
At our company, we offer security services to our clients. One of the things that management has pushed down to us is the need for dark web monitoring.

Because I am in the business meetings as well, I know management has come to this conclusion because many CEOs' eyes (or at least the eyes of the ones we work with) light up when "dark web" is mentioned. My management plans to offer the monitoring of 10 key and/or important individuals in a company.

While we are going through this process, this made me wonder how an attacker might avoid detection. Sure, many of the existing tools are proprietary, but having researched them, they generally seem to be just crawling the dark web through Tor browsers.

My question (purely for academic reasons): How might you, as an attacker, avoid detection on the dark web given that you have confidential information on 10 key individuals of a company and you are trying to receive some sort of monetary value for it?

I imagine an answer with steps, from the day you gain access to the confidential data to the day you sell it on the dark web.

* This answer would really help me in defining the scope of the service we are going to offer and to be realistic with clients.

**IMHO, I do not believe in the usefulness of dark web monitoring because it gives a false sense of security.**

schroeder
pm1391
  • Why not check the dark web to see how it's actually done? Also, what's to stop a seller from omitting crucial identifying information and simply including a note to contact them for details? For example, "*info on execs from top-10 infosec research firm*" instead of "*info on [insert names] from [insert company]*". Without human intervention, a dark web monitoring tool wouldn't be able to figure out what's actually being sold. – Mr. Llama Jul 16 '18 at 16:36
  • The issue you have brought up is one that I have also brought up. I'm simply building a case to present to management so unrealistic expectations aren't created. – pm1391 Jul 16 '18 at 16:47
  • Do you want to avoid being detected as the *seller*, or do you want to avoid having the material that you want to sell being detected? If the former, how does that impact or diminish the results of monitoring? If the latter, then I would do what many do: only communicate the material in invite-only chat rooms (which is still considered Dark Net). – schroeder Jul 16 '18 at 16:50
  • The whole point of "Dark Net" monitoring is to see if the material is being broadcast to a wide criminal market. Monitoring is not meant to discover all possible routes to selling. If it is being sold on the open market, that communicates the level of threat you are under. Monitoring has value the moment it discovers something. – schroeder Jul 16 '18 at 16:53
  • @schroeder To be honest, we are still defining the scope, and I am not against monitoring the dark web but want to set a clear scope with clients. – pm1391 Jul 16 '18 at 18:46

1 Answer

Obtaining Access

To begin, a dark web is a network (often encrypted) which overlays the Internet but requires specialised software to access it. The Tor client, supplied within the Tor browser bundle, will connect to the Tor network and direct traffic through a triplet of nodes: entryNode --> relayNode --> exitNode. All three nodes will encrypt data transmitted with their public keys in the order:

  • entryNodePublicKey(relayNodePublicKey(exitNodePublicKey(data)))

Unless you have spyware loaded onto the host computers for the "important individuals" you will only see the entryNode IP address and encrypted traffic. Using this IP address you could confirm it belongs to the Tor network, as an induction node or guard node.

Because Tor is implemented for political activists, whistleblowers, oppressed dissidents, etc., it has built-in tools for censorship circumvention. OBFS4 bridges are among the common methods, but another is using meek bridges. Meek bridges take advantage of AWS and Azure for domain fronting; this will make the Tor entryNode, when performing DPI, appear as an HTTPS amazon.com or microsoft.com connection: normal traffic. This method is deployed to circumvent the Great Firewall of China.

Equally, other methods to conceal the entryNode connection include, but are not limited to:

  • OpenVPN using AES encryption: most modern VPNs
  • Proxy: HTTP, HTTPS, and SOCKS
  • RDP (or any other remote access protocol, preferably encrypted)

The RDP idea will involve connecting to a remote computer and using that to access the dark web, with or without the protection of VPN(s) or proxy(s).

Mentioning circumventing censorship is relevant, as the Vault 7 disclosures outlined that CIA malware would use data centers as botnets and would prefer performing any connections over HTTPS (with modern ciphers) on port 443. This would draw much less attention to connection logs when reviewed by a SysAdmin.

With this information in mind, now we should consider, without tremendous detail, the metadata and "noise" the attacker made when obtaining the confidential information. Questions include:

  • Did they leave logs and metadata concerning the breach?
  • Did they use someone else's access to access the confidential information, or use a zero day exploit?
  • Do IP address logs belong to residential IP address(es) or recognised anonymising networks?

We have now built knowledge of when the confidential information was stolen. So, now we can see if the attacker had vulnerabilities within their OpSec that we can use to deanonymise them.


Selling the Information

This would be your second (and last) opportunity to identify the attacker. This also may not be possible, as it involves tracing the payment method, which could also employ money laundering.

This confidential information is now an asset to the attacker. Presuming their goal is to profit from the attack, they will sell the information on to a buyer. A dark web marketplace would be a good start. Although, they could have been hired by a wealthy group to perform the attack. So, the information will be sold via either method:

  1. Dark web marketplace
  2. Closed auction (private)

The timing for selling this information would depend on the nature of the breach. Intellectual property with patents would not need a critical sell window, while a database of password hashes should be sold ASAP before the passwords are changed.

Payment would be your opportunity to trace the attacker. Payment could cover several forms:

  1. Dead drop bank account(s)
  2. PayPal
  3. Credit/Debit card(s)
  4. Cryptocurrencies

I cannot elaborate much further here, as money laundering is its own topic, and can be very broad. I can state that the more jurisdictions the IP addresses and payments cover, the more cumbersome and less likely you are to identify the attacker.

safesploit