Many people view the dark web as a place for illegal activities, but anyone in a cyber investigation or analysis role should be looking at the dark web for amplifying information regarding threats against an organization.
Many organizations feel that they can get enough cyberthreat information from just surface web research and closed sources of information they receive daily. This is not always the case, as some of the reports they receive are based on information collected on the dark web. If the organization doesn’t allow or have the ability to access the dark web, they can’t dive deeper into the contents of these reports; if they do have access, it’s all too frequently through traditional means (e.g., Tor browser) without the proper safeguards in place..
To harness the cyberthreat intelligence benefits of the dark web, organizations need first to consider the legal and compliance requirements of access as well as the tools and tradecraft that their analysts will employ.
What can be accessed, gathered or purchased on the dark web
Up until a few years ago, there were not any real guidelines or recommendations for accessing the dark web. This meant that analysts or investigators had no firm restrictions on what they accessed, gathered or potentially purchased while on the dark web. But that has changed; the Cybersecurity Unit of the Department of Justice has published specific guidance* on what organizations should keep in mind when gathering intelligence with their memo titled “Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources.”
This memo makes clear that the government is aware that gathering cyberthreat intelligence involves the dark web: it’s where cyber crimes are discussed and planned and that stolen data is bought or sold. Additionally, the document looks at situations where private actors attempt to purchase malware, security vulnerabilities or their own stolen data — or stolen data belonging to another party with the data owner’s authorization — on dark web forums and marketplaces.
In general, there are four main takeaways from the DOJ guidance:
- Don’t access forums in an unauthorized manner: If you come across a forum on the dark web that requires a credential for access, do not attempt to evade the authorization requirements.
- Don’t assume someone else’s identity: If you need a persona to access or interact on the dark web, don’t use someone else’s identity (name, photo, phone number, email, etc.) to do so without their consent.
- Don’t do research without a plan: Have a set of written guidelines to focus research efforts, stay within the bounds of your organization’s risk appetite, and avoid running afoul with law enforcement.
- Don’t put your corporate network at risk: Consider the technical and operational risks inherent in dark web investigations and mitigate accordingly.
Read the full blog, 4 things not to do on the dark web, that breaks down the DOJ memo and provides helpful links to creating access policies and other dark web research tips.
Create SOP for accessing the dark web
With the numerous risks involved in conducting research on the dark web, organizations need to think about a standard operating procedure (SOP) for their analysts/investigators who are accessing the dark web. The SOP should follow standard guidlines for forensic investigations complete with logging procedures that may include:
- Date/time of access
- Persona or login credentials used
- Log of personas and credentials that can be used
- Sites visited by analyst/investigator
- Any logs of users accessing the dark web
This is by no means an exhaustive list of what should be included in the SOP, and organizations will also need an access control list that details not only who is allowed to access the dark web but who needs to be notified when a dark web investigation is taking place.
While a documented — and enforced (as we’ll talk about next) — SOP does not give organizations legal protection to their dark web activities, it can help coordinate with law enforcement when dark web activity is in question. Remember: law enforcement can’t always tell the difference between good-faith commercial analysts and the criminals. Organizations need to have their ducks in a row if the law comes knocking at their door.
Once SOP is created, use it and enforce it
One thing to remember is that once an organization spends the time to successfully write and implement the SOP, they need to think of it as a security control that must be enforced in order to protect the organization. This means that if employees do not follow the SOP, there have to be consequences of that action.
Many times, organizations have SOPs or security controls that have been implemented but they are not enforced, providing a false sense of security and an unreal sense of risk to the organization. This is why it is important to not only have an SOP that outlines access to the dark web but also has ramifications if that SOP is not followed.
While it may be a scary place, the dark web is useful
Many people look at the dark web as a scary place, and it can be if you or your organization is not careful. But there is information available on the dark web that may not be available anywhere else.
As a former cyberthreat intelligence analyst at a financial institution, I routinely used the dark web. It gave me access to information about recent zero days or security breaches at other organizations, as well as information that would be beneficial to several other teams in the organization like the anti-money laundering/Bank Secrecy Act (AML/BSA) team or the credit card team if there were leaked credit cards on the dark web.
In my current role as an OSINT trainer with formal intelligence training, I have talked to many cyber-related teams in cyberthreat intelligence (CTI), trust and safety, etc., who have indicated that they often do not have the tools or training to access the dark web. Therefore, they aren’t aware of the data out on the dark web that is of value to their work; during demos, I go to the dark web and show them that is simply not true, and if they had been utilizing the dark web they could have found information that would help protect their organization.
Organizations need to start looking at what open-source information they are currently using and if they are not accessing the dark web as part of that, they should consider incorporating it. Again, while the dark web can be scary, the wealth of information that is out there could be beneficial to their organization.
Using Silo for Research to access the dark web
Silo for Research is a purpose-built platform for secure and anonymous online research. It can be customized to provide simple and safe “point and click” access to dark web content. Dark web access is seamlessly integrated within Silo for Research and its suite of analyst tools, as compared to a separate and standalone dark web browser, giving analysts a single pane of glass for analysts to conduct research on the surface, deep and dark web.
Silo for Research is delivered as a service, providing a completely cloud-based browsing environment for full isolation from dark web counter-surveillance and threats (e.g., malware). It also provides organizational control to manage and deter unauthorized use of the dark web and extends comprehensive audit oversight to the dark web. Additionally, Silo allows for the downloading of non-repudiation logs of all Silo for Research activity. These can be used to backup the analyst-documented logs of their research on the dark web.
*Note: The DOJ memo and discussion in this blog do not constitute legal advice. Authentic8 is prohibited from offering you legal advice. Please consult your attorney or your organization’s attorney for legal advice before undertaking the activities considered here.
Tags Compliance Dark web research Threat intelligence