Resources

Understanding the dark web and how it factors into cybersecurity

LookingGlass Podcast

In this podcast recorded at Black Hat USA 2017, Eric Olson, VP of Intelligence Operations at LookingGlass Cyber Solutions, talks about the dark net and how it factors into cyber security.

Here’s a transcript of the podcast for your convenience.

Well, thank you Eric for joining us today. You need to really help our audience understand a bit more about the dark net because quite frankly, everybody thinks that it’s all bad things in the Internet and we need to have Eric Olson who is our VP of Intelligence Operations from LookingGlass Cyber Solutions. He’s going to straighten all of us out in terms of what is the dark net.

Thanks, Joy. I think this is actually a really important question. Definitions matter and especially in an industry that is possibly more prone than many to buzzwords, I think we’re lacking a clear definition of the dark net, and so LookingGlass has kind of put a stake in the ground and said, “Well, here is how we define it because no one else has.” We define the dark net as essentially any online content that requires specialized software knowledge or access to view. Put it another way, it’s the stuff you can’t get to unless you know someone, know something or use something other than a standard browser.

A lot of folks equate the dark net with Tor, and I would argue that Tor is one of the many aspects of that so-called hidden Internet, but a lot of people think that is the extent of it. I would actually divide at a very simple level the dark net into the dark web, which cannot be accessed with a standard browser, but given the right software looks a lot like the web. It has sites, it has pages; you just need a special browser to visit it. This would include Tor, but also other nonstandard networks such as I2P, Zeronet and Freenet. There are also non-web protocols and formats like IRC, and there are forums, chatrooms and other types of exchanges that may be accessible on the standard Internet but require specialized knowledge or access to gain entry to.

Thanks, Eric. Well, now that we know what it is the other question is but why all the discussion now about it?

I think there are a couple of answers to that. The first is, it’s been around long enough to have made it into mainstream consciousness and bad TV shows. The dark net or elements of it have been around for years in some cases, decades, but it’s become a convenient hand waving technique to make magical things happen in the movies and television. “Oh, I found this on the dark web and so now the plot can continue in our bad TV show.” I think when it goes mainstream is when you see a lot of interest around it.

You know it’s interesting because as a source, it is not fundamentally different in kind than any of the surface social or deep web type of content that companies like ours collect, monitor or search. But it’s sexy because it’s inaccessible to the average user, and so it has the air of mystery that it’s this vast underground that isn’t or can’t be understood by mere mortals. All of which to use a technical term I think is bunk.

Indeed. I guess the question now becomes so if I understand LookingGlass is doing a fair amount of search of the entire Internet including the dark web and the dark net, but what percentage of threats are actually coming from the dark net?

This is a great question I’ve gotten a couple of times in the last year, and back to my opening gambit that definitions matter, I think it depends on what you mean by threats. So for example, there are certain types of business risks that are far more likely to be on the surface or social web than on the dark web. For instance, if you are selling something that is relatively innocuous to a mainstream consumer audience but not let’s say, within the bounds of the law exactly. An example would be hacked cable boxes or, I don’t know, hot Manolo Blahniks or something. Then selling those on the dark web is useless because the only people down there are the highly technical folks who are looking on the dark web for marketplaces for far more contraband or illicit materials and goods. If you have a mainstream consumer market, Facebook marketplace or Alibaba or eBay or Craigslist classifieds are a far more effective medium. So percentage of quote threats depends entirely on the type of threat.

Now, if you’re looking for an unannounced vulnerability that would allow you to hack into highly protected networks, high quality methamphetamine or medical grade cocaine, murder for hire or child pornography – then the dark web is definitely a more likely place to find those things. But I think when you ask what percentage of the threats are down there versus the traditional environments with which most users are familiar, it really depends entirely on which type of risk you’re concerned about.

Well, that makes sense. I think then the question becomes since you’ve already said that LookingGlass does glean intelligence from the dark net and the dark web, the question would be how do enterprises ingest this, and how did those threats as you define actually help them to protect their assets?

It’s actually several great questions, Joy. Let me start with how an enterprise or an organization might go about this. The first thing is to tread with care, and that’s the reason that companies like ours and to be candid, a host of startups who specialize solely in this frankly, microscopically small environment are out there going to enterprises saying, “Well, we cover the dark web, we crawl or mine or survey the dark web.” To LookingGlass, the dark web is just another source like the many social media platforms, search engines, web crawling, IRC networks and host of other content types that we ingest into our systems.

But the reason that I think a specialty vendor of some sort actually makes sense for most enterprises is really a question of trade craft. If a user at a corporate network just goes and starts leaving footprints all over the dark web, the denizens of that environment are the highly technical folks who know what they’re looking at and are more likely to get value out of those visitors and the networks they’re coming from than the other way around. So to do this, you really do need to have some knowledge, some software, stealth, hiding your footprint and knowing how to tread lightly because again, the folks that live in these environments are usually more technically savvy than the people who come stomping about looking for it.

So I think there’s a really important need for educated tradecraft, and the scalability that comes with purpose-built systems designed to harvest data from these environments. This is not something you want to try to do with your fingers, both because it’s not efficient enough and because those fingers leave fingerprints.

Thank you, Eric and thank you for helping us to better understand the dark web, the dark net and how it factors into cyber security. So again, Eric Olson, Vice President, Intelligence Operations with LookingGlass Cyber Solutions.