Decrypting the Dark Web

Data analysis to be presented at Black Hat Europe highlights trends in communication between bad actors who gather in underground forums across the Dark Web.

Data analysis can be used to expose patterns in cyber-criminal communication and to detect illicit behavior in the Dark Web, says Christopher Ahlberg, co-founder and CEO at threat intelligence firm Recorded Future.

Ahlberg in November at Black Hat Europe 2016 in London will discuss how security pros can discover these patterns in forum and hacker behavior using techniques like natural language processing, temporal pattern analysis, and social network analysis.

Most companies conducting threat intelligence employ experts who navigate the Dark Web and untangle threats, he explains. However, it's possible to perform data analysis without requiring workers to analyze individual messages and posts.

Recorded Future has 500-700 servers it uses to collect data from about 800 forums across the Dark Web. Forums are organized by geography, language, and sectors like carding, hacking, and reverse engineering.

'Pattern of Life'

Ahlberg describes the process of chasing bad actors as "pattern of life analysis." This involves tracking an individual, or class of individuals, to paint a picture of their activity and develop a profile on their behavior. 

Over the last six months, he has spearheaded research to analyse more than three years of forum posts from surface and deep web. Forums have originated in the US, Russia, Ukraine, China, Iran, and Palestine/Gaza, among other locations.

The research unveiled a series of Cyber-criminal behavioral patterns. These can be used to discover illicit behavior, create points for further branches of research, and figure out how hackers are focusing on different tech and vulnerabilities.

Recorded Future built a methodology for analysts to track user actors' handles as people jump across and within forums, he explains. Discovering patterns starts with attribution, or putting together a profile for one person.  The problem is, bad actors often switch between handles to conceal their activity.

"Nobody puts in their real name," he continues. "The issue is, you might track someone and find half of what they're doing is on one handle, and the other half is on a different handle."

He addresses this complication through a process called mathematical clustering. By observing handle activity over time, researchers can determine if two handles belong to the same person without running into many complications.

Temporal patterns exemplify one trend Ahlberg has taken from his observations of hacker activity. "Overall, hacker forums have lower activity on Saturday and Sunday, and peak on Tuesday and Thursday," he says. The times at which criminals are most active can shed some light on their lives and areas of focus. Some forums have a drop in activity around mid-day, a sign that participants could be full-time workers taking a lunch break. 

It's also interesting to watch how forum activity relates to industry news. "By looking at forums and how they react to outside events, we can learn more about what they're interested in," Ahlberg says, calling the process "smoking out rats with external events."

For example, a spike in Wednesday activity could be a sign the forum is reacting to patches and vulnerabilities published by Microsoft and Adobe a day prior. 

Patch Tuesday, he says, could be driving "Exploit Wednesday." 

Dark Reading:         Deep Web – CyberCrime, The Movie:
 

« Future Of Security: Connect Cyber With Physical Defence
ISIS Social Media Ops Are Declining »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LexisNexis Risk Solutions

LexisNexis Risk Solutions

LexisNexis Risk Solutions provides technology solutions for Anti-Money Laundering, Fraud Mitigation, Anti-Bribery and Corruption, Identity Management, Tracing and Investigation.

Simula Research Laboratory

Simula Research Laboratory

Simula Research Laboratory carries out research in the fields of communication systems, scientific computing and software engineering.

CERT.lu

CERT.lu

CERT.lu is an initiative to enhance cyber security practices and techniques, and support security professionals in Luxembourg.

Savanti Consulting

Savanti Consulting

Savanti provides practitioner-led cyber security services tailored to meet each organisation’s unique requirements.

GitGuardian

GitGuardian

Enable developers, ops, security and compliance professionals to enforce security policies across public and private code, and other data sources as well

Com Laude

Com Laude

Com Laude is a domain name management company that provides strategic consulting to help companies strengthen digital brand, safeguard customers & protect brand IP.

Syndis

Syndis

Syndis is a leading information security company helping to defend organizations by providing bespoke services and innovative security solutions in the global market.

Edureka

Edureka

Edureka is an online technology training provider with the most effective learning system in the world. We help professionals learn trending technologies for career growth.

Stairwell

Stairwell

Stairwell is building a new approach to cybersecurity around a vision that all security teams should be able to determine what’s good, what’s bad, and why.

Corellium

Corellium

Corellium are dedicated to supporting our peers in the ARM community who seek to build more secure, performant, and accessible software and devices.

DC Two

DC Two

DC Two are a locally operated and supported Australian data centre, offering a suite of vertically integrated services covering every part of the data centre and cloud technology stack.

Turngate

Turngate

Turngate simplify security investigations so you can see employee activities and entitlements in your enterprise in seconds.

Trustack

Trustack

Trustack services cover connectivity, infrastructure services, security, unified comms, agile working and more. Our team of consultants deliver customised solutions tailored to your needs.

MiDO Technologies

MiDO Technologies

MiDO Technologies has a mission to change the narrative around digital enabling tools on the continent of Africa and prepare African youth.

Cyber Grant

Cyber Grant

Cyber Grant excel in designing cybersecurity solutions for data protection. Our approach and vision, centered on ease-of-use, establish us as a benchmark in the industry for safeguarding information.

SecureDApp

SecureDApp

SecureDApp is a blockchain security company that specialises in offering comprehensive security solutions to companies operating in the web3 space.