect fraud.

Demonstrating the Argos dashboard and the information delivered, Henry pointed out that the platform is able to crawl both the dark web and surface web to get threat intelligence regarding the environment and find out who does what exactly. The service is also able to show you how many indicators were posted and how often they were posted as well. Another example he demonstrated was on social media service, Telegram.

“We have the ability to go into social media based on our own propitiatory technology. We can be using bots, crawlers or virtual avatars to crawl the web for all these sources of threat intelligence. In this case, this threat actor is using Telegram to post things for sale, such as credit card information. Going more detail, you will be able to see the indicators, profile and categories of this threat actor, just based on a username handle.”

A real use case example

After a couple more examples, Ong requested for one of the attendees to try out their own information and find out if their company has any breaches. A long pause followed as none of the attendees felt they want to expose their company information, although they were in a controlled environment. In the end, one brave executive decided to give it a go. Upon entering his company URL, the results showed out a list of usernames and passwords from his organisation that have been exposed.

Suddenly the entire atmosphere in the room changed as all the attendees were impressed and also concerned at how simple, sophisticated and vulnerable their organisations are. If a simple URL check of their company website could expose such details, what happens if they were to input their emails or usernames or other information. The realisaiton of the seriousness of the threat became a reality.

Making sense of threat intelligence

Moving on to the question and answer session, one of the attendees asked about the false positives ratio from the platform. Ong answered from the threat intelligence perspective, CyberInt sets up the environment for customers and it depends on the context and keywords that is provided to them. For example, generic words like bank which will generate scores of false positives. Ong added that they will help focus on the keywords and minimize the false positives, but in terms of threat intelligence, they would prefer a higher false positive compare to no false positives to bring in more data. In terms of the alert they send out, it’s less than 2% false positive.

Another question was on the language input of the platform, as to how many different languages is the service able to understand and search. According to Ong, the platform is language agnostic. Using analysts to hunt for sources, the technology will then be enabled to scrub the data inwards and the language translation is done within the platform. CyberInt is able to work on languages and slangs requested by their customers.

“Our capabilities are not just detecting the specific post, in fact, we also draw in the whole conversation chats as well to know what they are communicating. And this is done without your security team having to get into those channels (in the dark web) as it can be viewed on the platform.”

While this is for targeted threat, Ong added they also provide managed services for scrubbing data. It goes down to the security team. If they want to look through the data without CyberInt’s support, they just get onto the platform and work it out.
For CyberInt, providing targeted threat intelligence is key for them and not generic threat intelligence. Even though with petabytes of data, the platform customers have access to must be contextualized and match their keywords of their digital assets. For example, the service does not allow Bank A to get access of Bank B’s data. The data presented in the environment must be related to the keywords and context.

“We do not provide everyone’s data on a single platform due to compliance laws. We have limitations from an unstructured data perspective. We do not allow you to access the content of other organisations. We are aware there are some threat intelligence platforms that allows you this. But we have seen issues like insider threats becoming common as well.”
He added that CyberInt also logs all the users in the platform to ensure there are no data or security breaches.

In conclusion, the attendees were impressed with the information they received, especially on how the dark web can be a concern for their organisation. With threat intelligence fast becoming an important aspect for organisations in cybersecurity protection, the attendees know that they need to seriously check their systems and be aware if their data have been exposed.


You might also like
Most comment
share us your thought

0 Comment Log in or register to post comments